Compare commits


395 Commits

Author SHA1 Message Date
stevenhorsman
c2b0650491 release: Bump version to 3.21.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-23 20:59:00 +02:00
Fabiano Fidêncio
bfc54d904a agent: Fix format issues
In the previous commit we've added some code that broke `cargo fmt -- --check`
without even noticing, as the code didn't go through the CI
process (due to it being a security advisory).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-23 16:47:39 +02:00
Steve Horsman
3e67f92e34 Merge commit from fork
Fix malicious host can circumvent initdata verification on TDX
2025-09-23 13:31:29 +01:00
Alex Lyn
a9ec8ef21f kata-types: remove trailing slash from DEFAULT_KATA_GUEST_SANDBOX_DIR
Trailing slash in DEFAULT_KATA_GUEST_SANDBOX_DIR caused double slashes
in mount_point (e.g. "/run/kata-containers/sandbox//shm"), which failed
OPA strict equality checks against policy mount_point. Removing it aligns
generated paths with policy and fixes CreateSandboxRequest denial.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-23 14:01:22 +02:00
Steve Horsman
bcd0c0085c Merge pull request #11821 from mythi/coco-guest-update
Confidential containers version updates
2025-09-23 12:45:38 +01:00
Mikko Ylinen
5cb1332348 build: enable nvidia-attester for coco-guest-components
coco-guest-components tarball is used as is for both vanilla coco
rootfs and the nvidia enabled rootfs. nvidia-attester can be built
without nvml so make it globally enabled for coco-guest-components.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-23 12:38:32 +03:00
Mikko Ylinen
e878d4a90a versions: bump guest-components and trustee for CoCo v0.16.0
Pick the latest CoCo components targeted for the next release.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-23 12:38:32 +03:00
Fupan Li
a27009012c Merge pull request #11834 from Apokleos/fix-initdata-whitespace
CI: Keep base64 output of initdata annotation as a single line
2025-09-23 15:16:35 +08:00
Alex Lyn
4e793d635e Merge pull request #11736 from kata-containers/enhance-copyfile
runtime-rs: Enhance copyfile when sharedfs is disabled
2025-09-23 14:15:44 +08:00
Alex Lyn
f254eeb0e9 CI: Keep base64 output as a single line
This commit addresses an issue where base64 output, when used with a
default configuration, would introduce newlines, causing decoding to
fail on the runtime.

The fix ensures base64 output is a single, continuous line using the -w0
flag. This guarantees the encoded string is a valid Base64 sequence,
preventing potential runtime errors caused by invalid characters.

Note that: When you use the base64 command without any parameters, it
typically automatically adds newlines to the output, usually every 76 chars.

In contrast, base64 -w0 explicitly tells the command not to add any
newlines (-w for wrap, and 0 for a width of zero), which results in a
continuous string with no whitespace.

This is a critical distinction because if you pass a Base64 string with
newlines to a runtime, it may be treated as an invalid string, causing
the decoding process to fail.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-23 11:58:53 +08:00
Fupan Li
72a0f5daec Merge pull request #11794 from Sumynwa/sumsharma/clh_netdev_hotplug_pciinfo
runtime: clh: Add pci path for hotplugged network endpoints
2025-09-23 09:57:57 +08:00
Dan Mihai
02ace265d9 Merge pull request #11827 from microsoft/danmihai1/exec-retries
tests: k8s: retry kubectl exec
2025-09-22 17:14:50 -07:00
Hyounggyu Choi
16c2dd7c96 Merge pull request #11769 from Apokleos/enhance-blockdev
Enhance block device AIO mode
2025-09-22 14:01:38 +02:00
Alex Lyn
5dd36c6c0f runtime-rs: Correctly set permission and mode for dir when copy files
Correctly set dir's permissions and mode. This update ensures:

The dir_mode field of CopyFileRequest is set to DIR_MODE_PERMS
(equivalent to Go's 0o750 | os.ModeDir), which is primarily used for the
top-level directory creation permissions.
The file_mode field now directly uses metadata.mode() (equivalent to
Go's st.Mode) for the target entry.

This change aims to resolve potential permission issues or inconsistencies
during directory and file creation within the guest environment by precisely
matching the expected mode propagation of the Kata agent.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 17:59:57 +08:00
Greg Kurz
0f5511962c Merge pull request #11638 from ldoktor/ocp-peer-pods
ci.ocp: More debug output and tweaks
2025-09-22 11:57:46 +02:00
Alex Lyn
429133cedb runtime-rs: Introduce shared FS volume management in VolumeResource
The core purpose of introducing volume_manager to VolumeResource is to
centralize the management of shared file system volumes. By creating a
single VolumeManager instance within VolumeResource, all shared file
volumes are managed by one central entity. This single volume_manager
can accurately track the references of all ShareFsVolume instances to
the shared volumes, ensuring correct reference counting, proper volume
lifecycle management, and preventing issues like volumes being
overwritten.

This new design ensures that all shared volumes are managed by a central
entity, which:
(1) Guarantees correct reference counting.
(2) Manages the volume lifecycle correctly, avoiding issues like volumes
being overwritten.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 15:03:41 +08:00
Alex Lyn
90c99541da runtime-rs: Integrate VolumeManager into ShareFsVolume lifecycle
This commit integrates the new `VolumeManager` into the `ShareFsVolume`
lifecycle. Instead of directly copying files, `ShareFsVolume::new` now
uses the `VolumeManager` to get a guest path and determine if the volume
needs to be copied. It also updates the `cleanup` function to release
the volume's reference count, allowing the `VolumeManager` to manage its
state and clean up resources when no longer in use.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 15:03:27 +08:00
Alex Lyn
e73daa2f14 runtime-rs: Add sandbox level volume manager within non-sharedfs
This commit introduces a new `VolumeManager` to track the state of shared
volumes, including their reference count and their corresponding container
ids.
The manager's goal is to handle the lifecycle of shared filesystem volumes,
including:
(1) Volume State Tracking: Tracks the mapping from host source paths to guest
destination paths.
(2) Reference Counting: Manages reference counts for each volume, preventing
premature cleanup when multiple containers share the same source.
(3) Deterministic guest paths: Generates unique guest paths using a random string
to avoid naming conflicts.
(4) Improved Management: Provides a centralized way to handle volume creation,
copying, and release, including aborting file watchers when volumes are no longer
in use.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 14:45:16 +08:00
Mikko Ylinen
28ab972b3f agent-ctl: bump image-rs
pull image-rs from CoCo guest-components that is targeted for
CoCo v0.16.0.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-22 08:31:58 +03:00
Alex Lyn
313c7313f0 runtime-rs: Refactor code to improve copyfile logic and readability
This commit refactors the `CopyFile` related code to streamline the
logic for creating guest directories and make the code structure
clearer.

Its main goal is to improve the overall maintainability and facilitate
future feature extensions.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 11:30:47 +08:00
Alex Lyn
f36377070a runtime-rs: Enhance Copyfile to ensure existing contents synchronized
This commit is designed to perform a full sync before starting monitoring
to ensure that files which exist before monitoring starts are also synced.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 11:30:35 +08:00
Alex Lyn
2f5319675a runtime-rs: Set native aio mode for initdata block device
This commit updates the configuration for the initdata block
device to use the BlockDeviceAio::Native mode.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 10:13:44 +08:00
Alex Lyn
5ca403b5d9 runtime-rs: Allow per-device AIO mode configuration for block devices
This commit enhances control over block device AIO modes via hotplug.

Previously, hotplugged block devices were set with the default AIO mode (io_uring).
Even if users reset the AIO mode in the configuration file, the changes would
not be correctly applied to individual block devices.

With this update, users can now explicitly configure the AIO mode for hot-plugging
block devices via the configuration, and those settings will be correctly applied.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 10:13:44 +08:00
Alex Lyn
425e93a9b8 runtime-rs: Get more block device info within Device Manager
We need more information about the block device, so just replace the original
method get_block_driver with get_block_device_info and return its
BlockDeviceInfo.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-22 10:13:44 +08:00
Xuewei Niu
50ffa0fbfd Merge pull request #11495 from Caspian443/temp-selinux
runtime-rs: align SELinux feature with runtime-go (#9866)
2025-09-21 17:12:37 +08:00
Caspian443
2221b76b67 runtime-rs: Add selinux support for hypervisor
- read selinux_label from OCI spec in sandbox
- set selinux_label in preparevm and startvm in hypervisor

Fixes: [#9866](https://github.com/Caspian443/kata-containers/issues/9866)

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-09-21 13:59:17 +08:00
Caspian443
a658db8746 runtime-rs: hypervisor: add SELinux support functions
- Add disable_selinux and selinux_label fields to hypervisor for SELinux support.
- Implement related SELinux support functions.

Fixes: #9866

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-09-21 13:59:17 +08:00
Xuewei Niu
04948c616e Merge pull request #11830 from zvonkok/gpu-lts
gpu: Add correct latest driver per default
2025-09-21 13:58:34 +08:00
Zvonko Kaiser
e6f12d8f86 gpu: Add latest driver per default
Let's make sure that we use the latest driver for CI and release.
There was a sort step missing.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-09-20 23:50:35 +00:00
Fabiano Fidêncio
54e8081222 qemu: Fix submodules location change
The submodule change led to a breakage on our build of QEMU.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-20 22:12:27 +02:00
Lukáš Doktor
346ebd0ff9 ci.ocp: Allow to set CAA_IMAGE
we might want to provide different CAA_IMAGE (repo) to reproduce issues.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:54 +02:00
Lukáš Doktor
bf90ccaf75 ci.ocp: Allow to set/provide PP_IMAGE_ID
to be able to test with older or custom peer-pod image.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:54 +02:00
Lukáš Doktor
b7143488d9 ci.ocp: Allow to set CAA TAG
to allow re-running with older CAA tag for bisection/reproduction.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:54 +02:00
Lukáš Doktor
12c5e0f33f ci.ocp: Log more details on failure
recently we got ErrImagePull, having more details should help with analyzing
issues.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:54 +02:00
Lukáš Doktor
7565c881e6 ci.ocp: Log variables in bash-friendly format
this should simplify copy&paste of the values from logs.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:54 +02:00
Lukáš Doktor
a300b6b9a9 ci.ocp: Allow to set operator/caa commits
this can help reproducing or bisecting issues related to operator/caa
versions.

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-20 06:57:53 +02:00
Dan Mihai
524bf66cbc tests: k8s-credentials-secrets: retry on exec error
Retry after "kubectl exec" failure, instead of aborting the test
immediately.

Example of recent error:

https://github.com/kata-containers/kata-containers/actions/runs/17828061309/job/50693999052?pr=11822

not ok 1 Credentials using secrets
 (in test file k8s-credentials-secrets.bats, line 59)
  `kubectl exec $pod_name -- "${pod_exec_command[@]}" | grep -w "username"' failed

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-19 17:45:05 +00:00
Dan Mihai
01c7949bfd tests: k8s-number-cpus: retry on kubectl exec error
Retry after "kubectl exec" failure, instead of aborting the test
immediately.

Example of recent error:

https://github.com/kata-containers/kata-containers/actions/runs/17813996758/job/50644372056

not ok 1 Check number of cpus
...
error: Internal error occurred: error sending request: Post
"https://10.224.0.4:10250/exec/kata-containers-k8s-tests/cpu-test/c1?command=sh&command=-c&command=
cat+%!F(MISSING)proc%!F(MISSING)cpuinfo+%!C(MISSING)grep+processor%!C(MISSING)wc+-l&error=1&output=1": EOF

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-19 17:44:55 +00:00
Dan Mihai
91c3804959 tests: k8s: add container_exec_with_retries()
Add container_exec_with_retries(), useful for retrying, if needed,
commands similar to:

kubectl exec <pod_name> -c <container_name> -- <command>

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-19 17:42:59 +00:00
Dan Mihai
eec6c8b0c4 tests: k8s: retry after kubectl exec error
Some of the k8s tests were already retrying if `kubectl exec` succeeded
but produced empty output. Perform the same retries on `kubectl exec`
error exit code too, instead of aborting the test immediately.

Example of recent exec error:

https://github.com/kata-containers/kata-containers/actions/runs/17813996758/job/50644372056

not ok 1 Check number of cpus
...
error: Internal error occurred: error sending request: Post
"https://10.224.0.4:10250/exec/kata-containers-k8s-tests/cpu-test/c1?command=sh&command=-c&command=
cat+%!F(MISSING)proc%!F(MISSING)cpuinfo+%!C(MISSING)grep+processor%!C(MISSING)wc+-l&error=1&output=1": EOF

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-19 15:43:39 +00:00
Hyounggyu Choi
0fb40eda12 Merge pull request #11822 from BbolroC/runtime-no-hotplug-ibm-sel-s390x
runtime: Set maxmem to initialmem on s390x when memory hotplug is disabled
2025-09-18 17:31:01 +02:00
Hyounggyu Choi
d90e785901 runtime: Set maxmem to initialmem on s390x when memory hotplug is disabled
On s390x, QEMU fails if maxmem is set to 0:

```
invalid value of maxmem: maximum memory size (0x0) must be at least the initial memory size
```

This commit sets maxmem to the initial memory size for s390x when hotplug is disabled,
resolving the error while still ensuring that memory hotplug remains off.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-18 14:05:33 +02:00
Mikko Ylinen
49fbd6e7af runtime: qemu: disable memory hotplug for ConfidentialGuests
The setting '-m xM,slots=y,maxmem=zM' where maxmem is from
the host's memory capacity is failing with confidential VMs
on hosts having 1T+ of RAM.

slots/maxmem are necessary for setups where the container
memory is hotplugged to the VM during container creation based
on createContainer info.

This is not the case with CoCo since StaticResourceManagement
is enabled and memory hotplug flows have not been checked.

To avoid unexpected errors with maxmem, disable slots/maxmem
in case ConfidentialGuest is requested.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-17 23:43:36 +02:00
Dan Mihai
ca244c7265 Merge pull request #11753 from Apokleos/fix-anno
runtime-rs: Fix annotations within runtime-rs to pass the agent policy check
2025-09-16 16:42:26 -07:00
Dan Mihai
e2992b51ad tests: k8s-job debug information
Log the output of "kubectl logs", to hopefully help understand test
failures similar to:

https://github.com/kata-containers/kata-containers/actions/runs/17709473340/job/50326984605?pr=11753

not ok 1 Run a job to completion
 (in test file k8s-job.bats, line 37)
   `kubectl logs "$pod_name" | grep "$pi_number"' failed

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-16 22:36:31 +02:00
Dan Mihai
8854e69e28 tests: k8s-empty-dirs debug information
Log the output of "kubectl logs", to hopefully help understand test
failures similar to:

https://github.com/kata-containers/kata-containers/actions/runs/17709473340/job/50326984613?pr=11753

not ok 2 Empty dir volume when FSGroup is specified with non-root container
 (from function `assert_equal' in file k8s-empty-dirs.bats, line 16,
 in test file k8s-empty-dirs.bats, line 65)
 `assert_equal "1001" "$uid"' failed

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-16 22:36:31 +02:00
Fabiano Fidêncio
96108006f2 agent: Panic on errors accessing the attestation agent binary
Let's make sure that whenever we try to access the attestation agent
binary, we only proceed with the startup in case:
* the binary is found (CoCo case)
* the binary is not present (non-CoCo case)

In case of any error that's not `NotFound`, we should simply abort as that
could mean a potential tampering with the binary (which would be
reported as an EIO).

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-09-16 21:35:00 +02:00
Fabiano Fidêncio
d056fb20fe initramfs: Enforce --panic-on-corruption for veritysetup
Let's enforce an error on veritysetup in case there's any tampering with
the rootfs.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-09-16 21:35:00 +02:00
Alex Lyn
bc1170ba0c runtime-rs: Add bundle_path annotation within oci spec
Add the annotation of OCI bundle path to store its path.
As it'll be checked within agent policy, we need to add them
to pass agent policy validations.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 21:31:02 +02:00
Alex Lyn
71ddbac56d runtime-rs: Correctly set CONTAINER_TYPE_KEY within OCI Spec annotation
With the help of `update_ocispec_annotations`, we'll add the container
type key with "io.katacontainers.pkg.oci.container_type" and its
corresponding type "pod_sandbox" when it's the pause container and
"pod_container" when it's another container.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 21:31:02 +02:00
Alex Lyn
a47c0cdf66 kata-types: Introduce a helper to update oci spec annotations
It'll update OCI annotations by removing specified keys and adding
new ones. This function creates a new `HashMap` containing the updated
annotations, ensuring that the original map remains unchanged.

It is optimized for performance by pre-allocating the necessary capacity
and handling removals and additions efficiently.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 21:31:02 +02:00
Alex Lyn
9992e1c416 kata-types: Export POD_CONTAINER and POD_SANDBOX constants as public
To enable access to the constants `POD_CONTAINER` and `POD_SANDBOX` from
other crates, their visibility has been updated to public. This change
addresses the previous limitation of restricted access and ensures these
values can be utilized across the codebase.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 21:31:02 +02:00
Alex Lyn
95585d818f runtime-rs: Add sandbox annotation of nerdctl network namespace
Add the annotation of nerdctl network namespace to let nerdctl know which namespace
to use when calling the selected CNI plugin with "nerdctl/network-namespace".
As it'll be checked within agent policy, we need to add them to pass agent policy validations.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 21:31:00 +02:00
Dan Mihai
bc75f6a158 Merge pull request #11783 from billionairiam/agenttypo
kata-agent: Rename misleading variable in config parsing
2025-09-16 11:07:17 -07:00
Fabiano Fidêncio
e31a06d51d kata-manager: Handle zst unpacking
In 63f6dcdeb9 we added support to
download either a .xz or a .zst tarball file. However, we missed adding
the code to properly unpack a .zst tarball file.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-16 19:16:14 +02:00
Fabiano Fidêncio
4265beb081 tools: agent-ctl: Fix unresolved ch import
agent-ctl's make check has been failing with:
```
    Checking kata-agent-ctl v0.0.1 (/home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/tools/agent-ctl)
error[E0432]: unresolved import `hypervisor::ch`
  --> src/vm/vm_ops.rs:10:5
   |
10 |     ch::CloudHypervisor,
   |     ^^ could not find `ch` in `hypervisor`
   |
note: found an item that was configured out
  --> /home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/runtime-rs/crates/hypervisor/src/lib.rs:30:9
   |
30 | pub mod ch;
   |         ^^
note: the item is gated here
  --> /home/ubuntu/runner/_layout/_work/kata-containers/kata-containers/src/runtime-rs/crates/hypervisor/src/lib.rs:26:1
   |
26 | / #[cfg(all(
27 | |     feature = "cloud-hypervisor",
28 | |     any(target_arch = "x86_64", target_arch = "aarch64")
29 | | ))]
   | |___^
```

Let's just make sure that we include ch conditionally as well.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-16 18:44:33 +02:00
Fupan Li
4a92fc1129 runtime-rs: add the sandbox's shm volume support
Docker containers support specifying the shm size using the --shm-size
option and support sandbox-level shm volumes, so we've added support for
shm volumes. Since Kubernetes doesn't support specifying the shm size,
it typically uses a memory-based emptydir as the container's shm, and
its size can be specified.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-16 16:32:41 +02:00
Fupan Li
d48c542a52 runtime-rs: Support Firecracker disk rate limiter
This PR adds code that passes disk limiter parameters from KC
configuration to Firecracker.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-16 16:27:58 +02:00
Fupan Li
e0caeb32fc runtime-rs: move the rate limiter to hypervisor config
Since the rate limiter would be shared by cloud-hypervisor,
firecracker, etc., move it from clh's config to the
hypervisor config crate, which would be shared by other VMMs.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-16 16:27:58 +02:00
Fupan Li
73e31ea19a runtime-rs: add the block devices io limit support
Given that Rust-based VMMs like cloud-hypervisor, Firecracker, and
Dragonball naturally offer user-level block I/O rate limiting, I/O
throttling has been implemented to leverage this capability for these
VMMs. This PR specifically introduces support for cloud-hypervisor.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-16 16:27:58 +02:00
Steve Horsman
ac74ef4505 Merge pull request #11801 from Apokleos/blk-sharerw
runtime-rs: Enable share-rw=true when hotplug block device within qemu
2025-09-16 14:55:57 +01:00
Sumedh Alok Sharma
3443ddf24d runtime: clh: Add pci path for hotplugged network endpoints
This commit introduces changes to parse the PciDeviceInfo received
in response payload when adding a network device to the VM with cloud
hypervisor. When hotplugging a network device for a given endpoint,
it rightly sets the PciPath of the plugged-in device in the endpoint.

In calls like virtcontainers/sandbox.go:AddInterface, the later call
to the agent sends the pci info for uevents (instead of an empty value) to
rightly update the interfaces instead of failing with `Link not found`.

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-09-16 12:45:57 +00:00
Alex Lyn
e9a5de35e8 runtime-rs: Enable share-rw=true when hotplug block device within qemu
Support for the share-rw=true parameter has been added. While this
parameter is essential for maintaining data consistency across multiple
QEMU instances sharing a backend disk image, its implementation also
serves to standardize parameters with the block device hotplug
functionality in kata-runtime/qemu.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-16 10:55:29 +01:00
Fupan Li
df852b77b5 Merge pull request #11799 from Apokleos/fix-virtual-volume-type
runtime-rs: Bugfix for kata virtual volume overlay fstype
2025-09-16 09:38:07 +08:00
Dan Mihai
489b677927 Merge pull request #11732 from microsoft/saulparedes/init_data_policy_support
genpolicy: add init data support
2025-09-15 15:45:57 -07:00
Fabiano Fidêncio
8abfef358a tests: Only run docker tests with one VMM
Docker tests have been broken for a while and should be removed if we
cannot maintain those.

For now, though, let's limit it to run only with one hypervisor and
avoid wasting resources for no reason.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 23:03:04 +02:00
Fabiano Fidêncio
dce6f13da8 tests: Only run devmapper tests with QEMU
devmapper tests have been failing for a while. It's been breaking on the
kata-deploy deployment, which is most likely related to Disk Pressure.

Removing files was not enough to get the tests to run, so we'll just run
those with QEMU as a way to test fixes.  Once we get the test working,
we can re-enable the other VMMs, but for now let's just not waste
resources for no reason.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 23:02:33 +02:00
Saul Paredes
e3e406ff26 tests: remove add_allow_all_policy_to_yaml call from helper func
add_allow_all_policy_to_yaml now also sets the initdata annotation. So don't overwrite the
initdata annotation that was previously set by create_coco_pod_yaml_with_annotations.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:29 -07:00
Saul Paredes
cc73b14e26 docs: update policy docs
Update policy docs to use initdata annotation and encoding

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:29 -07:00
Saul Paredes
b5352af1ee tests: update tests that manually set policy
Use new initdata annotation instead

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:29 -07:00
Saul Paredes
2d8c3206c7 gha: allow cbl-mariner to test using initdata annotation
Allow "cc_init_data" hypervisor annotation.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:29 -07:00
Saul Paredes
5d124523f8 runtime: add initdata support in clh
Prepare the initdata image and mount it as a block device.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:40:21 -07:00
Saul Paredes
252d4486f1 runtime: delete initdata annotation
Delete annotation from OCI spec and sandbox config. This is done after the optional initdata annotation value has been read.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
Saul Paredes
af41f5018f runtime: share initdata setup code
Move setup code such that it can be used by other hypervisors.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
Saul Paredes
a427537914 genpolicy: add initdata support
Encode policy inside initdata and encode as annotation (base64(gzip(toml))).

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
Saul Paredes
10de56a749 kata-types: expose encode and decode initdata helper methods
These methods can be used by other components, such as genpolicy.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-09-15 11:34:26 -07:00
Mikko Ylinen
86fe419774 versions: update kernel-confidential to Linux v6.16.7
update to the latest available v6.16 stable series kernel for CoCo.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-15 20:29:22 +02:00
Steve Horsman
fab828586b Merge pull request #11771 from stevenhorsman/attempt-crio-1.34.0-bump
runtime: Bump cri-o to latest
2025-09-15 17:31:13 +01:00
Alex Tibbles
fa6e4981a1 versions: bump ovmf edk2 version
Update ovmf to latest release. Includes CVE-2024-38805 fix.

EDK2 changelogs for releases since edk2-stable202411:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202508
https://github.com/tianocore/edk2/releases/tag/edk2-stable202505
https://github.com/tianocore/edk2/releases/tag/edk2-stable202502

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-09-15 15:38:33 +02:00
stevenhorsman
dc64d256bf runtime: Bump cri-o to latest
Bump cri-o to 1.34.0 to try and remediate security advisories
CVE-2025-0750 and CVE-2025-4437.

Note: Running
```
go get github.com/cri-o/cri-o@v1.34.0
```
seems to bump a lot of other go modules, hence the size of the
vendor diff.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
16dd1de0ab kata-monitor: Update deprecated use of grpc functions
In google.golang.org/grpc v1.72.0, `DialContext` is deprecated, so
switch to use `NewClient` instead.
`grpc.WithBlock()` is deprecated and not recommended, so remove this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
b9ff5ffc21 kata-monitor: Replace use of deprecated expfmt.FmtText
In `github.com/prometheus/common v0.62.0` expfmt.FmtText
is deprecated, so replace with `expfmt.NewFormat(expfmt.TypeTextPlain)`.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
7f86b967d1 runtime: Replace use of deprecated expfmt.FmtText
In `github.com/prometheus/common v0.62.0` expfmt.FmtText
is deprecated, so replace with `expfmt.NewFormat(expfmt.TypeTextPlain)`.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
62ed86d1aa runtime: Update deprecated use of grpc.Dial
In google.golang.org/grpc v1.72.0, `Dial` is deprecated, so
switch to use `NewClient` instead.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
stevenhorsman
334340aa18 runtime: Update removed methods
In selinux v1.12.0, `label.SetProcessLabel` was removed, to be
replaced by `selinux.SetExecLabel`.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 14:29:06 +01:00
Fabiano Fidêncio
ad7e60030a tests: k8s: kata-deploy: Remove unnecessary dirs to free up space
This is following Steve's suggestion, based on what's been done on
cloud-api-adaptor.

The reason we're doing it here is because we've seen pods being evicted
due to disk pressure.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 15:27:54 +02:00
Fabiano Fidêncio
60ba121a0d kata-deploy: nit: Fix test name
Just add a "is" there as it was missing.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 15:27:54 +02:00
Fabiano Fidêncio
d741544fa6 kata-deploy: Don't fail if the runtimeclass is already deleted
I've hit this when using a machine with slow internet connection, which
took ages to download the kata-cleanup image, and then helm timed out in
the middle of the cleanup, leading to the cleanup job being restarted
and then bailing with an error as the runtimeclasses that kata-deploy
tries to delete were already deleted.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 15:27:54 +02:00
Fupan Li
679cdeadc8 runtime: fix the issue where clh resize vcpu failed
Since the cloud hypervisor's resize vCPU is an asynchronous operation,
it's possible that the previous resize operation hasn't completed when
the request is sent, causing the current call to return an error.
Therefore, several retries can be performed to avoid this error.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-15 14:29:25 +02:00
Alex Tibbles
66a3d4b4a2 versions: bump kernel to 6.12.47
Update LTS kernel to latest.

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-09-15 14:19:48 +02:00
Alex Tibbles
710c117a24 version: Bump QEMU to v10.1.0
A minor release of QEMU is out, so update to it for fixes and features.

QEMU changelog: https://wiki.qemu.org/ChangeLog/10.1

Notes:
* AVX support is not an option to be enabled / disabled anymore.
* Passt requires Glibc 2.40+, which means a dependency on Ubuntu 25.04
  or newer, thus we're disabling it.

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-09-15 14:19:25 +02:00
stevenhorsman
e3aa973995 versions(deps): Bump slab versions prior to 0.4.10
Although versions of slab prior to 0.4.10 don't have a security
vulnerability, we can bump them all to keep things in sync.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
stevenhorsman
9c0fcd30c5 ci: Add slab to dependabot groups
Add slab, so that in future the different component bumps are all done together.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
stevenhorsman
924051c652 genpolicy: Bump slab crate to 0.4.11
Bump versions to remediate CVE-2025-55159

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
stevenhorsman
8fb4332d42 agent-ctl: Bump slab crate to 0.4.11
Bump versions to remediate CVE-2025-55159

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
dependabot[bot]
84bcf34c75 build(deps): bump slab from 0.4.10 to 0.4.11 in /src/runtime-rs
Bumps [slab](https://github.com/tokio-rs/slab) from 0.4.10 to 0.4.11.
- [Release notes](https://github.com/tokio-rs/slab/releases)
- [Changelog](https://github.com/tokio-rs/slab/blob/master/CHANGELOG.md)
- [Commits](https://github.com/tokio-rs/slab/compare/v0.4.10...v0.4.11)

---
updated-dependencies:
- dependency-name: slab
  dependency-version: 0.4.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-15 09:48:03 +02:00
Fabiano Fidêncio
60790907ef clh: Update to v48.0 release
```
Experimental fw_cfg Device Support
This feature enables passing configuration data and files, such as VM
boot configurations (kernel, kernel cmdline, e820 memory map, and ACPI
tables), from the host to the guest. (#7117)

Experimental ivshmem Device Support
Support for inter-VM shared memory has been added. For more information,
please refer to the ivshmem documentation. (#6703)

Firmware Boot Support on riscv64
In addition to direct kernel boot, firmware boot support has been added
on riscv64 hosts. (#7249)

Increased vCPU Limit on x86_64/kvm
The maximum number of supported vCPUs on x86_64 hosts using KVM has been
raised from 254 to 8192. (#7299)

Improved Block Performance with Small Block Sizes
Performance for virtio-blk with small block sizes (16KB and below)
is enhanced via submitting async IO requests in batches. (#7146)

Faster VM Pause Operation
The VM pause operation now is significantly faster particularly for VMs
with a large number of vCPUs. (#7290)

Updated Documentation on Windows Guest Support
Our Windows documentation now includes instructions to run Windows 11
guests, in addition to Windows Server guests. (#7218)

Policy on AI Generated Code
We will decline any contributions known to contain contents generated or
derived from using Large Language Models (LLMs). Details can be found
in our contributing documentation. (#7162)

Removed SGX Support
The SGX support has been removed, as announced in the deprecation notice two
release cycles ago. (#7093)

Notable Bug Fixes
Seccomp filter fixes with glibc v2.42 (#7327)
Various fixes related to (#7331, #7334, #7335)
```

From https://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v48.0

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 08:30:18 +02:00
Fupan Li
4dc21aa966 Merge pull request #11766 from Apokleos/fix-create_container_timeout
kata-types: Support create_container_timeout set within configuration
2025-09-15 10:19:58 +08:00
Alex Lyn
7874505249 Merge pull request #11782 from Apokleos/enhance-policy-rs
genpolicy: Enhance policy rule for runtime-rs scenarios
2025-09-15 10:07:14 +08:00
Alex Lyn
e3d6cb8547 Merge pull request #11716 from lifupan/fupan_main
runtime-rs: make the virtio-blk use the pci bus as default
2025-09-15 09:49:40 +08:00
Alex Lyn
7062a769b7 genpolicy: Exclude cgroup namespace from namespace validation
Exclude 'cgroup' namespace from namespace checks during `allow_linux`
validation. This complements the existing exclusion of the 'network'
namespace.

As runtime-rs has specific cgroup namespace configurations, excluding it from
policy validation ensures parity between the runtime-rs and runtime-go implementations.

This allows focusing validation on critical namespaces like PID, IPC, and MNT, while
avoiding potential policy mismatches due to the different cgroup namespace management by
runtime-rs.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:24:06 +08:00
Alex Lyn
12a9ad56b4 genpolicy: Normalize namespace type for mount/mnt compatibility
Add `normalize_namespace_type()` function to map "mount"
(case-insensitive) to "mnt" while keeping other values unchanged.
This ensures namespace comparisons treat "mount" and "mnt" as
equivalent.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:24:06 +08:00
Alex Lyn
ebdfbd3120 genpolicy: Make comparison order-independent and accept CAP_X/X
- Use set comparison to ignore ordering differences when matching
  capabilities.
- Add normalization to strip "CAP_" prefix to support both CAP_XXX and
  XXX formats.

This makes capability matching more robust against different ordering
and naming formats.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 17:23:58 +08:00
Alex Lyn
04dedda6ed runtime-rs: Bugfix for kata virtual volume overlay fstype
The previous configuration with overlayfs was incorrect, which caused the agent
policy validation to fail, and it also differed from runtime-go's
configuration. In this patch, we correct its fstype to overlay and
align with the runtime on this matter.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-14 16:38:09 +08:00
Fupan Li
d073af4e64 dragonball: fix the issue of missing unregister doorbell
It should unregister the doorbell resources once the
device is reset.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
2844a6f938 runtime-rs: sync hotunplug the block devices for dragonball
When hot-removing a block device, the kernel must first unmount the
device and then destroy it on the VM. Therefore, a
prepare_remove_block_device procedure must be added to wait for the
kernel to unmount the device before destroying it on the VM.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
6e5fe96ed1 dragonball: sync remove the block devices
When hot-removing a block device, the kernel must first remove the
device and then destroy it on the VM. Therefore, a
prepare_remove_block_device procedure must be added to wait for the
kernel to unmount the device before destroying it on the VM.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
c80ddd3fd9 runtime-rs: make virtio-blk use the pci bus as default
Since Dragonball's MMIO bus only supports legacy interrupts, while
the PCI bus supports MSIX interrupts, to improve performance for block
devices, virtio-blk devices are set to PCI bus mode by default.

We tested virtio-blk's performance using fio with the
following command:

fio -filename=./test  -direct=1 -iodepth 32 -thread -rw=randrw
-rwmixread=50 -ioengine=libaio -bs=4k -size=10G -numjobs=4
-group_reporting -name=mytest

When using the legacy interrupt, the IO test result is as below:

read : io=20485MB, bw=195162KB/s, iops=48790, runt=107485msec
write: io=20475MB, bw=195061KB/s, iops=48765, runt=107485msec

Once switched to the MSI-X interrupt, the IO test result is as below:

read : io=20485MB, bw=260862KB/s, iops=65215, runt= 80414msec
write: io=20475MB, bw=260727KB/s, iops=65181, runt= 80414msec

We get a 34% performance improvement.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
2dd172c5b6 dragonball: Add the pci bus support for virtio-blk
Added support for PCI buses for virtio-blk devices. This commit adds
support for PCI buses for both cold-plugged and hot-plugged
virtio-blk devices. Furthermore, during hot-plugging, support is added for
synchronous waiting for hot-plug completion. This ensures that multiple devices
can be hot-plugged successfully without causing upcall busy errors.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
3c3823f2e4 dragonball: refactoring the pci system manager
In order to support the pci bus for virtio devices,
move the pci system manager from vfio manager to
device manager, thus it can be shared by both of
vfio and virtio pci devices.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
59273e8b2d dragonball: add the msix interrupt support
Add the msix notify support for virtio queues.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Fupan Li
7de6455742 dragonball: add the pci bus support for virtio
Add the pci bus support for virtio devices.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-14 09:08:26 +08:00
Dan Mihai
34925ae740 Merge pull request #11795 from microsoft/danmihai1/snp-annotations
runtime: snp: enable CoCo annotations
2025-09-12 14:23:54 -07:00
Dan Mihai
60beb5236d runtime: snp: enable CoCo annotations
Use @DEFENABLEANNOTATIONS_COCO@ in configuration-qemu-snp.toml,
for consistency with the tdx and coco-dev configuration files.

k8s-initdata.bats was failing during CI on SNP without this change,
because the cc_init_data annotation was disabled.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-12 15:38:33 +00:00
RuoqingHe
a011d2132f Merge pull request #11775 from RuoqingHe/fix-test_execute_hook
libs: Fix unit tests under non-root user
2025-09-12 08:03:05 +08:00
Aurélien Bombo
760b465bb0 Merge pull request #11788 from kata-containers/sprt/zizmor-branch
ci: Run Zizmor on pushes to any branch
2025-09-11 11:52:06 -05:00
Aurélien Bombo
11655ef029 ci: Run Zizmor on pushes to any branch
This runs Zizmor on pushes to any branch, not just main.

This is useful for:

 1. Testing changes in feature branches with the manually-triggered CI.
 2. Forked repos that may use a different name than "main" for their
    default branch.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-11 09:33:25 -05:00
Ruoqing He
f6e93c2094 libs: Fix test_get_uds_with_sid_with_zero
Test case for `get_uds_with_sid` with an empty run directory would not
hit the 0 match arm, i.e. "sandbox with the provided prefix {short_id:?}
is not found", because `get_uds_with_sid` will try to create the
directory with provided short id before detecting `target_id`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-11 02:04:54 +00:00
Ruoqing He
b10e5a2250 libs: Fix test_get_uds_with_sid_ok
Preset directory `kata98654sandboxpath1` will produce more than one
`target_id` in `get_uds_with_sid`, which causes test to fail. Remove
that directory to make this test work.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-11 02:04:54 +00:00
Ruoqing He
efeba0b8ed libs: Detect guest protection before testing
`test_arch_guest_protection_*` test cases get triggered simultaneously,
which is impossible for a single machine to pass. Modify tests to detect
the protection file before proceeding.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-11 02:04:54 +00:00
Ruoqing He
a9ba18d48c libs: Fix test_execute_hook test
Case 4 of `test_execute_hook` would fail because `args` could not be
empty, while providing `build_oci_hook` with `vec![]` would result in
empty args at the execution stage.

Modify `build_oci_hook` to set args as `None` when empty vector is
provided.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-11 02:04:54 +00:00
Dan Mihai
5d59341f7f Merge pull request #11780 from ryansavino/snp-guest-kernel-upgrade-issue
packaging: add required modules for confidential guest kernel
2025-09-10 18:21:26 -07:00
Liang, Ma
a989686cf6 kata-agent: Rename misleading variable in config parsing
The variable `addr` was used to store the log level string read from the
`LOG_LEVEL_ENV_VAR` environment variable. This name is misleading as it
implies a network address rather than a log level value.

This commit renames the variable to `level` to more accurately reflect
its purpose, improving the overall readability of the configuration code.

A minor whitespace formatting fix in a macro is also included.

Signed-off-by: Liang, Ma <liang3.ma@intel.com>
2025-09-11 07:54:48 +08:00
Steve Horsman
58259aa5f4 Merge pull request #11754 from stevenhorsman/go.mod-1.24.6-bump
versions: Tidy up go.mod versions
2025-09-10 14:11:33 +01:00
Hyounggyu Choi
1737777d28 Merge pull request #11743 from BbolroC/enable-ci-qemu-se-runtime-rs
runtime-rs: Enable s390x nightly test for IBM SEL
2025-09-10 15:00:16 +02:00
Alex Lyn
1d26d07110 Merge pull request #11781 from lifupan/fupan_main_qemu
runtime-rs: log out the qemu console when debug enabled
2025-09-10 16:59:30 +08:00
Hyounggyu Choi
1060a94b08 GHA: Add s390x nightly test for runtime-rs on IBM SEL
A new internal nightly test has been established for runtime-rs.
This commit adds a new entry `cc-se-e2e-tests-rs` to the existing
matrix and renames the existing entry `cc-se-e2e-tests` to
`cc-se-e2e-tests-go`.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-10 10:57:40 +02:00
Hyounggyu Choi
37764d18d4 tests: Skip k8s tests for qemu-se-runtime-rs
Tests skipped because tests for `qemu-se` are skipped:
- k8s-empty-dirs.bats
- k8s-inotify.bats
- k8s-shared-volume.bats

Tests skipped because tests for `qemu-runtime-rs` are skipped:

- k8s-block-volume.bats
- k8s-cpu-ns.bats
- k8s-number-cpus.bats

Let's skip the tests above to run the nightly test
for runtime-rs on IBM SEL.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-10 10:57:40 +02:00
Steve Horsman
e502fa2feb Merge pull request #11731 from kata-containers/dependabot/go_modules/src/tools/csi-kata-directvolume/github.com/ulikunitz/xz-0.5.14
build(deps): bump github.com/ulikunitz/xz from 0.5.11 to 0.5.14 in /src/tools/csi-kata-directvolume
2025-09-10 09:47:28 +01:00
Steve Horsman
3f25b88f89 Merge pull request #11737 from kata-containers/dependabot/cargo/src/runtime-rs/tracing-subscriber-0.3.20
build(deps): bump tracing-subscriber from 0.3.17 to 0.3.20 in /src/runtime-rs
2025-09-10 09:47:07 +01:00
Steve Horsman
22bc29cb4a Merge pull request #11746 from stevenhorsman/bump-tests-go-mod-yaml-3.0.1
versions: Bump gopkg.in/yaml.v3
2025-09-10 09:46:18 +01:00
RuoqingHe
106c6cea59 Merge pull request #11774 from RuoqingHe/2025-09-09-disable-make-test-libs-temporarily
ci: gatekeeper: Mark `make test libs` not required
2025-09-10 14:52:33 +08:00
Fupan Li
16be168062 runtime-rs: log out the qemu console when debug enabled
When hypervisor's debug enabled, log out the qemu's console
messages for kernel boot debugging.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-10 14:19:15 +08:00
Fupan Li
5715408d61 runtime-rs: add the console device to kernel boot for qemu
Add the console device to kernel boot, thus we can log
out the kernel's boot message for debug.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-09-10 14:10:45 +08:00
Ruoqing He
6a2d813196 ci: gatekeeper: Mark make test libs not required
There are still some issues to be addressed before we can mark `make test`
for `libs` as required. Mark this case as not required temporarily.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-10 03:52:20 +00:00
Ryan Savino
85779a6f1a packaging: add required modules for confidential guest kernel
SNP launch was failing after the confidential guest kernel was upgraded to 6.16.1.
Added required module CONFIG_MTRR enabled.
Added required module CONFIG_X86_PAT enabled.

Fixes: #11779

Signed-off-by: Ryan Savino <ryan.savino@amd.com>
2025-09-09 21:58:15 -05:00
Xuewei Niu
c1ee0985ed Merge pull request #11770 from stevenhorsman/agent-ctl-bump-hypervisor
agent-ctl: version: bump hypervisor
2025-09-09 11:59:25 +08:00
Aurélien Bombo
ceab55a871 Merge pull request #11772 from kata-containers/sprt/zizmor-hash
ci: security: Fix "commit hash does not point to a Git tag"
2025-09-08 13:56:25 -05:00
Aurélien Bombo
b640fe5a6a Merge pull request #11756 from kata-containers/sprt/curl-logging
ci: cri-containerd-amd64: add logging for curl failures
2025-09-08 11:55:29 -05:00
Aurélien Bombo
c0030c271c ci: security: Fix "commit hash does not point to a Git tag"
This fixes all such issues, i.e.:

https://github.com/kata-containers/kata-containers/security/code-scanning/459
https://github.com/kata-containers/kata-containers/security/code-scanning/508
https://github.com/kata-containers/kata-containers/security/code-scanning/510

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-08 11:17:54 -05:00
Aurélien Bombo
cbcc7af6f3 Merge pull request #11615 from kata-containers/sprt/zizmor-pedantic
security: gha: Run Zizmor in auditor mode
2025-09-08 10:28:19 -05:00
stevenhorsman
87356269d8 versions: Tidy up go.mod versions
Update go 1.23 references to go 1.24.6 to match
versions.yaml

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-08 14:03:47 +01:00
stevenhorsman
2d28f3d267 agent-ctl: version: bump hypervisor
Bump the version of runtime-rs' hypervisor crate
to upgrade (indirectly) protobuf and remediate vulnerability
RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-08 13:23:03 +01:00
dependabot[bot]
5ae34ab240 build(deps): bump github.com/ulikunitz/xz
Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.11 to 0.5.14.
- [Commits](https://github.com/ulikunitz/xz/compare/v0.5.11...v0.5.14)

---
updated-dependencies:
- dependency-name: github.com/ulikunitz/xz
  dependency-version: 0.5.14
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-08 11:30:49 +01:00
Alex Lyn
8eeea7d1fc runtime-rs: Correct the default create_container_timeout with 30s
The previous documentation gave the default of create_container_timeout
as 30,000 milliseconds, which does not keep alignment with runtime-go.
In this commit, we change it to 30 seconds.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-07 21:59:37 +08:00
Alex Lyn
3e53f2814a kata-types: Support create_container_timeout set within configuration
Since it aligns with the create_container_timeout definition in
runtime-go, we need to set the value in configuration.toml in seconds,
not milliseconds. We must also convert it to milliseconds when the
configuration is loaded for request_timeout_ms.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-07 21:59:32 +08:00
Alex Lyn
4644a02871 Merge pull request #11752 from Apokleos/fix-hooks-devcgrp
runtime-rs: Remove default value of Linux.Resources.Devices and correctly set Hooks in OCI Spec to meet with Agent Policy requirements
2025-09-07 18:01:02 +08:00
stevenhorsman
66dc24566f versions: Bump gopkg.in/yaml.v3
Bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 to remediate
CVE-2022-28948

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-05 16:36:48 +01:00
Aurélien Bombo
c480737ebd ci: cri-containerd-amd64: add logging for curl failures
This is to investigate #11755.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-05 10:35:45 -05:00
Aurélien Bombo
efbc69a2ec Merge pull request #11760 from kata-containers/sprt/oidc-fix
ci: aks: Refresh OIDC token in case access token expired
2025-09-05 10:29:35 -05:00
Dan Mihai
1f68f15995 Merge pull request #11759 from microsoft/danmihai1/policy-storages
genpolicy: print Input and Policy storages
2025-09-04 15:07:45 -07:00
Aurélien Bombo
f39517a18a ci: aks: Refresh OIDC token in case access token expired
It's possible that tests take a long time to run and hence that the access
token expires before we delete the cluster. In this case `az cli` will try
to refresh the access token using the OIDC token (which will have
definitely also expired because its lifetime is ~5 minutes).

To address this we refresh the OIDC token manually instead. Automatic
refresh isn't supported per Azure/azure-cli#28708.

Fixes: #11758

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-04 12:44:02 -05:00
Dan Mihai
9b0b7fc795 genpolicy: print Input and Policy storages
Print the Storage data structures, to help with debugging.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-04 16:03:03 +00:00
Cameron Baird
bdd98ec623 ci: Add test case for iptables, exercised via istio init container
Introduce new test case in k8s-iptables.bats which verifies that
workloads can configure iptables in the UVM.

Users discovered that they weren't able to do this for common use cases
such as istio. Proper support for this should be built into UVM
kernels. This test ensures that current and future kernel
configurations don't regress this functionality.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-09-04 07:18:45 +02:00
Cameron Baird
d16026f7b9 kernel: add required configs for ip6tables support
Currently, the UVM kernel fails for istio deployments (at least with the
version we tested, 1.27.0). This is because the istio sidecar container
uses ip6tables and the required kernel configs are not built-in:

```
iptables binary ip6tables has no loaded kernel support and cannot be used, err: exit status 3 out: ip6tables v1.8.10 (legacy):
can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
```

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-09-04 07:18:45 +02:00
Aurélien Bombo
1dcc67c241 security: gha: Use Zizmor's auditor mode
This is the strictest possible setting for Zizmor.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-03 12:30:09 -05:00
Hyounggyu Choi
49ca96561b Merge pull request #11750 from BbolroC/use-pattern-working-for-both-runtimes
tests: Use "Failed" consistently for both runtimes
2025-09-03 13:06:05 +02:00
Alex Lyn
e235fc1efb runtime-rs: Remove default value of Linux.Resources.Devices in OCI Spec
In certain scenarios, particularly under CoCo/Agent Policy enforcement,
the default initial value of `Linux.Resources.Devices` is considered
non-compliant, leading to container creation failures. To address this
issue and ensure consistency with the behavior in `runtime-go`, this
commit removes the default value of `Linux.Resources.Devices` from the
OCI Spec.

This cleanup ensures that the OCI Spec aligns with runtime expectations
and prevents policy violations during container creation.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-03 18:42:34 +08:00
Alex Lyn
203f7090a6 runtime-rs: Ensure the setting of hooks when OCI Hooks exist
Only the StartContainer hook needs to be reserved for execution in the
guest, but we also make sure that the setting happens only when the OCI
Hooks do exist; otherwise we do nothing.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-09-03 17:38:40 +08:00
Hyounggyu Choi
6d6202bbe3 tests: Use "Failed" consistently for both runtimes
In k8s-guest-pull-image.bats, `failed to pull image` is
not caught by assert_logs_contain() for runtime-rs.
To ensure consistency, this commit changes `failed` to
`Failed`, which works for both runtimes.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-03 09:09:13 +02:00
Hyounggyu Choi
150c90e32a Merge pull request #11728 from BbolroC/fix-sealed-secret-volume
runtime-rs: Adjust path for sealed secret mount check
2025-09-02 16:57:33 +02:00
Fupan Li
9cc1c76ade Merge pull request #11729 from kata-containers/dependabot/go_modules/src/tools/log-parser/gopkg.in/yaml.v3-3.0.1
build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 in /src/tools/log-parser
2025-09-02 17:05:51 +08:00
dependabot[bot]
8330dd059f build(deps): bump tracing-subscriber in /src/runtime-rs
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.17 to 0.3.20.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.17...tracing-subscriber-0.3.20)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-29 20:44:35 +00:00
Xuewei Niu
f6ff9cf717 Merge pull request #11689 from Caspian443/fix-devmapper-selinux-mount-issue
runtime-rs: Empty block-rootfs Storage.options and align with Go runtime
2025-08-29 15:29:46 +08:00
Aurélien Bombo
754f07cff2 Merge pull request #11614 from kata-containers/workflow-permissions-tightening
Workflow permissions tightening
2025-08-28 10:56:03 -05:00
dependabot[bot]
3a0416c99f build(deps): bump gopkg.in/yaml.v3 in /src/tools/log-parser
Bumps gopkg.in/yaml.v3 from 3.0.0 to 3.0.1.

---
updated-dependencies:
- dependency-name: gopkg.in/yaml.v3
  dependency-version: 3.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-28 14:03:22 +00:00
Hyounggyu Choi
65fdb18c96 runtime-rs: Adjust path for sealed secret mount check
Mount validation for sealed secret requires the base path to start with
`/run/kata-containers/shared/containers`. Previously, it used
`/run/kata-containers/sandbox/passthrough`, which caused test
failures where volume mounts are used.

This commit renames the path to satisfy the validation check.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-28 15:38:07 +02:00
Fabiano Fidêncio
08d2ba1969 cgroups: Fix "." parent cgroup special case
ef642fe890 added a special case to avoid
moving cgroups that are on the "default" slice in case of deletion.

However, this special check should be done in the Parent() method
instead, which ensures that the default resource controller ID is
returned, instead of ".".

Fixes: #11599

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-27 08:15:15 +02:00
Caspian443
617af4cb3b runtime-rs: Empty block-rootfs Storage.options and align with Go runtime
- Set guest Storage.options for block rootfs to empty (do not propagate host mount options).
- Align behavior with Go runtime: only add xfs nouuid when needed.

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-08-26 01:27:21 +00:00
Caspian443
9a7aadaaca libs: Introduce rootfs fs types
- Add new kata-types::fs module with:
  - VM_ROOTFS_FILESYSTEM_EXT4
  - VM_ROOTFS_FILESYSTEM_XFS
  - VM_ROOTFS_FILESYSTEM_EROFS
- Export fs module in src/libs/kata-types/src/lib.rs
- Remove duplicated filesystem constants from src/runtime-rs/crates/hypervisor/src/lib.rs
- Update src/runtime-rs/crates/hypervisor/src/kernel_param.rs (and tests) to import from kata_types::fs

Signed-off-by: Caspian443 <scrisis843@gmail.com>
2025-08-26 01:26:53 +00:00
Fabiano Fidêncio
63f6dcdeb9 kata-manager: Support xz and zst suffixes for the kata tarball
We moved to `.zst`, but users still use the upstream kata-manager to
download older versions of the project, thus we need to support both
suffixes.

Fixes: #11714

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-25 21:15:06 +02:00
Fupan Li
687d0bf94a Merge pull request #11715 from fidencio/topic/backport-qemu-reclaim-guest-freed-memory
runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT]
2025-08-25 16:59:29 +08:00
Fabiano Fidêncio
fd1b8ceed1 runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT]
Similar to what we've done for Cloud Hypervisor in the commit
9f76467cb7, we're backporting a runtime-rs
feature that would be beneficial to have as part of the go runtime.

This allows users to use virtio-balloon for the hypervisor to reclaim
memory freed by the guest.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-22 23:56:47 +02:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening, a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Fabiano Fidêncio
e396a460bc Revert "local-build: Enforce USE_CACHE=no"
This reverts commit cb5f143b1b, as the
cached packages have been regenerated after the switch to using zstd.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-22 14:03:36 +02:00
Steve Horsman
23d2dfaedc Merge pull request #11707 from fidencio/topic/switch-to-use-zstd-when-possible
kata-deploy: local-build: Use zstd instead of xz
2025-08-22 10:06:00 +01:00
stevenhorsman
8cbb1a4357 runtime: Fix non constant Errorf formatting
As part of the go 1.24.6 bump there are errors about the incorrect
use of an Errorf, so switch to the non-formatting version, or add
the format string as appropriate.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
381da9e603 versions: Bump golang to 1.24.6
golang 1.25 has been released, so 1.23 is EoL;
we should update to ensure we don't end up with security issues.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
0ccf429a3d workflows: Switch workflows to use install_go.sh
Update the two workflows that used setup-go to
instead call `install_go.sh` script, which handles
installing the correct version of golang

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
5f7525f099 build: Add darwin support to arch_to_golang
Avoid the error `ERROR: unsupported architecture: arm64`
in install_go.sh on darwin

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
stevenhorsman
3391c6f1c5 ci: Make install_go.sh more portable
`${kernel_name,,}` is bash 4.0 and not POSIX compliant, so it doesn't
work on macOS; switch to `tr`, which is more widely
supported.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
Alex Lyn
91913f9e82 Merge pull request #11711 from stevenhorsman/remote-allow-cc_init_data-annotation
runtime: Enable init_data annotation
2025-08-22 14:41:53 +08:00
Fupan Li
1a0fbbfa32 Merge pull request #11699 from Apokleos/support-nonprotection
runtime-rs: Support initdata within NonProtection scenarios
2025-08-22 10:24:47 +08:00
Hyounggyu Choi
41dcfb4a9f Merge pull request #11321 from BbolroC/reconnect-timeout-qemu-se
runtime-rs: Adjust VSOCK timeouts for IBM SEL
2025-08-22 00:34:05 +02:00
Fabiano Fidêncio
cb5f143b1b local-build: Enforce USE_CACHE=no
We need that to regenerate the tarballs that are already cached in the
zstd format.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 21:00:20 +02:00
stevenhorsman
081823b388 runtime: Enable init_data annotation
In #11693 the cc_init_data annotation was changed to be hypervisor
scoped, so each hypervisor needs to explicitly allow it in order to
use it now, so add this to both the go and rust runtime's remote
configurations.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-21 19:26:10 +01:00
Fabiano Fidêncio
f8d7ff40b4 local-build: Fix shim-v2 no cache build with measured rootfs
We need to get the root_hash.txt file from the image build, otherwise
there's no way to build the shim using those values for the
configuration files.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:56:01 +02:00
Fabiano Fidêncio
ad240a39e6 kata-deploy: tools: tests: Use zstd instead of xz
Although the compression ratio is not as optimal as using xz, it's way
faster to compress / uncompress, and it's "good enough".

This change is not small, but it's still self-contained, and has to get
in at once, in order to help bisects in the future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
9cc97ad35c kata-deploy: Bump image to use alpine 3.22
As 3.18 is already EOL.

We need to add `--break-system-packages` to enforce the installation
of the yq version that we rely on. The tests have shown
that no breakage actually happens, fortunately.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
1329ce355e versions: image / initrd: Bump to alpine 3.22
As 3.18 is EOL'ed.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:53:55 +02:00
Fabiano Fidêncio
c32fc409ec rootfs-builder: Bump alpine to 3.22
As we were using a very old non-supported version.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:53:55 +02:00
Zvonko Kaiser
60d87b7785 gpu: Add more debugging to CI/CD
Capture NVRC logs via journalctl

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-21 18:09:20 +02:00
Alex Lyn
e430727cb6 runtime-rs: Change the initdata device driver with block_device_driver
Currently, we replace vm_rootfs_driver with block_device_driver as the
initdata device driver.

Fixes #11697

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-21 18:56:26 +08:00
Alex Lyn
5cc028a8b1 runtime-rs: Support initdata within NonProtection scenarios
We also need to support initdata within NonProtection scenarios, even
though the platform is detected as NonProtection (usually called a
non-TEE host). In these cases, there's no need to validate the
`confidential_guest=true` item; we trust the result of the method
`available_guest_protection()?`.

Fixes #11697

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-21 18:56:23 +08:00
Hyounggyu Choi
faf5aed965 runtime-rs: Adjust VSOCK timeouts for IBM SEL
The default `reconnect_timeout` (3 seconds) was found to be insufficient for
IBM SEL when using VSOCK. This commit updates the timeouts as follows:

- `dial_timeout_ms`: Set to 90ms to match the value used in go-runtime for IBM SEL
- `reconnect_timeout_ms`: Increased to 5000ms based on empirical testing

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-21 12:35:44 +02:00
Hyounggyu Choi
b7d2973ce5 Merge pull request #11696 from BbolroC/enable-initdata-ibm-sel-runtime-rs
runtime-rs Enable initdata IBM SEL
2025-08-21 09:23:46 +02:00
Hyounggyu Choi
c4b4a3d8bb tests: Add hypervisor qemu-se-runtime-rs for initdata
This commit adds a new hypervisor `qemu-se-runtime-rs`
to test initdata for IBM SEL (s390x).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 18:57:50 +02:00
Hyounggyu Choi
2ec70bc8e2 runtime-rs: Enable initdata spec for IBM SEL
Add support for the `InitData` resource config on IBM SEL,
so that a corresponding block device is created and the
initdata is passed to the guest through this device.

Note that we skip passing the initdata hash via QEMU’s
object, since the hypervisor does not yet support this
mechanism for IBM SEL. It will be introduced separately
once QEMU adds the feature.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 18:57:50 +02:00
Zvonko Kaiser
c980b6e191 release: Bump version to 3.20.0
Bump VERSION and helm-chart versions

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-20 18:18:05 +02:00
Markus Rudy
30aff429df Merge pull request #11647 from Park-Jiyeonn/opt/sealed-secret-prefix-check
Optimize sealed secret scanning to avoid full file reads
2025-08-20 17:18:20 +02:00
Alex Lyn
014ab2fce6 Merge pull request #11693 from BbolroC/revert-initdata-annotation
runtime-rs: Fix issues for initdata
2025-08-20 21:17:52 +08:00
Fabiano Fidêncio
dd1752ac1c Merge pull request #11634 from mythi/coco-kernel-v6.16
versions: update kernel-confidential to Linux v6.16.1
2025-08-20 13:01:05 +02:00
Fupan Li
29ab8df881 Merge pull request #11514 from Apokleos/ci-for-libs
CI: Introduce CI for libs to Improve code quality and reduce noises
2025-08-20 18:59:27 +08:00
Hyounggyu Choi
0ac8f1f70e Merge pull request #11705 from Apokleos/remove-default-guesthookpath
kata-types: remove default setting of guest_hook_path
2025-08-20 11:15:25 +02:00
Mikko Ylinen
a0ae1b6608 packaging: kernel: libdw-dev and python3 to builder image
These new dependencies are needed by Linux 6.16+.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-08-20 11:34:09 +03:00
Mikko Ylinen
412a384aad versions: update kernel-confidential to Linux v6.16.1
Linux v6.16 brings some useful features for the confidential guests.
Most importantly, it adds an ABI to extend runtime measurement registers
(RTMR) for the TEE platforms supporting it. This is currently enabled
on Intel TDX only.

The kernel version bump from v6.12.x to v6.16 forces some CONFIG_*
changes too:

MEMORY_HOTPLUG_DEFAULT_ONLINE was dropped in favor of more config
choices. The equivalent option is MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO.

X86_5LEVEL was made unconditional. Since this was only a TDX
configuration, dropping it completely as part of v6.16 is fine.

CRYPTO_NULL2 was merged with CRYPTO_NULL. This was only added in
confidential guest fragments (cryptsetup) so we can drop it in this update.

CRYPTO_FIPS now depends on CRYPTO_SELFTESTS which further depends on
EXPERT which we don't have. Enable both in a separate config fragment
for confidential guests. This can be moved to a common setting once
other targets bump to post v6.16.

CRYPTO_SHA256_SSE3 arch optimizations were reworked and are now enabled
by default. Instead of adding it to whitelist.conf, just drop it completely
since it was only enabled as part of "measured boot" feature for
confidential guests. CONFIG_CRYPTO_CRC32_S390 was reworked the same way.
In this case, whitelist.conf is needed.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-08-20 11:32:48 +03:00
Hyounggyu Choi
0daafecef2 Revert "runtime-rs: Correct the corresponding initdata annotation const"
This reverts commit 37685c41c7.

This renames the relevant constant for initdata.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 10:15:23 +02:00
Hyounggyu Choi
f0db4032f2 Revert "kata-types: Align the initdata annotation with kata-runtime's definition"
This reverts commit ede773db17.

`cc_init_data` should be under a hypervisor category because
it is a hypervisor-specific feature. The annotation including
`runtime` also breaks a logic for `is_annotation_enabled()`.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 10:15:23 +02:00
Hyounggyu Choi
208cec429a runtime-rs: Introduce CoCo-specific enable_annotations
We need to include `cc_init_data` in the enable_annotations
array to pass the data. Since initdata is a CoCo-specific
feature, this commit introduces a new array,
`DEFENABLEANNOTATIONS_COCO`, which contains the required
string and applies it to the relevant CoCo configuration.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 10:15:23 +02:00
Hyounggyu Choi
1f978ecc31 runtime-rs: Fix issues for empty initdata annotation test
Currently, there are 2 issues for the empty initdata annotation
test:

- Empty string handling
- "\[CDH\] \[ERROR\]: Get Resource failed" not appearing

`add_hypervisor_initdata_overrides()` does not handle
an empty string, which might lead to a panic like:

```
called `Result::unwrap()` on an `Err` value: gz decoder failed
Caused by:
    failed to fill whole buffer
```

This commit makes the function return an empty string
for a given empty input and updates the assertion string
to one that appears in both go-runtime and runtime-rs.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-20 10:15:23 +02:00
alex.lyn
b23d094928 CI: Introduce CI for libs to Improve code quality and reduce noises
Currently, runtime-rs related code within the libs directory lacks
sufficient CI protection. We frequently observe the following issues:
- Inconsistent Code Formatting: Code that has not been properly
  formatted is merged.
- Failing Tests: Code with failing unit or integration tests is merged.

To address these issues, we need to introduce stricter CI checks for the
libs directory. This may specifically include:
- Code Formatting Checks
- Mandatory Test Runs

Fixes #11512

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
0f19465b3a shim-interface: Do cargo check and reduce warnings
Reduce shim-interface's warnings caused by non-formatted or unchecked operations.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
e05197e81c safe-path: Do cargo check and reduce warnings
Reduce warnings caused by non-formatted or unchecked operations.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
683d673f4f protocols: Do cargo format to make code clean
Fix protocols' warnings by correctly doing cargo check/format.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
38242d3a61 kata-types: Do cargo check and reduce warnings
Reduce noise caused by non-formatted code.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
283fd45045 kata-sys-utils: fix warnings for s390x
The warning reports as below:
```
   --> kata-sys-util/src/protection.rs:145:9
    |
145 |         return Err(ProtectionError::NoPerms)?;
    |         ^^^^^^^ help: remove it
    |
...
error: `to_string` applied to a type that implements `Display` in
`format!` args
   --> kata-sys-util/src/protection.rs:151:16
    |
151 |             err.to_string()
    |                ^^^^^^^^^^^^ help: remove this
```

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:36:09 +08:00
alex.lyn
730b0f1769 kata-sys-utils: Do cargo check on code and reduce warnings
Fix kata-sys-utils warnings by correctly doing cargo check and testing it well.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-08-20 15:35:42 +08:00
Fabiano Fidêncio
585d0be342 Merge pull request #11691 from alextibbles/update-lts-kernel
versions: update to latest LTS kernel 6.12.42
2025-08-20 08:55:06 +02:00
Fupan Li
b748688e69 Merge pull request #11698 from Apokleos/filter-arpneibhors
runtime-rs: Add only static ARP entries with handle_neighours
2025-08-20 14:05:20 +08:00
Alex Lyn
c4af9be411 kata-types: remove default setting of guest_hook_path
To make it aligned with the setting of runtime-go, we should keep
it empty when users don't enable it and set its path.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-20 13:56:42 +08:00
Zvonko Kaiser
bce8efca67 gpu: Rebuild initrd and image for kernel bump
We need to make sure that we use the latest kernel
and rebuild the initrd and image for the nvidia-gpu
use-cases, otherwise the tests will fail since
the modules are not built against the new kernel and
they simply fail to load.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-19 17:32:42 -04:00
Alex Tibbles
e20f6b2f9d versions: update to latest LTS kernel 6.12.42
Fixes #11690

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 17:32:42 -04:00
Fabiano Fidêncio
3503bcdb50 Merge pull request #11701 from alextibbles/go-stdlib-#11700
versions: sync go.mod with versions.yaml for go 1.23.12
2025-08-19 22:14:57 +02:00
Alex Tibbles
a03dc3129d versions: sync go.mod with versions.yaml for go 1.23.12
OSV-Scanner highlights go.mod references to go stdlib 1.23.0 contrary to intention in versions.yaml, so synchronize them.
Make a converse comment for versions.yaml.

Fixes: #11700

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 11:30:19 -04:00
Hyounggyu Choi
93ec470928 runtime/tests: Update annotation for initdata
Let's rename the runtime-rs initdata annotation from
`io.katacontainers.config.runtime.cc_init_data` to
`io.katacontainers.config.hypervisor.cc_init_data`.

Rationale:
- initdata itself is a hypervisor-specific feature
- the new name aligns with the annotation handling logic:
c92bb1aa88/src/libs/kata-types/src/annotations/mod.rs (L514-L968)

This commit updates the annotation for go-runtime and tests accordingly.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-19 15:17:01 +02:00
Alex Lyn
903e608c23 runtime-rs: Add only static ARP entries with handle_neighours
To make it aligned with runtime-go, we need to add only static ARP
entries to the targets.

Fixes #11697

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-19 20:09:20 +08:00
Steve Horsman
c92bb1aa88 Merge pull request #11684 from zvonkok/gpu-required
gatekeeper: GPU test required
2025-08-15 10:30:19 +01:00
Hyounggyu Choi
28bd0cf405 Merge pull request #11640 from rafsal-rahim/bm-initdata-s390x
Feat | Implement initdata for bare-metal/qemu for s390x
2025-08-15 10:42:32 +02:00
Zvonko Kaiser
3a4e1917d2 gatekeeper: Make GPU test required
We now run a simple RAG pipeline with each PR to make
sure we do not break GPU support.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-14 18:35:39 -04:00
Aurélien Bombo
3a5e2060aa Merge pull request #11683 from kata-containers/sprt/static-checks-default-branch
ci: static-checks: Don't hardcode default repo branch
2025-08-14 17:01:18 -05:00
Zvonko Kaiser
55ee8abf0b Merge pull request #11658 from kata-containers/amd64-nvidia-gpu-cicd-step2
gpu: AMD64 NVIDIA GPU CI/CD Part 2
2025-08-14 17:51:26 -04:00
Aurélien Bombo
0fa7d5b293 ci: static-checks: Don't hardcode default repo branch
This would cause weird issues for downstreams whose default branch is not
"main".

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-08-14 13:22:20 -05:00
Zvonko Kaiser
dcb62a7f91 Merge pull request #11525 from was-saw/qemu-seccomp
runtime-rs: add seccomp support for qemu
2025-08-14 12:35:32 -04:00
Zvonko Kaiser
8be41a4e80 gpu: Add embedding service
For a simple RAG pipeline add an embedding service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-14 16:34:21 +00:00
RuoqingHe
65a9fe0063 Merge pull request #11670 from kevinzs2048/add-aavmf
CI: change the directory for Arm64 firmware
2025-08-14 21:30:21 +08:00
stevenhorsman
43cdde4c5d test/k8s: Extend initdata tests to run on s390x
Enable testing of initdata on the qemu-coco-dev and qemu-se
runtime classes, so we can validate the function on s390x

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-14 17:10:58 +05:30
rafsalrahim
9891b111d1 runtime: Add initdata support to s390x
- Added support for initdata device on s390x.
- Generalized devno generation for QEMU CCW devices.

Signed-off-by: rafsalrahim <rafsal.rahim@ibm.com>
2025-08-14 17:10:58 +05:30
wangxinge
d147e2491b runtime-rs: add seccomp support for qemu
This commit supports the seccomp_sandbox option from the configuration.toml file
and adds the logic for appending command-line arguments based on this new configuration parameter.

Fixes: #11524

Signed-off-by: wangxinge <wangxinge@bupt.edu.cn>
2025-08-14 18:45:03 +08:00
Xuewei Niu
479cce8406 Merge pull request #11536 from was-saw/clh/fc-seccomp
runtime-rs: add seccomp support for cloud hypervisor and firecracker
2025-08-14 18:23:14 +08:00
Dan Mihai
ea74024b93 Merge pull request #11663 from burgerdev/arp
genpolicy: support AddARPNeighbors
2025-08-13 14:54:36 -07:00
Kevin Zhao
aadad0c9b6 CI: change the directory for Arm64 firmware
Previously it was reusing ovmf, which ran into some issues with
path checking, so move to aavmf as it should be.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-08-13 23:39:44 +02:00
Fabiano Fidêncio
cfd0ebe85f Merge pull request #11675 from katexochen/snp-guest-policy
runtime: make SNP guest policy configurable
2025-08-13 22:20:51 +02:00
Steve Horsman
c7f4c9a3bb Merge pull request #11676 from stevenhorsman/golang-1.23.12-bump
versions: Bump golang to 1.23.12
2025-08-13 15:24:17 +01:00
Park.Jiyeon
2f50c85b12 agent: avoid full file reads when scanning sealed secrets.
Read only the sealed secret prefix instead of the whole file.
Improves performance and reduces memory usage in I/O-heavy environments.

Fixes: #11643

Signed-off-by: Park.Jiyeon <jiyeonnn2@icloud.com>
2025-08-13 20:32:03 +08:00
Paul Meyer
5635410dd3 runtime: make SNP guest policy configurable
Depending on the platform configuration, users might want to
set a more secure policy than the QEMU default.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-08-13 09:06:36 +02:00
stevenhorsman
1a6f1fc3ac versions: Bump golang to 1.23.12
Bump go version to remediate vuln GO-2025-3849

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-12 14:46:29 +01:00
Dan Mihai
9379a18c8a Merge pull request #11565 from Sumynwa/sumsharma/agent_ctl_vm_boot_support
agent-ctl: Add option "--vm" to boot pod VM for testing.
2025-08-11 09:36:23 -07:00
Sumedh Alok Sharma
c7c811071a agent-ctl: Add option --vm to boot pod VM for testing.
This change introduces a new command line option `--vm`
to boot up a pod VM for testing. The tool connects to the
kata agent running inside the VM to send the test commands.
The tool uses `hypervisor` crates from runtime-rs for VM
lifecycle management. The current implementation supports
Qemu & Cloud Hypervisor as VMMs.

In summary:
- tool parses the VMM specific runtime-rs kata config file in
/opt/kata/share/defaults/kata-containers/runtime-rs/*
- prepares and starts a VM using runtime-rs::hypervisor vm APIs
- retrieves agent's server address to set up the connection
- tests the requested commands & shuts down the VM

Fixes #11566

Signed-off-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
2025-08-11 11:03:18 +00:00
wangxinge
f3a669ee2d runtime-rs: add seccomp support for cloud hypervisor and firecracker
The seccomp feature for Cloud Hypervisor and Firecracker is enabled by default.
This commit introduces an option to disable seccomp for both and updates the built-in configuration.toml file accordingly.

Fixes: #11535

Signed-off-by: wangxinge <wangxinge@bupt.edu.cn>
2025-08-11 17:59:30 +08:00
Hyounggyu Choi
407252a863 Merge pull request #11641 from Apokleos/kata-log
runtime-rs: Label system journal log with kata
2025-08-11 08:44:31 +02:00
Alex Lyn
196d7d674d runtime-rs: Label system journal log with kata
Route kata-shim logs directly to systemd-journald under 'kata' identifier.

This refactoring enables `kata-shim` logs to be properly attributed to
'kata' in systemd-journald, instead of inheriting the 'containerd'
identifier.

Previously, `kata-shim` logs were challenging to filter and debug as
they appeared under the `containerd.service` unit.

This commit resolves this by:
1.  Introducing a `LogDestination` enum to explicitly define logging
    targets (File or Journal).
2.  Modifying logger creation to set `SYSLOG_IDENTIFIER=kata` when
    logging to Journald.
3.  Ensuring type safety and correct ownership handling for different
    logging backends.

This significantly enhances the observability and debuggability of Kata
Containers, making it easier to monitor and troubleshoot Kata-specific
events.

Fixes: #11590

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-10 16:00:36 +08:00
Aurélien Bombo
be148c7f72 Merge pull request #11666 from kata-containers/sprt/static-check-exclude-security-md
ci: static-checks: add SECURITY.md to exclude list
2025-08-08 12:50:29 -05:00
Fabiano Fidêncio
dcbdf56281 Merge pull request #11660 from zvonkok/remove-stable
ci: Remove stable
2025-08-08 14:18:25 +02:00
Xuewei Niu
1d2f2d6350 Merge pull request #11219 from fidencio/topic/version-qemu-bump-to-10.0.0
version: Bump QEMU to v10.0.0
2025-08-08 19:04:45 +08:00
RuoqingHe
aaf8de3dbf Merge pull request #11669 from kevinzs2048/add-timeout
ci: cri-containerd: add 5s timeout for creating sandbox with crictl
2025-08-08 18:25:58 +08:00
Alex Lyn
9816ffdac7 Merge pull request #11653 from Apokleos/align-initdata-annoation
Align initdata annotation with kata-runtime
2025-08-08 16:24:09 +08:00
Kevin Zhao
1aa65167d7 CI: cri-containerd: add 5s timeout for creating sandbox with crictl
After moving the Arm64 CI nodes to new ones, we faced an interesting
timeout issue when executing the command with crictl runp;
the error is usually: code = DeadlineExceeded

Fixes: #11662

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-08-08 15:41:39 +08:00
Fupan Li
b50777a174 Merge pull request #10580 from pmores/make-vcpu-allocation-more-accurate
runtime-rs: make vcpu allocation more accurate
2025-08-08 14:14:40 +08:00
Xuewei Niu
beea0c34c5 Merge pull request #11060 from kata-containers/sprt/vfsd-metadata
runtime: virtio-fs: Support "metadata" cache mode
2025-08-08 11:13:57 +08:00
Fabiano Fidêncio
f9e16431c1 version: Bump QEMU to v10.0.3
As the new release of QEMU is out, let's switch to it and take advantage
of bug fixes and improvements.

QEMU changelog: https://wiki.qemu.org/ChangeLog/10.0

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-07 22:31:30 +02:00
Greg Kurz
f9a6359674 Merge pull request #11667 from c3d/bug/11633-qmp
qemu: Respect the JSON schema for hot plug
2025-08-07 16:04:12 +02:00
Aurélien Bombo
6d96875d04 runtime: virtio-fs: Support "metadata" cache mode
The Rust virtiofsd supports a "metadata" cache mode [1] that wasn't
present in the C version [2], so this PR adds support for that.

 [1] https://gitlab.com/virtio-fs/virtiofsd
 [2] https://qemu.weilnetz.de/doc/5.1/tools/virtiofsd.html#cmdoption-virtiofsd-cache

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-08-07 21:24:40 +08:00
Pavel Mores
69f21692ed runtime-rs: enable vcpu allocation tests in CI
This series should make runtime-rs's vcpu allocation behaviour match the
behaviour of runtime-go so we can now enable pertinent tests which were
skipped so far due to the difference between both shims.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Pavel Mores
00bfa3fa02 runtime-rs: re-adjust config after modifying it with annotations
Configuration information is adjusted after loading from file but so
far, there has been no similar check for configuration coming from
annotations.  This commit introduces re-adjusting config after
annotations have been processed.

A small refactor was necessary as a prerequisite which introduces
function TomlConfig::adjust_config() to make it easier to invoke
the adjustment for a whole TomlConfig instance.  This function is
analogous to the existing validate() function.

The immediate motivation for this change is to make sure that 0
in "default_vcpus" annotation will be properly adjusted to 1 as
is the case if 0 is loaded from a config file.  This is required
to match the golang runtime behaviour.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Pavel Mores
e2156721fd runtime-rs: add tests to exercise floating-point 'default_vcpus'
Also included (as commented out) is a test that does not pass although
it should.  See source code comment for explanation why fixing this seems
beyond the scope of this PR.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Pavel Mores
1f95d9401b runtime-rs: change representation of default_vcpus from i32 to f32
This commit focuses purely on the formal change of type.  If any subsequent
changes in semantics are needed they are purposely avoided here so that the
commit can be reviewed as a 100% formal and 0% semantic change.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Pavel Mores
cdc0eab8e4 runtime-rs: make sandbox vcpu allocation more accurate
This commit addresses a part of the same problem as PR #7623 did for the
golang runtime.  So far we've been rounding up individual containers'
vCPU requests and then summing them up which can lead to allocation of
excess vCPUs as described in the mentioned PR's cover letter.  We address
this by reversing the order of operations, we sum the (possibly fractional)
container requests and only then round up the total.

We also align runtime-rs's behaviour with runtime-go in that we now
include the default vcpu request from the config file ('default_vcpu')
in the total.

We diverge from PR #7623 in that `default_vcpu` is still treated as an
integer (this will be a topic of a separate commit), and that this
implementation avoids relying on 32-bit floating point arithmetic as there
are some potential problems with using f32.  For instance, some numbers
commonly used in decimal, notably all of single-decimal-digit numbers
0.1, 0.2 .. 0.9 except 0.5, are periodic in binary and thus fundamentally
not representable exactly.  Arithmetics performed on such numbers can lead
to surprising results, e.g. adding 0.1 ten times gives 1.0000001, not 1,
and taking a ceil() results in 2, clearly a wrong answer in vcpu
allocation.

So instead, we take advantage of the fact that container requests happen
to be expressed as a quota/period fraction so we can sum up quotas,
fundamentally integral numbers (possibly fractional only due to the need
to rewrite them with a common denominator) with much less danger of
precision loss.

Signed-off-by: Pavel Mores <pmores@redhat.com>
2025-08-07 10:32:44 +02:00
Christophe de Dinechin
ec480dc438 qemu: Respect the JSON schema for hot plug
When hot-plugging CPUs on QEMU, we send a QMP command with JSON
arguments. QEMU 9.2 recently became more strict[1] enforcing the
JSON schema for QMP parameters. As a result, running Kata Containers
with QEMU 9.2 results in a message complaining that the core-id
parameter is expected to be an integer:

```
qmp hotplug cpu, cpuID=cpu-0 socketID=1, error:
QMP command failed:
Invalid parameter type for 'core-id', expected: integer
```

Fix that by changing the core-id, socket-id and thread-id to be
integer values.

[1]: be93fd5372

Fixes: #11633

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2025-08-07 09:13:57 +02:00
Alex Lyn
37685c41c7 runtime-rs: Correct the corresponding initdata annotation const
As we have changed the initdata annotation definition, we also need to
correct its const definition accordingly with KATA_ANNO_CFG_RUNTIME_INIT_DATA.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-07 10:45:28 +08:00
Alex Lyn
163f04a918 Merge pull request #11651 from microsoft/danmihai1/debug-kubectl-logs
tests: k8s-sandbox-vcpus-allocation debug info
2025-08-07 10:27:29 +08:00
Aurélien Bombo
e3b4d87b6d ci: static-checks: add SECURITY.md to exclude list
This adds SECURITY.md to the list of GH-native files that should be excluded by
the reference checker.

Today this is useful for downstreams who already have a SECURITY.md file for
compliance reasons. When Kata onboards that file, this commit will also be
required.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-08-06 11:24:52 -05:00
Markus Rudy
3eb0641431 genpolicy: add rule for AddARPNeighbors
When the network interface provisioned by the CNI has static ARP table entries,
the runtime calls AddARPNeighbor to propagate these to the agent. As of today,
these calls are simply rejected.

In order to allow the calls, we do some sanity checks on the arguments:

We must ensure that we don't unexpectedly route traffic to the host that was
not intended to leave the VM. In a first approximation, this applies to
loopback IPs and devices. However, there may be other sensitive ranges (for
example, VPNs between VMs), so there should be some flexibility for users to
restrict this further. This is why we introduce a setting, similar to
UpdateRoutes, that allows restricting the neighbor IPs further.

The only valid state of an ARP neighbor entry is NUD_PERMANENT, which has a
value of 128 [1]. This is already enforced by the runtime.

According to rtnetlink(7), valid flag values are 8 and 128, respectively [2],
thus we allow any combination of these.

[1]: https://github.com/torvalds/linux/blob/4790580/include/uapi/linux/neighbour.h#L72
[2]: https://github.com/torvalds/linux/blob/4790580/include/uapi/linux/neighbour.h#L49C20-L53

Fixes: #11664

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-08-06 17:24:36 +02:00
Zvonko Kaiser
1b1b3af9ab ci: Remove trigger for stable branch
We do not support stable branches anymore,
remove the trigger for it.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-06 09:22:24 +08:00
Hyounggyu Choi
af01434226 Merge pull request #11646 from kata-containers/sprt/param-static-checks
ci: static-checks: Auto-detect repo by default
2025-08-05 22:13:20 +02:00
Alex Lyn
ede773db17 kata-types: Align the initdata annotation with kata-runtime's definition
To make it work within CI, we do alignment with kata-runtime's definition
with "io.katacontainers.config.runtime.cc_init_data".

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-08-03 22:51:39 +08:00
Dan Mihai
05eca5ca25 tests: k8s-sandbox-vcpus-allocation debug info
Print more details about the behavior of "kubectl logs", trying to understand
errors like:

https://github.com/kata-containers/kata-containers/actions/runs/16662887973/job/47164791712

not ok 1 Check the number vcpus are correctly allocated to the sandbox
 (in test file k8s-sandbox-vcpus-allocation.bats, line 37)
   `[ `kubectl logs ${pods[$i]}` -eq ${expected_vcpus[$i]} ]' failed with status 2
 No resources found in kata-containers-k8s-tests namespace.
...
 k8s-sandbox-vcpus-allocation.bats: line 37: [: -eq: unary operator expected

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-08-01 20:09:17 +00:00
Aurélien Bombo
c47bff6d6a Merge pull request #11637 from kata-containers/sprt/remove-install-az-cli
gha: Remove unnecessary install-azure-cli step
2025-08-01 09:34:46 -05:00
Fabiano Fidêncio
82f141a02e Merge pull request #11632 from burgerdev/codegen
runtime: reproducible generation of Golang proto bindings
2025-07-31 23:49:18 +02:00
Fabiano Fidêncio
7198c8789e Merge pull request #11639 from zvonkok/gpu_guest_components
gpu: guest components
2025-07-31 21:42:31 +02:00
Aurélien Bombo
9585e608e5 ci: static-checks: Auto-detect repo by default
This auto-detects the repo by default (instead of having to specify
KATA_DEV_MODE=true) so that forked repos can leverage the static-checks.yaml CI
check without modification.

An alternative would have been to pass the repo in static-checks.yaml. However,
because of the matrix, this would've changed the check name, which is a pain to
handle in either the gatekeeper/GH UI.

Example fork failure:
https://github.com/microsoft/kata-containers/actions/runs/16656407213/job/47142421739#step:8:75

I've tested this change to work in a fork.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-31 14:33:24 -05:00
Zvonko Kaiser
8422411d91 gpu: Add coco guest components
The second stage needs to consider the coco guest components

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-31 17:11:21 +00:00
Markus Rudy
3fd354b991 ci: add codegen to static-checks
Signed-off-by: Markus Rudy <mr@edgeless.systems>

Fixes: #11631

Co-authored-by: Steve Horsman <steven@uk.ibm.com>
2025-07-31 17:58:25 +01:00
Markus Rudy
9e38fd2562 tools: add image for Go proto bindings
In order to have a reproducible code generation process, we need to pin
the versions of the tools used. This is accomplished easiest by
generating inside a container.

This commit adds a container image definition with fixed dependencies
for Golang proto/ttrpc code generation, and changes the agent Makefile
to invoke the update-generated-proto.sh script from within that
container.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-07-31 17:58:25 +01:00
Markus Rudy
f7a36df290 runtime: generate proto files
The generated Go bindings for the agent are out of date. This commit
was produced by running
src/agent/src/libs/protocols/hack/update-generated-proto.sh with
protobuf compiler versions matching those of the last run, according to
the generated code comments.

Since there are new RPC methods, those needed to be added to the
HybridVSockTTRPCMockImp.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-07-31 17:58:25 +01:00
Fabiano Fidêncio
d077ed4c1e Merge pull request #11645 from kata-containers/topic/fix-kbuild-sign-pin-issue
build: nvidia: Fix KBUILD_SIGN_PIN breakage
2025-07-31 18:31:34 +02:00
Fabiano Fidêncio
8d30b84abd build: nvidia: Fix KBUILD_SIGN_PIN breakage
We only need KBUILD_SIGN_PIN exported when building nvidia related
artefacts.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-31 16:39:20 +02:00
Fabiano Fidêncio
20bef41347 Merge pull request #11236 from kata-containers/amd64-nvidia-gpu-cicd
gpu: AMD64 NVIDIA GPU CI/CD
2025-07-31 14:52:01 +02:00
Aurélien Bombo
96f1d95de5 gha: Remove unnecessary install-azure-cli step
az cli is already installed by the azure/login action.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-30 10:42:56 -05:00
Zvonko Kaiser
fbb0e7f2f2 gpu: Add secrets passthrough to the workflow
We need to pass-through the secrets in all the needed workflows
ci, ci-on-push, ci-nightly, ci-devel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:51:01 +00:00
Zvonko Kaiser
30778594d0 gpu: Add arm64-nvidia-a100 to actionlint.yaml
Make zizmor happy about our custom runner label

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
8768e08258 gpu: Add embedding service
For a simple RAG pipeline add an embedding service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
254dbd9b45 gpu: Add Pod spec for NIM llama
Pod spec for the NIM inferencing service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
568b13400a gpu: Add NIM bats test
We're running a simple NIM container to test if the GPUs
are working properly

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
6188b7f79f gpu: Add run_kubernetes_nv_tests.sh
Replicate what we have for run_tests and run .bats files

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
9a829107ba gpu: Add selector for k8s tests
We want to reuse the current run_tests with GPUs, introduce a var
that will define what to run.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
7669f1fbd1 gpu: Add NVIDIA GPU test block for amd64
Once we have the amd64 artifacts we can run some arm64 k8s tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
97d7575d41 gpu: Disable metrics tests
We are not running the metrics tests anyway for now
let's make room to run the GPU tests.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:58 +00:00
Anastassios Nanos
00e0db99a3 Merge pull request #11627 from itsmohitnarayan/FirecrackerVersionUpdate 2025-07-30 13:59:55 +03:00
Kumar Mohit
5cccbb9f41 versions: Upgrade Firecracker Version to 1.12.1
Updated versions.yaml to use Firecracker v1.12.1.
Replaced firecracker and jailer binaries under /opt/kata/bin.

Tested with kata-fc runtime on Kubernetes:
- Deployed pods using gitpod/openvscode-server
- Verified microVM startup, container access, and Firecracker usage
- Confirmed Firecracker and jailer versions via CLI

Signed-off-by: Kumar Mohit <68772712+itsmohitnarayan@users.noreply.github.com>
2025-07-30 12:51:08 +05:30
Saul Paredes
1aaaef2134 Merge pull request #11553 from microsoft/danmihai1/genpolicy-cleanup
genpolicy: reduce complexity
2025-07-28 14:32:59 -07:00
Dan Mihai
c11c972465 genpolicy: config layer logging clean-up
Use a simple debug!() for logging the config_layer string, instead of
transcoding, etc.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
30bfa2dfcc genpolicy: use CoCo settings by default
- "confidential_emptyDir" becomes "emptyDir" in the settings file.
- "confidential_configMap" becomes "configMap" in settings.
- "mount_source_cpath" becomes "cpath".
- The new "root_path" gets used instead of the old "cpath" to point to
  the container root path..
- "confidential_guest" is no longer used. By default it gets replaced
  by "enable_configmap_secret_storages"=false, because CoCo is using
  CopyFileRequest instead of the Storage data structures for ConfigMap
  and/or Secret volume mounts during CreateContainerRequest.
- The value of "guest_pull" becomes true by default.
- "image_layer_verification" is no longer used - just CoCo's guest pull
  is supported.
- The Request input files from unit tests are changing to reflect the
  new default settings values described above.
- tests/integration/kubernetes/tests_common.sh adjusts the settings for
  platforms that are not set-up for CoCo during CI (i.e., platforms
  other than SNP, TDX, and CoCo Dev).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
94995d7102 genpolicy: skip pulling layers for guest-pull
Skip pulling container image layers when guest-pull=true. The contents
of these layers were ignored due to:
- #11162, and
- tarfs snapshotter support having been removed from genpolicy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:13 +00:00
Dan Mihai
f6016f4f36 genpolicy: remove tarfs snapshotter support
AKS Confidential Containers are using the tarfs snapshotter. CoCo
upstream doesn't use this snapshotter, so remove this Policy complexity
from upstream.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-28 18:30:10 +00:00
Steve Horsman
077c59dd1f Merge pull request #11385 from wainersm/ci_make_coco_nontee_required
ci/gatekeeper: make run-k8s-tests-coco-nontee job required
2025-07-28 14:16:23 +01:00
Steve Horsman
74fba9c736 Merge pull request #11619 from kata-containers/install-dependencies-gh-cli
ci: Try passing api token into github api call
2025-07-28 13:35:12 +01:00
Xuewei Niu
2a3c8b04df Merge pull request #11613 from RuoqingHe/clippy-fix-for-libs-20250721
mem-agent: Ignore Cargo.lock
2025-07-28 17:45:29 +08:00
RuoqingHe
3f46347dc5 Merge pull request #11618 from RuoqingHe/fix-dragonball-default-build
dragonball: Fix warnings in default build
2025-07-28 11:24:46 +08:00
Xuewei Niu
e5d5768c75 Merge pull request #11626 from RuoqingHe/bump-cloud-hypervisor-v47
versions: Upgrade to Cloud Hypervisor v47.0
2025-07-28 10:34:45 +08:00
Ruoqing He
4ca6c2d917 mem-agent: Ignore Cargo.lock
`mem-agent` here is now a library and does not contain examples; ignore
Cargo.lock to get rid of untracked file noise produced by `cargo run` or
`cargo test`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-28 10:32:46 +08:00
Ruoqing He
3ec10b3721 runtime: clh: Re-generate client code against v47.0
Re-generates the client code against Cloud Hypervisor v47.0.

Note: The client code of cloud-hypervisor's OpenAPI is automatically
generated by openapi-generator.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 20:44:14 +02:00
Ruoqing He
14e9d2c815 versions: Upgrade to Cloud Hypervisor v47.0
Details of v47.0 release can be found in our roadmap project as
iteration v47.0: https://github.com/orgs/cloud-hypervisor/projects/6.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 20:42:24 +02:00
Xuewei Niu
6f6d64604f Merge pull request #11598 from justxuewei/cgroups 2025-07-25 17:53:03 +08:00
Hyounggyu Choi
860779c4d9 Merge pull request #11621 from Apokleos/enhance-copyfile
runtime-rs: Some extra work to enhance copyfile with sharedfs disabled
2025-07-25 11:27:03 +02:00
Ruoqing He
639273366a dragonball: Gate MmapRegion behind virtio-fs
`MmapRegion` is only used while `virtio-fs` is enabled when testing
dragonball; gate the import behind the `virtio-fs` feature.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 09:09:35 +00:00
Ruoqing He
2e81ac463a dragonball: Allow unused to suppress warnings
Some variables went unused if certain features are not enabled, use
`#[allow(unused)]` to suppress those warnings at the time being.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 09:07:19 +00:00
Ruoqing He
5f7da1ccaa dragonball: Silence never read fields
Some fields in structures used for testing purposes are never read;
rename them to send out the message.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 09:07:19 +00:00
Ruoqing He
225e6fffbc dragonball: Gate VcpuManagerError behind host-device
`VcpuManagerError` is only needed when `host-device` feature is enabled,
gate the import behind that feature.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 09:07:19 +00:00
Ruoqing He
0502b05718 dragonball: Remove with-serde feature assertion
Code inside `test_mac_addr_serialization_and_deserialization` test does
not actually require this `with-serde` feature to test, removing the
assertion here to enable this test.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 09:05:55 +00:00
Xuewei Niu
60e3679eb7 runtime-rs: Add full cgroups support on host
Add full cgroups support on host. Cgroups are managed by `FsManager` and
`SystemdManager`. As the names imply, the `FsManager` manages cgroups
through cgroupfs, while the `SystemdManager` manages cgroups through
systemd. The two managers support cgroup v1 and cgroup v2.

Two types of cgroups path are supported:

1. For colon paths, for example "foo.slice:bar:baz", the runtime manages
cgroups by `SystemdManager`;
2. For relative/absolute paths, the runtime manages cgroups by
`FsManager`.

vCPU threads are added into the sandbox cgroups in cgroup v1 + cgroupfs; in
the others (cgroup v1 + systemd, cgroup v2 + cgroupfs, cgroup v2 + systemd)
the VMM process is added into the cgroups.

systemd doesn't provide a way to add a thread to a unit. `add_thread()`
in `SystemdManager` is equivalent to `add_process()`.

Cgroup v2 supports threaded mode. However, we should enable threaded mode
from leaf node to the root node (`/`) iteratively [1]. This means the
runtime needs to modify the cgroups created by container runtime (e.g.
containerd). Considering cgroupfs + cgroup v2 is not a common combination,
its behavior is aligned with systemd + cgroup v2, which is not allowed to
manage process at the thread level.

1: https://www.kernel.org/doc/html/v4.18/admin-guide/cgroup-v2.html#threads

Fixes: #11356

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-25 14:52:55 +08:00
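The commit message above distinguishes two kinds of cgroups path (a colon-separated "slice:prefix:name" handled by `SystemdManager`, and a relative or absolute filesystem path handled by `FsManager`) and states that only the cgroup v1 + cgroupfs combination places individual vCPU threads. The following is an added example, not code from the Kata runtime-rs: it parses a path string into one of those two targets and derives the placement rule from the combination. The validation rules for the systemd form (exactly three colon-separated parts, a slice name ending in `.slice`, an empty slice defaulting to `system.slice`) follow the runc convention and are assumptions, as are all type and function names.

```rust
// Added example, not Kata code: classify a cgroups path string into a
// systemd-managed or cgroupfs-managed target. Names are hypothetical.
use std::path::PathBuf;

#[derive(Debug, PartialEq)]
pub enum CgroupTarget {
    /// Managed via systemd: a scope unit derived from <prefix>/<name> inside <slice>.
    Systemd { slice: String, prefix: String, name: String },
    /// Managed via cgroupfs; a relative path is joined to the cgroup mount
    /// root by the caller, an absolute path is used as-is.
    Fs(PathBuf),
}

#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    BadSystemdPath(String),
}

/// Parse a cgroups path. Assumption (runc convention, not from the commit):
/// the systemd form is exactly "slice:prefix:name"; an empty slice means
/// "system.slice". A string containing a colon that does not have exactly
/// three parts is rejected rather than silently treated as a file path,
/// so a malformed value never lands in an unexpected cgroup.
pub fn parse_cgroup_path(s: &str) -> Result<CgroupTarget, PathError> {
    if s.is_empty() {
        return Err(PathError::Empty);
    }
    if !s.contains(':') {
        return Ok(CgroupTarget::Fs(PathBuf::from(s)));
    }
    let parts: Vec<&str> = s.split(':').collect();
    if parts.len() != 3 {
        return Err(PathError::BadSystemdPath(s.to_string()));
    }
    let slice = if parts[0].is_empty() { "system.slice" } else { parts[0] };
    // A slice must be a unit name, not a path, and the scope needs a name.
    if !slice.ends_with(".slice") || slice.contains('/') || parts[2].is_empty() {
        return Err(PathError::BadSystemdPath(s.to_string()));
    }
    Ok(CgroupTarget::Systemd {
        slice: slice.to_string(),
        prefix: parts[1].to_string(),
        name: parts[2].to_string(),
    })
}

/// What gets moved into the sandbox cgroup, per the combination table in the
/// commit message: only cgroup v1 + cgroupfs can place individual vCPU threads;
/// every other combination places the whole VMM process.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Placement {
    VcpuThreads,
    VmmProcess,
}

pub fn placement(target: &CgroupTarget, cgroup_v2: bool) -> Placement {
    match (target, cgroup_v2) {
        (CgroupTarget::Fs(_), false) => Placement::VcpuThreads,
        _ => Placement::VmmProcess,
    }
}

fn main() {
    for p in ["foo.slice:bar:baz", ":kata:sandbox1", "/kata/sandbox1", "a:b"] {
        match parse_cgroup_path(p) {
            Ok(t) => println!("{p:?} -> {t:?}, v1+fs placement {:?}", placement(&t, false)),
            Err(e) => println!("{p:?} -> rejected: {e:?}"),
        }
    }
}
```

Rejecting a colon path that is not exactly three parts is the deliberate choice here: falling back to `Fs` for such input would quietly create a cgroupfs directory whose name contains a colon, which is the kind of silent misplacement a runtime should refuse.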
alex.lyn
613dba6f1f runtime-rs: Some extra work to enhance copyfile with sharedfs disabled
For some reasons, it first should be made to align with runtime-go; this
commit will do this work.

Fixes #11543

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-25 11:39:20 +08:00
Xuewei Niu
6aa3517393 tests: Prevent the shim from being killed in k8s-oom test
The actual memory usage on the host is equal to the hypervisor memory usage
plus the user memory usage. An OOM killer might kill the shim when the
memory limit on the host is the same as that of the container and the
container consumes all available memory. In this case, containerd will never
receive an OOM event, but get a "task exit" event. That makes the `k8s-oom.bats`
test fail.

The fix is to add a new container to increase the sandbox memory limit.
When the container "oom-test" is killed by OOM killer, there is still
available memory for the shim, so it will not be killed.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-24 23:44:21 +08:00
Steve Horsman
c762a3dd4f Merge pull request #11372 from kata-containers/dependabot/cargo/src/dragonball/openssl-af8515b6e0
build(deps): bump the openssl group across 4 directories with 1 update
2025-07-24 13:27:24 +01:00
Fupan Li
fdbe549368 Merge pull request #11547 from Apokleos/virtio-scsi
runtime-rs: support block device driver virtio-scsi within qemu-rs
2025-07-24 18:02:11 +08:00
Xuewei Niu
635272f3e8 runtime-rs: Ignore SIGTERM signal in shim
When enabling systemd cgroup driver and sandbox cgroup only, the shim is
under a systemd unit. When the unit is stopping, systemd sends SIGTERM to
the shim. The shim can't exit immediately, as there are some cleanups to
do. Therefore, ignoring SIGTERM is required here. The shim should complete
the work within a period (Kata sets it to 300s by default). Once a timeout
occurs, systemd will send SIGKILL.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-24 17:15:15 +08:00
Xuewei Niu
79f29bc523 runtime-rs: QEMU get_thread_ids() returns real vCPU's tids
The information is obtained through QMP query_cpus_fast.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-24 17:15:15 +08:00
stevenhorsman
475baf95ad ci: Try passing api token into github api call
Our CI keeps on getting
```
jq: error (at <stdin>:1): Cannot index string with string "tag_name"
```
during the install dependencies phase, which I suspect
might be due to github rate limits being reduced, so try
to pass through the `GH_TOKEN` env and use it in the auth header.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-24 08:49:32 +01:00
alex.lyn
b40d65bc1b runtime-rs: support block device driver virtio-scsi within qemu-rs
It is important that we continue to support VirtIO-SCSI. While
VirtIO-BLK is a common choice, virtio-scsi offers significant
performance advantages in specific scenarios, particularly when
utilizing iothreads and with NVMe Fabrics.

Maintaining flexibility and choice: by supporting both virtio-blk and
virtio-scsi, we provide greater flexibility for users to choose the
optimal storage interface (virtio-blk, virtio-scsi) based on their
specific workload requirements and hardware configurations.

As the virtio-scsi controller has been created when the qemu vm starts
with the block device driver set to `virtio-scsi`, this commit is for
blockdev_add of the backend block device and device_add of the frontend
virtio-scsi device via qmp.

Fixes #11516

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 14:00:02 +08:00
alex.lyn
e683a7fd37 runtime-rs: Change the device_id with block device index
As the block device index is a very important unique id of a block device
and can indicate a block device, it is equivalent to device_id.
Since the index is required in calculating the scsi LUN, and to reduce
useless arguments when reusing `hotplug_block_device`, we'd better
change the device_id to the block device index.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
4521cae0c0 runtime-rs: Support AIO for hotplugging block device within qemu
In this commit, block device aio is introduced within hotplug_block_device
within qemu via qmp and "iouring" is set as the default.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
b4d276bc2b runtime-rs: Handle virtio-scsi within device manager
It should be correctly handled within the device manager when doing
create_block_device if the driver_option is virtio-scsi.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
fbd84fd3f4 runtime-rs: Support virtio-scsi device within handle_block_volume
It supports handling scsi device when block device driver is `scsi`.
And it will ensure a correct storage source with LUN.

Fixes #11516

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
57645c0786 runtime-rs: Add support for block device AIO
In this commit, three block device aio modes are introduced and
"iouring" is set as the default.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
40e6aacc34 runtime-rs: Introduce scsi_addr within BlockConfig for SCSI devices
It's used to help discover scsi devices inside guest and also add a
new const value `KATA_SCSI_DEV_TYPE` to help pass information.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:57:00 +08:00
alex.lyn
125383e53c runtime-rs: Add support for configurable block device aio
AIO is the I/O mechanism used by qemu with options:
- threads
  Pthread based disk I/O.
- native
  Native Linux I/O.
- io_uring (default mode)
  Linux io_uring API. This provides the fastest I/O operations on

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-24 11:56:52 +08:00
dependabot[bot]
ef9d960763 build(deps): bump the openssl group across 4 directories with 1 update
Bumps the openssl group with 1 update in the /src/dragonball directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/runtime-rs directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/genpolicy directory: [openssl](https://github.com/sfackler/rust-openssl).
Bumps the openssl group with 1 update in the /src/tools/kata-ctl directory: [openssl](https://github.com/sfackler/rust-openssl).


Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

Updates `openssl` from 0.10.72 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...openssl-v0.10.73)

---
updated-dependencies:
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: openssl
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: openssl
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-23 15:17:12 +00:00
Fabiano Fidêncio
58925714d2 Merge pull request #11579 from Apokleos/fix-hotplug-blk
runtime-rs: Support hotplugging host block devices within qemu-rs
2025-07-23 11:10:04 +02:00
alex.lyn
a12ae58431 runtime-rs: Support hotplugging host block devices within qemu-rs
Although the previous implementation of hotplugging block devices via QMP
could successfully hot-plug regular-file-based block devices, it
fails when the backend is /dev/xxx (e.g. /dev/loop0). After analysing
it, we can see that it lacks the ability to hotplug host block devices.

This commit will fill the gap, and make it work well for host block
devices.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-07-22 15:40:03 +08:00
Fabiano Fidêncio
acae4480ac Merge pull request #11604 from fidencio/release/3.19.1
release: Bump version to 3.19.1
2025-07-22 09:00:15 +02:00
Fabiano Fidêncio
0220b4d661 release: Bump version to 3.19.1
As there were a few moderate security vulnerability fixes missed as part
of the 3.19.0 release.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-21 20:09:21 +02:00
Steve Horsman
09efcfbd86 Merge pull request #11606 from kata-containers/dependabot/cargo/src/tools/genpolicy/zerocopy-0.6.6
build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
2025-07-21 18:58:56 +01:00
Steve Horsman
9f04d8e121 Merge pull request #11605 from kata-containers/dependabot/cargo/src/tools/kata-ctl/unsafe-libyaml-0.2.11
build(deps): bump unsafe-libyaml from 0.2.9 to 0.2.11 in /src/tools/kata-ctl
2025-07-21 18:50:01 +01:00
dependabot[bot]
a9c8377073 build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy
---
updated-dependencies:
- dependency-name: zerocopy
  dependency-version: 0.6.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:50:38 +00:00
dependabot[bot]
0b4c434ece build(deps): bump unsafe-libyaml in /src/tools/kata-ctl
Bumps [unsafe-libyaml](https://github.com/dtolnay/unsafe-libyaml) from 0.2.9 to 0.2.11.
- [Release notes](https://github.com/dtolnay/unsafe-libyaml/releases)
- [Commits](https://github.com/dtolnay/unsafe-libyaml/compare/0.2.9...0.2.11)

---
updated-dependencies:
- dependency-name: unsafe-libyaml
  dependency-version: 0.2.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 12:46:27 +00:00
Fabiano Fidêncio
35629d0690 Merge pull request #11603 from stevenhorsman/security-updates-21-jul
dependencies: More crate bumps to resolve security issues
2025-07-21 14:33:07 +02:00
stevenhorsman
162ba19b85 agent-ctl: Bump rusttls
Bump rusttls to >=0.23.18 to remediate RUSTSEC-2024-0399

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:41:59 +01:00
stevenhorsman
42339e9cdf dragonball: Update url crate
Update url to 2.5.4 to bump idna to 1.0.3 and remediate
RUSTSEC-2024-0421

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:35:05 +01:00
stevenhorsman
1795361589 runk: Update rustjail
Update the rustjail crate to pull in the latest security fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:31:18 +01:00
stevenhorsman
28929f5b3e runtime: Bump prometheus
Bump this crate to remove the old version of protobuf
and remediate RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:29:57 +01:00
stevenhorsman
e66aa1ef8c runtime: Bump prometheus and ttrpc-codegen
Bump these crates to remove the old version of protobuf
and remediate RUSTSEC-2024-0437

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-21 10:29:39 +01:00
Fabiano Fidêncio
d60513ece9 Merge pull request #11597 from kata-containers/topic/fix-release-static-tarball-content
release: Copy the VERSION file to the tarball
2025-07-20 21:06:40 +02:00
Fabiano Fidêncio
55aae75ed7 shellcheck: Fix issues on kata-deploy-merge-builds.sh
As we're already touching the file, let's get those fixed.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-20 09:33:50 +02:00
Fabiano Fidêncio
aaeb3b3221 release: Copy the VERSION file to the tarball
For the release itself, let's simply copy the VERSION file to the
tarball.

To do so, we had to change the logic that merges the build, as at that
point the tag is not yet pushed to the repo.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-20 00:06:14 +02:00
Fabiano Fidêncio
21ccaf4a80 Merge pull request #11596 from fidencio/release/v3.19.0
release: Bump version to 3.19.0
2025-07-19 18:27:36 +02:00
Fabiano Fidêncio
60f312b4ae release: Bump version to 3.19.0
Bump VERSION and helm-chart versions

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-19 09:11:30 +02:00
Fabiano Fidêncio
1351ccb2de Merge pull request #11576 from Tim-Zhang/update-protobuf-to-fix-CVE-2025-53605
chore: Update protobuf to fix CVE-2025-53605
2025-07-19 07:43:13 +02:00
Fabiano Fidêncio
7f5f032aca runtime-rs: Update containerd-shim / containerd-shim-protos
Let's bump those to their 0.10.0 releases, which contain fixes for the
CVE-2025-53605.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-19 00:18:01 +02:00
Fabiano Fidêncio
6dc4c0faae Merge pull request #11589 from fidencio/topic/fix-tdx-qemu-path-for-non-gpu
qemu: tdx: Fix binary path for non-gpu TDX
2025-07-18 17:24:00 +02:00
Tim Zhang
2fe9df16cc agent-ctl: update Cargo.lock to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/392
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:13:25 +02:00
Tim Zhang
45b44742de genpolicy: update Cargo.lock to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/394
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:10:52 +02:00
Tim Zhang
fa9ff1b299 kata-ctl: update prometheus/protobuf to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/395
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:05:13 +02:00
Tim Zhang
d0e7a51f7b dragonball: update prometheus/protobuf to fix CVE-2025-53605
Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/396
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
2025-07-18 16:02:29 +02:00
Tim Zhang
222393375a agent: update ttrpc-codegen to remove dependency on protobuf v2
To fix CVE-2025-53605.

Fixes: https://github.com/kata-containers/kata-containers/security/dependabot/397
Fixes: #11570

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 16:02:07 +02:00
Fabiano Fidêncio
60c3d89767 Merge pull request #11558 from gmintoco/feature/helm-nodeSelector
helm: add nodeSelector support to kata-deploy chart
2025-07-18 15:52:19 +02:00
Fabiano Fidêncio
3143787f69 qemu: tdx: Fix binary path for non-gpu TDX
On commit 90bc749a19, we've changed the
QEMUTDXPATH in order to get it to work with GPUs, but the change broke
the non-GPU TDX use-case, which depends on the distro binary.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 15:26:27 +02:00
Fabiano Fidêncio
497a3620c2 tests: Remove references to qemu-sev
As it's been removed from our codebase.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
17ce44083c runtime: Remove reference to sev package
Otherwise it'll just break static checks.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
3b5cd2aad6 helm: remove qemu-sev references
qemu-sev support has been removed, but those bits were left behind by
mistake.

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Gus Minto-Cowcher
41d41d51f7 helm: add nodeSelector support to kata-deploy chart
- Add nodeSelector configuration to values.yaml with empty default
- Update DaemonSet template to conditionally include nodeSelector
- Add documentation and examples for nodeSelector usage in README
- Allows users to restrict kata-containers deployment to specific nodes by labeling them

Signed-off-by: Gus Minto-Cowcher <gus@basecamp-research.com>
2025-07-18 12:49:54 +02:00
Fabiano Fidêncio
7d709a0759 Merge pull request #11493 from stevenhorsman/agent-ctl-tag-cache
ci: cache: Tag agent-ctl cache
2025-07-18 12:12:46 +02:00
Fabiano Fidêncio
4a6c718f23 Merge pull request #11584 from zvonkok/fix-kernel-debug-enabled
kernel: fix enable kernel debug
2025-07-18 11:38:36 +02:00
Sumedh Alok Sharma
47184e82f5 Merge pull request #11313 from Ankita13-code/ankitapareek/exec-id-agent-fix
agent: update the processes hashmap to use exec_id as primary key
2025-07-18 14:07:15 +05:30
Fabiano Fidêncio
d9daddce28 Merge pull request #11578 from justxuewei/vsock-async
runtime-rs: Fix the issue of blocking socket with Tokio
2025-07-18 10:13:03 +02:00
Xuewei Niu
629c942d4b runtime-rs: Fix the issue of blocking socket with Tokio
According to the issue [1], Tokio will panic when we give a blocking
socket to Tokio's `from_std()` method; the information is as follows:

```
A panic occurred at crates/agent/src/sock/vsock.rs:59: Registering a
blocking socket with the tokio runtime is unsupported. If you wish to do
anyways, please add `--cfg tokio_allow_from_blocking_fd` to your RUSTFLAGS.
```

A workaround is to set the socket to non-blocking.

1: https://github.com/tokio-rs/tokio/issues/7172

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
1508e6f0f5 agent: Bump Tokio to v1.46.1
Tokio now has a newer version, let us bump it.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Xuewei Niu
5a4050660a runtime-rs: Bump Tokio to v1.46.1
Tokio now has a newer version, let us bump it.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-18 10:55:48 +08:00
Zvonko Kaiser
a786dc48b0 kernel: fix enable kernel debug
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-18 02:24:19 +00:00
Fabiano Fidêncio
eb2bfbf7ac Merge pull request #11572 from stevenhorsman/RUSTSEC-2024-0384-remediate
More crate bumps for security remediations
2025-07-17 22:35:05 +02:00
Zvonko Kaiser
cef9485634 Merge pull request #11450 from kata-containers/dependabot/cargo/src/agent/nix-0.27.1
build(deps): bump nix to 0.26.4 in agent, libs, runtime-rs
2025-07-17 14:22:40 -04:00
stevenhorsman
41a608e5ce tools: Bump borsh, liboci-cli and oci-spec
Bump these crates to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
e56f493191 deps: Bump zbus, serial_test & async-std
Bump these crates across various components to remove the
dependency on unmaintained instant crate and remediate
RUSTSEC-2024-0384

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
stevenhorsman
bb820714cb agent-ctl: Update borsh
- Update borsh to remove the unmaintained dependency
proc-macro-error and remediate RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 18:23:19 +01:00
Steve Horsman
549fd2a196 Merge pull request #11581 from stevenhorsman/osv-scanner-action-permissions-fix
workflow: Fix osv-scanner action
2025-07-17 18:18:16 +01:00
stevenhorsman
a7e27b9b68 workflow: Fix osv-scanner action
- The github generated template had an old version which
isn't valid for the pr-scan, so update to the latest
- The action also needs `actions: read` and `contents: read` to run in kata-containers

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 17:29:35 +01:00
Steve Horsman
8741f2ab3d Merge pull request #11580 from kata-containers/osv-scanner-action
workflow: Add osv-scanner action
2025-07-17 17:00:34 +01:00
stevenhorsman
1a75c12651 workflow: Add osv-scanner action
Add action to check for vulnerabilities in the project and
on each PR

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 16:41:56 +01:00
stevenhorsman
4c776167e5 trace-forwarder: Add nix features
Some of the nix apis we are using are now enabled by features,
so add these to resolve the compilation issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:09:21 +01:00
dependabot[bot]
cd79108c77 build(deps): bump nix in /src/tools/trace-forwarder
Bumps [nix](https://github.com/nix-rust/nix) from 0.23.1 to 0.30.1.
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nix-rust/nix/compare/v0.23.1...v0.30.1)

---
updated-dependencies:
- dependency-name: nix
  dependency-version: 0.30.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:09:06 +01:00
stevenhorsman
9185ef1a67 runtime-rs: Bump nix to matching version
runtime-rs needs the same version as libs,
so sync this up as well.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:08:46 +01:00
dependabot[bot]
219ad505c2 build(deps): bump nix from 0.24.3 to 0.26.4 in /src/agent
Nix needs to be in sync between libs and agent, so bump
the agent to the libs version

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-17 15:01:06 +01:00
dependabot[bot]
a4d22fe330 build(deps): bump nix from 0.24.2 to 0.26.4 in /src/libs
---
updated-dependencies:
- dependency-name: nix
  dependency-version: 0.26.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 15:01:06 +01:00
stevenhorsman
51f41b1669 ci: cache: Tag agent-ctl cache
The peer pods project is using the agent-ctl tool in some
tests, so tagging our cache will let them more easily identify
development versions of kata for testing between releases.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-07-16 11:32:33 +01:00
Ankita Pareek
5f08cc75b3 agent: update the processes hashmap to use exec_id as primary key
This patch changes the container process HashMap to use exec_id as the primary
key instead of PID, preventing exec_id collisions that could be exploited in
Confidential Computing scenarios where the host is less trusted than the guest.

Key changes:
- Changed `processes: HashMap<pid_t, Process>` to `HashMap<String, Process>`
- Added exec_id collision detection in `start()` method
- Updated process lookup operations to use exec_id directly
- Simplified `get_process()` with direct HashMap access

This prevents multiple exec operations from reusing the same exec_id, which
could be problematic in CoCo use cases where process isolation and unique
identification are critical for security.

Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
2025-07-11 10:10:23 +00:00
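The commit message above describes re-keying the agent's process table from PID to exec_id and adding collision detection in `start()`, because in Confidential Computing the host that chooses exec_ids is less trusted than the guest. The following is an added example, not the Kata agent's code: it contrasts a PID-keyed table, where a host reusing an exec_id silently produces two processes that answer to the same identifier, with an exec_id-keyed table whose `start()` rejects the duplicate. The `Process`, `PidKeyedContainer`, `ExecIdKeyedContainer` and `StartError` names and the `demo()` driver are hypothetical.

```rust
// Added example, not Kata agent code: PID-keyed vs exec_id-keyed process
// tables, with duplicate exec_id detection in the latter. Names are hypothetical.
use std::collections::hash_map::Entry;
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Process {
    pub exec_id: String,
    pub pid: i32, // pid_t is i32 on Linux
}

/// Before: keyed by pid. Nothing stops a second exec from reusing an exec_id,
/// and any lookup by exec_id has to scan values and takes whichever matches.
#[derive(Default)]
pub struct PidKeyedContainer {
    processes: HashMap<i32, Process>,
}

impl PidKeyedContainer {
    pub fn start(&mut self, p: Process) {
        self.processes.insert(p.pid, p);
    }
    pub fn get_by_exec_id(&self, exec_id: &str) -> Option<&Process> {
        self.processes.values().find(|p| p.exec_id == exec_id)
    }
    pub fn count(&self) -> usize {
        self.processes.len()
    }
}

#[derive(Debug, PartialEq)]
pub enum StartError {
    DuplicateExecId(String),
}

/// After: keyed by exec_id. start() refuses a duplicate instead of aliasing
/// two processes under one identifier, and lookups are a direct map access.
#[derive(Default)]
pub struct ExecIdKeyedContainer {
    processes: HashMap<String, Process>,
}

impl ExecIdKeyedContainer {
    pub fn start(&mut self, p: Process) -> Result<(), StartError> {
        match self.processes.entry(p.exec_id.clone()) {
            Entry::Occupied(e) => Err(StartError::DuplicateExecId(e.key().clone())),
            Entry::Vacant(v) => {
                v.insert(p);
                Ok(())
            }
        }
    }
    pub fn get_process(&self, exec_id: &str) -> Option<&Process> {
        self.processes.get(exec_id)
    }
    pub fn remove(&mut self, exec_id: &str) -> Option<Process> {
        self.processes.remove(exec_id)
    }
    pub fn count(&self) -> usize {
        self.processes.len()
    }
}

/// Feed the same host-chosen exec_id twice to both tables. Returns the pid the
/// old table resolves "exec-1" to (arbitrary: 100 or 200) and the new table's
/// verdict on the second start (an error naming the duplicate).
pub fn demo() -> (Option<i32>, Result<(), StartError>) {
    let mut old = PidKeyedContainer::default();
    old.start(Process { exec_id: "exec-1".into(), pid: 100 });
    old.start(Process { exec_id: "exec-1".into(), pid: 200 }); // accepted silently
    let ambiguous = old.get_by_exec_id("exec-1").map(|p| p.pid);

    let mut new = ExecIdKeyedContainer::default();
    new.start(Process { exec_id: "exec-1".into(), pid: 100 }).unwrap();
    let second = new.start(Process { exec_id: "exec-1".into(), pid: 200 });
    (ambiguous, second)
}

fn main() {
    let (ambiguous, second) = demo();
    println!("pid-keyed lookup of exec-1 resolved to {ambiguous:?} (one of two)");
    println!("exec_id-keyed second start: {second:?}");
}
```

The point of the old table is not that it crashes but that it is ambiguous: once two processes share an exec_id, a later signal, wait or close-stdin request addressed by exec_id may land on either of them, and the party that chose the colliding id decides which. Rejecting at `start()` keeps exec_id a true primary key.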
Wainer dos Santos Moschetta
3ab6a8462d ci/gatekeeper: make run-k8s-tests-coco-nontee job required
The CoCo non-TEE job (run-k8s-tests-coco-nontee) used to be required but
we had to withdraw it to fix a problem (#11156). Now the job is back
running and stable, so time to make it required again.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-07-10 12:19:19 +01:00
1471 changed files with 97443 additions and 55288 deletions

View File

@@ -23,3 +23,4 @@ self-hosted-runner:
- s390x
- s390x-large
- tdx
- amd64-nvidia-a100

View File

@@ -66,6 +66,9 @@ updates:
rustix:
patterns:
- rustix
slab:
patterns:
- slab
time:
patterns:
- time

View File

@@ -9,8 +9,7 @@ on:
- labeled
- unlabeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
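Review bot: replacing the workflow-level `contents: read` with `permissions: {}` (the same swap appears in the first hunk of every workflow file below) leaves the GITHUB_TOKEN with no scopes unless a job declares its own `permissions:` block, so any job in these files that relies on the inherited `contents: read` for checkout or on `GH_TOKEN` for API calls needs an explicit block; the hunks only show the top-level change, so each job should be checked rather than assumed.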

View File

@@ -11,8 +11,8 @@ on:
paths:
- '.github/workflows/**'
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:
@@ -49,6 +48,8 @@ jobs:
- name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -89,6 +90,8 @@ jobs:
- name: Install dependencies
run: bash tests/stability/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -132,6 +135,8 @@ jobs:
- name: Install dependencies
run: bash tests/integration/nydus/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -209,6 +214,8 @@ jobs:
- name: Install dependencies
run: bash tests/functional/tracing/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -253,6 +260,8 @@ jobs:
- name: Install dependencies
run: bash tests/functional/vfio/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -272,10 +281,7 @@ jobs:
fail-fast: false
matrix:
vmm:
- clh
- qemu
- dragonball
- cloud-hypervisor
runs-on: ubuntu-22.04
env:
KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -294,6 +300,8 @@ jobs:
- name: Install dependencies
run: bash tests/integration/docker/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -339,6 +347,7 @@ jobs:
- name: Install dependencies
env:
GITHUB_API_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
- name: get-kata-tarball
@@ -383,6 +392,8 @@ jobs:
- name: Install dependencies
run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
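Review bot: `GH_TOKEN: ${{ github.token }}` is added to every install-dependencies step, but none of the surrounding jobs show a `permissions:` block, and the workflow now starts from `permissions: {}`; confirm the scopes these `gha-run.sh install-dependencies` invocations need are granted per job, otherwise the token is set but carries no permissions. In the nerdctl job both `GITHUB_API_TOKEN` and `GH_TOKEN` are set to the same value; if the script only reads one of them, drop the other.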

View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:
@@ -48,7 +47,9 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Install dependencies
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
run: bash tests/integration/cri-containerd/gha-run.sh
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
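Review bot: the "Install dependencies" step's command appears to lose its `install-dependencies` argument (`run: bash tests/integration/cri-containerd/gha-run.sh` next to the line that still carries it); confirm which of the two lines survives, since calling the script with no action would not install anything and the following steps depend on it.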

View File

@@ -12,8 +12,7 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks preview riscv64
jobs:

View File

@@ -5,8 +5,8 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks
jobs:
@@ -42,6 +42,10 @@ jobs:
path: src/runtime-rs
needs:
- rust
- name: libs
path: src/libs
needs:
- rust
- name: agent-ctl
path: src/tools/agent-ctl
needs:

View File

@@ -23,9 +23,10 @@ on:
secrets:
QUAY_DEPLOYER_PASSWORD:
required: false
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -95,6 +96,7 @@ jobs:
- name: Build ${{ matrix.asset }}
id: build
run: |
[[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
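Review bot: appending `KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}` to `$GITHUB_ENV` (here and again in the later Build step of this file) makes the signing PIN available to every subsequent step of the job, including the upload steps, and interpolates the secret's value into the shell script text, so a PIN containing quotes or `$` would break the `echo`. Setting it as step-scoped `env:` on the build step (`env: KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}`) and reading `${KBUILD_SIGN_PIN}` from the Makefile keeps it out of the environment file and out of the script body.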
@@ -141,7 +143,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -150,7 +152,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
retention-days: 15
if-no-files-found: error
@@ -201,6 +203,7 @@ jobs:
- name: Build ${{ matrix.asset }}
id: build
run: |
[[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
@@ -220,7 +223,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -312,7 +315,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -343,10 +346,12 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error
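Review bot: the upload paths change from `.tar.xz` to `.tar.zst` (here and in the matching hunks for arm64, ppc64le, riscv64 and s390x) while the artifact `name:` values stay the same, so anything that downloads by name and extracts with an xz-specific command must change in the same series; the `merge-artifacts` step calling `kata-deploy-merge-builds.sh` is the first consumer to check, and a note in the commit message about the compression switch would help anyone bisecting a broken download.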

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: false
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -121,7 +120,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -130,7 +129,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
retention-days: 15
if-no-files-found: error
@@ -195,7 +194,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -282,7 +281,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -313,10 +312,12 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -83,7 +82,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 1
if-no-files-found: error
@@ -148,7 +147,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 1
if-no-files-found: error
@@ -221,7 +220,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 1
if-no-files-found: error
@@ -256,10 +255,12 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 1
if-no-files-found: error

View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -81,6 +80,6 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -27,8 +27,7 @@ on:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:
@@ -115,7 +114,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -182,7 +181,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -230,7 +229,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
path: kata-build/kata-static-boot-image-se.tar.xz
path: kata-build/kata-static-boot-image-se.tar.zst
retention-days: 1
if-no-files-found: error
@@ -307,7 +306,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
path: kata-build/kata-static-shim-v2.tar.xz
path: kata-build/kata-static-shim-v2.tar.zst
retention-days: 15
if-no-files-found: error
@@ -342,10 +341,12 @@ jobs:
- name: merge-artifacts
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
env:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
path: kata-static.tar.xz
path: kata-static.tar.zst
retention-days: 15
if-no-files-found: error

View File

@@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
cargo-deny-runner:

View File

@@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:
@@ -31,3 +30,4 @@ jobs:
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

View File

@@ -2,17 +2,15 @@ name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:
permissions:
actions: write
attestations: write
contents: read
id-token: write
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}
@@ -28,6 +26,8 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-checks:
uses: ./.github/workflows/build-checks.yaml

View File

@@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x
permissions:
contents: read
permissions: {}
jobs:
check-internal-test-result:
@@ -16,7 +15,8 @@ jobs:
test_title:
- kata-vfio-ap-e2e-tests
- cc-vfio-ap-e2e-tests
- cc-se-e2e-tests
- cc-se-e2e-tests-go
- cc-se-e2e-tests-rs
steps:
- name: Fetch a test result for {{ matrix.test_title }}
run: |
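Review bot: the step name `Fetch a test result for {{ matrix.test_title }}` is missing the `$`, so it is never expanded and every matrix leg shows the literal text in the job log; this is a context line, but since the matrix is being extended with `cc-se-e2e-tests-go` and `cc-se-e2e-tests-rs` it is worth fixing to `${{ matrix.test_title }}` so the two new legs are distinguishable.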

View File

@@ -7,17 +7,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:
permissions:
actions: write
attestations: write
contents: read
id-token: write
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}
@@ -32,3 +30,5 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

View File

@@ -3,7 +3,6 @@ on:
pull_request_target:
branches:
- 'main'
- 'stable-*'
types:
# Adding 'labeled' to the list of activity types that trigger this event
# (default: opened, synchronize, reopened) so that we can run this
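Review bot: dropping `- 'stable-*'` from the `pull_request_target` branch filter means PRs that target stable branches no longer trigger this workflow; if that is intentional, say so in the commit message and confirm another workflow covers stable-branch PRs, otherwise backports lose this CI path.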
@@ -14,8 +13,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -33,11 +31,10 @@ jobs:
needs: skipper
if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
permissions:
actions: write
attestations: write
contents: read
id-token: write
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.event.pull_request.head.sha }}
@@ -53,3 +50,5 @@ jobs:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
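Review bot: this workflow is triggered by `pull_request_target`, and the secrets it forwards now also include `NGC_API_KEY` and `KBUILD_SIGN_PIN`, both credentials rather than test inputs; since the called workflow builds `github.event.pull_request.head.sha`, the `labeled` activity type plus the `skipper` gate is what stands between a fork PR and these secrets, so keep that gate explicit in the job's `if:` and do not widen the trigger types in the same change.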

View File

@@ -27,9 +27,10 @@ on:
required: true
QUAY_DEPLOYER_PASSWORD:
required: true
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:
@@ -43,6 +44,8 @@ jobs:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64

View File

@@ -35,10 +35,12 @@ on:
required: true
QUAY_DEPLOYER_PASSWORD:
required: true
NGC_API_KEY:
required: true
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
build-kata-static-tarball-amd64:
@@ -52,6 +54,8 @@ jobs:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64
@@ -71,112 +75,112 @@ jobs:
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-arm64:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
build-kata-static-tarball-arm64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# publish-kata-deploy-payload-arm64:
# needs: build-kata-static-tarball-arm64
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-arm64
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ubuntu-22.04-arm
# arch: arm64
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-arm64:
needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-arm64
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04-arm
arch: arm64
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-s390x:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-s390x:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-ppc64le:
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-ppc64le:
permissions:
contents: read
packages: write
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-riscv64:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-riscv64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# publish-kata-deploy-payload-s390x:
# needs: build-kata-static-tarball-s390x
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-s390x
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: s390x
# arch: s390x
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-s390x:
needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x
arch: s390x
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# publish-kata-deploy-payload-ppc64le:
# needs: build-kata-static-tarball-ppc64le
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-ppc64le
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ppc64le
# arch: ppc64le
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-ppc64le:
needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ppc64le
arch: ppc64le
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-and-publish-tee-confidential-unencrypted-image:
permissions:
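Review bot: `CI_HKD_PATH: ${{ secrets.ci_hkd_path }}` in the re-enabled s390x build uses a lowercase secret name while the caller workflows pass it as `CI_HKD_PATH`; even where the lookup is case-insensitive, use the same casing so a reader can grep for the secret in one form. Separately, the re-enabled `build-kata-static-tarball-ppc64le` is the only build job without `id-token: write` and `attestations: write`; if ppc64le artifacts are not attested on purpose, a one-line comment saying so would stop the next reviewer from "fixing" it.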
@@ -275,61 +279,33 @@ jobs:
run-kata-monitor-tests:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs: build-kata-static-tarball-amd64
env:
GH_TOKEN: ${{ github.token }}
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger kata monitor tests
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-kata-monitor-tests.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"commit-hash":"${{ inputs.commit-hash }}",
"target-branch":"${{ inputs.target-branch }}"
}'
uses: ./.github/workflows/run-kata-monitor-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-aks:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs: publish-kata-deploy-payload-amd64
env:
GH_TOKEN: ${{ github.token }}
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger run-k8s-tests-on-aks workflow
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-k8s-tests-on-aks.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"registry":"ghcr.io",
"repo":"${{ github.repository_owner }}/kata-deploy-ci",
"tag":"${{ inputs.tag }}-amd64",
"commit-hash":"${{ inputs.commit-hash }}",
"pr-number":"${{ inputs.pr-number }}",
"target-branch":"${{ inputs.target-branch }}"
}'
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
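Review bot: with `tests/gha-helper.sh trigger-and-check-workflow` replaced by direct `uses:` calls, the `actions: write # Permission to trigger the gh workflows` grant disappears from these jobs, but the callers (`kata-containers-ci-on-push` in ci-on-push, ci-devel and payload-after-done) still grant `actions: write`; if nothing left in this file dispatches workflows, drop it there too. The move also removes the `${{ github.ref }}` / `${{ inputs.* }}` interpolation into a shell script, which is the right direction; the new jobs correctly limit themselves to `contents: read` and `id-token: write` for the Azure login.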
run-k8s-tests-on-amd64:
if: ${{ inputs.skip-test != 'yes' }}
@@ -343,206 +319,198 @@ jobs:
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-k8s-tests-on-arm64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: publish-kata-deploy-payload-arm64
# uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-arm64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-arm64:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-arm64
uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-arm64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-nvidia-gpu:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
run-kata-coco-tests:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs:
- publish-kata-deploy-payload-amd64
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
env:
GH_TOKEN: ${{ github.token }}
- publish-kata-deploy-payload-amd64
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger kata-coco-tests for amd64 arch
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-kata-coco-tests.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"registry":"ghcr.io",
"repo":"${{ github.repository_owner }}/kata-deploy-ci",
"tag":"${{ inputs.tag }}-amd64",
"commit-hash":"${{ inputs.commit-hash }}",
"pr-number":"${{ inputs.pr-number }}",
"target-branch":"${{ inputs.target-branch }}"
}'
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
ITA_KEY: ${{ secrets.ITA_KEY }}
# run-k8s-tests-on-zvsi:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
# uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-s390x
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
run-k8s-tests-on-zvsi:
if: ${{ inputs.skip-test != 'yes' }}
needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# run-k8s-tests-on-ppc64le:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: publish-kata-deploy-payload-ppc64le
# uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-ppc64le
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-ppc64le:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-ppc64le
uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-kata-deploy-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: [publish-kata-deploy-payload-amd64]
# uses: ./.github/workflows/run-kata-deploy-tests.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-amd64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-kata-deploy-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: [publish-kata-deploy-payload-amd64]
uses: ./.github/workflows/run-kata-deploy-tests.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-metrics-tests:
# # Skip metrics tests whilst runner is broken
# if: false
# # if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# uses: ./.github/workflows/run-metrics.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-amd64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-basic-amd64-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/basic-ci-amd64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# run-basic-amd64-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# uses: ./.github/workflows/basic-ci-amd64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
run-basic-s390x-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-s390x
uses: ./.github/workflows/basic-ci-s390x.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# run-basic-s390x-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-s390x
# uses: ./.github/workflows/basic-ci-s390x.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
run-cri-containerd-amd64:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: lts, vmm: clh },
{ containerd_version: lts, vmm: dragonball },
{ containerd_version: lts, vmm: qemu },
{ containerd_version: lts, vmm: stratovirt },
{ containerd_version: lts, vmm: cloud-hypervisor },
{ containerd_version: lts, vmm: qemu-runtime-rs },
{ containerd_version: active, vmm: clh },
{ containerd_version: active, vmm: dragonball },
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: stratovirt },
{ containerd_version: active, vmm: cloud-hypervisor },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04
arch: amd64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-amd64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: lts, vmm: clh },
# { containerd_version: lts, vmm: dragonball },
# { containerd_version: lts, vmm: qemu },
# { containerd_version: lts, vmm: stratovirt },
# { containerd_version: lts, vmm: cloud-hypervisor },
# { containerd_version: lts, vmm: qemu-runtime-rs },
# { containerd_version: active, vmm: clh },
# { containerd_version: active, vmm: dragonball },
# { containerd_version: active, vmm: qemu },
# { containerd_version: active, vmm: stratovirt },
# { containerd_version: active, vmm: cloud-hypervisor },
# { containerd_version: active, vmm: qemu-runtime-rs },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ubuntu-22.04
# arch: amd64
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-s390x:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-s390x
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x-large
arch: s390x
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-s390x:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-s390x
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# { containerd_version: active, vmm: qemu-runtime-rs },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: s390x-large
# arch: s390x
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-ppc64le:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-ppc64le
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ppc64le
arch: ppc64le
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-tests-ppc64le:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-ppc64le
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ppc64le
# arch: ppc64le
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-tests-arm64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-arm64
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: arm64-non-k8s
# arch: arm64
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-arm64:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-arm64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: arm64-non-k8s
arch: arm64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
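Review bot: the commented-out copies of run-kata-deploy-tests, run-basic-amd64-tests, run-basic-s390x-tests and the three run-cri-containerd jobs duplicate the live definitions line for line, so the file now carries two versions of each job that will drift apart the next time one is edited; prefer the pattern run-metrics-tests already uses (`if: false` plus a one-line reason such as `# Skip metrics tests whilst runner is broken`) or delete the disabled copy outright, and state in the commit message which jobs are being switched on or off and why.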

View File

@@ -4,13 +4,13 @@ on:
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
contents: read
id-token: write
permissions: {}
jobs:
cleanup-resources:
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
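Review bot: with the top-level block reduced to `permissions: {}`, the job-level `permissions:` on cleanup-resources grants only `id-token: write`, and GitHub treats every permission absent from a job-level block as `none`, so `contents: read` is no longer granted to this job. actions/checkout still succeeds against a public repository, but if this workflow ever checks out a private repository or submodule the step will fail; add `contents: read` beside `id-token: write` if that is intended, and keep the comment explaining the OIDC use.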

View File

@@ -19,8 +19,8 @@ on:
schedule:
- cron: '45 0 * * 1'
permissions:
contents: read
permissions: {}
jobs:
analyze:
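Review bot: dropping `contents: read` from the top level is the right direction, but the `analyze` job below is not shown declaring its own `permissions:`; a CodeQL upload needs `security-events: write` (and `contents: read` for checkout), which an empty top-level block no longer provides, so please confirm the job-level block exists or add it in this hunk.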

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -42,7 +41,7 @@ jobs:
filter_out_pattern: '^Revert "|^Reapply "'
- name: DCO Check
uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0
with:
commits: ${{ steps.get-pr-commits.outputs.commits }}
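Review bot: moving the DCO action from a floating `master` commit to a tagged release (`uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0`) is good supply-chain hygiene; the one thing to verify in review is that the SHA is really the commit the v1.1.0 tag points to, since the trailing comment is the only thing a reader can check the pin against and tags themselves are mutable.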

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -18,13 +17,15 @@ jobs:
test:
runs-on: macos-latest
steps:
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install golang
run: |
./tests/install_go.sh -f -p
echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
- name: Build utils
run: ./ci/darwin-test.sh
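Review bot: replacing the SHA-pinned actions/setup-go step with `./tests/install_go.sh -f -p` moves Go installation to a repository script that downloads a toolchain, and the explicit `go-version: 1.23.10` disappears from this file; the commit message should say where the version now comes from, and the script should verify the downloaded archive against a known checksum before it lands in `/usr/local/go`. The reordering is correct: the install step now runs after checkout, which it must, since the script comes from the checked-out tree.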

View File

@@ -2,8 +2,7 @@ on:
schedule:
- cron: '0 23 * * 0'
permissions:
contents: read
permissions: {}
name: Docs URL Alive Check
jobs:
@@ -14,23 +13,21 @@ jobs:
env:
target_branch: ${{ github.base_ref }}
steps:
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.10
env:
GOPATH: ${{ github.workspace }}/kata-containers
- name: Set env
run: |
echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
path: ./src/github.com/${{ github.repository }}
# docs url alive check
- name: Install golang
run: |
./tests/install_go.sh -f -p
echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
- name: Docs URL Alive Check
run: |
cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
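Review bot: same concern as the Darwin workflow about what install_go.sh downloads and how it verifies it; separately, the `Set env` step interpolates `${{ github.workspace }}` directly into a `run:` script. `github.workspace` is not attacker-controlled, but the same pattern with a PR-controlled context is the classic script-injection mistake, so prefer the `$GITHUB_WORKSPACE` environment variable inside `run:` blocks to keep the habit consistent across workflows.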

View File

@@ -31,8 +31,7 @@ on:
skip_static:
value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
permissions: {}
jobs:
skipper:

View File

@@ -12,8 +12,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

View File

@@ -3,8 +3,7 @@ on:
name: Govulncheck
permissions:
contents: read
permissions: {}
jobs:
govulncheck:
@@ -14,12 +13,12 @@ jobs:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

43
.github/workflows/osv-scanner.yaml vendored Normal file
View File

@@ -0,0 +1,43 @@
# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/
name: OSV-Scanner
on:
workflow_dispatch:
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 1 * * 0'
push:
branches: [ "main" ]
permissions: {}
jobs:
scan-scheduled:
permissions:
actions: read # # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
with:
scan-args: |-
-r
./
scan-pr:
permissions:
actions: read # Required to upload SARIF file to CodeQL
contents: read # Read commit contents
security-events: write # Require writing security events to upload SARIF file to security tab
if: ${{ github.event_name == 'pull_request' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
with:
# Example of specifying custom arguments
scan-args: |-
-r
./
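Review bot: the new workflow still carries the upstream template's boilerplate (`# A sample workflow which sets up ...`, `# Example of specifying custom arguments`) and a doubled `# #` on the `actions: read` comment in scan-scheduled; trim those so the file reads as project configuration. Both jobs pin the reusable workflow to a SHA with a version comment, which is good, and `scan-args: -r ./` is the scanner's default, so it can be dropped unless the project wants it explicit.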

View File

@@ -5,8 +5,7 @@ on:
- main
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -25,6 +24,7 @@ jobs:
target-branch: ${{ github.ref_name }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-assets-arm64:
permissions:

View File

@@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
kata-payload:
@@ -85,6 +84,6 @@ jobs:
TAG: ${{ inputs.tag }}
run: |
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)/kata-static.tar.xz" \
"$(pwd)/kata-static.tar.zst" \
"${REGISTRY}/${REPO}" \
"${TAG}"
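Review bot: the payload script now receives `kata-static.tar.zst` instead of `kata-static.tar.xz`, so every producer and consumer of that artifact (the build jobs that upload it, the release workflow, any checksum or documentation that names the file) has to move in the same change or the upload fails because `$(pwd)/kata-static.tar.zst` does not exist. The release hunk in this compare does switch `tarball=$(pwd)/kata-static.tar.zst`, but please confirm the static tarball build itself emits `.zst` and that the runners have `zstd` available.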

View File

@@ -8,9 +8,10 @@ on:
secrets:
QUAY_DEPLOYER_PASSWORD:
required: true
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:
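Review bot: declaring `KBUILD_SIGN_PIN` with `required: true` under `secrets:` means every caller of this reusable workflow must forward it, not only the two callers updated in this compare (payload-after-push and release); any other workflow_call site that still omits it will fail validation. A line in the commit message on what the PIN unlocks (the kernel build's module-signing key passphrase, going by the name) and a check that the build script never echoes it would also help.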
@@ -20,6 +21,7 @@ jobs:
stage: release
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
permissions:
contents: read
packages: write
@@ -71,9 +73,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-arm64:
@@ -71,9 +70,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-ppc64le:
@@ -71,9 +70,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-s390x:
@@ -75,9 +74,9 @@ jobs:
fi
for tag in "${tags[@]}"; do
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
"$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
"$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
"${tag}-${TARGET_ARCH}"
done

View File

@@ -2,8 +2,7 @@ name: Release Kata Containers
on:
workflow_dispatch
permissions:
contents: read
permissions: {}
jobs:
release:
@@ -35,6 +34,7 @@ jobs:
target-arch: amd64
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-and-push-assets-arm64:
needs: release
@@ -126,7 +126,7 @@ jobs:
- name: Set KATA_STATIC_TARBALL env var
run: |
tarball=$(pwd)/kata-static.tar.xz
tarball=$(pwd)/kata-static.tar.zst
echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
- name: Download amd64 artifacts

View File

@@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests
permissions:
contents: read
permissions: {}
on:
workflow_call:
@@ -59,6 +58,8 @@ jobs:
- name: Install dependencies
timeout-minutes: 15
run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball for ${{ inputs.arch }}
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
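Review bot: `GH_TOKEN: ${{ github.token }}` is now exported to install-dependencies while the workflow's top-level block is `permissions: {}`, so the token carries no scopes; that is fine if the script only uses `gh` to fetch public release assets (the token then merely lifts the anonymous rate limit), but if it needs anything more the job will require an explicit job-level `permissions:` block, and the commit message should say which it is.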

View File

@@ -2,11 +2,6 @@ name: CI | Run kubernetes tests on AKS
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
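Review bot: removing the `artifact-run-id` input (and, further down, the whole `workflow_dispatch` trigger) changes this reusable workflow's interface; any caller still passing `artifact-run-id:` under `with:` will fail workflow validation, so the callers should be updated in the same change. The download-artifact step that consumed `run-id`, `github-token` and `repository` is correctly trimmed in the later hunk.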
@@ -37,46 +32,9 @@ on:
required: true
AZ_SUBSCRIPTION_ID:
required: true
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "The suffix of the kata tarball to use"
required: false
type: string
registry:
description: "The oci container registry to install kata-deploy from"
required: true
type: string
repo:
description: "The oci container repository/image to install kata-deploy from"
required: true
type: string
tag:
description: "The oci container image tag to install kata-deploy using"
required: true
type: string
pr-number:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: true
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-k8s-tests:
@@ -111,6 +69,9 @@ jobs:
instance-type: normal
auto-generate-policy: yes
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -141,9 +102,6 @@ jobs:
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata
@@ -189,6 +147,13 @@ jobs:
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Refresh OIDC token in case access token expired
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
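Review bot: the new `Refresh OIDC token in case access token expired` step has no `if: always()`, while `Delete AKS cluster` does; when `run-tests` fails (the most likely reason the token would have aged), the refresh is skipped and the delete runs with the original, possibly expired, login, which is exactly the case the step was added for and would leave a cluster behind. Add `if: always()` to the refresh step as well.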

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-amd64:
@@ -31,11 +30,7 @@ jobs:
fail-fast: false
matrix:
vmm:
- clh #cloud-hypervisor
- dragonball
- fc #firecracker
- qemu
- cloud-hypervisor
container_runtime:
- containerd
snapshotter:
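Review bot: per the header (`@@ -31,11 +30,7 @@`) four of the five `vmm` matrix entries are removed, leaving a single hypervisor for the amd64 kubernetes job; the commit message should state whether clh, dragonball, fc and qemu coverage moved to another workflow or is intentionally dropped, since that is a large reduction in what this job exercises.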
@@ -73,6 +68,25 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Configure CRI-O
if: matrix.container_runtime == 'crio'
run: bash tests/integration/kubernetes/gha-run.sh setup-crio
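Review bot: the `Remove unnecessary directories to free up space` step runs a long list of `sudo rm -rf` commands; `"$AGENT_TOOLSDIRECTORY"` is quoted, so an unset variable degrades to a harmless `rm -rf ""`, but the step also removes toolchains later steps could depend on (`/opt/az`, `/usr/lib/jvm`), so a one-line comment on why the space is needed and a `df -h` before and after would help the next person who has to trim or extend the list.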

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-on-arm64:

View File

@@ -0,0 +1,89 @@
name: CI | Run NVIDIA GPU kubernetes tests on arm64
on:
workflow_call:
inputs:
registry:
required: true
type: string
repo:
required: true
type: string
tag:
required: true
type: string
pr-number:
required: true
type: string
commit-hash:
required: false
type: string
target-branch:
required: false
type: string
default: ""
secrets:
NGC_API_KEY:
required: true
permissions: {}
jobs:
run-nvidia-gpu-tests-on-amd64:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-nvidia-gpu
k8s:
- kubeadm
runs-on: amd64-nvidia-a100
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: ${{ matrix.k8s }}
USING_NFD: "false"
K8S_TEST_HOST_TYPE: all
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Run tests
timeout-minutes: 30
run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
env:
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
- name: Collect artifacts ${{ matrix.vmm }}
if: always()
run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
continue-on-error: true
- name: Archive artifacts ${{ matrix.vmm }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
path: /tmp/artifacts
retention-days: 1
- name: Delete kata-deploy
if: always()
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh cleanup
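Review bot: the workflow is named `CI | Run NVIDIA GPU kubernetes tests on arm64`, but the job id is `run-nvidia-gpu-tests-on-amd64` and it runs on `runs-on: amd64-nvidia-a100`, so either the name or the job and runner are wrong; please fix before merging, since the job id is what callers' `needs:` and the UI will show. The artifact name `k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}` carries no architecture, and upload-artifact v4 rejects a second upload with the same name in one run, so include the arch if an amd64 counterpart uploads with the same pattern.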

View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

View File

@@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

View File

@@ -35,9 +35,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
# Generate jobs for testing CoCo on non-TEE environments
@@ -52,6 +50,9 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -91,9 +92,6 @@ jobs:
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
@@ -141,6 +139,13 @@ jobs:
timeout-minutes: 300
run: bash tests/stability/gha-stability-run.sh run-tests
- name: Refresh OIDC token in case access token expired
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
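Review bot: as in the AKS workflow, the `Refresh OIDC token` step lacks `if: always()` while `Delete AKS cluster` has it, so a failed stability run skips the refresh and attempts cleanup with a login that may well have expired during the 300-minute test step; add `if: always()` here too.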

View File

@@ -2,11 +2,6 @@ name: CI | Run kata coco tests
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
@@ -40,216 +35,179 @@ on:
required: true
ITA_KEY:
required: true
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "The suffix of the kata tarball to use"
required: false
type: string
registry:
description: "The oci container registry to install kata-deploy from"
required: true
type: string
repo:
description: "The oci container repository/image to install kata-deploy from"
required: true
type: string
tag:
description: "The oci container image tag to install kata-deploy using"
required: true
type: string
pr-number:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: true
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
contents: read
id-token: write
permissions: {}
jobs:
# run-k8s-tests-on-tdx:
# strategy:
# fail-fast: false
# matrix:
# vmm:
# - qemu-tdx
# snapshotter:
# - nydus
# pull-type:
# - guest-pull
# runs-on: tdx
# env:
# DOCKER_REGISTRY: ${{ inputs.registry }}
# DOCKER_REPO: ${{ inputs.repo }}
# DOCKER_TAG: ${{ inputs.tag }}
# GH_PR_NUMBER: ${{ inputs.pr-number }}
# KATA_HYPERVISOR: ${{ matrix.vmm }}
# KUBERNETES: "vanilla"
# USING_NFD: "true"
# KBS: "true"
# K8S_TEST_HOST_TYPE: "baremetal"
# KBS_INGRESS: "nodeport"
# SNAPSHOTTER: ${{ matrix.snapshotter }}
# PULL_TYPE: ${{ matrix.pull-type }}
# AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# ITA_KEY: ${{ secrets.ITA_KEY }}
# AUTO_GENERATE_POLICY: "yes"
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# ref: ${{ inputs.commit-hash }}
# fetch-depth: 0
# persist-credentials: false
run-k8s-tests-on-tdx:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-tdx
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: tdx
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla"
USING_NFD: "true"
KBS: "true"
K8S_TEST_HOST_TYPE: "baremetal"
KBS_INGRESS: "nodeport"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
ITA_KEY: ${{ secrets.ITA_KEY }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
# - name: Rebase atop of the latest target branch
# run: |
# ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
# env:
# TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
# - name: Deploy Snapshotter
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
# - name: Deploy Kata
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
# - name: Uninstall previous `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Uninstall previous `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
# - name: Deploy CoCo KBS
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
# - name: Install `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
# - name: Deploy CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
# - name: Run tests
# timeout-minutes: 100
# run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Run tests
timeout-minutes: 100
run: bash tests/integration/kubernetes/gha-run.sh run-tests
# - name: Delete kata-deploy
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
# - name: Delete Snapshotter
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# - name: Delete CoCo KBS
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CoCo KBS
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# - name: Delete CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# run-k8s-tests-sev-snp:
# strategy:
# fail-fast: false
# matrix:
# vmm:
# - qemu-snp
# snapshotter:
# - nydus
# pull-type:
# - guest-pull
# runs-on: sev-snp
# env:
# DOCKER_REGISTRY: ${{ inputs.registry }}
# DOCKER_REPO: ${{ inputs.repo }}
# DOCKER_TAG: ${{ inputs.tag }}
# GH_PR_NUMBER: ${{ inputs.pr-number }}
# KATA_HYPERVISOR: ${{ matrix.vmm }}
# KUBECONFIG: /home/kata/.kube/config
# KUBERNETES: "vanilla"
# USING_NFD: "false"
# KBS: "true"
# KBS_INGRESS: "nodeport"
# K8S_TEST_HOST_TYPE: "baremetal"
# SNAPSHOTTER: ${{ matrix.snapshotter }}
# PULL_TYPE: ${{ matrix.pull-type }}
# AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# AUTO_GENERATE_POLICY: "yes"
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# ref: ${{ inputs.commit-hash }}
# fetch-depth: 0
# persist-credentials: false
run-k8s-tests-sev-snp:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-snp
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: sev-snp
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBECONFIG: /home/kata/.kube/config
KUBERNETES: "vanilla"
USING_NFD: "false"
KBS: "true"
KBS_INGRESS: "nodeport"
K8S_TEST_HOST_TYPE: "baremetal"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
# - name: Rebase atop of the latest target branch
# run: |
# ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
# env:
# TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
# - name: Deploy Snapshotter
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
# - name: Deploy Kata
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
# - name: Uninstall previous `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Uninstall previous `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
# - name: Deploy CoCo KBS
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
# - name: Install `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
# - name: Deploy CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
# - name: Run tests
# timeout-minutes: 50
# run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Run tests
timeout-minutes: 50
run: bash tests/integration/kubernetes/gha-run.sh run-tests
# - name: Delete kata-deploy
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
# - name: Delete Snapshotter
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# - name: Delete CoCo KBS
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CoCo KBS
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# - name: Delete CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# Generate jobs for testing CoCo on non-TEE environments
run-k8s-tests-coco-nontee:
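Review bot: among the cleanup steps of this job, `Delete CSI driver` is the only one without `if: always()` (it carries `timeout-minutes: 5` where `Delete kata-deploy`, `Delete Snapshotter` and `Delete CoCo KBS` carry `if: always()`), so a failing `Run tests` step skips it and leaves the CSI driver deployed on the `sev-snp` bare-metal runner for the next job. Add `if: always()` to that step so the teardown is complete on the failure path as well.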
@@ -263,6 +221,8 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
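Review bot: a job-level `permissions:` block sets every scope that is not listed to `none`, so granting only `id-token: write` here also drops `contents` and `actions` read access for this job's `GITHUB_TOKEN`. The same job hands `github-token: ${{ github.token }}` together with `run-id: ${{ inputs.artifact-run-id }}` to `actions/download-artifact`, and that action documents `actions: read` as required when the artifact comes from another run. Either add `contents: read` and `actions: read` next to `id-token: write`, or say in a comment why they are not needed; the `codegen` job later in this change sets `contents: read # for checkout` explicitly, which is the clearer convention.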
@@ -303,17 +263,11 @@ jobs:
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
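Review bot: the `Download Azure CLI` step (`gha-run.sh install-azure-cli`) sits directly before the kept `Log into the Azure account` step with no replacement, so if it is the step being removed here, `azure/login` now depends on the `az` binary that happens to ship on the `ubuntu-22.04` runner image. Record that assumption in a comment on the login step, since a runner image update or a disk-cleanup step that removes `/opt/az` would break login without an obvious cause.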
@@ -369,6 +323,13 @@ jobs:
if: always()
run: bash tests/integration/kubernetes/gha-run.sh report-tests
- name: Refresh OIDC token in case access token expired
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
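Review bot: the new `Refresh OIDC token in case access token expired` step has no `if:` condition, so it runs only when every earlier step succeeded, while the `Delete AKS cluster` step right after it has `if: always()`. On the path the refresh exists for, a long test run that ends in failure, the refresh is skipped and the cluster deletion runs with the possibly expired token. Give the refresh step `if: always()` too.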


@@ -29,9 +29,7 @@ on:
AZ_SUBSCRIPTION_ID:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-kata-deploy-tests:
@@ -50,6 +48,8 @@ jobs:
vmm: clh
runs-on: ubuntu-22.04
environment: ci
permissions:
id-token: write # Used for OIDC access to log into Azure
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
@@ -72,9 +72,6 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Download Azure CLI
run: bash tests/functional/kata-deploy/gha-run.sh install-azure-cli
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
@@ -105,6 +102,13 @@ jobs:
- name: Run tests
run: bash tests/functional/kata-deploy/gha-run.sh run-tests
- name: Refresh OIDC token in case access token expired
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()
run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster
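Review bot: the refresh step added here has no `if:` condition and therefore runs only on success, but the `Delete AKS cluster` step it feeds has `if: always()`; after a failed `Run tests` the cleanup still runs with the old token. Add `if: always()` to `Refresh OIDC token in case access token expired`.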


@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-kata-deploy-tests:
@@ -59,6 +58,25 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Remove unnecessary directories to free up space
run: |
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/lib/android
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo rm -rf /usr/lib/jvm
sudo rm -rf /usr/share/swift
sudo rm -rf /usr/local/share/powershell
sudo rm -rf /usr/local/julia*
sudo rm -rf /opt/az
sudo rm -rf /usr/local/share/chromium
sudo rm -rf /opt/microsoft
sudo rm -rf /opt/google
sudo rm -rf /usr/lib/firefox
- name: Deploy ${{ matrix.k8s }}
run: bash tests/functional/kata-deploy/gha-run.sh deploy-k8s
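Review bot: `sudo rm -rf "$AGENT_TOOLSDIRECTORY"` is the only entry in this list that depends on an environment variable, and nothing guards against it being unset; write it as `sudo rm -rf "${AGENT_TOOLSDIRECTORY:?}"` so an empty value fails the step instead of expanding to `rm -rf ""`. It is also worth a comment on the step that the list removes the preinstalled Azure CLI (`/opt/az`), CodeQL and the JVM, so any later step in this job that needs one of them (for example `azure/login` needs `az`) would fail.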


@@ -2,11 +2,6 @@ name: CI | Run kata-monitor tests
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
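Review bot: removing the `artifact-run-id` input from the `workflow_call` trigger breaks any caller that still passes `artifact-run-id:` under `with:`, because GitHub rejects inputs the called workflow does not declare. Update the callers in the same change, and drop the now-unused `description` text only once no caller references it.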
@@ -17,28 +12,8 @@ on:
required: false
type: string
default: ""
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: false
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-monitor:
@@ -78,14 +53,13 @@ jobs:
- name: Install dependencies
run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata


@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-metrics:


@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-runk:
@@ -38,6 +37,8 @@ jobs:
- name: Install dependencies
run: bash tests/integration/runk/gha-run.sh install-dependencies
env:
GH_TOKEN: ${{ github.token }}
- name: get-kata-tarball
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0


@@ -10,8 +10,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -27,6 +26,6 @@ jobs:
fetch-depth: 0
persist-credentials: false
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
with:
ignore_paths: "**/vendor/**"


@@ -11,8 +11,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -29,7 +28,7 @@ jobs:
persist-credentials: false
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
with:
severity: error
ignore_paths: "**/vendor/**"


@@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
stale:


@@ -6,8 +6,7 @@ on:
- reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@@ -7,8 +7,7 @@ on:
- synchronize
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -150,3 +149,36 @@ jobs:
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
uses: ./.github/workflows/govulncheck.yaml
codegen:
runs-on: ubuntu-22.04
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
permissions:
contents: read # for checkout
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: generate
run: make -C src/agent generate-protocols
- name: check for diff
run: |
diff=$(git diff)
if [[ -z "${diff}" ]]; then
echo "No diff detected."
exit 0
fi
cat << EOF >> "${GITHUB_STEP_SUMMARY}"
Run \`make -C src/agent generate-protocols\` to update protobuf bindings.
\`\`\`diff
${diff}
\`\`\`
EOF
echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
exit 1
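Review bot: `diff=$(git diff)` only reports modifications to tracked files, so if `make -C src/agent generate-protocols` produces a binding file that is not yet committed, the untracked file is ignored and the check passes. Use `git add -A && git diff --cached` (or `git status --porcelain`) for the emptiness test so new files are caught as well. Also bound the output appended to `${GITHUB_STEP_SUMMARY}`, which GitHub caps at 1024 KiB per step; a full regenerated-bindings diff can exceed that and the summary is then dropped, leaving only the `::error::` line.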


@@ -2,11 +2,9 @@ name: GHA security analysis
on:
push:
branches: ["main"]
pull_request:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -27,3 +25,5 @@ jobs:
- name: Run zizmor
uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
with:
persona: auditor
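Review bot: `persona: auditor` enables every zizmor audit, including the informational ones the default persona suppresses, so expect new findings on workflows that passed before. If this job is meant to block merges, say so in a comment and consider a minimum severity or confidence threshold so that purely informational results do not fail the check.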


@@ -42,7 +42,7 @@ generate-protocols:
# Some static checks rely on generated source files of components.
static-checks: static-checks-build
bash tests/static-checks.sh github.com/kata-containers/kata-containers
bash tests/static-checks.sh
docs-url-alive-check:
bash ci/docs-url-alive-check.sh
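Review bot: the repository argument `github.com/kata-containers/kata-containers` is dropped from the `static-checks` recipe; confirm that `tests/static-checks.sh` no longer reads `$1` (or derives the module path itself) in the same change, otherwise the target now runs with an empty argument and may silently check nothing.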


@@ -1 +1 @@
3.18.0
3.21.0


@@ -306,7 +306,7 @@ tarball to the newly created VM that will be used for debugging purposes.
> [!NOTE]
> Those artifacts are only available (for 15 days) when all jobs are finished.
Once you have the `kata-static.tar.xz` in your VM, you can login to the VM with
Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with
`kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch
```bash
@@ -323,15 +323,15 @@ $ git config --global user.name "Your Name"
$ git rebase upstream/main
```
Now copy the `kata-static.tar.xz` into your `kata-containers/kata-artifacts` directory
Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory
```bash
$ mkdir kata-artifacts
$ cp ../kata-static.tar.xz kata-artifacts/
$ cp ../kata-static.tar.zst kata-artifacts/
```
> [!NOTE]
> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.xz`
> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst`
And finally run the tests following what's in the yaml file for the test you're
debugging.
@@ -363,11 +363,11 @@ and have fun debugging and hacking!
Steps for debugging the Kubernetes tests are very similar to the ones for
debugging non-Kubernetes tests, with the caveat that what you'll need, this
time, is not the `kata-static.tar.xz` tarball, but rather a payload to be used
time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used
with kata-deploy.
In order to generate your own kata-deploy image you can generate your own
`kata-static.tar.xz` and then take advantage of the following script. Be aware
`kata-static.tar.zst` and then take advantage of the following script. Be aware
that the image generated and uploaded must be accessible by the VM where you'll
be performing your tests.


@@ -116,33 +116,44 @@ az network vnet subnet update \
for NODE_NAME in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do [[ "${NODE_NAME}" =~ 'worker' ]] && kubectl label node "${NODE_NAME}" node.kubernetes.io/worker=; done
# CAA artifacts
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
if [[ -z "${CAA_TAG}" ]]; then
if [[ -n "${CAA_IMAGE}" ]]; then
echo "CAA_IMAGE (${CAA_IMAGE}) is set but CAA_TAG isn't, which is not supported. Please specify both or none"
exit 1
fi
TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
fi
if [[ -z "${CAA_IMAGE}" ]]; then
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
fi
# Get latest PP image
SUCCESS_TIME=$(curl -s \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
| jq -r '.workflow_runs[0].updated_at')
PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
if [[ -z "${PP_IMAGE_ID}" ]]; then
SUCCESS_TIME=$(curl -s \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
| jq -r '.workflow_runs[0].updated_at')
PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
fi
echo "AZURE_REGION: \"${AZURE_REGION}\""
echo "PP_REGION: \"${PP_REGION}\""
echo "AZURE_RESOURCE_GROUP: \"${AZURE_RESOURCE_GROUP}\""
echo "PP_RESOURCE_GROUP: \"${PP_RESOURCE_GROUP}\""
echo "PP_SUBNET_ID: \"${PP_SUBNET_ID}\""
echo "CAA_TAG: \"${CAA_TAG}\""
echo "PP_IMAGE_ID: \"${PP_IMAGE_ID}\""
echo "AZURE_REGION=\"${AZURE_REGION}\""
echo "PP_REGION=\"${PP_REGION}\""
echo "AZURE_RESOURCE_GROUP=\"${AZURE_RESOURCE_GROUP}\""
echo "PP_RESOURCE_GROUP=\"${PP_RESOURCE_GROUP}\""
echo "PP_SUBNET_ID=\"${PP_SUBNET_ID}\""
echo "CAA_IMAGE=\"${CAA_IMAGE}\""
echo "CAA_TAG=\"${CAA_TAG}\""
echo "PP_IMAGE_ID=\"${PP_IMAGE_ID}\""
# Clone and configure caa
git clone --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
git clone --revision "${CAA_GIT_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
pushd cloud-api-adaptor
git sparse-checkout init --cone
git sparse-checkout set src/cloud-api-adaptor/install/
git checkout
echo "CAA_GIT_SHA: \"$(git rev-parse HEAD)\""
echo "CAA_GIT_SHA=\"$(git rev-parse HEAD)\""
pushd src/cloud-api-adaptor
cat <<EOF > install/overlays/azure/workload-identity.yaml
apiVersion: apps/v1
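Review bot: `git clone --revision "${CAA_GIT_SHA:-main}"` requires Git 2.49 or newer, where the `--revision` option was introduced, so this script now needs a runner with that version or a fallback such as `git fetch --depth 1 origin "${CAA_GIT_SHA}" && git checkout FETCH_HEAD`. Separately, the two `curl` calls to quay.io and api.github.com carry no `-f`, so an HTTP error leaves `TAGS` and `SUCCESS_TIME` holding an error body, the following `jq` yields an empty or `null` value, and `CAA_TAG` / `PP_IMAGE_ID` are echoed as if they were valid; add `-fsS` to both and check the result before using it.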
@@ -208,12 +219,12 @@ echo "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" >> install/overlays/azure/serv
echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}" >> install/overlays/azure/service-principal.env
# Deploy Operator
git clone --depth 1 --no-checkout https://github.com/confidential-containers/operator
git clone --revision "${OPERATOR_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/operator
pushd operator
git sparse-checkout init --cone
git sparse-checkout set "config/"
git checkout
echo "OPERATOR_SHA: \"$(git rev-parse HEAD)\""
echo "OPERATOR_SHA=\"$(git rev-parse HEAD)\""
oc apply -k "config/release"
oc apply -k "config/samples/ccruntime/peer-pods"
popd
@@ -227,7 +238,7 @@ popd
SECONDS=0
( while [[ "${SECONDS}" -lt 360 ]]; do
kubectl get runtimeclass | grep -q kata-remote && exit 0
done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; }
done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo "kubectl -n confidential-containers-system describe all"; kubectl -n confidential-containers-system describe all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; }
################
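Review bot: the error message on the changed line still says `not initialized in 60s` while the loop waits for up to 360 seconds (`SECONDS -lt 360`); update the text to match. The loop body also has no `sleep`, so `kubectl get runtimeclass` is polled as fast as the API server answers for those six minutes; a `sleep 5` in the body is enough. The added `describe all` output is useful, but it is printed before the DaemonSet logs, so consider `--tail` on the three `logs` calls or the summary is dominated by them.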


@@ -89,16 +89,16 @@ However, if any of these components are absent, they must be built from the
$ # Assume that the project is cloned at $GOPATH/src/github.com/kata-containers
$ cd $GOPATH/src/github.com/kata-containers/kata-containers
$ make rootfs-initrd-confidential-tarball
$ tar -tf build/kata-static-kernel-confidential.tar.xz | grep vmlinuz
$ tar --zstd -tf build/kata-static-kernel-confidential.tar.zst | grep vmlinuz
./opt/kata/share/kata-containers/vmlinuz-confidential.container
./opt/kata/share/kata-containers/vmlinuz-6.7-136-confidential
$ kernel_version=6.7-136
$ tar -tf build/kata-static-rootfs-initrd-confidential.tar.xz | grep initrd
$ tar --zstd -tf build/kata-static-rootfs-initrd-confidential.tar.zst | grep initrd
./opt/kata/share/kata-containers/kata-containers-initrd-confidential.img
./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ mkdir artifacts
$ tar -xvf build/kata-static-kernel-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
$ tar -xvf build/kata-static-rootfs-initrd-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ tar --zstd -xvf build/kata-static-kernel-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
$ tar --zstd -xvf build/kata-static-rootfs-initrd-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
$ ls artifacts/opt/kata/share/kata-containers/
kata-ubuntu-20.04-confidential.initrd vmlinuz-${kernel_version}-confidential
```
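Review bot: `tar --zstd` needs GNU tar 1.31 or newer built with zstd support and the `zstd` binary on `PATH`; since this section is for readers reproducing the build by hand, state that requirement once before the first `--zstd` invocation, or use `zstd -dc build/kata-static-kernel-confidential.tar.zst | tar -t`, which works with any tar.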
@@ -190,8 +190,8 @@ can be easily accomplished by issuing the following make target:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers
$ mkdir hkd_dir && cp $host_key_document hkd_dir
$ HKD_PATH=hkd_dir SE_KERNEL_PARAMS="agent.log=debug" make boot-image-se-tarball
$ ls build/kata-static-boot-image-se.tar.xz
build/kata-static-boot-image-se.tar.xz
$ ls build/kata-static-boot-image-se.tar.zst
build/kata-static-boot-image-se.tar.zst
```
`SE_KERNEL_PARAMS` could be used to add any extra kernel parameters. If no additional kernel configuration is required, this can be omitted.
@@ -344,18 +344,18 @@ $ make virtiofsd-tarball
$ make shim-v2-tarball
$ mkdir kata-artifacts
$ build_dir=$(readlink -f build)
$ cp -r $build_dir/*.tar.xz kata-artifacts
$ cp -r $build_dir/*.tar.zst kata-artifacts
$ ls -1 kata-artifacts
kata-static-agent.tar.xz
kata-static-boot-image-se.tar.xz
kata-static-coco-guest-components.tar.xz
kata-static-kernel-confidential-modules.tar.xz
kata-static-kernel-confidential.tar.xz
kata-static-pause-image.tar.xz
kata-static-qemu.tar.xz
kata-static-rootfs-initrd-confidential.tar.xz
kata-static-shim-v2.tar.xz
kata-static-virtiofsd.tar.xz
kata-static-agent.tar.zst
kata-static-boot-image-se.tar.zst
kata-static-coco-guest-components.tar.zst
kata-static-kernel-confidential-modules.tar.zst
kata-static-kernel-confidential.tar.zst
kata-static-pause-image.tar.zst
kata-static-qemu.tar.zst
kata-static-rootfs-initrd-confidential.tar.zst
kata-static-shim-v2.tar.zst
kata-static-virtiofsd.tar.zst
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
```
@@ -369,7 +369,7 @@ command before running `kata-deploy-merge-builds.sh`:
$ make rootfs-image-tarball
```
At this point, you should have an archive file named `kata-static.tar.xz` at the project root,
At this point, you should have an archive file named `kata-static.tar.zst` at the project root,
which will be used to build a payload image. If you are using a local container registry at
`localhost:5000`, proceed with the following:
@@ -381,7 +381,7 @@ Build and push a payload image with the name `localhost:5000/build-kata-deploy`
`latest` using the following:
```
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.xz localhost:5000/build-kata-deploy latest
$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.zst localhost:5000/build-kata-deploy latest
... logs ...
Pushing the image localhost:5000/build-kata-deploy:latest to the registry
The push refers to repository [localhost:5000/build-kata-deploy]


@@ -32,11 +32,24 @@ Kubernetes users can encode in `base64` format their Policy documents, and add t
### Encode a Policy file
For example, the [`allow-all-except-exec-process.rego`](../../src/kata-opa/allow-all-except-exec-process.rego) sample policy file is different from the [default Policy](../../src/kata-opa/allow-all.rego) because it rejects any `ExecProcess` requests. You can encode this policy file:
For example, the [`allow-all-except-exec-process.rego`](../../src/kata-opa/allow-all-except-exec-process.rego) sample policy file is different from the [default Policy](../../src/kata-opa/allow-all.rego) because it rejects any `ExecProcess` requests. To encode this policy file, you need to:
- Embed the policy inside an init data struct
- Compress
- Base64 encode
For example:
```bash
$ base64 -w 0 allow-all-except-exec-process.rego
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
$ STRING="$(< allow-all-except-exec-process.rego)"
$ cat <<EOF | gzip -c | base64 -w0
version = "0.1.0"
algorithm = "sha256"
[data]
"policy.rego" = '''
$STRING
'''
EOF
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
```
### Attach the Policy to a pod
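Review bot: the bullet list says "Compress" without naming the algorithm, while the command uses `gzip -c`; say "gzip compress" so readers do not pick a different compressor that the agent cannot decode. The TOML fragment wraps the policy in a `'''` multi-line literal string, which breaks for any policy that itself contains `'''`, and neither the `version = "0.1.0"` field, the `algorithm = "sha256"` field nor the `"policy.rego"` key under `[data]` is explained; one sentence each on what the agent does with them would make the example reproducible for policies other than the sample.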
@@ -49,7 +62,7 @@ kind: Pod
metadata:
name: policy-exec-rejected
annotations:
io.katacontainers.config.agent.policy: 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
io.katacontainers.config.hypervisor.cc_init_data: H4sIAAAAAAAAA42UTW/TQBCG7/4Vq/QQOCQKQXCo1ENIAkRqiGWnpBJCaGKP7RXrXTM7DnV/PRMiVUh07R582J3H8/XO7AnJa2fVjRrNpm+ms1EEpnSkuarPd76C+bv3oyj6lgPD92jUOKOzbkpYupEA4/E4ulJL13Sky4rVq+y1ms/mb9VWZ+S8K1iM1DgClijRlcBpvLqf3OoMrcfJJkfLutBI12rRQFbhZD6dCRfJ4SeUqOSz/OMSNopyLKA1rBZ5vkjiLyhBj458gr9a9KyubxRTi/9i6W9oQualcR5TzrUNElLZR20waCcExqWzDNoi9WMp2PzoHkLQSi7JdQPUJ+QtMuksWLQQu912fZK+BZHz7QolaRN0c6s9bywjFZBhL5W4lsPEFuvPjhvTlh+6mNwx2MudNdLDZXwnf4SYGFo/3O64NWZTy+SEgAQhT1lECQZKsHan4UgXLGUw+FWTzHjh0woIt661HGxJgh4xT0RoV6/w1IO19XAOKfJFTxmxva6DRQsX/12jIKBLC0Y0Er2DuUutxMM5nak9QaZt2cOwf4En1ww42nN3OK+w14/B4u+a/CWLesHWTYU1Eph+GS/w0470Y/1LcgDNA40/yKOMzw/tE7N+wOx/NwUYj9H5qf4DsX93tO4FAAA=
spec:
runtimeClassName: kata
containers:
@@ -66,7 +79,7 @@ Create the pod:
$ kubectl apply -f pod1.yaml
```
While creating the Pod sandbox, the Kata Shim will notice the `io.katacontainers.config.agent.policy` annotation and will send the Policy document to the Kata Agent - by sending a `SetPolicy` request. Note that this request will fail if the default Policy, included in the Guest image, doesn't allow this `SetPolicy` request. If the `SetPolicy` request is rejected by the Guest, the Kata Shim will fail to start the Pod sandbox.
While creating the Pod sandbox, the Kata Shim will notice the `io.katacontainers.config.hypervisor.cc_init_data` annotation and will create the init data device on the host and mount it on the guest as a block device. The agent then reads the init data struct from this device and sets the policy if present.
# How is the Policy being enforced?
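Review bot: the replacement paragraph drops the failure-mode sentence of the old one. The old text told readers that `SetPolicy` is refused when the guest's built-in policy disallows it and that the sandbox then fails to start; the new text only says the agent "sets the policy if present". State what happens when the init data device cannot be read or the embedded policy is rejected, and whether the init data content is verified against anything before the policy is applied, since the annotation value is supplied by the host.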

318
src/agent/Cargo.lock generated

@@ -508,6 +508,15 @@ dependencies = [
"wyz",
]
[[package]]
name = "block-buffer"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
dependencies = [
"generic-array",
]
[[package]]
name = "block-buffer"
version = "0.10.4"
@@ -889,6 +898,16 @@ dependencies = [
"typenum",
]
[[package]]
name = "crypto-mac"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714"
dependencies = [
"generic-array",
"subtle",
]
[[package]]
name = "darling"
version = "0.14.4"
@@ -958,6 +977,19 @@ dependencies = [
"syn 2.0.101",
]
[[package]]
name = "dashmap"
version = "5.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856"
dependencies = [
"cfg-if",
"hashbrown 0.14.5",
"lock_api",
"once_cell",
"parking_lot_core",
]
[[package]]
name = "deranged"
version = "0.4.0"
@@ -1020,13 +1052,22 @@ dependencies = [
"syn 2.0.101",
]
[[package]]
name = "digest"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
dependencies = [
"generic-array",
]
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"block-buffer 0.10.4",
"crypto-common",
]
@@ -1479,6 +1520,12 @@ dependencies = [
"ahash 0.7.8",
]
[[package]]
name = "hashbrown"
version = "0.14.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
[[package]]
name = "hashbrown"
version = "0.15.3"
@@ -1524,6 +1571,16 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hmac"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b"
dependencies = [
"crypto-mac",
"digest 0.9.0",
]
[[package]]
name = "home"
version = "0.5.9"
@@ -1854,6 +1911,17 @@ dependencies = [
"windows-sys 0.48.0",
]
[[package]]
name = "io-uring"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b86e202f00093dcba4275d4636b93ef9dd75d025ae560d2521b45ea28ab49013"
dependencies = [
"bitflags 2.9.0",
"cfg-if",
"libc",
]
[[package]]
name = "iovec"
version = "0.1.4"
@@ -1996,16 +2064,16 @@ dependencies = [
"libc",
"log",
"logging",
"mem-agent",
"mem-agent-lib",
"netlink-packet-core",
"netlink-packet-route",
"netlink-sys 0.7.0",
"nix 0.24.3",
"nix 0.26.4",
"oci-spec",
"opentelemetry",
"procfs 0.12.0",
"prometheus",
"protobuf 3.7.2",
"protobuf",
"protocols",
"regex",
"rstest",
@@ -2019,7 +2087,7 @@ dependencies = [
"serde",
"serde_json",
"serial_test",
"sha2",
"sha2 0.10.9",
"slog",
"slog-scope",
"slog-stdlog",
@@ -2069,7 +2137,7 @@ dependencies = [
"lazy_static",
"libc",
"mockall",
"nix 0.24.3",
"nix 0.26.4",
"oci-spec",
"once_cell",
"pci-ids",
@@ -2103,7 +2171,7 @@ dependencies = [
"serde",
"serde-enum-str",
"serde_json",
"sha2",
"sha2 0.10.9",
"slog",
"slog-scope",
"sysinfo",
@@ -2180,6 +2248,23 @@ version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"
[[package]]
name = "libsystemd"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6f4f0b5b062ba67aa075e331de778082c09e66b5ef32970ea5a1e9c37c9555d1"
dependencies = [
"hmac",
"libc",
"log",
"nix 0.23.2",
"once_cell",
"serde",
"sha2 0.9.9",
"thiserror 1.0.69",
"uuid 0.8.2",
]
[[package]]
name = "libz-sys"
version = "1.1.22"
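Review bot: the new `libsystemd 0.4.1` entry, apparently pulled in by `slog-journald` in the `logging` dependency list below, brings a second, older crypto stack into the agent build: `hmac 0.11.0`, `crypto-mac 0.11.1`, `digest 0.9.0`, `sha2 0.9.9` and `block-buffer 0.9.0` now sit beside the existing `digest 0.10.7` and `sha2 0.10.9`, along with `nix 0.23.2` and `uuid 0.8.2`. Since this is the guest agent, run `cargo deny` / `cargo audit` against the updated lockfile to confirm none of these pinned versions carries an advisory, and note in the PR whether journald logging justifies the extra surface.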
@@ -2243,11 +2328,18 @@ dependencies = [
"serde_json",
"slog",
"slog-async",
"slog-journald",
"slog-json",
"slog-scope",
"slog-term",
]
[[package]]
name = "maplit"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
[[package]]
name = "matchers"
version = "0.0.1"
@@ -2258,14 +2350,14 @@ dependencies = [
]
[[package]]
name = "mem-agent"
version = "0.1.0"
name = "mem-agent-lib"
version = "0.2.0"
dependencies = [
"anyhow",
"async-trait",
"chrono",
"lazy_static",
"nix 0.23.2",
"maplit",
"nix 0.30.1",
"page_size",
"slog",
"slog-scope",
@@ -2507,6 +2599,18 @@ dependencies = [
"libc",
]
[[package]]
name = "nix"
version = "0.30.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
dependencies = [
"bitflags 2.9.0",
"cfg-if",
"cfg_aliases",
"libc",
]
[[package]]
name = "nom"
version = "7.1.3"
@@ -2686,6 +2790,12 @@ version = "1.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
[[package]]
name = "opaque-debug"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "opentelemetry"
version = "0.14.0"
@@ -2738,17 +2848,6 @@ version = "2.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
[[package]]
name = "parking_lot"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d17b78036a60663b797adeaee46f5c9dfebb86948d1255007a1d6be0271ff99"
dependencies = [
"instant",
"lock_api",
"parking_lot_core 0.8.6",
]
[[package]]
name = "parking_lot"
version = "0.12.3"
@@ -2756,21 +2855,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
dependencies = [
"lock_api",
"parking_lot_core 0.9.10",
]
[[package]]
name = "parking_lot_core"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "60a2cfe6f0ad2bfc16aefa463b497d5c7a5ecd44a23efa72aa342d90177356dc"
dependencies = [
"cfg-if",
"instant",
"libc",
"redox_syscall 0.2.16",
"smallvec",
"winapi",
"parking_lot_core",
]
[[package]]
@@ -2781,7 +2866,7 @@ checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8"
dependencies = [
"cfg-if",
"libc",
"redox_syscall 0.5.12",
"redox_syscall",
"smallvec",
"windows-targets 0.52.6",
]
@@ -3072,22 +3157,21 @@ dependencies = [
[[package]]
name = "procfs"
version = "0.16.0"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "731e0d9356b0c25f16f33b5be79b1c57b562f141ebfcdb0ad8ac2c13a24293b4"
checksum = "cc5b72d8145275d844d4b5f6d4e1eef00c8cd889edb6035c21675d1bb1f45c9f"
dependencies = [
"bitflags 2.9.0",
"hex",
"lazy_static",
"procfs-core",
"rustix 0.38.44",
]
[[package]]
name = "procfs-core"
version = "0.16.0"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2d3554923a69f4ce04c4a754260c338f505ce22642d3830e049a399fc2059a29"
checksum = "239df02d8349b06fc07398a3a1697b06418223b1c7725085e801e7c0fc6a12ec"
dependencies = [
"bitflags 2.9.0",
"hex",
@@ -3095,19 +3179,19 @@ dependencies = [
[[package]]
name = "prometheus"
version = "0.13.4"
version = "0.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d33c28a30771f7f96db69893f78b857f7450d7e0237e9c8fc6427a81bae7ed1"
checksum = "3ca5326d8d0b950a9acd87e6a3f94745394f62e4dae1b1ee22b2bc0c394af43a"
dependencies = [
"cfg-if",
"fnv",
"lazy_static",
"libc",
"memchr",
"parking_lot 0.12.3",
"procfs 0.16.0",
"protobuf 2.28.0",
"thiserror 1.0.69",
"parking_lot",
"procfs 0.17.0",
"protobuf",
"thiserror 2.0.12",
]
[[package]]
@@ -3161,12 +3245,6 @@ dependencies = [
"prost",
]
[[package]]
name = "protobuf"
version = "2.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
[[package]]
name = "protobuf"
version = "3.7.2"
@@ -3178,15 +3256,6 @@ dependencies = [
"thiserror 1.0.69",
]
[[package]]
name = "protobuf-codegen"
version = "2.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "033460afb75cf755fcfc16dfaed20b86468082a2ea24e05ac35ab4a099a017d6"
dependencies = [
"protobuf 2.28.0",
]
[[package]]
name = "protobuf-codegen"
version = "3.7.2"
@@ -3195,7 +3264,7 @@ checksum = "5d3976825c0014bbd2f3b34f0001876604fe87e0c86cd8fa54251530f1544ace"
dependencies = [
"anyhow",
"once_cell",
"protobuf 3.7.2",
"protobuf",
"protobuf-parse",
"regex",
"tempfile",
@@ -3211,7 +3280,7 @@ dependencies = [
"anyhow",
"indexmap 2.9.0",
"log",
"protobuf 3.7.2",
"protobuf",
"protobuf-support",
"tempfile",
"thiserror 1.0.69",
@@ -3233,7 +3302,7 @@ version = "0.1.0"
dependencies = [
"async-trait",
"oci-spec",
"protobuf 3.7.2",
"protobuf",
"serde",
"serde_json",
"ttrpc",
@@ -3311,15 +3380,6 @@ dependencies = [
"getrandom 0.2.16",
]
[[package]]
name = "redox_syscall"
version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
dependencies = [
"bitflags 1.3.2",
]
[[package]]
name = "redox_syscall"
version = "0.5.12"
@@ -3369,7 +3429,7 @@ dependencies = [
"ahash 0.8.12",
"fluent-uri 0.3.2",
"once_cell",
"parking_lot 0.12.3",
"parking_lot",
"percent-encoding",
"serde_json",
]
@@ -3500,7 +3560,7 @@ dependencies = [
"rkyv_derive",
"seahash",
"tinyvec",
"uuid",
"uuid 1.16.0",
]
[[package]]
@@ -3669,10 +3729,10 @@ dependencies = [
"lazy_static",
"libc",
"libseccomp",
"nix 0.24.3",
"nix 0.26.4",
"oci-spec",
"path-absolutize",
"protobuf 3.7.2",
"protobuf",
"protocols",
"regex",
"rlimit",
@@ -3882,20 +3942,23 @@ dependencies = [
[[package]]
name = "serial_test"
version = "0.5.1"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e0bccbcf40c8938196944a3da0e133e031a33f4d6b72db3bda3cc556e361905d"
checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
dependencies = [
"dashmap",
"futures",
"lazy_static",
"parking_lot 0.11.2",
"log",
"parking_lot",
"serial_test_derive",
]
[[package]]
name = "serial_test_derive"
version = "0.5.1"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b2acd6defeddb41eb60bb468f8825d0cfd0c2a76bc03bfd235b6a1dc4f6a1ad5"
checksum = "b64f9e531ce97c88b4778aad0ceee079216071cffec6ac9b904277f8f92e7fe3"
dependencies = [
"proc-macro2",
"quote",
@@ -3910,7 +3973,20 @@ checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
"digest 0.10.7",
]
[[package]]
name = "sha2"
version = "0.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
dependencies = [
"block-buffer 0.9.0",
"cfg-if",
"cpufeatures",
"digest 0.9.0",
"opaque-debug",
]
[[package]]
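Review bot: the added `sha2 0.9.9` package (with `block-buffer 0.9.0`, `digest 0.9.0` and `opaque-debug`) now sits beside the existing sha2 that depends on `digest 0.10.7`, so two generations of the RustCrypto hash stack are compiled into the agent. The dependency that pulls in sha2 0.9 is not visible in this hunk; it is worth identifying it and checking whether a release built on sha2 0.10 exists before this lands, since duplicate crypto crates enlarge the audit surface and the binary for no functional gain.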
@@ -3921,7 +3997,7 @@ checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
"digest 0.10.7",
]
[[package]]
@@ -3962,12 +4038,9 @@ checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d"
[[package]]
name = "slab"
version = "0.4.9"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
dependencies = [
"autocfg",
]
checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
[[package]]
name = "slash-formatter"
@@ -3993,6 +4066,16 @@ dependencies = [
"thread_local",
]
[[package]]
name = "slog-journald"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "83e14eb8c2f5d0c8fc9fbac40e6391095e4dc5cb334f7dce99c75cb1919eb39c"
dependencies = [
"libsystemd",
"slog",
]
[[package]]
name = "slog-json"
version = "2.6.1"
@@ -4132,6 +4215,12 @@ dependencies = [
"winapi",
]
[[package]]
name = "subtle"
version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
[[package]]
name = "syn"
version = "1.0.109"
@@ -4233,7 +4322,7 @@ checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
name = "test-utils"
version = "0.1.0"
dependencies = [
"nix 0.24.3",
"nix 0.26.4",
]
[[package]]
@@ -4344,17 +4433,19 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
version = "1.45.0"
version = "1.46.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2513ca694ef9ede0fb23fe71a4ee4107cb102b9dc1930f6d0fd77aae068ae165"
checksum = "0cc3a2344dafbe23a245241fe8b09735b521110d30fcefbbd5feb1797ca35d17"
dependencies = [
"backtrace",
"bytes 1.10.1",
"io-uring",
"libc",
"mio",
"parking_lot 0.12.3",
"parking_lot",
"pin-project-lite",
"signal-hook-registry",
"slab",
"socket2 0.5.9",
"tokio-macros",
"windows-sys 0.52.0",
@@ -4580,8 +4671,8 @@ dependencies = [
"libc",
"log",
"nix 0.26.4",
"protobuf 3.7.2",
"protobuf-codegen 3.7.2",
"protobuf",
"protobuf-codegen",
"thiserror 1.0.69",
"tokio",
"tokio-vsock 0.4.0",
@@ -4590,30 +4681,28 @@ dependencies = [
[[package]]
name = "ttrpc-codegen"
version = "0.5.0"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cdc0529f65223eca94fc5830e7d552d0d152ff42b74aff5c641edac39592f41f"
checksum = "0e5c657ef5cea6f6c6073c1be0787ba4482f42a569d4821e467daec795271f86"
dependencies = [
"home",
"protobuf 2.28.0",
"protobuf-codegen 3.7.2",
"protobuf",
"protobuf-codegen",
"protobuf-support",
"ttrpc-compiler",
]
[[package]]
name = "ttrpc-compiler"
version = "0.7.0"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9be3fb2fe509cb9c0099b3b5551b759ae714f2dde56dfc713f2a5bda8c16064a"
checksum = "3aa71f4a44711b3b9cc10ed0c7e239ff0fe4b8e6c900a142fb3bb26401385718"
dependencies = [
"derive-new",
"home",
"prost",
"prost-build",
"prost-types",
"protobuf 2.28.0",
"protobuf-codegen 2.28.0",
"protobuf",
"protobuf-codegen",
"tempfile",
]
@@ -4693,6 +4782,15 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
[[package]]
name = "uuid"
version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
dependencies = [
"serde",
]
[[package]]
name = "uuid"
version = "1.16.0"
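Review bot: the added `uuid 0.8.2` package duplicates the existing `uuid 1.16.0` (which is why consumers in the following hunks are renamed to `uuid 1.16.0`). As with the other version splits in this lock, find which crate still requires uuid 0.8 and consider whether it can be updated so that only one uuid version ships.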
@@ -4706,7 +4804,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23b082222b4f6619906941c17eb2297fff4c2fb96cb60164170522942a200bd8"
dependencies = [
"outref",
"uuid",
"uuid 1.16.0",
"vsimd",
]
@@ -4930,7 +5028,7 @@ version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
dependencies = [
"windows-sys 0.48.0",
"windows-sys 0.59.0",
]
[[package]]

View File

@@ -13,13 +13,14 @@ lazy_static = "1.3.0"
ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
protobuf = "3.7.2"
libc = "0.2.94"
nix = "0.24.2"
# Notes: nix needs to stay in sync with libs
nix = "0.26.4"
capctl = "0.2.0"
scan_fmt = "0.2.6"
scopeguard = "1.0.0"
thiserror = "1.0.26"
regex = "1.10.5"
serial_test = "0.5.1"
serial_test = "0.10.0"
url = "2.5.0"
derivative = "2.2.0"
const_format = "0.2.30"
@@ -30,7 +31,7 @@ async-recursion = "0.3.2"
futures = "0.3.30"
# Async runtime
tokio = { version = "1.44.2", features = ["full"] }
tokio = { version = "1.46.1", features = ["full"] }
tokio-vsock = "0.3.4"
netlink-sys = { version = "0.7.0", features = ["tokio_socket"] }
@@ -49,7 +50,7 @@ slog-stdlog = "4.0.0"
log = "0.4.11"
cfg-if = "1.0.0"
prometheus = { version = "0.13.0", features = ["process"] }
prometheus = { version = "0.14.0", features = ["process"] }
procfs = "0.12.0"
anyhow = "1"
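Review bot: `prometheus` moves to 0.14.0, which (per the lock file above) brings in `procfs 0.17.0`, but the agent's own `procfs = "0.12.0"` on the following line is left as is, so two procfs versions will be compiled. If the agent's procfs usage builds against 0.17, bumping it in the same change would collapse the duplicate; if it cannot, a short comment explaining why the versions diverge would help the next reader.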

View File

@@ -217,4 +217,11 @@ codecov-html: check_tarpaulin
##TARGET generate-protocols: generate/update grpc agent protocols
generate-protocols:
image=$$(docker build -q \
--build-arg GO_VERSION=$$(yq '.languages.golang.version' $(CURDIR)/../../versions.yaml) \
--build-arg PROTOC_VERSION=$$(yq '.externals.protoc.version' $(CURDIR)/../../versions.yaml | grep -oE "[0-9.]+") \
--build-arg PROTOC_GEN_GO_VERSION=$$(yq '.externals.protoc-gen-go.version' $(CURDIR)/../../versions.yaml) \
--build-arg TTRPC_VERSION=$$(yq '.externals.ttrpc.version' $(CURDIR)/../../versions.yaml) \
$(CURDIR)/../../tools/packaging/static-build/codegen) && \
docker run --rm --workdir /kata/src/agent -v $(CURDIR)/../..:/kata --user $(shell id -u) $$image \
../libs/protocols/hack/update-generated-proto.sh all
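Review bot: in the `generate-protocols` recipe the `yq` lookups run inside `$$(...)`, so a missing key or a failing `yq` yields an empty `--build-arg` and `docker build` silently falls back to whatever default the Dockerfile's `ARG` declares, instead of failing the target. Consider checking that each value is non-empty before the build (e.g. a `test -n` guard) and listing the target's prerequisites (docker, yq) in the `##TARGET` comment. Also, `--user $(shell id -u)` sets only the uid; adding `:$(shell id -g)` keeps the regenerated files group-owned by the invoking user rather than by gid 0.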

View File

@@ -32,6 +32,7 @@ use crate::cgroups::{DevicesCgroupInfo, Manager};
use crate::console;
use crate::log_child;
use crate::process::Process;
use crate::process::ProcessOperations;
#[cfg(feature = "seccomp")]
use crate::seccomp;
use crate::selinux;
@@ -261,7 +262,7 @@ pub struct LinuxContainer {
pub init_process_start_time: u64,
pub uid_map_path: String,
pub gid_map_path: String,
pub processes: HashMap<pid_t, Process>,
pub processes: HashMap<String, Process>,
pub status: ContainerStatus,
pub created: SystemTime,
pub logger: Logger,
@@ -933,17 +934,13 @@ impl BaseContainer for LinuxContainer {
}
fn processes(&self) -> Result<Vec<i32>> {
Ok(self.processes.keys().cloned().collect())
Ok(self.processes.values().map(|p| p.pid).collect())
}
fn get_process(&mut self, eid: &str) -> Result<&mut Process> {
for (_, v) in self.processes.iter_mut() {
if eid == v.exec_id.as_str() {
return Ok(v);
}
}
Err(anyhow!("invalid eid {}", eid))
self.processes
.get_mut(eid)
.ok_or_else(|| anyhow!("invalid eid {}", eid))
}
fn stats(&self) -> Result<StatsContainerResponse> {
@@ -967,6 +964,12 @@ impl BaseContainer for LinuxContainer {
async fn start(&mut self, mut p: Process) -> Result<()> {
let logger = self.logger.new(o!("eid" => p.exec_id.clone()));
// Check if exec_id is already in use to prevent collisions
if self.processes.contains_key(p.exec_id.as_str()) {
return Err(anyhow!("exec_id '{}' already exists", p.exec_id));
}
let tty = p.tty;
let fifo_file = format!("{}/{}", &self.root, EXEC_FIFO_FILENAME);
info!(logger, "enter container.start!");
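Review bot: the new `exec_id` collision check in `start` is the right place for it now that `processes` is keyed by exec_id: without it a second process with the same id would silently replace the first in `insert` and `get_process` would return the wrong entry, and the check runs before the FIFO and fork path, so nothing is left behind on rejection. Since `exec_id` is supplied by the caller over ttrpc, a one-line comment stating that this check is what enforces uniqueness of the map key would make the invariant explicit for readers of the `HashMap<String, Process>` declaration above.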
@@ -1235,7 +1238,7 @@ impl BaseContainer for LinuxContainer {
let spec = self.config.spec.as_mut().unwrap();
update_namespaces(&self.logger, spec, p.pid)?;
}
self.processes.insert(p.pid, p);
self.processes.insert(p.exec_id.clone(), p);
info!(logger, "wait on child log handler");
let _ = log_handler
@@ -1261,13 +1264,13 @@ impl BaseContainer for LinuxContainer {
let spec = self.config.spec.as_ref().unwrap();
let st = self.oci_state()?;
for pid in self.processes.keys() {
match signal::kill(Pid::from_raw(*pid), Some(Signal::SIGKILL)) {
for process in self.processes.values() {
match signal::kill(process.pid(), Some(Signal::SIGKILL)) {
Err(Errno::ESRCH) => {
info!(
self.logger,
"kill encounters ESRCH, pid: {}, container: {}",
pid,
process.pid(),
self.id.clone()
);
continue;
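Review bot: this hunk uses the `ProcessOperations::pid()` accessor (hence the new import), while the `processes()` accessor a few hunks above reads the `p.pid` field directly, as do the rpc and sandbox changes in this same series; pick one form within the file for consistency.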
@@ -2084,10 +2087,11 @@ mod tests {
#[tokio::test]
async fn test_linuxcontainer_get_process() {
let _ = new_linux_container_and_then(|mut c: LinuxContainer| {
c.processes.insert(
1,
Process::new(&sl(), &oci::Process::default(), "123", true, 1, None).unwrap(),
);
let process =
Process::new(&sl(), &oci::Process::default(), "123", true, 1, None).unwrap();
let exec_id = process.exec_id.clone();
c.processes.insert(exec_id, process);
let p = c.get_process("123");
assert!(p.is_ok(), "Expecting Ok, Got {:?}", p);
Ok(())

View File

@@ -22,6 +22,8 @@ use protocols::{
};
use safe_path::scoped_join;
use std::fs;
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;
use std::{os::unix::fs::symlink, path::PathBuf};
use tokio::sync::OnceCell;
@@ -235,8 +237,8 @@ pub async fn unseal_file(path: &str) -> Result<()> {
}
let secret_name = entry.file_name();
let contents = fs::read_to_string(&target_path)?;
if contents.starts_with(SEALED_SECRET_PREFIX) {
if content_starts_with_prefix(&target_path, SEALED_SECRET_PREFIX).await? {
let contents = fs::read_to_string(&target_path)?;
// Get the directory name of the sealed secret file
let dir_name = target_path
.parent()
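Review bot: probing only the prefix before deciding whether a file is a sealed secret is a good change: the previous `fs::read_to_string` on every entry loaded each file fully into memory and failed the whole `unseal_file` pass on any non-UTF-8 (e.g. binary) secret, even though such a file can never be a sealed secret. The file is now opened twice (prefix probe, then `read_to_string`); the window between the two opens is harmless here because the second read does not rely on anything derived from the first, but a comment saying the double read is intentional would stop the next reader from "fixing" it.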
@@ -262,6 +264,17 @@ pub async fn unseal_file(path: &str) -> Result<()> {
Ok(())
}
pub async fn content_starts_with_prefix(path: &Path, prefix: &str) -> io::Result<bool> {
let mut file = File::open(path)?;
let mut buffer = vec![0u8; prefix.len()];
match file.read_exact(&mut buffer) {
Ok(()) => Ok(buffer == prefix.as_bytes()),
Err(ref e) if e.kind() == io::ErrorKind::UnexpectedEof => Ok(false),
Err(e) => Err(e),
}
}
pub async fn secure_mount(
volume_type: &str,
options: &std::collections::HashMap<String, String>,
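Review bot: `content_starts_with_prefix` is declared `async` but contains no `.await`: `File::open` and `read_exact` are blocking `std::fs` calls executed on the tokio worker thread. Either drop `async` (and the callers' `.await`) or use `tokio::fs::File` with `AsyncReadExt::read_exact`, so that a read which blocks cannot stall the runtime. Please also add a doc comment stating the return contract the tests rely on: `Ok(false)` for a file shorter than the prefix (the `UnexpectedEof` arm) rather than an error, and `Err` only for genuine I/O failures.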
@@ -294,7 +307,7 @@ mod tests {
use std::fs::File;
use std::io::{Read, Write};
use std::sync::Arc;
use tempfile::tempdir;
use tempfile::{tempdir, NamedTempFile};
use test_utils::skip_if_not_root;
use tokio::signal::unix::{signal, SignalKind};
struct TestService;
@@ -416,4 +429,34 @@ mod tests {
rt.shutdown_background();
std::thread::sleep(std::time::Duration::from_secs(2));
}
#[tokio::test]
async fn test_content_starts_with_prefix() {
// Normal case: content matches the prefix
let mut f = NamedTempFile::new().unwrap();
write!(f, "sealed.hello_world").unwrap();
assert!(content_starts_with_prefix(f.path(), "sealed.")
.await
.unwrap());
// Does not match the prefix
let mut f2 = NamedTempFile::new().unwrap();
write!(f2, "notsealed.hello_world").unwrap();
assert!(!content_starts_with_prefix(f2.path(), "sealed.")
.await
.unwrap());
// File length < prefix.len()
let mut f3 = NamedTempFile::new().unwrap();
write!(f3, "seal").unwrap();
assert!(!content_starts_with_prefix(f3.path(), "sealed.")
.await
.unwrap());
// Empty file
let f4 = NamedTempFile::new().unwrap();
assert!(!content_starts_with_prefix(f4.path(), "sealed.")
.await
.unwrap());
}
}

View File

@@ -202,7 +202,7 @@ macro_rules! config_override {
}
};
($builder:ident, $config:ident, $field:ident, $func: ident) => {
($builder:ident, $config:ident, $field:ident, $func:ident) => {
if let Some(v) = $builder.$field {
$config.$field = $func(&v)?;
}
@@ -661,8 +661,8 @@ impl AgentConfig {
self.server_addr = addr;
}
if let Ok(addr) = env::var(LOG_LEVEL_ENV_VAR) {
if let Ok(level) = logrus_to_slog_level(&addr) {
if let Ok(level) = env::var(LOG_LEVEL_ENV_VAR) {
if let Ok(level) = logrus_to_slog_level(&level) {
self.log_level = level;
}
}

View File

@@ -30,6 +30,7 @@ use nix::unistd::{self, dup, sync, Pid};
use std::env;
use std::ffi::OsStr;
use std::fs::{self, File};
use std::io::ErrorKind;
use std::os::unix::fs::{self as unixfs, FileTypeExt};
use std::os::unix::io::AsRawFd;
use std::path::Path;
@@ -465,8 +466,17 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
_ => vec![],
};
for binary in binaries.iter() {
if !Path::new(binary).exists() {
warn!(logger, "{} not found", binary);
let exists = Path::new(binary)
.try_exists()
.unwrap_or_else(|error| match error.kind() {
ErrorKind::NotFound => {
warn!(logger, "{} not found", binary);
false
}
_ => panic!("Path existence check failed for '{}': {}", binary, error),
});
if !exists {
return false;
}
}
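Review bot: the `ErrorKind::NotFound` arm in the `try_exists` closure is unreachable: `Path::try_exists` already maps a missing path to `Ok(false)` and only returns `Err` for failures such as permission errors, so the `"{} not found"` warning that the old `exists()` branch emitted is no longer logged when an attestation binary is absent, and the function returns false silently. Log the warning on `Ok(false)` instead. Separately, `panic!` on any other error aborts the whole agent where the old code simply treated the binary as unavailable; returning `false` after an `error!` log (or propagating a `Result`) keeps the guest agent up while still surfacing the problem.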

View File

@@ -554,7 +554,7 @@ impl AgentService {
req: protocols::agent::WaitProcessRequest,
) -> Result<protocols::agent::WaitProcessResponse> {
let cid = req.container_id;
let eid = req.exec_id;
let mut eid = req.exec_id;
let mut resp = WaitProcessResponse::new();
info!(
@@ -587,7 +587,7 @@ impl AgentService {
.get_container(&cid)
.ok_or_else(|| anyhow!("Invalid container id"))?;
let p = match ctr.processes.get_mut(&pid) {
let p = match ctr.processes.values_mut().find(|p| p.pid == pid) {
Some(p) => p,
None => {
// Lost race, pick up exit code from channel
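Review bot: with `processes` now keyed by exec_id, the `values_mut().find(|p| p.pid == pid)` scan here (and the `eid = p.exec_id.clone()` reassignment in the next hunk) could be replaced by `ctr.processes.get_mut(&eid)`, since the request already carries `exec_id` and that is what `remove(&eid)` uses further down. If the pid-based lookup is kept because the init process is addressed with an empty `exec_id`, a comment explaining that would make the indirection clear.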
@@ -600,6 +600,8 @@ impl AgentService {
}
};
eid = p.exec_id.clone();
// need to close all fd
// ignore errors for some fd might be closed by stream
p.cleanup_process_stream();
@@ -611,7 +613,7 @@ impl AgentService {
let _ = s.send(p.exit_code).await;
}
ctr.processes.remove(&pid);
ctr.processes.remove(&eid);
Ok(resp)
}
@@ -2670,7 +2672,7 @@ mod tests {
}
linux_container
.processes
.insert(exec_process_id, exec_process);
.insert(exec_process.exec_id.clone(), exec_process);
sandbox.add_container(linux_container);
}

View File

@@ -272,8 +272,10 @@ impl Sandbox {
pub fn find_process(&mut self, pid: pid_t) -> Option<&mut Process> {
for (_, c) in self.containers.iter_mut() {
if let Some(p) = c.processes.get_mut(&pid) {
return Some(p);
for p in c.processes.values_mut() {
if p.pid == pid {
return Some(p);
}
}
}
@@ -286,9 +288,11 @@ impl Sandbox {
.ok_or_else(|| anyhow!(ERR_INVALID_CONTAINER_ID))?;
if eid.is_empty() {
let init_pid = ctr.init_process_pid;
return ctr
.processes
.get_mut(&ctr.init_process_pid)
.values_mut()
.find(|p| p.pid == init_pid)
.ok_or_else(|| anyhow!("cannot find init process!"));
}
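Review bot: the init process is still located by scanning `values_mut()` for `init_process_pid`, and `find_process` above does the same scan for every pid lookup; since the map key is now the exec_id, recording the init process's exec_id next to `init_process_pid` (or keeping a small pid to exec_id index) would restore an O(1) lookup on both paths. Not blocking, as per-container process counts are small.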
@@ -1014,23 +1018,26 @@ mod tests {
linux_container.init_process_pid = 1;
linux_container.id = cid.to_string();
// add init process
linux_container.processes.insert(
1,
Process::new(&logger, &oci::Process::default(), "1", true, 1, None).unwrap(),
);
let mut init_process =
Process::new(&logger, &oci::Process::default(), "1", true, 1, None).unwrap();
init_process.pid = 1;
linux_container
.processes
.insert("1".to_string(), init_process);
// add exec process
linux_container.processes.insert(
123,
Process::new(
&logger,
&oci::Process::default(),
"exec-123",
false,
1,
None,
)
.unwrap(),
);
let mut exec_process = Process::new(
&logger,
&oci::Process::default(),
"exec-123",
false,
1,
None,
)
.unwrap();
exec_process.pid = 123;
linux_container
.processes
.insert("exec-123".to_string(), exec_process);
s.add_container(linux_container);
@@ -1081,8 +1088,8 @@ mod tests {
.unwrap();
// processes interally only have pids when manually set
test_process.pid = test_pid;
linux_container.processes.insert(test_pid, test_process);
let test_exec_id = test_process.exec_id.clone();
linux_container.processes.insert(test_exec_id, test_process);
s.add_container(linux_container);

View File

@@ -143,7 +143,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "190baaad529bcfbde9e1a19022c42781bdb6ff9de25721abdb8fd98c0807730b"
dependencies = [
"libc",
"thiserror",
"thiserror 1.0.48",
]
[[package]]
@@ -266,7 +266,7 @@ dependencies = [
"lazy_static",
"libc",
"nix 0.23.2",
"thiserror",
"thiserror 1.0.48",
"vm-memory",
"vmm-sys-util",
]
@@ -275,7 +275,7 @@ dependencies = [
name = "dbs-allocator"
version = "0.1.1"
dependencies = [
"thiserror",
"thiserror 1.0.48",
]
[[package]]
@@ -285,8 +285,8 @@ dependencies = [
"kvm-bindings",
"kvm-ioctls",
"libc",
"memoffset",
"thiserror",
"memoffset 0.6.5",
"thiserror 1.0.48",
"vm-memory",
"vmm-sys-util",
]
@@ -302,7 +302,7 @@ dependencies = [
"kvm-ioctls",
"lazy_static",
"libc",
"thiserror",
"thiserror 1.0.48",
"vm-fdt",
"vm-memory",
]
@@ -311,7 +311,7 @@ dependencies = [
name = "dbs-device"
version = "0.2.0"
dependencies = [
"thiserror",
"thiserror 1.0.48",
]
[[package]]
@@ -354,7 +354,7 @@ dependencies = [
"kvm-ioctls",
"libc",
"log",
"thiserror",
"thiserror 1.0.48",
"vfio-bindings",
"vfio-ioctls",
"vm-memory",
@@ -366,7 +366,7 @@ version = "0.1.0"
dependencies = [
"kvm-bindings",
"serde_json",
"thiserror",
"thiserror 1.0.48",
"vmm-sys-util",
]
@@ -378,7 +378,7 @@ dependencies = [
"dbs-utils",
"dbs-virtio-devices",
"log",
"thiserror",
"thiserror 1.0.48",
"timerfd",
]
@@ -392,7 +392,7 @@ dependencies = [
"log",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.48",
"timerfd",
"vmm-sys-util",
]
@@ -423,7 +423,7 @@ dependencies = [
"sendfd",
"serde",
"serde_json",
"thiserror",
"thiserror 1.0.48",
"threadpool",
"timerfd",
"vhost",
@@ -491,6 +491,17 @@ dependencies = [
"winapi",
]
[[package]]
name = "displaydoc"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
]
[[package]]
name = "downcast-rs"
version = "1.2.0"
@@ -536,7 +547,7 @@ dependencies = [
"slog-scope",
"slog-term",
"test-utils",
"thiserror",
"thiserror 1.0.48",
"tracing",
"vfio-bindings",
"vfio-ioctls",
@@ -653,9 +664,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]]
name = "form_urlencoded"
version = "1.2.0"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652"
checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
dependencies = [
"percent-encoding",
]
@@ -914,13 +925,110 @@ dependencies = [
]
[[package]]
name = "idna"
version = "0.4.0"
name = "icu_collections"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
dependencies = [
"unicode-bidi",
"unicode-normalization",
"displaydoc",
"potential_utf",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
name = "icu_locale_core"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
dependencies = [
"displaydoc",
"litemap",
"tinystr",
"writeable",
"zerovec",
]
[[package]]
name = "icu_normalizer"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
dependencies = [
"displaydoc",
"icu_collections",
"icu_normalizer_data",
"icu_properties",
"icu_provider",
"smallvec",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
[[package]]
name = "icu_properties"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
dependencies = [
"displaydoc",
"icu_collections",
"icu_locale_core",
"icu_properties_data",
"icu_provider",
"potential_utf",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
[[package]]
name = "icu_provider"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
dependencies = [
"displaydoc",
"icu_locale_core",
"stable_deref_trait",
"tinystr",
"writeable",
"yoke",
"zerofrom",
"zerotrie",
"zerovec",
]
[[package]]
name = "idna"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
dependencies = [
"idna_adapter",
"smallvec",
"utf8_iter",
]
[[package]]
name = "idna_adapter"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
dependencies = [
"icu_normalizer",
"icu_properties",
]
[[package]]
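Review bot: the `idna` 0.4.0 to 1.0.3 bump replaces `unicode-bidi`/`unicode-normalization` with the ICU4X stack (`icu_collections`, `icu_locale_core`, `icu_normalizer`, `icu_normalizer_data`, `icu_properties`, `icu_properties_data`, `icu_provider`, `idna_adapter`, plus `displaydoc`, `potential_utf`, `litemap`, `tinystr`, `stable_deref_trait`, `synstructure` and the `yoke`/`zerofrom`/`zerotrie`/`zerovec`/`writeable` crates referenced here and in the following hunks). That is roughly twenty new crates, two of them bundled data tables, entering the runtime-rs build through the `url` dependency chain; it deserves a mention in the PR description and a check of whether the consuming crate can be built without IDNA support.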
@@ -1050,12 +1158,6 @@ dependencies = [
"vm-memory",
]
[[package]]
name = "linux-raw-sys"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f051f77a7c8e6957c0696eac88f26b0117e54f52d3fc682ab19397a8812846a4"
[[package]]
name = "linux-raw-sys"
version = "0.3.8"
@@ -1068,6 +1170,12 @@ version = "0.4.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab"
[[package]]
name = "litemap"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
[[package]]
name = "lock_api"
version = "0.4.10"
@@ -1119,6 +1227,15 @@ dependencies = [
"autocfg",
]
[[package]]
name = "memoffset"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
dependencies = [
"autocfg",
]
[[package]]
name = "mime"
version = "0.3.17"
@@ -1185,7 +1302,7 @@ dependencies = [
"cc",
"cfg-if",
"libc",
"memoffset",
"memoffset 0.6.5",
]
[[package]]
@@ -1197,7 +1314,20 @@ dependencies = [
"bitflags 1.3.2",
"cfg-if",
"libc",
"memoffset",
"memoffset 0.6.5",
]
[[package]]
name = "nix"
version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b"
dependencies = [
"bitflags 1.3.2",
"cfg-if",
"libc",
"memoffset 0.7.1",
"pin-utils",
]
[[package]]
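Review bot: the lock now carries `nix 0.26.4` in addition to the two `nix` packages just above (both still on `memoffset 0.6.5`) and the `nix 0.23.2` referenced by the dbs crates earlier in this file, together with two `memoffset` versions. Three nix versions in one workspace sits oddly beside the "nix needs to stay in sync with libs" note added to the agent's Cargo.toml; a follow-up aligning the remaining crates would be worth tracking.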
@@ -1331,9 +1461,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"
[[package]]
name = "openssl"
version = "0.10.72"
version = "0.10.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
dependencies = [
"bitflags 2.4.0",
"cfg-if",
@@ -1352,7 +1482,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
]
[[package]]
@@ -1372,9 +1502,9 @@ dependencies = [
[[package]]
name = "openssl-sys"
version = "0.9.108"
version = "0.9.109"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847"
checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
dependencies = [
"cc",
"libc",
@@ -1408,9 +1538,9 @@ dependencies = [
[[package]]
name = "percent-encoding"
version = "2.3.0"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]]
name = "pin-project-lite"
@@ -1430,6 +1560,15 @@ version = "0.3.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
[[package]]
name = "potential_utf"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
dependencies = [
"zerovec",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
@@ -1438,9 +1577,9 @@ checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "proc-macro2"
version = "1.0.66"
version = "1.0.95"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9"
checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778"
dependencies = [
"unicode-ident",
]
@@ -1462,22 +1601,31 @@ dependencies = [
[[package]]
name = "procfs"
version = "0.14.2"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1de8dacb0873f77e6aefc6d71e044761fcc68060290f5b1089fcdf84626bb69"
checksum = "cc5b72d8145275d844d4b5f6d4e1eef00c8cd889edb6035c21675d1bb1f45c9f"
dependencies = [
"bitflags 1.3.2",
"byteorder",
"bitflags 2.4.0",
"hex",
"procfs-core",
"rustix 0.38.25",
]
[[package]]
name = "procfs-core"
version = "0.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "239df02d8349b06fc07398a3a1697b06418223b1c7725085e801e7c0fc6a12ec"
dependencies = [
"bitflags 2.4.0",
"hex",
"lazy_static",
"rustix 0.36.17",
]
[[package]]
name = "prometheus"
version = "0.13.3"
version = "0.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "449811d15fbdf5ceb5c1144416066429cf82316e2ec8ce0c1f6f8a02e7bbcf8c"
checksum = "3ca5326d8d0b950a9acd87e6a3f94745394f62e4dae1b1ee22b2bc0c394af43a"
dependencies = [
"cfg-if",
"fnv",
@@ -1485,22 +1633,36 @@ dependencies = [
"libc",
"memchr",
"parking_lot",
"procfs 0.14.2",
"procfs 0.17.0",
"protobuf",
"thiserror",
"thiserror 2.0.12",
]
[[package]]
name = "protobuf"
version = "2.28.0"
version = "3.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
checksum = "d65a1d4ddae7d8b5de68153b48f6aa3bba8cb002b243dbdbc55a5afbc98f99f4"
dependencies = [
"once_cell",
"protobuf-support",
"thiserror 1.0.48",
]
[[package]]
name = "protobuf-support"
version = "3.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e36c2f31e0a47f9280fb347ef5e461ffcd2c52dd520d8e216b52f93b0b0d7d6"
dependencies = [
"thiserror 1.0.48",
]
[[package]]
name = "quote"
version = "1.0.33"
version = "1.0.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae"
checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
dependencies = [
"proc-macro2",
]
@@ -1537,7 +1699,7 @@ checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
dependencies = [
"getrandom 0.2.10",
"redox_syscall 0.2.16",
"thiserror",
"thiserror 1.0.48",
]
[[package]]
@@ -1592,20 +1754,6 @@ version = "0.1.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
[[package]]
name = "rustix"
version = "0.36.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "305efbd14fde4139eb501df5f136994bb520b033fa9fbdce287507dc23b8c7ed"
dependencies = [
"bitflags 1.3.2",
"errno",
"io-lifetimes",
"libc",
"linux-raw-sys 0.1.4",
"windows-sys 0.45.0",
]
[[package]]
name = "rustix"
version = "0.37.28"
@@ -1718,7 +1866,7 @@ checksum = "4eca7ac642d82aa35b60049a6eccb4be6be75e599bd2e9adb5f875a737654af2"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
]
[[package]]
@@ -1774,12 +1922,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
[[package]]
name = "slab"
version = "0.4.9"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
dependencies = [
"autocfg",
]
checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
[[package]]
name = "slog"
@@ -1825,9 +1970,9 @@ dependencies = [
[[package]]
name = "smallvec"
version = "1.11.0"
version = "1.15.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9"
checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
[[package]]
name = "socket2"
@@ -1839,6 +1984,12 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "stable_deref_trait"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
[[package]]
name = "subtle"
version = "2.5.0"
@@ -1858,15 +2009,26 @@ dependencies = [
[[package]]
name = "syn"
version = "2.0.32"
version = "2.0.104"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "239814284fd6f1a4ffe4ca893952cdd93c224b6a1571c9a9eadd670295c0c9e2"
checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "synstructure"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
]
[[package]]
name = "take_mut"
version = "0.2.2"
@@ -1912,7 +2074,7 @@ dependencies = [
name = "test-utils"
version = "0.1.0"
dependencies = [
"nix 0.24.3",
"nix 0.26.4",
]
[[package]]
@@ -1921,7 +2083,16 @@ version = "1.0.48"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d6d7a740b8a666a7e828dd00da9c0dc290dff53154ea77ac109281de90589b7"
dependencies = [
"thiserror-impl",
"thiserror-impl 1.0.48",
]
[[package]]
name = "thiserror"
version = "2.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708"
dependencies = [
"thiserror-impl 2.0.12",
]
[[package]]
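Review bot: the lockfile now carries two major versions of thiserror side by side (`thiserror 1.0.48` and `thiserror 2.0.12`, each with its own `thiserror-impl` entry), so the dependency tree and the audit surface for that crate are doubled. If the crates still pinning `thiserror = "1"` are workspace-owned, bump them to 2.x in the same change; otherwise say in the commit message that the split is intentional so it is not mistaken for a stale lock.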
@@ -1932,7 +2103,18 @@ checksum = "49922ecae66cc8a249b77e68d1d0623c1b2c514f0060c27cdc68bd62a1219d35"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
]
[[package]]
name = "thiserror-impl"
version = "2.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
]
[[package]]
@@ -1995,20 +2177,15 @@ dependencies = [
]
[[package]]
name = "tinyvec"
version = "1.6.0"
name = "tinystr"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
dependencies = [
"tinyvec_macros",
"displaydoc",
"zerovec",
]
[[package]]
name = "tinyvec_macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
version = "1.44.2"
@@ -2033,7 +2210,7 @@ checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
]
[[package]]
@@ -2094,7 +2271,7 @@ checksum = "1b1ffbcf9c6f6b99d386e7444eb608ba646ae452a36b39737deb9663b610f662"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
]
[[package]]
@@ -2118,38 +2295,29 @@ version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]]
name = "unicode-bidi"
version = "0.3.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
[[package]]
name = "unicode-ident"
version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c"
[[package]]
name = "unicode-normalization"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
dependencies = [
"tinyvec",
]
[[package]]
name = "url"
version = "2.4.1"
version = "2.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
dependencies = [
"form_urlencoded",
"idna",
"percent-encoding",
]
[[package]]
name = "utf8_iter"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
[[package]]
name = "vcpkg"
version = "0.2.15"
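Review bot: the `url` bump to 2.5.4 replaces the old `unicode-bidi`/`unicode-normalization`/`tinyvec` chain with the ICU4X-based set that appears elsewhere in this diff (`tinystr`, `zerovec`, `yoke`, `zerofrom`, `zerotrie`, `writeable`, `utf8_iter`, plus the `synstructure` and `displaydoc` derive helpers). Those are crates new to the tree, not a patch-level refresh, so run the project's license and vulnerability checks (cargo deny, cargo audit, or whatever the CI pipeline uses) against the updated lock before merging.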
@@ -2179,7 +2347,7 @@ dependencies = [
"kvm-ioctls",
"libc",
"log",
"thiserror",
"thiserror 2.0.12",
"vfio-bindings",
"vm-memory",
"vmm-sys-util",
@@ -2293,7 +2461,7 @@ dependencies = [
"once_cell",
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
"wasm-bindgen-shared",
]
@@ -2327,7 +2495,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.32",
"syn 2.0.104",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
@@ -2379,15 +2547,6 @@ dependencies = [
"windows-targets 0.48.5",
]
[[package]]
name = "windows-sys"
version = "0.45.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
dependencies = [
"windows-targets 0.42.2",
]
[[package]]
name = "windows-sys"
version = "0.48.0"
@@ -2406,21 +2565,6 @@ dependencies = [
"windows-targets 0.52.6",
]
[[package]]
name = "windows-targets"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071"
dependencies = [
"windows_aarch64_gnullvm 0.42.2",
"windows_aarch64_msvc 0.42.2",
"windows_i686_gnu 0.42.2",
"windows_i686_msvc 0.42.2",
"windows_x86_64_gnu 0.42.2",
"windows_x86_64_gnullvm 0.42.2",
"windows_x86_64_msvc 0.42.2",
]
[[package]]
name = "windows-targets"
version = "0.48.5"
@@ -2452,12 +2596,6 @@ dependencies = [
"windows_x86_64_msvc 0.52.6",
]
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.48.5"
@@ -2470,12 +2608,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
[[package]]
name = "windows_aarch64_msvc"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
[[package]]
name = "windows_aarch64_msvc"
version = "0.48.5"
@@ -2488,12 +2620,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
[[package]]
name = "windows_i686_gnu"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
[[package]]
name = "windows_i686_gnu"
version = "0.48.5"
@@ -2512,12 +2638,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
[[package]]
name = "windows_i686_msvc"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
[[package]]
name = "windows_i686_msvc"
version = "0.48.5"
@@ -2530,12 +2650,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
[[package]]
name = "windows_x86_64_gnu"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
[[package]]
name = "windows_x86_64_gnu"
version = "0.48.5"
@@ -2548,12 +2662,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.48.5"
@@ -2566,12 +2674,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
[[package]]
name = "windows_x86_64_msvc"
version = "0.42.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
[[package]]
name = "windows_x86_64_msvc"
version = "0.48.5"
@@ -2603,6 +2705,12 @@ dependencies = [
"bitflags 2.4.0",
]
[[package]]
name = "writeable"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
[[package]]
name = "xattr"
version = "1.0.1"
@@ -2612,6 +2720,84 @@ dependencies = [
"libc",
]
[[package]]
name = "yoke"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
dependencies = [
"serde",
"stable_deref_trait",
"yoke-derive",
"zerofrom",
]
[[package]]
name = "yoke-derive"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
"synstructure",
]
[[package]]
name = "zerofrom"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
dependencies = [
"zerofrom-derive",
]
[[package]]
name = "zerofrom-derive"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
"synstructure",
]
[[package]]
name = "zerotrie"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
dependencies = [
"displaydoc",
"yoke",
"zerofrom",
]
[[package]]
name = "zerovec"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
dependencies = [
"yoke",
"zerofrom",
"zerovec-derive",
]
[[package]]
name = "zerovec-derive"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.104",
]
[[package]]
name = "zstd"
version = "0.11.2+zstd.1.5.2"

View File

@@ -87,7 +87,7 @@ linux-loader = {workspace = true}
log = "0.4.14"
nix = "0.24.2"
procfs = "0.12.0"
prometheus = { version = "0.13.0", features = ["process"] }
prometheus = { version = "0.14.0", features = ["process"] }
seccompiler = {workspace = true}
serde = "1.0.27"
serde_derive = "1.0.27"
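Review bot: `prometheus` moves to 0.14.0 here, but `nix = "0.24.2"` two lines above stays on 0.24 even though the lockfile in this same diff moves `test-utils` to `nix 0.26.4`; if the goal is to converge on one nix version, bump it here as well. Also confirm the `process` feature of prometheus 0.14 still builds alongside the pinned `procfs = "0.12.0"`, since that feature pulls in its own procfs dependency.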

View File

@@ -102,7 +102,7 @@ use crate::resources::Resource;
use crate::{DeviceIo, IoAddress, IoSize, PioAddress};
/// Error types for `IoManager` related operations.
#[derive(Error, Debug)]
#[derive(Error, Debug, PartialEq)]
pub enum Error {
/// The inserting device overlaps with a current device.
#[error("device address conflicts with existing devices")]
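Review bot: deriving `PartialEq` on the public `Error` enum is a semver-visible API commitment and requires every variant payload to implement `PartialEq`; if it is only needed so tests can `assert_eq!` on errors, use `#[cfg_attr(test, derive(PartialEq))]` instead so the trait does not become part of the crate's contract.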

View File

@@ -5,7 +5,9 @@
use std::any::Any;
use std::io::Error;
use std::sync::atomic::{AtomicU16, Ordering};
use std::sync::Arc;
use std::sync::Mutex;
use vmm_sys_util::eventfd::EventFd;
@@ -121,6 +123,77 @@ mod msi {
}
}
/// Vector value used to disable MSI for a queue.
pub const VIRTQ_MSI_NO_VECTOR: u16 = 0xffff;
#[derive(Clone, PartialEq, Debug, Copy)]
pub enum VirtioInterruptType {
Config,
Queue(u16),
}
#[derive(Clone)]
pub struct VirtioNotifierMsix {
pub(crate) config_vector: Arc<AtomicU16>,
pub(crate) queues_vectors: Arc<Mutex<Vec<u16>>>,
pub(crate) interrupt_source_group: Arc<Box<dyn InterruptSourceGroup>>,
pub(crate) interrupt_type: VirtioInterruptType,
}
impl VirtioNotifierMsix {
pub fn new(
config_vector: Arc<AtomicU16>,
queues_vectors: Arc<Mutex<Vec<u16>>>,
interrupt_source_group: Arc<Box<dyn InterruptSourceGroup>>,
interrupt_type: VirtioInterruptType,
) -> Self {
VirtioNotifierMsix {
config_vector,
queues_vectors,
interrupt_source_group,
interrupt_type,
}
}
}
impl InterruptNotifier for VirtioNotifierMsix {
fn notify(&self) -> std::result::Result<(), std::io::Error> {
let vector = match self.interrupt_type {
VirtioInterruptType::Config => self.config_vector.load(Ordering::Acquire),
VirtioInterruptType::Queue(queue_index) => {
self.queues_vectors.lock().unwrap()[queue_index as usize]
}
};
if vector == VIRTQ_MSI_NO_VECTOR {
return Ok(());
}
self.interrupt_source_group
.trigger(vector as InterruptIndex)
}
fn notifier(&self) -> Option<&EventFd> {
let vector = match self.interrupt_type {
VirtioInterruptType::Config => self.config_vector.load(Ordering::Acquire),
VirtioInterruptType::Queue(queue_index) => {
self.queues_vectors.lock().unwrap()[queue_index as usize]
}
};
if vector == VIRTQ_MSI_NO_VECTOR {
return None;
}
self.interrupt_source_group
.notifier(vector as InterruptIndex)
}
fn as_any(&self) -> &dyn Any {
self
}
fn clone_boxed(&self) -> Box<dyn InterruptNotifier> {
Box::new(self.clone())
}
}
/// Struct to discard interrupts.
#[derive(Copy, Clone, Debug, Default)]
pub struct NoopNotifier {}
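Review bot: both `notify` and `notifier` index `self.queues_vectors.lock().unwrap()[queue_index as usize]`, which panics if `queue_index` is ever outside the vector the device was constructed with, and the two `match` blocks are duplicated; factor them into one private `fn vector(&self) -> u16` that uses `.get(queue_index as usize).copied().unwrap_or(VIRTQ_MSI_NO_VECTOR)` so an out-of-range queue degrades to "no vector" instead of taking the thread down. The public `VirtioInterruptType` and `VirtioNotifierMsix` also lack doc comments, and `Arc<Box<dyn InterruptSourceGroup>>` could be `Arc<dyn InterruptSourceGroup>` unless callers need the double indirection.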

View File

@@ -16,6 +16,8 @@ thiserror = "1"
dbs-allocator = { workspace = true }
dbs-boot = { workspace = true }
dbs-device = { workspace = true }
dbs-address-space = { workspace = true }
dbs-virtio-devices = { workspace = true }
dbs-interrupt = { workspace = true, features = [
"kvm-irq",
"kvm-legacy-irq",
@@ -23,12 +25,18 @@ dbs-interrupt = { workspace = true, features = [
] }
downcast-rs = "1.2.0"
byteorder = "1.4.3"
serde = "1.0.27"
vm-memory = {workspace = true}
kvm-ioctls = {workspace = true}
kvm-bindings = {workspace = true}
vfio-ioctls = {workspace = true}
vfio-bindings = {workspace = true}
libc = "0.2.39"
vmm-sys-util = {workspace = true}
virtio-queue = {workspace = true}
dbs-utils = {workspace = true}
[dev-dependencies]
dbs-arch = { workspace = true }

View File

@@ -21,7 +21,7 @@
//! - PCI configuration: a common framework to emulator PCI configuration space header.
//! - PCI MSI/MSIx: structs to emulate PCI MSI/MSIx capabilities.
use std::sync::Arc;
use std::sync::{Arc, Mutex};
use dbs_device::device_manager::IoManagerContext;
use dbs_interrupt::KvmIrqManager;
@@ -58,8 +58,17 @@ pub use msix::{MsixCap, MsixState, MSIX_TABLE_ENTRY_SIZE};
mod vfio;
pub use vfio::{VfioPciDevice, VfioPciError, VENDOR_NVIDIA};
mod virtio_pci;
pub use virtio_pci::{VirtioPciDevice, VirtioPciDeviceError, CAPABILITY_BAR_SIZE};
mod pci_address;
use dbs_virtio_devices::VirtioDevice;
pub use pci_address::PciAddress;
mod pci_common_config;
/// Error codes related to PCI root/bus/device operations.
#[derive(Debug, thiserror::Error)]
#[derive(Debug, thiserror::Error, PartialEq)]
pub enum Error {
/// Failed to activate the PCI root/bus/device.
#[error("failed to activate PCI device, {0:?}")]
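Review bot: `use dbs_virtio_devices::VirtioDevice;` is inserted between `mod pci_address;` and `pub use pci_address::PciAddress;`; move it up to the import block next to `use dbs_device::device_manager::IoManagerContext;` so the module keeps its `use` lines grouped. The same remark as for the `IoManager` error applies to adding `PartialEq` on this public `Error` enum: every payload the `{0:?}` variants wrap must implement `PartialEq`, and `#[cfg_attr(test, derive(PartialEq))]` is the lighter option if the derive only serves tests.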
@@ -110,6 +119,9 @@ pub enum Error {
/// PCI ROM BAR address is invalid.
#[error("address {0} size {1} too big")]
RomBarAddressInvalid(u64, u64),
/// Invalid parameter
#[error("invalid pci device address")]
InvalidParameter,
}
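Review bot: the new `InvalidParameter` variant has a generic name but a PCI-address-specific message (`"invalid pci device address"`) and carries no payload, so callers and logs cannot tell which value was rejected; either rename it to something like `InvalidPciAddress(u8, u8, u8)` and include the offending bus/dev/func in the message, or keep the generic name and make the message generic. The doc comment `/// Invalid parameter` should also end with a period like its neighbours.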
/// Specialized `Result` for PCI related operations.
@@ -130,3 +142,8 @@ pub fn fill_config_data(data: &mut [u8]) {
*pos = 0xff;
}
}
/// we only support one pci bus
pub const PCI_BUS_DEFAULT: u8 = 0;
type ArcMutexBoxDynVirtioDevice<AS, Q, R> = Arc<Mutex<Box<dyn VirtioDevice<AS, Q, R>>>>;
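Review bot: `/// we only support one pci bus` is a doc comment on a public constant and will render verbatim; capitalise it and state the limitation ("Only one PCI bus is supported; its number is always 0."). `ArcMutexBoxDynVirtioDevice` is declared private but consumed from `pci_common_config.rs` via `crate::`; mark it `pub(crate)` so the intended visibility is explicit rather than relying on child modules being able to see private items of the crate root.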

View File

@@ -0,0 +1,100 @@
// Copyright (C) 2024 Alibaba Cloud. All rights reserved.
//
// Copyright (C) 2025 Ant Group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause
use std::cmp::Ordering;
use std::fmt;
use crate::{Error, Result};
const PCI_MAX_DEV_ID: u8 = 0x1f;
const PCI_MAX_FUNC_ID: u8 = 0x7;
#[derive(Copy, Clone, PartialEq, Eq, Hash)]
pub struct PciAddress {
/// Bus number, in the range [0, 0xff].
bus: u8,
/// Device id, in the range [0x0, 0x1f].
dev: u8,
/// Function id, in the range [0x0, 0x7].
func: u8,
}
impl PartialOrd for PciAddress {
fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
Some(self.cmp(other))
}
}
impl Ord for PciAddress {
fn cmp(&self, other: &Self) -> Ordering {
// Compare in the order of bus -> dev -> func.
self.bus
.cmp(&other.bus)
.then_with(|| self.dev.cmp(&other.dev))
.then_with(|| self.func.cmp(&other.func))
}
}
impl PciAddress {
/// Create a new PCI address from bus and device/function id.
///
/// * `bus`: PCI bus number, in the range \[0x0, 0xff\].
/// * `dev`: PCI device id, in the range \[0x0, 0x1f\].
/// * `func`: PCI function id, in the range \[0x0, 0x7\].
pub fn new(bus: u8, dev: u8, func: u8) -> Result<Self> {
if dev > PCI_MAX_DEV_ID || func > PCI_MAX_FUNC_ID {
return Err(Error::InvalidParameter);
}
Ok(PciAddress { bus, dev, func })
}
/// Get PCI device id on the PCI bus, which is in [0x0, 0x1f]
pub fn dev_id(&self) -> u8 {
self.dev
}
/// Get PCI device function id, which is in [0x0, 0x7].
pub fn func_id(&self) -> u8 {
self.func
}
/// Get PCI device bus number, which is in [0x0, 0xff].
pub fn bus_id(&self) -> u8 {
self.bus
}
}
impl fmt::Debug for PciAddress {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(
f,
"PciAddress: {:02x}:{:02x}.{:02x}",
self.bus, self.dev, self.func
)
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_pci_address() {
// test invlaid device id
assert_eq!(PciAddress::new(0, 32, 0), Err(Error::InvalidParameter));
// test invalid function id
assert_eq!(PciAddress::new(0, 0, 8), Err(Error::InvalidParameter));
// test pci address
let (bus, dev, func) = (3, 5, 4);
let address = PciAddress::new(bus, dev, func).unwrap();
assert_eq!(address.bus_id(), bus);
assert_eq!(address.dev_id(), dev);
assert_eq!(address.func_id(), func);
}
}
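Review bot: `PciAddress::new` validates `dev` and `func`, but `Debug` formats the function number with `{:02x}`, so bus 3, device 5, function 4 renders as `03:05.04` instead of the conventional `bb:dd.f` form that lspci and sysfs use; print `func` with `{:x}` and consider a `Display` impl with the same layout since this address will end up in user-facing logs. The test comment `// test invlaid device id` also has a typo.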

View File

@@ -0,0 +1,507 @@
// Copyright 2018 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE-BSD-3-Clause file.
//
// Copyright © 2019 Intel Corporation
//
// SPDX-License-Identifier: Apache-2.0 AND BSD-3-Clause
//
// Copyright (C) 2024 Alibaba Cloud. All rights reserved.
//
// Copyright (C) 2025 Ant Group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0 or BSD-3-Clause
use std::sync::atomic::{AtomicU16, Ordering};
use std::sync::{Arc, Mutex};
use byteorder::{ByteOrder, LittleEndian};
use log::{error, trace, warn};
use serde::{Deserialize, Serialize};
use virtio_queue::QueueT;
use vm_memory::{GuestAddressSpace, GuestMemoryRegion};
use crate::ArcMutexBoxDynVirtioDevice;
use dbs_virtio_devices::VirtioQueueConfig;
#[derive(Clone, Serialize, Deserialize)]
pub struct VirtioPciCommonConfigState {
pub driver_status: u8,
pub config_generation: u8,
pub device_feature_select: u32,
pub driver_feature_select: u32,
pub queue_select: u16,
pub msix_config: u16,
pub msix_queues: Vec<u16>,
}
/* The standard layout for the ring is a continuous chunk of memory which looks
* like this. We assume num is a power of 2.
*
* struct vring
* {
* // The actual descriptors (16 bytes each)
* struct vring_desc desc[num];
*
* // A ring of available descriptor heads with free-running index.
* __virtio16 avail_flags;
* __virtio16 avail_idx;
* __virtio16 available[num];
* __virtio16 used_event_idx;
*
* // Padding to the next align boundary.
* char pad[];
*
* // A ring of used descriptor heads with free-running index.
* __virtio16 used_flags;
* __virtio16 used_idx;
* struct vring_used_elem used[num];
* __virtio16 avail_event_idx;
* };
* struct vring_desc {
* __virtio64 addr;
* __virtio32 len;
* __virtio16 flags;
* __virtio16 next;
* };
*
* struct vring_avail {
* __virtio16 flags;
* __virtio16 idx;
* __virtio16 ring[];
* };
*
* // u32 is used here for ids for padding reasons.
* struct vring_used_elem {
* // Index of start of used descriptor chain.
* __virtio32 id;
* // Total length of the descriptor chain which was used (written to)
* __virtio32 len;
* };
*
* Kernel header used for this reference: include/uapi/linux/virtio_ring.h
* Virtio Spec: https://docs.oasis-open.org/virtio/virtio/v1.2/csd01/virtio-v1.2-csd01.html
*
*/
/// Contains the data for reading and writing the common configuration structure of a virtio PCI
/// device.
///
/// * Registers:
///
/// ** About the whole device.
/// le32 device_feature_select; // 0x00 // read-write
/// le32 device_feature; // 0x04 // read-only for driver
/// le32 driver_feature_select; // 0x08 // read-write
/// le32 driver_feature; // 0x0C // read-write
/// le16 msix_config; // 0x10 // read-write
/// le16 num_queues; // 0x12 // read-only for driver
/// u8 device_status; // 0x14 // read-write (driver_status)
/// u8 config_generation; // 0x15 // read-only for driver
///
/// ** About a specific virtqueue.
/// le16 queue_select; // 0x16 // read-write
/// le16 queue_size; // 0x18 // read-write, power of 2, or 0.
/// le16 queue_msix_vector; // 0x1A // read-write
/// le16 queue_enable; // 0x1C // read-write (Ready)
/// le16 queue_notify_off; // 0x1E // read-only for driver
/// le64 queue_desc; // 0x20 // read-write
/// le64 queue_avail; // 0x28 // read-write
/// le64 queue_used; // 0x30 // read-write
pub struct VirtioPciCommonConfig {
pub driver_status: u8,
pub config_generation: u8,
pub device_feature_select: u32,
pub driver_feature_select: u32,
pub queue_select: u16,
pub msix_config: Arc<AtomicU16>,
pub msix_queues: Arc<Mutex<Vec<u16>>>,
}
impl VirtioPciCommonConfig {
pub fn new(state: VirtioPciCommonConfigState) -> Self {
VirtioPciCommonConfig {
driver_status: state.driver_status,
config_generation: state.config_generation,
device_feature_select: state.device_feature_select,
driver_feature_select: state.driver_feature_select,
queue_select: state.queue_select,
msix_config: Arc::new(AtomicU16::new(state.msix_config)),
msix_queues: Arc::new(Mutex::new(state.msix_queues)),
}
}
// TODO(fupan): use for live upgrade later
#[allow(dead_code)]
fn state(&self) -> VirtioPciCommonConfigState {
VirtioPciCommonConfigState {
driver_status: self.driver_status,
config_generation: self.config_generation,
device_feature_select: self.device_feature_select,
driver_feature_select: self.driver_feature_select,
queue_select: self.queue_select,
msix_config: self.msix_config.load(Ordering::Acquire),
msix_queues: self.msix_queues.lock().unwrap().clone(),
}
}
fn read_common_config_byte(&self, offset: u64) -> u8 {
trace!("read_common_config_byte: offset 0x{:x}", offset);
// The driver is only allowed to do aligned, properly sized access.
match offset {
0x14 => self.driver_status,
0x15 => self.config_generation,
_ => {
warn!("invalid virtio config byte read: 0x{:x}", offset);
0
}
}
}
fn write_common_config_byte(&mut self, offset: u64, value: u8) {
trace!(
"write_common_config_byte: offset 0x{:x} value 0x{:x}",
offset,
value
);
match offset {
0x14 => self.driver_status = value,
_ => {
warn!("invalid virtio config byte write: 0x{:x}", offset);
}
}
}
fn read_common_config_word<Q: QueueT + 'static>(
&self,
offset: u64,
queues: &[VirtioQueueConfig<Q>],
) -> u16 {
trace!("read_common_config_word: offset 0x{:x}", offset);
match offset {
0x10 => self.msix_config.load(Ordering::Acquire),
0x12 => queues.len() as u16, // num_queues
0x16 => self.queue_select,
0x18 => self.with_queue(queues, |q| q.max_size()).unwrap_or(0),
0x1a => self.msix_queues.lock().unwrap()[self.queue_select as usize],
0x1c => u16::from(self.with_queue(queues, |q| q.ready()).unwrap_or(false)),
0x1e => self.queue_select, // notify_off
_ => {
warn!("invalid virtio register word read: 0x{:x}", offset);
0
}
}
}
fn write_common_config_word<Q: QueueT + 'static>(
&mut self,
offset: u64,
value: u16,
queues: &mut [VirtioQueueConfig<Q>],
) {
trace!(
"write_common_config_word: offset 0x{:x} value 0x{:x}",
offset,
value
);
match offset {
0x10 => self.msix_config.store(value, Ordering::Release),
0x16 => self.queue_select = value,
0x18 => self.with_queue_mut(queues, |q| q.set_size(value)),
0x1a => self.msix_queues.lock().unwrap()[self.queue_select as usize] = value,
0x1c => self.with_queue_mut(queues, |q| {
let ready = value == 1;
q.set_ready(ready);
}),
_ => {
warn!("invalid virtio register word write: 0x{:x}", offset);
}
}
}
fn read_common_config_dword<
AS: GuestAddressSpace + 'static,
Q: QueueT + 'static,
R: 'static + GuestMemoryRegion,
>(
&self,
offset: u64,
device: ArcMutexBoxDynVirtioDevice<AS, Q, R>,
) -> u32 {
trace!("read_common_config_dword: offset 0x{:x}", offset);
match offset {
0x00 => self.device_feature_select,
0x04 => {
// Only 64 bits of features (2 pages) are defined for now, so limit
// device_feature_select to avoid shifting by 64 or more bits.
let locked_device = device.lock().unwrap();
if self.device_feature_select < 2 {
locked_device.get_avail_features(self.device_feature_select)
} else {
0
}
}
0x08 => self.driver_feature_select,
_ => {
warn!("invalid virtio register dword read: 0x{:x}", offset);
0
}
}
}
fn write_common_config_dword<
AS: GuestAddressSpace + 'static,
Q: QueueT + 'static,
R: 'static + GuestMemoryRegion,
>(
&mut self,
offset: u64,
value: u32,
queues: &mut [VirtioQueueConfig<Q>],
device: ArcMutexBoxDynVirtioDevice<AS, Q, R>,
) {
trace!(
"write_common_config_dword: offset 0x{:x} value 0x{:x}",
offset,
value
);
match offset {
0x00 => self.device_feature_select = value,
0x08 => self.driver_feature_select = value,
0x0c => {
if self.driver_feature_select < 2 {
let mut locked_device = device.lock().unwrap();
locked_device.set_acked_features(self.driver_feature_select, value);
} else {
warn!(
"invalid ack_features (page {}, value 0x{:x})",
self.driver_feature_select, value
);
}
}
0x20 => self.with_queue_mut(queues, |q| q.set_desc_table_address(Some(value), None)),
0x24 => self.with_queue_mut(queues, |q| q.set_desc_table_address(None, Some(value))),
0x28 => self.with_queue_mut(queues, |q| q.set_avail_ring_address(Some(value), None)),
0x2c => self.with_queue_mut(queues, |q| q.set_avail_ring_address(None, Some(value))),
0x30 => self.with_queue_mut(queues, |q| q.set_used_ring_address(Some(value), None)),
0x34 => self.with_queue_mut(queues, |q| q.set_used_ring_address(None, Some(value))),
_ => {
warn!("invalid virtio register dword write: 0x{:x}", offset);
}
}
}
fn read_common_config_qword(&self, _offset: u64) -> u64 {
trace!("read_common_config_qword: offset 0x{:x}", _offset);
0 // Assume the guest has no reason to read write-only registers.
}
fn write_common_config_qword<Q: QueueT + 'static>(
&mut self,
offset: u64,
value: u64,
queues: &mut [VirtioQueueConfig<Q>],
) {
trace!(
"write_common_config_qword: offset 0x{:x}, value 0x{:x}",
offset,
value
);
let low = Some((value & 0xffff_ffff) as u32);
let high = Some((value >> 32) as u32);
match offset {
0x20 => self.with_queue_mut(queues, |q| q.set_desc_table_address(low, high)),
0x28 => self.with_queue_mut(queues, |q| q.set_avail_ring_address(low, high)),
0x30 => self.with_queue_mut(queues, |q| q.set_used_ring_address(low, high)),
_ => {
warn!("invalid virtio register qword write: 0x{:x}", offset);
}
}
}
fn with_queue<U, F, Q>(&self, queues: &[VirtioQueueConfig<Q>], f: F) -> Option<U>
where
F: FnOnce(&Q) -> U,
Q: QueueT + 'static,
{
queues.get(self.queue_select as usize).map(|q| f(&q.queue))
}
fn with_queue_mut<F: FnOnce(&mut Q), Q: QueueT + 'static>(
&self,
queues: &mut [VirtioQueueConfig<Q>],
f: F,
) {
if let Some(queue) = queues.get_mut(self.queue_select as usize) {
f(&mut queue.queue);
}
}
pub fn read<
AS: GuestAddressSpace + 'static,
Q: QueueT + 'static,
R: 'static + GuestMemoryRegion,
>(
&self,
offset: u64,
data: &mut [u8],
queues: &[VirtioQueueConfig<Q>],
device: ArcMutexBoxDynVirtioDevice<AS, Q, R>,
) {
assert!(data.len() <= 8);
match data.len() {
1 => {
let v = self.read_common_config_byte(offset);
data[0] = v;
}
2 => {
let v = self.read_common_config_word(offset, queues);
LittleEndian::write_u16(data, v);
}
4 => {
let v = self.read_common_config_dword(offset, device);
LittleEndian::write_u32(data, v);
}
8 => {
let v = self.read_common_config_qword(offset);
LittleEndian::write_u64(data, v);
}
_ => error!("invalid data length for virtio read: len {}", data.len()),
}
}
pub fn write<
AS: GuestAddressSpace + 'static,
Q: QueueT + 'static,
R: 'static + GuestMemoryRegion,
>(
&mut self,
offset: u64,
data: &[u8],
queues: &mut [VirtioQueueConfig<Q>],
device: ArcMutexBoxDynVirtioDevice<AS, Q, R>,
) {
assert!(data.len() <= 8);
match data.len() {
1 => self.write_common_config_byte(offset, data[0]),
2 => self.write_common_config_word(offset, LittleEndian::read_u16(data), queues),
4 => {
self.write_common_config_dword(offset, LittleEndian::read_u32(data), queues, device)
}
8 => self.write_common_config_qword(offset, LittleEndian::read_u64(data), queues),
_ => error!("invalid data length for virtio write: len {}", data.len()),
}
}
}
#[cfg(test)]
mod tests {
use super::super::virtio_pci::tests::{DummyDevice, DUMMY_FEATURES};
use super::*;
use dbs_virtio_devices::VirtioDevice;
use virtio_queue::QueueSync;
use vm_memory::{GuestMemoryMmap, GuestRegionMmap};
#[test]
fn write_base_regs() {
let regs_state = VirtioPciCommonConfigState {
driver_status: 0xaa,
config_generation: 0x55,
device_feature_select: 0x0,
driver_feature_select: 0x0,
queue_select: 0xff,
msix_config: 0,
msix_queues: vec![0; 3],
};
let mut regs = VirtioPciCommonConfig::new(regs_state);
let dev: Arc<
Mutex<Box<dyn VirtioDevice<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap>>>,
> = Arc::new(Mutex::new(Box::new(DummyDevice::new())));
let mut queues = Vec::new();
queues.push(VirtioQueueConfig::create(2, 0).unwrap());
queues.push(VirtioQueueConfig::create(2, 1).unwrap());
// Can set all bits of driver_status.
regs.write(0x14, &[0x55], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0x00];
regs.read(0x14, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0x55);
// The config generation register is read only.
regs.write(0x15, &[0xaa], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0x00];
regs.read(0x15, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0x55);
// Device features is read-only and passed through from the device.
regs.write(0x04, &[0, 0, 0, 0], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0, 0, 0, 0];
regs.read(0x04, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(LittleEndian::read_u32(&read_back), DUMMY_FEATURES as u32);
// Read device features with device_feature_select as 0
regs.write(0x00, &[0, 0, 0, 0], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0, 0, 0, 0];
regs.read(0x04, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(LittleEndian::read_u32(&read_back), DUMMY_FEATURES as u32);
// Read device features with device_feature_select as 1
regs.write(0x00, &[1, 0, 0, 0], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0, 0, 0, 0];
regs.read(0x04, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(
LittleEndian::read_u32(&read_back),
(DUMMY_FEATURES >> 32) as u32
);
// Feature select registers are read/write.
regs.write(0x00, &[1, 2, 3, 4], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0, 0, 0, 0];
regs.read(0x00, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(LittleEndian::read_u32(&read_back), 0x0403_0201);
regs.write(0x08, &[1, 2, 3, 4], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0, 0, 0, 0];
regs.read(0x08, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(LittleEndian::read_u32(&read_back), 0x0403_0201);
// 'queue_select' can be read and written.
regs.write(0x16, &[0xaa, 0x55], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0x00, 0x00];
regs.read(0x16, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0xaa);
assert_eq!(read_back[1], 0x55);
// write msix_queues by queue_select 2
regs.write(0x16, &[0x02, 0x00], &mut queues, Arc::clone(&dev));
regs.write(0x1a, &[0xbb, 0xcc], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0x00, 0x00];
regs.read(0x1a, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0xbb);
assert_eq!(read_back[1], 0xcc);
// 'msix_config' can be read and written.
regs.write(0x10, &[0xdd, 0xee], &mut queues, Arc::clone(&dev));
let mut read_back = vec![0x00, 0x00];
regs.read(0x10, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0xdd);
assert_eq!(read_back[1], 0xee);
// 'queue_size' can be read and set.
let mut read_back = vec![0x00, 0x00];
// queue_select is 2 and queues[2] is None, so queue_size is 0
regs.read(0x18, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0x00);
assert_eq!(read_back[1], 0x00);
// queue_select is 1, so queue_size is 2
regs.write(0x16, &[0x01, 0x00], &mut queues, Arc::clone(&dev));
regs.read(0x18, &mut read_back, &queues, Arc::clone(&dev));
assert_eq!(read_back[0], 0x02);
assert_eq!(read_back[1], 0x00);
}
}
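
Review bot: the msix_queues check (select queue 2 via 0x16, then write 0xbb 0xcc to 0x1a) asserts that the vector is stored and read back for a queue that, according to the comment a few lines later, does not exist (`queues[2] is None`). If the transport is meant to ignore or reject MSI-X vector writes for non-existent queues, this test locks in the opposite behaviour; if retaining the value is intended, say so in a comment, and add an assertion that the vector for queue 1 is untouched so aliasing between selects would be caught.
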


@@ -888,7 +888,7 @@ pub struct VfioPciDeviceState<C: PciSystemContext> {
vfio_path: String,
interrupt: Interrupt,
vfio_dev: Arc<VfioDevice>,
context: Weak<C>,
context: Arc<Mutex<C>>,
configuration: PciConfiguration,
device: Option<Weak<dyn DeviceIo>>,
regions: Vec<Region>,
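
Review bot: changing `context` from `Weak<C>` to `Arc<Mutex<C>>` inverts the ownership direction: the VFIO device now keeps the PCI system context alive instead of merely observing it. Since the context is what reaches the device manager, and the device manager owns this device, confirm there is no `Arc` cycle that keeps both alive after teardown; if one exists, keep `Weak` here and upgrade at the use sites as before.
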
@@ -904,7 +904,7 @@ impl<C: PciSystemContext> VfioPciDeviceState<C> {
vfio_path: String,
vfio_dev: Arc<VfioDevice>,
bus: Weak<PciBus>,
context: Weak<C>,
context: Arc<Mutex<C>>,
vendor_device_id: u32,
clique_id: Option<u8>,
vfio_container: Arc<VfioContainer>,
@@ -1277,11 +1277,7 @@ impl<C: PciSystemContext> VfioPciDeviceState<C> {
}
fn register_regions(&mut self, vm: &Arc<VmFd>) -> Result<()> {
let ctx = self
.context
.upgrade()
.ok_or(VfioPciError::BusIsDropped)?
.get_device_manager_context();
let ctx = self.context.lock().unwrap().get_device_manager_context();
let mut tx = ctx.begin_tx();
for region in self.regions.iter_mut() {
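
Review bot: `self.context.lock().unwrap()` in `register_regions` turns a poisoned mutex into a panic in the middle of device registration, where the previous `.ok_or(VfioPciError::BusIsDropped)?` returned an error to the caller. Map the poison to an error instead, e.g. `.lock().map_err(|_| VfioPciError::BusIsDropped)?` or a dedicated variant; the same pattern recurs in `unregister_regions`, the `retrap` path and the `irq_manager` lookup below. If `BusIsDropped` has no remaining users after this series, remove the variant.
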
@@ -1336,22 +1332,7 @@ impl<C: PciSystemContext> VfioPciDeviceState<C> {
}
fn unregister_regions(&mut self, vm: &Arc<VmFd>) -> Result<()> {
// This routine handle VfioPciDevice dropped but not unmap memory
if self.context.upgrade().is_none() {
for region in self.regions.iter_mut() {
if region.mappable() {
region.unmap(vm, &self.vfio_container)?;
}
}
return Ok(());
}
let ctx = self
.context
.upgrade()
.ok_or(VfioPciError::BusIsDropped)?
.get_device_manager_context();
let ctx = self.context.lock().unwrap().get_device_manager_context();
let mut tx = ctx.begin_tx();
for region in self.regions.iter_mut() {
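
Review bot: the removed fast path in `unregister_regions` (unmap every mappable region when the context was already gone) was the safety net for the drop-order case the old comment describes. With an `Arc` the context can no longer be gone, so the branch is dead, but the comment `This routine handle VfioPciDevice dropped but not unmap memory` is kept while the behaviour it describes is deleted; either drop the comment or reword it to state that unmapping now always goes through the transaction.
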
@@ -1380,11 +1361,8 @@ impl<C: PciSystemContext> VfioPciDeviceState<C> {
} else {
// Safe to unwrap because activate() has set self.device to a valid value.
let device = self.device.as_ref().unwrap().clone();
let ctx: <C as PciSystemContext>::D = self
.context
.upgrade()
.ok_or(VfioPciError::BusIsDropped)?
.get_device_manager_context();
let ctx: <C as PciSystemContext>::D =
self.context.lock().unwrap().get_device_manager_context();
let mut tx = ctx.begin_tx();
if let Err(e) = region.retrap(
@@ -1561,7 +1539,7 @@ impl<C: PciSystemContext> VfioPciDevice<C> {
path: String,
bus: Weak<PciBus>,
device: VfioDevice,
context: Weak<C>,
context: Arc<Mutex<C>>,
vm_fd: Arc<VmFd>,
vendor_device_id: u32,
clique_id: Option<u8>,
@@ -1649,11 +1627,7 @@ impl<C: PciSystemContext> VfioPciDevice<C> {
state.interrupt.add_msi_irq_resource(base, size);
}
let irq_manager = state
.context
.upgrade()
.ok_or(VfioPciError::BusIsDropped)?
.get_interrupt_manager();
let irq_manager = state.context.lock().unwrap().get_interrupt_manager();
state.interrupt.initialize(irq_manager)?;
#[cfg(target_arch = "aarch64")]
self.set_device_id(&mut state);


@@ -146,7 +146,6 @@ mod tests {
assert!(MacAddr::from_bytes(&src3[..]).is_err());
}
#[cfg(feature = "with-serde")]
#[test]
fn test_mac_addr_serialization_and_deserialization() {
let mac: MacAddr =
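
Review bot: removing `#[cfg(feature = "with-serde")]` from `test_mac_addr_serialization_and_deserialization` compiles the test in every configuration. That is only correct if the `Serialize`/`Deserialize` impls for `MacAddr` are now unconditional; otherwise `cargo test` without the feature fails to build. If the impls are still feature-gated, keep the gate on the test.
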


@@ -145,6 +145,8 @@ pub enum ActivateError {
#[cfg(feature = "vhost")]
#[error("Vhost activate error")]
VhostActivate(vhost_rs::Error),
#[error("VirtioPci error")]
VirtioPci,
}
impl std::convert::From<Error> for ActivateError {
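
Review bot: the new `ActivateError::VirtioPci` variant carries no payload, so whatever `dbs_pci` error caused the activation failure is discarded at the conversion point and the log message is a bare "VirtioPci error". The sibling `VhostActivate(vhost_rs::Error)` keeps its source; do the same here, e.g. `VirtioPci(#[source] dbs_pci::VirtioPciDeviceError)`, so failures can be diagnosed from logs.
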


@@ -371,6 +371,7 @@ where
}
let _ = self.intr_mgr.reset();
self.unregister_ioevent_doorbell();
self.unregister_ioevent();
self.features_select = 0;
self.acked_features_select = 0;


@@ -313,8 +313,8 @@ mod tests {
pub struct TestContext {
pub cid: u64,
pub mem: GuestMemoryMmap,
pub mem_size: usize,
pub epoll_manager: EpollManager,
pub _mem_size: usize,
pub _epoll_manager: EpollManager,
pub device: Vsock<Arc<GuestMemoryMmap>, TestMuxer>,
}
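
Review bot: renaming the unused test fields to `_mem_size` and `_epoll_manager` (and `_guest_evvq` in the later hunks) only silences the dead-code warning; the values are still constructed and stored for every test. If nothing reads them, delete the fields and their initialisers instead; if they are kept on purpose so the `EpollManager` stays alive for the duration of the test, a one-line comment saying so is clearer than the underscore prefix.
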
@@ -327,8 +327,8 @@ mod tests {
Self {
cid: CID,
mem,
mem_size: MEM_SIZE,
epoll_manager: epoll_manager.clone(),
_mem_size: MEM_SIZE,
_epoll_manager: epoll_manager.clone(),
device: Vsock::new_with_muxer(
CID,
Arc::new(defs::QUEUE_SIZES.to_vec()),
@@ -394,7 +394,7 @@ mod tests {
EventHandlerContext {
guest_rxvq,
guest_txvq,
guest_evvq,
_guest_evvq: guest_evvq,
queues,
epoll_handler: None,
device: Vsock::new_with_muxer(
@@ -422,7 +422,7 @@ mod tests {
pub queues: Vec<VirtioQueueConfig<QueueSync>>,
pub guest_rxvq: GuestQ<'a>,
pub guest_txvq: GuestQ<'a>,
pub guest_evvq: GuestQ<'a>,
pub _guest_evvq: GuestQ<'a>,
pub mem: Arc<GuestMemoryMmap>,
}


@@ -17,7 +17,6 @@ use tracing::instrument;
use crate::error::{Result, StartMicroVmError, StopMicrovmError};
use crate::event_manager::EventManager;
use crate::tracer::{DragonballTracer, TraceError, TraceInfo};
use crate::vcpu::VcpuManagerError;
use crate::vm::{CpuTopology, KernelConfigInfo, VmConfigInfo};
use crate::vmm::Vmm;
@@ -55,6 +54,8 @@ pub use crate::device_manager::virtio_net_dev_mgr::{
};
#[cfg(feature = "virtio-vsock")]
pub use crate::device_manager::vsock_dev_mgr::{VsockDeviceConfigInfo, VsockDeviceError};
#[cfg(feature = "host-device")]
use crate::vcpu::VcpuManagerError;
#[cfg(feature = "hotplug")]
pub use crate::vcpu::{VcpuResizeError, VcpuResizeInfo};
@@ -204,6 +205,10 @@ pub enum VmmAction {
/// input. This action can only be called before the microVM has booted.
InsertBlockDevice(BlockDeviceConfigInfo),
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
/// Prepare to remove a block device that already exists
PrepareRemoveBlockDevice(String),
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
/// Remove a new block device for according to given drive_id
RemoveBlockDevice(String),
@@ -355,6 +360,10 @@ impl VmmService {
self.add_block_device(vmm, event_mgr, block_device_config)
}
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
VmmAction::PrepareRemoveBlockDevice(blkdev_id) => {
self.prepare_remove_block_device(vmm, &blkdev_id)
}
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
VmmAction::UpdateBlockDevice(blk_update) => {
self.update_blk_rate_limiters(vmm, blk_update)
}
@@ -663,10 +672,17 @@ impl VmmService {
VmmActionError::Block(BlockDeviceError::UpdateNotAllowedPostBoot)
})?;
let (sender, receiver) = mpsc::channel();
let vmm_data = if ctx.is_hotplug() {
VmmData::SyncHotplug((sender.clone(), receiver))
} else {
VmmData::Empty
};
vm.device_manager_mut()
.block_manager
.insert_device(ctx, config)
.map(|_| VmmData::Empty)
.insert_device(ctx, config, sender.clone())
.map(|_| vmm_data)
.map_err(VmmActionError::Block)
}
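
Review bot: in `add_block_device` the `mpsc::channel()` is created unconditionally but only handed out when `ctx.is_hotplug()`; in the boot-time path the `receiver` is dropped at the end of the arm and the hotplug callback is never invoked, so the channel is pure overhead there. Create it inside the `is_hotplug()` branch, or add a comment stating that the boot path intentionally has no listener. The extra `sender.clone()` passed to `insert_device` can also be the original `sender`, since it is not used afterwards.
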
@@ -687,6 +703,38 @@ impl VmmService {
.map_err(VmmActionError::Block)
}
// using upcall to unplug the block device in the guest
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
fn prepare_remove_block_device(
&mut self,
vmm: &mut Vmm,
blockdev_id: &str,
) -> VmmRequestResult {
let vm = vmm.get_vm_mut().ok_or(VmmActionError::HostDeviceConfig(
VfioDeviceError::InvalidVMID,
))?;
info!("prepare_remove_block_device: {:?}", blockdev_id);
let ctx = vm.create_device_op_context(None).map_err(|e| {
info!("create device op context error: {:?}", e);
if let StartMicroVmError::MicroVMAlreadyRunning = e {
VmmActionError::HostDeviceConfig(VfioDeviceError::UpdateNotAllowedPostBoot)
} else if let StartMicroVmError::UpcallServerNotReady = e {
VmmActionError::UpcallServerNotReady
} else {
VmmActionError::StartMicroVm(e)
}
})?;
let (sender, receiver) = mpsc::channel();
vm.device_manager_mut()
.block_manager
.prepare_remove_device(&ctx, blockdev_id, sender.clone())
.map(|_| VmmData::SyncHotplug((sender, receiver)))
.map_err(VmmActionError::Block)
}
#[cfg(any(feature = "virtio-blk", feature = "vhost-user-blk"))]
// Remove the device
#[instrument(skip(self, event_mgr))]
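
Review bot: `prepare_remove_block_device` reports its failures under the wrong error domain: a missing VM becomes `VmmActionError::HostDeviceConfig(VfioDeviceError::InvalidVMID)` and a post-boot context failure becomes `VfioDeviceError::UpdateNotAllowedPostBoot`, although this is a block-device operation and the adjacent `add_block_device` path uses `VmmActionError::Block(BlockDeviceError::UpdateNotAllowedPostBoot)`. Use the `Block(...)` variants here so callers can match on them consistently. Also, `info!("create device op context error: {:?}", e)` logs a failure at info level; make it `error!` or `warn!`.
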
@@ -1525,6 +1573,7 @@ mod tests {
queue_size: 256,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
}),
InstanceState::Uninitialized,
&|result| {


@@ -7,19 +7,28 @@
// found in the THIRD-PARTY file.
//! Device manager for virtio-blk and vhost-user-blk devices.
use std::collections::{vec_deque, VecDeque};
use std::convert::TryInto;
use std::fs::OpenOptions;
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};
use std::sync::mpsc::Sender;
use std::sync::Arc;
use std::{
collections::{vec_deque, VecDeque},
sync::mpsc,
};
use dbs_device::DeviceIo;
use dbs_pci::VirtioPciDevice;
use dbs_upcall::{DevMgrResponse, UpcallClientResponse};
use dbs_virtio_devices as virtio;
use dbs_virtio_devices::block::{aio::Aio, io_uring::IoUring, Block, LocalFile, Ufile};
#[cfg(feature = "vhost-user-blk")]
use dbs_virtio_devices::vhost::vhost_user::block::VhostUserBlock;
use serde_derive::{Deserialize, Serialize};
use virtio_queue::QueueSync;
use vm_memory::GuestRegionMmap;
use crate::address_space_manager::GuestAddressSpaceImpl;
use crate::config_manager::{ConfigItem, DeviceConfigInfo, RateLimiterConfigInfo};
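
Review bot: the `use` block now imports `std::sync::mpsc` in two shapes: `use std::sync::mpsc::Sender;` on its own line and `sync::mpsc` inside the new `use std::{ collections::{...}, sync::mpsc };` group, while `std::sync::Arc` stays on a third line. Later in the file the same type is spelled `mpsc::Sender<Option<i32>>` in `insert_device` and `Sender<Option<i32>>` in `prepare_remove_device`. Pick one form (e.g. `use std::sync::{mpsc, Arc};` and write `mpsc::Sender` everywhere) and drop the separate `Sender` import.
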
@@ -190,6 +199,8 @@ pub struct BlockDeviceConfigInfo {
pub use_shared_irq: Option<bool>,
/// Use generic irq
pub use_generic_irq: Option<bool>,
/// Use pci bus
pub use_pci_bus: Option<bool>,
}
impl std::default::Default for BlockDeviceConfigInfo {
@@ -208,6 +219,7 @@ impl std::default::Default for BlockDeviceConfigInfo {
rate_limiter: None,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: None,
}
}
}
@@ -349,6 +361,7 @@ impl BlockDeviceMgr {
&mut self,
mut ctx: DeviceOpContext,
config: BlockDeviceConfigInfo,
sender: mpsc::Sender<Option<i32>>,
) -> std::result::Result<(), BlockDeviceError> {
if !cfg!(feature = "hotplug") && ctx.is_hotplug {
return Err(BlockDeviceError::UpdateNotAllowedPostBoot);
@@ -380,31 +393,68 @@ impl BlockDeviceMgr {
return Ok(());
}
let mut slot = 0;
let use_generic_irq = config.use_generic_irq.unwrap_or(USE_GENERIC_IRQ);
match config.device_type {
BlockDeviceType::RawBlock => {
let device = Self::create_blk_device(&config, &mut ctx)
.map_err(BlockDeviceError::Virtio)?;
let dev = DeviceManager::create_mmio_virtio_device(
device,
&mut ctx,
config.use_shared_irq.unwrap_or(self.use_shared_irq),
config.use_generic_irq.unwrap_or(USE_GENERIC_IRQ),
)
.map_err(BlockDeviceError::DeviceManager)?;
self.update_device_by_index(index, Arc::clone(&dev))?;
let dev = if let Some(true) = config.use_pci_bus {
let pci_dev = DeviceManager::create_virtio_pci_device(
device,
&mut ctx,
use_generic_irq,
)
.map_err(BlockDeviceError::DeviceManager)?;
let (_, devfn) = DeviceManager::get_pci_device_info(&pci_dev)?;
slot = devfn >> 3;
pci_dev
} else {
DeviceManager::create_mmio_virtio_device(
device,
&mut ctx,
config.use_shared_irq.unwrap_or(self.use_shared_irq),
use_generic_irq,
)
.map_err(BlockDeviceError::DeviceManager)?
};
let callback: Option<Box<dyn Fn(UpcallClientResponse) + Send>> =
Some(Box::new(move |_| {
// send the pci device slot to caller.
let _ = sender.send(Some(slot as i32));
}));
self.update_device_by_index(index, dev.clone())?;
// live-upgrade need save/restore device from info.device.
self.info_list[index].set_device(dev.clone());
ctx.insert_hotplug_mmio_device(&dev, None).map_err(|e| {
let mut cleanup = |e, ctx: DeviceOpContext| -> BlockDeviceError {
let logger = ctx.logger().new(slog::o!());
self.remove_device(ctx, &config.drive_id).unwrap();
error!(
logger,
"failed to hot-add virtio block device {}, {:?}",
"failed to hot-add pci virtio block device {}, {:?}",
&config.drive_id,
e
);
BlockDeviceError::DeviceManager(e)
})
};
if let Some(true) = config.use_pci_bus {
let _ = ctx
.insert_hotplug_pci_device(&dev, callback)
.map_err(|e| cleanup(e, ctx))?;
Ok(())
} else {
ctx.insert_hotplug_mmio_device(&dev, callback)
.map_err(|e| cleanup(e, ctx))
}
}
#[cfg(feature = "vhost-user-blk")]
BlockDeviceType::Spool | BlockDeviceType::Spdk => {
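
Review bot: in the `RawBlock` arm the upcall callback always sends `Some(slot as i32)`, but `slot` is only assigned on the PCI branch; on the MMIO branch it keeps its initial `0`, so the caller receives `Some(0)`, which is indistinguishable from a PCI device in slot 0. Send `None` on the MMIO branch, as the vhost-user arm in the next hunk does, or make `slot` an `Option`. Two smaller points in the same arm: the `cleanup` message now reads "failed to hot-add pci virtio block device" for both transports (keep it transport-neutral or choose the string per branch), and `let _ = ctx.insert_hotplug_pci_device(&dev, callback).map_err(...)?; Ok(())` can simply return the mapped result the way the `else` branch does.
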
@@ -417,8 +467,13 @@ impl BlockDeviceMgr {
config.use_generic_irq.unwrap_or(USE_GENERIC_IRQ),
)
.map_err(BlockDeviceError::DeviceManager)?;
let callback: Option<Box<dyn Fn(UpcallClientResponse) + Send>> =
Some(Box::new(move |_| {
let _ = sender.send(None);
}));
self.update_device_by_index(index, Arc::clone(&dev))?;
ctx.insert_hotplug_mmio_device(&dev, None).map_err(|e| {
ctx.insert_hotplug_mmio_device(&dev, callback).map_err(|e| {
let logger = ctx.logger().new(slog::o!());
self.remove_device(ctx, &config.drive_id).unwrap();
error!(
@@ -450,15 +505,25 @@ impl BlockDeviceMgr {
info.config.drive_id,
info.config.path_on_host.to_str().unwrap_or("<unknown>")
);
let use_shared_irq = info.config.use_shared_irq.unwrap_or(self.use_shared_irq);
let use_generic_irq = info.config.use_generic_irq.unwrap_or(USE_GENERIC_IRQ);
let device = Self::create_blk_device(&info.config, ctx)
.map_err(BlockDeviceError::Virtio)?;
let device = DeviceManager::create_mmio_virtio_device(
device,
ctx,
info.config.use_shared_irq.unwrap_or(self.use_shared_irq),
info.config.use_generic_irq.unwrap_or(USE_GENERIC_IRQ),
)
.map_err(BlockDeviceError::RegisterBlockDevice)?;
let device = if let Some(true) = info.config.use_pci_bus {
DeviceManager::create_virtio_pci_device(device, ctx, use_generic_irq)
.map_err(BlockDeviceError::RegisterBlockDevice)?
} else {
DeviceManager::create_mmio_virtio_device(
device,
ctx,
use_shared_irq,
use_generic_irq,
)
.map_err(BlockDeviceError::RegisterBlockDevice)?
};
info.device = Some(device);
}
#[cfg(feature = "vhost-user-blk")]
@@ -496,7 +561,7 @@ impl BlockDeviceMgr {
while let Some(mut info) = self.info_list.pop_back() {
info!(ctx.logger(), "remove drive {}", info.config.drive_id);
if let Some(device) = info.device.take() {
DeviceManager::destroy_mmio_virtio_device(device, ctx)?;
DeviceManager::destroy_virtio_device(device, ctx)?;
}
}
@@ -510,6 +575,62 @@ impl BlockDeviceMgr {
}
}
/// prepare to remove device
pub fn prepare_remove_device(
&self,
ctx: &DeviceOpContext,
blockdev_id: &str,
result_sender: Sender<Option<i32>>,
) -> Result<(), BlockDeviceError> {
if !cfg!(feature = "hotplug") {
return Err(BlockDeviceError::UpdateNotAllowedPostBoot);
}
info!(ctx.logger(), "prepare remove block device");
let callback: Option<Box<dyn Fn(UpcallClientResponse) + Send>> =
Some(Box::new(move |result| match result {
UpcallClientResponse::DevMgr(response) => {
if let DevMgrResponse::Other(resp) = response {
if let Err(e) = result_sender.send(Some(resp.result)) {
log::error!("send upcall result failed, due to {:?}!", e);
}
}
}
UpcallClientResponse::UpcallReset => {
if let Err(e) = result_sender.send(None) {
log::error!("send upcall result failed, due to {:?}!", e);
}
}
#[allow(unreachable_patterns)]
_ => {
log::debug!("this arm should only be triggered under test");
}
}));
let device_index = self
.get_index_of_drive_id(blockdev_id)
.ok_or(BlockDeviceError::InvalidDeviceId(blockdev_id.to_string()))?;
let info = &self.info_list[device_index];
if let Some(device) = info.device.as_ref() {
if let Some(_mmio_dev) = device.as_any().downcast_ref::<DbsMmioV2Device>() {
if callback.is_some() {
ctx.remove_hotplug_mmio_device(device, callback)?;
}
} else if let Some(_pci_dev) = device.as_any().downcast_ref::<VirtioPciDevice<
GuestAddressSpaceImpl,
QueueSync,
GuestRegionMmap,
>>() {
if callback.is_some() {
ctx.remove_hotplug_pci_device(device, callback)?;
}
}
}
Ok(())
}
/// remove a block device, it basically is the inverse operation of `insert_device``
pub fn remove_device(
&mut self,
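
Review bot: `prepare_remove_device` returns `Ok(())` when `info.device` is `None` or when the device is neither a `DbsMmioV2Device` nor a `VirtioPciDevice`, and in those cases `result_sender` is dropped without ever sending. A caller that then waits on the receiver (the `VmmData::SyncHotplug` path) sees a disconnect rather than a result, with no log line explaining why. Return an error for the unmatched cases (e.g. `BlockDeviceError::InvalidDeviceId`) instead of silently succeeding. The `if callback.is_some()` guards are always true because `callback` is constructed as `Some(...)` a few lines above; pass it directly. While here, the doc comment on `remove_device` has a doubled closing backtick after `insert_device`.
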
@@ -524,7 +645,7 @@ impl BlockDeviceMgr {
Some(mut info) => {
info!(ctx.logger(), "remove drive {}", info.config.drive_id);
if let Some(device) = info.device.take() {
DeviceManager::destroy_mmio_virtio_device(device, &mut ctx)
DeviceManager::destroy_virtio_device(device, &mut ctx)
.map_err(BlockDeviceError::DeviceManager)?;
}
}
@@ -783,7 +904,7 @@ impl BlockDeviceMgr {
pub fn update_device_by_index(
&mut self,
index: usize,
device: Arc<DbsMmioV2Device>,
device: Arc<dyn DeviceIo>,
) -> Result<(), BlockDeviceError> {
if let Some(info) = self.info_list.get_mut(index) {
info.device = Some(device);
@@ -818,6 +939,21 @@ impl BlockDeviceMgr {
.map(|_p| ())
.map_err(|_e| BlockDeviceError::BlockEpollHanderSendFail);
}
} else if let Some(pci_dev) = device.as_any().downcast_ref::<VirtioPciDevice<
GuestAddressSpaceImpl,
QueueSync,
GuestRegionMmap,
>>() {
let inner_dev = pci_dev.device();
if let Some(blk_dev) = inner_dev
.as_any()
.downcast_ref::<virtio::block::Block<GuestAddressSpaceImpl>>()
{
return blk_dev
.set_patch_rate_limiters(new_cfg.bytes(), new_cfg.ops())
.map(|_p| ())
.map_err(|_e| BlockDeviceError::BlockEpollHanderSendFail);
}
}
Ok(())
}
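
Review bot: the `VirtioPciDevice<GuestAddressSpaceImpl, QueueSync, GuestRegionMmap>` downcast now appears here and in `prepare_remove_device`, each time spelled out over four lines. Introduce a type alias (e.g. `type BlkVirtioPciDevice = VirtioPciDevice<GuestAddressSpaceImpl, QueueSync, GuestRegionMmap>;`), and since the MMIO and PCI branches then call the same `set_patch_rate_limiters` on the inner `Block`, factor the lookup of the inner block device into a helper so the two branches cannot drift apart. `BlockEpollHanderSendFail` is a pre-existing typo (`Handler`) that could be fixed in the same pass if the variant is not part of a public API.
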
@@ -848,6 +984,7 @@ mod tests {
use super::*;
use crate::device_manager::tests::create_address_space;
use crate::test_utils::tests::create_vm_for_test;
use std::sync::mpsc::channel;
#[test]
fn test_block_device_type() {
@@ -887,14 +1024,16 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
let (sender, _receiver) = channel();
assert!(vm
.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device.clone(),)
.insert_device(ctx, dummy_block_device.clone(), sender)
.is_ok());
assert_eq!(vm.device_manager().block_manager.info_list.len(), 1);
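
Review bot: every `BlockDeviceConfigInfo` in the test module is switched to `use_pci_bus: Some(true)`, so after this change none of these tests exercises the MMIO transport (`None` or `Some(false)`), which is still the default and the path existing callers use. Keep at least one insert/remove test on the MMIO path, and consider a test for the rate-limiter update through the PCI downcast added above.
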
@@ -961,10 +1100,12 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let (sender, _receiver) = channel();
vm.device_manager_mut()
.block_manager
.insert_device(device_op_ctx, dummy_block_device)
.insert_device(device_op_ctx, dummy_block_device, sender)
.unwrap();
let cfg = BlockDeviceConfigUpdateInfo {
@@ -1037,14 +1178,16 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
let (sender, _receiver) = channel();
assert!(vm
.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device.clone(),)
.insert_device(ctx, dummy_block_device.clone(), sender)
.is_ok());
assert_eq!(vm.device_manager().block_manager.info_list.len(), 1);
@@ -1077,6 +1220,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_2 = TempFile::new().unwrap();
@@ -1095,19 +1239,21 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
let (sender, _receiver) = channel();
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device_1)
.insert_device(ctx, root_block_device_1, sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
assert!(vm
.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device_2)
.insert_device(ctx, root_block_device_2, sender)
.is_err());
}
@@ -1131,6 +1277,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_2 = TempFile::new().unwrap();
@@ -1149,6 +1296,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_3 = TempFile::new().unwrap();
@@ -1167,6 +1315,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
@@ -1186,23 +1335,24 @@ mod tests {
assert!(vm.device_manager().block_manager.has_root_block_device(),);
assert!(!vm.device_manager().block_manager.has_part_uuid_root());
assert_eq!(vm.device_manager().block_manager.info_list.len(), 3);
let (sender, _receiver) = channel();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device)
.insert_device(ctx, root_block_device, sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2)
.insert_device(ctx, dummy_block_device_2, sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_3)
.insert_device(ctx, dummy_block_device_3, sender.clone())
.unwrap();
}
@@ -1226,6 +1376,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_2 = TempFile::new().unwrap();
@@ -1244,6 +1395,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_3 = TempFile::new().unwrap();
@@ -1262,24 +1414,26 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
let (sender, _receiver) = channel();
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2.clone())
.insert_device(ctx, dummy_block_device_2.clone(), sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_3.clone())
.insert_device(ctx, dummy_block_device_3.clone(), sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device.clone())
.insert_device(ctx, root_block_device.clone(), sender.clone())
.unwrap();
assert!(vm.device_manager().block_manager.has_root_block_device(),);
@@ -1322,6 +1476,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let dummy_file_2 = TempFile::new().unwrap();
@@ -1340,20 +1495,22 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let mut vm = crate::vm::tests::create_vm_instance();
let (sender, _receiver) = channel();
// Add 2 block devices.
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device)
.insert_device(ctx, root_block_device, sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2.clone())
.insert_device(ctx, dummy_block_device_2.clone(), sender.clone())
.unwrap();
// Get index zero.
@@ -1384,7 +1541,7 @@ mod tests {
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2.clone())
.insert_device(ctx, dummy_block_device_2.clone(), sender.clone())
.unwrap();
let index = vm
@@ -1407,7 +1564,7 @@ mod tests {
assert!(vm
.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2.clone(),)
.insert_device(ctx, dummy_block_device_2.clone(), sender.clone())
.is_err());
// Update with 2 root block devices.
@@ -1417,7 +1574,7 @@ mod tests {
assert!(vm
.device_manager_mut()
.block_manager
.insert_device(ctx, dummy_block_device_2,)
.insert_device(ctx, dummy_block_device_2, sender.clone())
.is_err(),);
// Switch roots and add a PARTUUID for the new one.
@@ -1435,6 +1592,7 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let root_block_device_new = BlockDeviceConfigInfo {
path_on_host: dummy_path_2,
@@ -1450,16 +1608,17 @@ mod tests {
queue_size: 128,
use_shared_irq: None,
use_generic_irq: None,
use_pci_bus: Some(true),
};
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device_old)
.insert_device(ctx, root_block_device_old, sender.clone())
.unwrap();
let ctx = DeviceOpContext::create_boot_ctx(&vm, None);
vm.device_manager_mut()
.block_manager
.insert_device(ctx, root_block_device_new)
.insert_device(ctx, root_block_device_new, sender.clone())
.unwrap();
assert!(vm.device_manager().block_manager.has_part_uuid_root);
}


@@ -310,7 +310,7 @@ impl MemDeviceMgr {
pub fn remove_devices(&self, ctx: &mut DeviceOpContext) -> Result<(), DeviceMgrError> {
for info in self.info_list.iter() {
if let Some(device) = &info.device {
DeviceManager::destroy_mmio_virtio_device(device.clone(), ctx)?;
DeviceManager::destroy_mmio_device(device.clone(), ctx)?;
}
}
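
Review bot: `MemDeviceMgr::remove_devices` now calls `DeviceManager::destroy_mmio_device`, while the equivalent code in `BlockDeviceMgr` switches to `DeviceManager::destroy_virtio_device`. If these are two different functions, confirm that `destroy_mmio_device` still performs the virtio-specific teardown that `destroy_mmio_virtio_device` did for the memory device; if they do the same thing, use one name in both managers.
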


@@ -13,17 +13,19 @@ use arc_swap::ArcSwap;
use dbs_address_space::AddressSpace;
#[cfg(target_arch = "aarch64")]
use dbs_arch::{DeviceType, MMIODeviceInfo};
use dbs_boot::layout::MMIO_LOW_END;
use dbs_device::device_manager::{Error as IoManagerError, IoManager, IoManagerContext};
#[cfg(target_arch = "aarch64")]
use dbs_device::resources::DeviceResources;
use dbs_device::resources::Resource;
use dbs_device::DeviceIo;
use dbs_interrupt::KvmIrqManager;
use dbs_legacy_devices::ConsoleHandler;
#[cfg(all(feature = "host-device", target_arch = "aarch64"))]
use dbs_pci::PciBusResources;
#[cfg(feature = "dbs-virtio-devices")]
use dbs_pci::CAPABILITY_BAR_SIZE;
use dbs_utils::epoll_manager::EpollManager;
use kvm_ioctls::VmFd;
use log::error;
use virtio_queue::QueueSync;
#[cfg(feature = "dbs-virtio-devices")]
use dbs_device::resources::ResourceConstraint;
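
Review bot: in the import block, `use dbs_pci::CAPABILITY_BAR_SIZE;` is gated on `feature = "dbs-virtio-devices"` but the new `use virtio_queue::QueueSync;` is unconditional, as is `use dbs_pci::VirtioPciDevice;` in the next hunk. If `QueueSync` and `VirtioPciDevice` are only used by virtio-PCI code, builds without that feature will emit unused-import warnings (errors under `-D warnings`); gate them the same way.
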
@@ -40,6 +42,7 @@ use dbs_virtio_devices::{
#[cfg(feature = "host-device")]
use dbs_pci::VfioPciDevice;
use dbs_pci::VirtioPciDevice;
#[cfg(all(feature = "hotplug", feature = "dbs-upcall"))]
use dbs_upcall::{
DevMgrRequest, DevMgrService, MmioDevRequest, PciDevRequest, UpcallClient, UpcallClientError,
@@ -57,6 +60,8 @@ use crate::resource_manager::ResourceManager;
use crate::vm::{KernelConfigInfo, Vm, VmConfigInfo};
use crate::IoManagerCached;
use vm_memory::GuestRegionMmap;
/// Virtual machine console device manager.
pub mod console_manager;
/// Console Manager for virtual machines console device.
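
Review bot: `use vm_memory::GuestRegionMmap;` is added after the `crate::` imports rather than in the external-crate group where `vm_memory` belongs next to `virtio_queue` and `kvm_ioctls`; rustfmt does not reorder across blank-line groups, so move it up to keep the grouping the rest of the file follows.
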
@@ -131,6 +136,9 @@ macro_rules! info(
};
);
// The flag of whether to use the shared irq.
const USE_SHARED_IRQ: bool = true;
/// Errors related to device manager operations.
#[derive(Debug, thiserror::Error)]
pub enum DeviceMgrError {
@@ -173,13 +181,28 @@ pub enum DeviceMgrError {
HotplugDevice(#[source] UpcallClientError),
/// Failed to free device resource.
#[error("failed to free device resources: {0}")]
#[error("failed to allocate/free device resources: {0}")]
ResourceError(#[source] crate::resource_manager::ResourceError),
#[cfg(feature = "host-device")]
/// Error from Vfio Pci
#[error("failed to do vfio pci operation: {0:?}")]
VfioPci(#[source] dbs_pci::VfioPciError),
/// Error from Virtio Pci
#[error("failed to do virtio pci operation")]
VirtioPci,
/// PCI system manager error
#[error("Pci system manager error")]
PciSystemManager,
/// Dragonball pci system error
#[error("pci error: {0:?}")]
PciError(#[source] dbs_pci::Error),
/// Virtio Pci system error
#[error("virtio pci error: {0:?}")]
VirtioPciError(#[source] dbs_pci::VirtioPciDeviceError),
/// Unsupported pci device type
#[error("unsupported pci device type")]
InvalidPciDeviceType,
}
/// Specialized version of `std::result::Result` for device manager operations.
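
Review bot: the error enum now has overlapping variants: `VirtioPci` (no payload, message "failed to do virtio pci operation") next to `VirtioPciError(#[source] dbs_pci::VirtioPciDeviceError)`, and `PciSystemManager` with no payload next to `PciError(#[source] dbs_pci::Error)`. Callers get no guidance on which to return, and the payload-less ones lose the cause. Keep the variants that carry a `#[source]` and delete or document the bare ones.
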
@@ -290,9 +313,10 @@ pub struct DeviceOpContext {
#[cfg(all(feature = "hotplug", feature = "dbs-upcall"))]
upcall_client: Option<Arc<UpcallClient<DevMgrService>>>,
#[cfg(feature = "dbs-virtio-devices")]
virtio_devices: Vec<Arc<DbsMmioV2Device>>,
virtio_devices: Vec<Arc<dyn DeviceIo>>,
#[cfg(feature = "host-device")]
vfio_manager: Option<Arc<Mutex<VfioDeviceMgr>>>,
pci_system_manager: Arc<Mutex<PciSystemManager>>,
vm_config: Option<VmConfigInfo>,
shared_info: Arc<RwLock<InstanceInfo>>,
}
@@ -343,6 +367,7 @@ impl DeviceOpContext {
shared_info,
#[cfg(feature = "host-device")]
vfio_manager: None,
pci_system_manager: device_mgr.pci_system_manager.clone(),
}
}
@@ -444,6 +469,11 @@ impl DeviceOpContext {
}
Ok(dev_info)
}
/// check the hotplug context
pub fn is_hotplug(&self) -> bool {
self.is_hotplug
}
}
#[cfg(all(feature = "hotplug", not(feature = "dbs-upcall")))]
@@ -513,7 +543,7 @@ impl DeviceOpContext {
pub(crate) fn insert_hotplug_mmio_device(
&self,
dev: &Arc<DbsMmioV2Device>,
dev: &Arc<dyn DeviceIo>,
callback: Option<Box<dyn Fn(UpcallClientResponse) + Send>>,
) -> Result<()> {
if !self.is_hotplug {
@@ -532,7 +562,7 @@ impl DeviceOpContext {
pub(crate) fn remove_hotplug_mmio_device(
&self,
dev: &Arc<DbsMmioV2Device>,
dev: &Arc<dyn DeviceIo>,
callback: Option<Box<dyn Fn(UpcallClientResponse) + Send>>,
) -> Result<()> {
if !self.is_hotplug {
@@ -630,6 +660,7 @@ pub struct DeviceManager {
vhost_user_net_manager: VhostUserNetDeviceMgr,
#[cfg(feature = "host-device")]
pub(crate) vfio_manager: Arc<Mutex<VfioDeviceMgr>>,
pub(crate) pci_system_manager: Arc<Mutex<PciSystemManager>>,
}
impl DeviceManager {
@@ -640,11 +671,25 @@ impl DeviceManager {
epoll_manager: EpollManager,
logger: &slog::Logger,
shared_info: Arc<RwLock<InstanceInfo>>,
) -> Self {
DeviceManager {
io_manager: Arc::new(ArcSwap::new(Arc::new(IoManager::new()))),
io_lock: Arc::new(Mutex::new(())),
irq_manager: Arc::new(KvmIrqManager::new(vm_fd.clone())),
) -> Result<Self> {
let irq_manager = Arc::new(KvmIrqManager::new(vm_fd.clone()));
let io_manager = Arc::new(ArcSwap::new(Arc::new(IoManager::new())));
let io_lock = Arc::new(Mutex::new(()));
let io_context = DeviceManagerContext::new(io_manager.clone(), io_lock.clone());
let mut mgr = PciSystemManager::new(irq_manager.clone(), io_context, res_manager.clone())?;
let requirements = mgr.resource_requirements();
let resources = res_manager
.allocate_device_resources(&requirements, USE_SHARED_IRQ)
.map_err(DeviceMgrError::ResourceError)?;
mgr.activate(resources)?;
let pci_system_manager = Arc::new(Mutex::new(mgr));
Ok(DeviceManager {
io_manager,
io_lock,
irq_manager,
res_manager,
vm_fd: vm_fd.clone(),
logger: logger.new(slog::o!()),
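
Review bot: `DeviceManager::new` now builds and activates a `PciSystemManager` unconditionally, allocating its resources through `res_manager.allocate_device_resources(&requirements, USE_SHARED_IRQ)` for every VM, including MMIO-only guests that previously had no PCI system at all. That is both a guest-visible change and a host resource change; consider creating the PCI system lazily on the first PCI device or behind a config flag. `USE_SHARED_IRQ` is hard-coded `true` here while block devices take the setting from `self.use_shared_irq`; reuse the same source. The return type changing to `Result<Self>` also means every caller must now handle the error, and the `?` on `PciSystemManager::new` and `mgr.activate` relies on `From` impls into `DeviceMgrError`; make sure those map to the specific `PciError`/`VirtioPciError` variants rather than a bare one.
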
@@ -671,8 +716,13 @@ impl DeviceManager {
#[cfg(feature = "vhost-user-net")]
vhost_user_net_manager: VhostUserNetDeviceMgr::default(),
#[cfg(feature = "host-device")]
vfio_manager: Arc::new(Mutex::new(VfioDeviceMgr::new(vm_fd, logger))),
}
vfio_manager: Arc::new(Mutex::new(VfioDeviceMgr::new(
vm_fd,
pci_system_manager.clone(),
logger,
))),
pci_system_manager,
})
}
/// Get the underlying IoManager to dispatch IO read/write requests.
@@ -879,7 +929,7 @@ impl DeviceManager {
/// Start all registered devices when booting the associated virtual machine.
pub fn start_devices(
&mut self,
vm_as: &GuestAddressSpaceImpl,
#[allow(unused)] vm_as: &GuestAddressSpaceImpl,
) -> std::result::Result<(), StartMicroVmError> {
// It is safe because we don't expect poison lock.
#[cfg(feature = "host-device")]
@@ -899,6 +949,7 @@ impl DeviceManager {
address_space: Option<&AddressSpace>,
) -> Result<()> {
// create context for removing devices
#[allow(unused)]
let mut ctx = DeviceOpContext::new(
Some(epoll_mgr),
self,
@@ -1023,7 +1074,7 @@ impl DeviceManager {
}
#[cfg(feature = "dbs-virtio-devices")]
fn get_virtio_mmio_device_info(device: &Arc<DbsMmioV2Device>) -> Result<(u64, u64, u32)> {
fn get_virtio_mmio_device_info(device: &Arc<dyn DeviceIo>) -> Result<(u64, u64, u32)> {
let resources = device.get_assigned_resources();
let irq = resources
.get_legacy_irq()
@@ -1037,26 +1088,11 @@ impl DeviceManager {
Err(DeviceMgrError::GetDeviceResource)
}
/// Get pci bus resources for creating fdt.
#[cfg(feature = "host-device")]
pub fn get_pci_bus_resources(&self) -> Option<PciBusResources> {
let mut vfio_dev_mgr = self.vfio_manager.lock().unwrap();
let vfio_pci_mgr = vfio_dev_mgr.get_pci_manager();
vfio_pci_mgr.as_ref()?;
let pci_manager = vfio_pci_mgr.unwrap();
let ecam_space = pci_manager.get_ecam_space();
let bar_space = pci_manager.get_bar_space();
Some(PciBusResources {
ecam_space,
bar_space,
})
}
}
#[cfg(feature = "dbs-virtio-devices")]
impl DeviceManager {
fn get_virtio_device_info(device: &Arc<DbsMmioV2Device>) -> Result<(u64, u64, u32)> {
fn get_virtio_device_info(device: &Arc<dyn DeviceIo>) -> Result<(u64, u64, u32)> {
let resources = device.get_assigned_resources();
let irq = resources
.get_legacy_irq()
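Review bot: `get_pci_bus_resources`, the `host-device`-gated accessor whose doc comment says it exists "for creating fdt", is deleted here with no replacement visible in this diff. Now that `pci_system_manager` is a field of `DeviceManager`, the aarch64 fdt builder presumably needs an equivalent that locks it and reads `get_ecam_space()` / `get_bar_space()`; if that moved elsewhere, say where, and if the fdt code still calls the old name the aarch64 build is broken.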
@@ -1078,7 +1114,7 @@ impl DeviceManager {
ctx: &mut DeviceOpContext,
use_shared_irq: bool,
use_generic_irq: bool,
) -> std::result::Result<Arc<DbsMmioV2Device>, DeviceMgrError> {
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
let features = DRAGONBALL_FEATURE_INTR_USED | DRAGONBALL_FEATURE_PER_QUEUE_NOTIFY;
DeviceManager::create_mmio_virtio_device_with_features(
device,
@@ -1096,7 +1132,7 @@ impl DeviceManager {
ctx: &mut DeviceOpContext,
use_shared_irq: bool,
use_generic_irq: bool,
) -> std::result::Result<Arc<DbsMmioV2Device>, DeviceMgrError> {
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
let features = DRAGONBALL_FEATURE_PER_QUEUE_NOTIFY;
DeviceManager::create_mmio_virtio_device_with_features(
device,
@@ -1115,7 +1151,7 @@ impl DeviceManager {
features: Option<u32>,
use_shared_irq: bool,
use_generic_irq: bool,
) -> std::result::Result<Arc<DbsMmioV2Device>, DeviceMgrError> {
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
// Every emulated Virtio MMIO device needs a 4K configuration space,
// and another 4K space for per queue notification.
const MMIO_ADDRESS_DEFAULT: ResourceConstraint = ResourceConstraint::MmioAddress {
@@ -1146,12 +1182,18 @@ impl DeviceManager {
Self::register_mmio_virtio_device(Arc::new(virtio_dev), ctx)
}
/// Teardown the Virtio MMIO transport layer device associated with the virtio backend device.
pub fn destroy_mmio_virtio_device(
fn destroy_mmio_device(
device: Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
) -> std::result::Result<(), DeviceMgrError> {
Self::destroy_mmio_device(device.clone(), ctx)?;
// unregister IoManager
Self::deregister_virtio_device(&device, ctx)?;
// unregister Resource manager
let resources = device.get_assigned_resources();
ctx.res_manager
.free_device_resources(&resources)
.map_err(DeviceMgrError::ResourceError)?;
let mmio_dev = device
.as_any()
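Review bot: `destroy_mmio_virtio_device` becomes the private `fn destroy_mmio_device`, dropping `pub`; the three in-crate callers in the vhost-net, virtio-net and vsock managers are updated further down, so this only compiles as long as those modules stay children of `device_manager`, and any external caller of the old name breaks without a deprecation. Separately, the new body deregisters the I/O ranges and frees the resources before the trailing `let mmio_dev = device.as_any()` downcast; if that downcast fails for a non-MMIO `DeviceIo`, the function returns an error after the device has already been torn out of the IoManager and resource manager, leaving it half-destroyed. Do the downcast first and return early.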
@@ -1163,27 +1205,11 @@ impl DeviceManager {
Ok(())
}
fn destroy_mmio_device(
device: Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
) -> std::result::Result<(), DeviceMgrError> {
// unregister IoManager
Self::deregister_mmio_virtio_device(&device, ctx)?;
// unregister Resource manager
let resources = device.get_assigned_resources();
ctx.res_manager
.free_device_resources(&resources)
.map_err(DeviceMgrError::ResourceError)?;
Ok(())
}
/// Create an Virtio MMIO transport layer device for the virtio backend device.
pub fn register_mmio_virtio_device(
device: Arc<DbsMmioV2Device>,
device: Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
) -> std::result::Result<Arc<DbsMmioV2Device>, DeviceMgrError> {
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
let (mmio_base, mmio_size, irq) = Self::get_virtio_device_info(&device)?;
info!(
ctx.logger(),
@@ -1225,8 +1251,210 @@ impl DeviceManager {
}
}
/// Create an Virtio PCI transport layer device for the virtio backend device.
pub fn create_virtio_pci_device(
mut device: DbsVirtioDevice,
ctx: &mut DeviceOpContext,
use_generic_irq: bool,
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
let pci_system_manager = ctx.pci_system_manager.lock().unwrap();
// We always use 64bit bars, we don't support 32bit bar now
// We aligned to the size of the bar itself, refers to cloud-hypervisor
// https://github.com/cloud-hypervisor/cloud-hypervisor/commit/bfc65bff2a5bdb9aca7dcd3284a0ced0e5cc7db8
//
// Allocate virtio-pci config bar below MMIO_LOW_END.
// Each bridge PCI bridge only has two bridge windows:
// - One is non-prefetchable and located below `MMIO_LOW_END`.
// - The other is prefetchable and located above `MMIO_LOW_END`.
// In reference to `clh`, the config BAR is set as non-prefetchable.
// Therefore, it must be allocated below `MMIO_LOW_END`.
const DEFAULE_VIRTIO_PCI_CONFIG_BAR: ResourceConstraint = ResourceConstraint::MmioAddress {
range: Some((0, MMIO_LOW_END)),
align: CAPABILITY_BAR_SIZE,
size: CAPABILITY_BAR_SIZE,
};
// Virtio pci device always use msi-x, extend irq resources to other_requests
let mut other_requests = vec![];
VirtioPciDevice::get_interrupt_requirements(device.as_ref(), &mut other_requests);
// allocate device resources by pci_bus, MmioAddress + KvmSlot?
let mut device_requests = vec![];
device.get_resource_requirements(&mut device_requests, use_generic_irq);
// Extend KvmSlot resources to other_requests
for req in device_requests.iter() {
if !matches!(
req,
ResourceConstraint::PioAddress { .. } | ResourceConstraint::MmioAddress { .. }
) {
other_requests.push(*req);
}
}
// allocate PciMsixIrq and KvmSlot by res_manager
let other_resources = ctx
.res_manager
.allocate_device_resources(&other_requests, false)
.map_err(DeviceMgrError::ResourceError)?;
let pci_bus = pci_system_manager.pci_root_bus();
let dev_id = pci_system_manager
.new_device_id(None)
.ok_or(DeviceMgrError::VirtioPci)?;
// Allocate config bar resources by pci_bus
let default_config_req = vec![DEFAULE_VIRTIO_PCI_CONFIG_BAR];
let default_config_res = pci_bus
.allocate_resources(&default_config_req)
.map_err(DeviceMgrError::PciError)?;
assert!(default_config_res.get_all_resources().len() == 1);
// Allocate MmioAddress and PioAddress resource by pci bus, other resourece type will skip
let mut device_resource = pci_bus
.allocate_resources(&device_requests)
.map_err(DeviceMgrError::PciError)?;
// Extend PciMsixIrq and KvmSlot resources to device_resource
other_resources.get_all_resources().iter().for_each(|res| {
device_resource.append(res.clone());
});
// Do map for virtio share memory region by set_resource, this will use KvmSlot + MmioAddress resources, which should be allocated before
let _virito_shared_mem_list = device
.as_mut()
.set_resource(ctx.vm_fd.clone(), device_resource.clone())
.map_err(DeviceMgrError::Virtio)?;
// Extend config bar resources to device_resource
// Now device_resource contains all resources
default_config_res
.get_all_resources()
.iter()
.for_each(|res| {
device_resource.append(res.clone());
});
drop(pci_system_manager);
// new a virtio pci device
let mut virtio_dev = VirtioPciDevice::new(
ctx.vm_fd.clone(),
ctx.get_vm_as()?,
ctx.get_address_space()?,
ctx.irq_manager.clone(),
device_resource,
dev_id,
device,
true,
Arc::downgrade(&pci_bus),
default_config_res.get_all_resources()[0].clone(),
)
.map_err(DeviceMgrError::VirtioPciError)?;
virtio_dev
.alloc_bars()
.map_err(DeviceMgrError::VirtioPciError)?;
let arc_dev = Arc::new(virtio_dev);
pci_bus
.register_device(arc_dev.clone())
.map_err(DeviceMgrError::PciError)?;
Self::register_virtio_pci_device(arc_dev, ctx)
}
/// Create an Virtio PCI transport layer device for the virtio backend device.
pub fn register_virtio_pci_device(
device: Arc<dyn DeviceIo>,
ctx: &DeviceOpContext,
) -> std::result::Result<Arc<dyn DeviceIo>, DeviceMgrError> {
let resources = device.get_trapped_io_resources();
let mut tx = ctx.io_context.begin_tx();
if let Err(e) = ctx
.io_context
.register_device_io(&mut tx, device.clone(), &resources)
{
ctx.io_context.cancel_tx(tx);
Err(DeviceMgrError::IoManager(e))
} else {
ctx.io_context.commit_tx(tx);
Ok(device)
}
}
/// Deregister Virtio device from IoManager
pub fn deregister_virtio_device(
device: &Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
) -> std::result::Result<(), DeviceMgrError> {
let resources = device.get_trapped_io_resources();
info!(
ctx.logger(),
"unregister pci virtio device: {:?}", resources
);
let mut tx = ctx.io_context.begin_tx();
if let Err(e) = ctx.io_context.unregister_device_io(&mut tx, &resources) {
ctx.io_context.cancel_tx(tx);
Err(DeviceMgrError::IoManager(e))
} else {
ctx.io_context.commit_tx(tx);
Ok(())
}
}
/// Destroy/Deregister resources for a Virtio PCI
fn destroy_pci_device(
device: Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
dev_id: u8,
) -> std::result::Result<(), DeviceMgrError> {
// unregister IoManager
Self::deregister_virtio_device(&device, ctx)?;
// unregister Resource manager
let resources = device.get_assigned_resources();
let mut system_resources = DeviceResources::new();
resources.iter().for_each(|res| {
if !matches!(
res,
Resource::PioAddressRange { .. } | Resource::MmioAddressRange { .. }
) {
system_resources.append(res.clone());
}
});
info!(
ctx.logger(),
"unregister resource {:?} from system resource manager for pci device",
system_resources
);
ctx.res_manager
.free_device_resources(&system_resources)
.map_err(DeviceMgrError::ResourceError)?;
let pci_system_manager = ctx.pci_system_manager.lock().unwrap();
let pci_bus = pci_system_manager.pci_root_bus();
info!(
ctx.logger(),
"unregister resource {:?} from pci bus resource manager for pci device", resources
);
pci_bus.free_resources(resources);
let _ = pci_system_manager.free_device_id(dev_id as u32);
let pci_dev = device
.as_any()
.downcast_ref::<VirtioPciDevice<GuestAddressSpaceImpl, QueueSync, GuestRegionMmap>>()
.ok_or(DeviceMgrError::InvalidOperation)?;
pci_dev.remove();
Ok(())
}
#[cfg(feature = "host-device")]
fn get_pci_device_info(device: &Arc<dyn DeviceIo>) -> Result<(u8, u8)> {
use virtio_queue::QueueSync;
if let Some(pci_dev) = device
.as_any()
.downcast_ref::<VfioPciDevice<PciSystemManager>>()
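Review bot: `create_virtio_pci_device` has no cleanup on its failure paths. Once `other_resources` (MSI-X IRQs and KVM slots) are taken from `res_manager`, `dev_id` from `new_device_id`, and the config BAR and device ranges from `pci_bus.allocate_resources`, any `?` in `set_resource`, `VirtioPciDevice::new`, `alloc_bars` or `register_device` returns with all of those still reserved; mirror what `destroy_pci_device` does (free the system resources, `pci_bus.free_resources`, `free_device_id`) on the error path, and turn `assert!(default_config_res.get_all_resources().len() == 1)` into an error return so an unexpected bus allocation does not panic the VMM. Smaller points: `DEFAULE_VIRTIO_PCI_CONFIG_BAR` and `_virito_shared_mem_list` are typos; the doc comment on `register_virtio_pci_device` is copied from `create_virtio_pci_device` ("Create an Virtio PCI transport layer device") although the function only registers I/O ranges; and `deregister_virtio_device` logs "unregister pci virtio device" even though `destroy_mmio_device` now routes MMIO devices through it as well.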
@@ -1243,10 +1471,41 @@ impl DeviceManager {
// together those 8 bits combined as devfn value
let devfn = (((slot) & 0x1f) << 3) | ((func) & 0x07);
return Ok((busno, devfn));
} else if let Some(pci_dev) = device.as_any().downcast_ref::<VirtioPciDevice<
GuestAddressSpaceImpl,
QueueSync,
GuestRegionMmap,
>>() {
// reference from kernel: include/uapi/linux/pci.h
let busno = pci_dev.bus_id().map_err(DeviceMgrError::VirtioPciError)?;
let slot = pci_dev.device_id();
let func = 0;
let devfn = (((slot) & 0x1f) << 3) | ((func) & 0x07);
return Ok((busno, devfn));
}
Err(DeviceMgrError::GetDeviceResource)
Err(DeviceMgrError::InvalidPciDeviceType)
}
/// Teardown the Virtio PCI or MMIO transport layer device associated with the virtio backend device.
pub fn destroy_virtio_device(
device: Arc<dyn DeviceIo>,
ctx: &mut DeviceOpContext,
) -> std::result::Result<(), DeviceMgrError> {
if let Some(mmio_dev) = device.as_any().downcast_ref::<DbsMmioV2Device>() {
Self::destroy_mmio_device(device.clone(), ctx)?;
mmio_dev.remove();
} else if let Some(pci_dev) = device.as_any().downcast_ref::<VirtioPciDevice<
GuestAddressSpaceImpl,
QueueSync,
GuestRegionMmap,
>>() {
Self::destroy_pci_device(device.clone(), ctx, pci_dev.device_id())?;
}
Ok(())
}
}
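Review bot: `destroy_virtio_device` appears to remove an MMIO device twice: it calls `Self::destroy_mmio_device(device.clone(), ctx)?`, whose body above still ends in a `let mmio_dev = device.as_any()` downcast (the lines after it fall outside the shown context, but that is where the old `mmio_dev.remove()` lived), and then calls `mmio_dev.remove()` itself. One of the two should go. Also, when the device is neither a `DbsMmioV2Device` nor a `VirtioPciDevice`, the function silently returns `Ok(())` without deregistering anything; returning `DeviceMgrError::InvalidPciDeviceType`, as `get_pci_device_info` now does, would surface a transport mismatch instead of quietly leaking the device. Finally, the new `VirtioPciDevice` branch sits inside `get_pci_device_info`, which is gated on `host-device`, so virtio-pci bus/devfn lookup is unavailable whenever VFIO passthrough is compiled out.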
@@ -1275,7 +1534,9 @@ mod tests {
use dbs_address_space::{AddressSpaceLayout, AddressSpaceRegion, AddressSpaceRegionType};
use kvm_ioctls::Kvm;
use test_utils::skip_if_not_root;
use vm_memory::{GuestAddress, GuestUsize, MmapRegion};
#[cfg(feature = "virtio-fs")]
use vm_memory::MmapRegion;
use vm_memory::{GuestAddress, GuestUsize};
use super::*;
#[cfg(target_arch = "x86_64")]
@@ -1309,12 +1570,29 @@ mod tests {
String::from("1"),
)));
let irq_manager = Arc::new(KvmIrqManager::new(vm_fd.clone()));
let io_manager = Arc::new(ArcSwap::new(Arc::new(IoManager::new())));
let io_lock = Arc::new(Mutex::new(()));
let io_context = DeviceManagerContext::new(io_manager.clone(), io_lock.clone());
let mut mgr =
PciSystemManager::new(irq_manager.clone(), io_context, res_manager.clone())
.unwrap();
let requirements = mgr.resource_requirements();
let resources = res_manager
.allocate_device_resources(&requirements, USE_SHARED_IRQ)
.map_err(DeviceMgrError::ResourceError)
.unwrap();
mgr.activate(resources).unwrap();
let pci_system_manager = Arc::new(Mutex::new(mgr));
DeviceManager {
vm_fd: Arc::clone(&vm_fd),
con_manager: ConsoleManager::new(epoll_manager, &logger),
io_manager: Arc::new(ArcSwap::new(Arc::new(IoManager::new()))),
io_lock: Arc::new(Mutex::new(())),
irq_manager: Arc::new(KvmIrqManager::new(vm_fd.clone())),
io_manager,
io_lock,
irq_manager,
res_manager,
legacy_manager: None,
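Review bot: the test fixture now repeats the PCI bring-up sequence from `DeviceManager::new` verbatim (`PciSystemManager::new`, `resource_requirements`, `allocate_device_resources`, `activate`); factor it into a helper shared by both so the two do not drift the next time the root-bus requirements change. In a test, `.map_err(DeviceMgrError::ResourceError).unwrap()` can also simply be `.unwrap()`.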
@@ -1337,7 +1615,12 @@ mod tests {
#[cfg(feature = "vhost-user-net")]
vhost_user_net_manager: VhostUserNetDeviceMgr::default(),
#[cfg(feature = "host-device")]
vfio_manager: Arc::new(Mutex::new(VfioDeviceMgr::new(vm_fd, &logger))),
vfio_manager: Arc::new(Mutex::new(VfioDeviceMgr::new(
vm_fd,
pci_system_manager.clone(),
&logger,
))),
pci_system_manager,
logger,
shared_info,

View File

@@ -17,12 +17,11 @@ use std::ops::Deref;
use std::os::fd::RawFd;
use std::path::Path;
use std::sync::mpsc::Sender;
use std::sync::{Arc, Weak};
use std::sync::{Arc, Mutex, Weak};
use dbs_device::resources::Resource::LegacyIrq;
use dbs_device::resources::{DeviceResources, Resource, ResourceConstraint};
use dbs_device::DeviceIo;
use dbs_interrupt::KvmIrqManager;
use dbs_pci::{VfioPciDevice, VENDOR_NVIDIA};
use dbs_upcall::{DevMgrResponse, UpcallClientResponse};
use kvm_ioctls::{DeviceFd, VmFd};
@@ -37,8 +36,8 @@ use vm_memory::{
use super::StartMicroVmError;
use crate::address_space_manager::{GuestAddressSpaceImpl, GuestMemoryImpl};
use crate::config_manager::{ConfigItem, DeviceConfigInfo, DeviceConfigInfos};
use crate::device_manager::{DeviceManagerContext, DeviceMgrError, DeviceOpContext};
use crate::resource_manager::{ResourceError, ResourceManager};
use crate::device_manager::{DeviceMgrError, DeviceOpContext};
use crate::resource_manager::ResourceError;
// The flag of whether to use the shared irq.
const USE_SHARED_IRQ: bool = true;
@@ -230,7 +229,7 @@ pub struct VfioDeviceMgr {
info_list: DeviceConfigInfos<HostDeviceConfig>,
locked_vm_size: u64,
vfio_container: Option<Arc<VfioContainer>>,
pci_vfio_manager: Option<Arc<PciSystemManager>>,
pci_system_manager: Arc<Mutex<PciSystemManager>>,
pci_legacy_irqs: Option<HashMap<u8, u8>>,
nvidia_shared_irq: Option<u32>,
logger: slog::Logger,
@@ -238,13 +237,17 @@ pub struct VfioDeviceMgr {
impl VfioDeviceMgr {
/// Create a new VFIO device manager.
pub fn new(vm_fd: Arc<VmFd>, logger: &slog::Logger) -> Self {
pub fn new(
vm_fd: Arc<VmFd>,
pci_system_manager: Arc<Mutex<PciSystemManager>>,
logger: &slog::Logger,
) -> Self {
VfioDeviceMgr {
vm_fd,
info_list: DeviceConfigInfos::new(),
locked_vm_size: 0,
vfio_container: None,
pci_vfio_manager: None,
pci_system_manager,
pci_legacy_irqs: Some(HashMap::new()),
nvidia_shared_irq: None,
logger: logger.new(slog::o!()),
@@ -288,17 +291,6 @@ impl VfioDeviceMgr {
&mut self,
ctx: &mut DeviceOpContext,
) -> std::result::Result<(), StartMicroVmError> {
// create and attach pci root bus
#[cfg(all(feature = "hotplug", feature = "host-device"))]
if ctx.pci_hotplug_enabled {
let _ = self
.create_pci_manager(
ctx.irq_manager.clone(),
ctx.io_context.clone(),
ctx.res_manager.clone(),
)
.map_err(StartMicroVmError::CreateVfioDevice)?;
}
for (idx, info) in self.info_list.clone().iter().enumerate() {
self.create_device(&info.config, ctx, idx)
.map_err(StartMicroVmError::CreateVfioDevice)?;
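Review bot: with the hotplug-gated `create_pci_manager` call removed here and the lazy creation in `create_device` removed below, `ctx.pci_hotplug_enabled` has no remaining reader in this file as far as the diff shows; if nothing else consumes it, remove the field rather than leaving a dead flag that suggests PCI is still optional.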
@@ -574,12 +566,9 @@ impl VfioDeviceMgr {
"subsystem" => "vfio_dev_mgr",
"host_bdf" => &cfg.bus_slot_func,
);
// safe to get pci_manager
let pci_manager = self.create_pci_manager(
ctx.irq_manager.clone(),
ctx.io_context.clone(),
ctx.res_manager.clone(),
)?;
let pci_manager = self.get_pci_manager();
let pci_manager = pci_manager.lock().unwrap();
let pci_bus = pci_manager.pci_root_bus();
let id = pci_manager
.new_device_id(cfg.guest_dev_id)
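Review bot: the `MutexGuard` taken at `let pci_manager = pci_manager.lock().unwrap();` stays alive for the rest of device creation, and a few lines later `self.get_pci_manager()` hands the same `Arc<Mutex<PciSystemManager>>` to `VfioPciDevice::new`; if the device constructor (or anything it calls) locks that mutex, this deadlocks on the non-reentrant `std::sync::Mutex`. Either drop the guard after `new_device_id` / `pci_root_bus()` or document why the callee never locks. The "safe to get pci_manager" comment just above refers to the removed lazy-creation path and should go too.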
@@ -607,7 +596,7 @@ impl VfioDeviceMgr {
sysfs_path,
Arc::downgrade(&pci_bus),
vfio_dev,
Arc::downgrade(self.get_pci_manager().unwrap()),
self.get_pci_manager(),
ctx.vm_fd.clone(),
cfg.vendor_device_id,
cfg.clique_id,
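Review bot: `VfioPciDevice` previously held a `Weak<PciSystemManager>` (via `Arc::downgrade(...)`) and now receives a strong `Arc<Mutex<PciSystemManager>>`. The manager owns the root bus and the bus registers the device, so if `PciBus` keeps its registered devices strongly this creates a reference cycle (manager -> bus -> device -> manager) that keeps both alive after removal; pass `Weak<Mutex<PciSystemManager>>` unless the device genuinely needs to outlive the manager, and say why if it does.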
@@ -665,8 +654,8 @@ impl VfioDeviceMgr {
// safe to unwrap because pci vfio manager is already created
let _ = self
.pci_vfio_manager
.as_mut()
.pci_system_manager
.lock()
.unwrap()
.free_device_id(device_id)
.ok_or(VfioDeviceError::InvalidDeviceID(device_id))?;
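Review bot: the comment "safe to unwrap because pci vfio manager is already created" no longer matches the code: the only `unwrap()` left here is on `Mutex::lock`, which panics on poisoning, not on a missing manager. Update the comment, or handle poisoning the same way the rest of the file does.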
@@ -698,27 +687,9 @@ impl VfioDeviceMgr {
Ok(())
}
pub(crate) fn create_pci_manager(
&mut self,
irq_manager: Arc<KvmIrqManager>,
io_context: DeviceManagerContext,
res_manager: Arc<ResourceManager>,
) -> Result<&mut Arc<PciSystemManager>> {
if self.pci_vfio_manager.is_none() {
let mut mgr = PciSystemManager::new(irq_manager, io_context, res_manager.clone())?;
let requirements = mgr.resource_requirements();
let resources = res_manager
.allocate_device_resources(&requirements, USE_SHARED_IRQ)
.or(Err(VfioDeviceError::NoResource))?;
mgr.activate(resources)?;
self.pci_vfio_manager = Some(Arc::new(mgr));
}
Ok(self.pci_vfio_manager.as_mut().unwrap())
}
/// Get the PCI manager to support PCI device passthrough
pub fn get_pci_manager(&mut self) -> Option<&mut Arc<PciSystemManager>> {
self.pci_vfio_manager.as_mut()
pub fn get_pci_manager(&mut self) -> Arc<Mutex<PciSystemManager>> {
self.pci_system_manager.clone()
}
}
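Review bot: `get_pci_manager` now only clones an `Arc`, so it should take `&self` rather than `&mut self`; the `&mut` forces callers such as `create_device` to hold a mutable borrow of the whole `VfioDeviceMgr` just to obtain a handle. The removed `create_pci_manager` was also the only user of `ResourceManager` and `DeviceManagerContext` in this file, which matches the import cleanup at the top.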

View File

@@ -12,14 +12,13 @@ use dbs_interrupt::KvmIrqManager;
use dbs_pci::ECAM_SPACE_LENGTH;
use dbs_pci::{create_pci_root_bus, PciBus, PciDevice, PciRootDevice, PciSystemContext};
use super::{Result, VfioDeviceError};
use super::DeviceMgrError;
#[cfg(target_arch = "aarch64")]
use crate::device_manager::vfio_dev_mgr::USE_SHARED_IRQ;
use crate::device_manager::DeviceManagerContext;
use crate::resource_manager::ResourceManager;
use dbs_pci::PCI_BUS_DEFAULT;
/// we only support one pci bus
pub const PCI_BUS_DEFAULT: u8 = 0;
/// The default mmio size for pci root bus.
const PCI_MMIO_DEFAULT_SIZE: u64 = 2048u64 << 30;
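Review bot: style, the new `use dbs_pci::PCI_BUS_DEFAULT;` is placed after the `crate::` imports instead of being merged into the existing `use dbs_pci::{...}` line a few lines up; merge it so the `dbs_pci` imports stay in one group. Dropping the local duplicate of the constant in favour of the crate's is the right move.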
@@ -38,13 +37,13 @@ impl PciSystemManager {
irq_manager: Arc<KvmIrqManager>,
io_context: DeviceManagerContext,
res_manager: Arc<ResourceManager>,
) -> std::result::Result<Self, VfioDeviceError> {
) -> std::result::Result<Self, DeviceMgrError> {
let resources = PciSystemManager::allocate_root_device_resources(res_manager)?;
let pci_root = Arc::new(
PciRootDevice::create(PCI_BUS_DEFAULT, resources).map_err(VfioDeviceError::PciError)?,
PciRootDevice::create(PCI_BUS_DEFAULT, resources).map_err(DeviceMgrError::PciError)?,
);
let pci_root_bus =
create_pci_root_bus(PCI_BUS_DEFAULT).map_err(VfioDeviceError::PciError)?;
create_pci_root_bus(PCI_BUS_DEFAULT).map_err(DeviceMgrError::PciError)?;
Ok(PciSystemManager {
irq_manager,
@@ -58,7 +57,7 @@ impl PciSystemManager {
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
fn allocate_root_device_resources(
_res_manager: Arc<ResourceManager>,
) -> Result<DeviceResources> {
) -> std::result::Result<DeviceResources, DeviceMgrError> {
let mut resources = DeviceResources::new();
resources.append(Resource::PioAddressRange {
// PCI CONFIG_ADDRESS port address 0xcf8 and uses 32 bits
@@ -76,7 +75,7 @@ impl PciSystemManager {
#[cfg(target_arch = "aarch64")]
fn allocate_root_device_resources(
res_manager: Arc<ResourceManager>,
) -> Result<DeviceResources> {
) -> std::result::Result<DeviceResources, DeviceMgrError> {
let requests = vec![ResourceConstraint::MmioAddress {
range: Some((0x0, 0xffff_ffff)),
align: 4096,
@@ -84,23 +83,26 @@ impl PciSystemManager {
}];
let resources = res_manager
.allocate_device_resources(&requests, USE_SHARED_IRQ)
.map_err(VfioDeviceError::AllocateDeviceResource)?;
.map_err(DeviceMgrError::ResourceError)?;
Ok(resources)
}
/// Activate the PCI subsystem.
pub fn activate(&mut self, resources: DeviceResources) -> Result<()> {
pub fn activate(
&mut self,
resources: DeviceResources,
) -> std::result::Result<(), DeviceMgrError> {
let bus_id = self.pci_root_bus.bus_id();
self.pci_root
.add_bus(self.pci_root_bus.clone(), bus_id)
.map_err(VfioDeviceError::PciError)?;
.map_err(DeviceMgrError::PciError)?;
PciRootDevice::activate(self.pci_root.clone(), &mut self.io_context)
.map_err(VfioDeviceError::PciError)?;
.map_err(DeviceMgrError::PciError)?;
self.pci_root_bus
.assign_resources(resources)
.map_err(VfioDeviceError::PciError)?;
.map_err(DeviceMgrError::PciError)?;
Ok(())
}

View File

@@ -256,7 +256,7 @@ impl VhostNetDeviceMgr {
info.config.iface_id
);
if let Some(device) = info.device.take() {
DeviceManager::destroy_mmio_virtio_device(device, ctx)?;
DeviceManager::destroy_mmio_device(device, ctx)?;
}
}

View File

@@ -382,7 +382,7 @@ impl VirtioNetDeviceMgr {
info.config.iface_id
);
if let Some(device) = info.device.take() {
DeviceManager::destroy_mmio_virtio_device(device, ctx)?;
DeviceManager::destroy_mmio_device(device, ctx)?;
}
}
Ok(())

View File

@@ -294,7 +294,7 @@ impl VsockDeviceMgr {
info.config.id
);
if let Some(device) = info.device.take() {
DeviceManager::destroy_mmio_virtio_device(device, ctx)?;
DeviceManager::destroy_mmio_device(device, ctx)?;
}
}
Ok(())

View File

@@ -77,6 +77,10 @@ pub enum Error {
/// Cannot open the VM file descriptor.
#[error(transparent)]
Vm(vm::VmError),
/// Fail to create device manager system
#[error("failed to create device manager system: {0}")]
DeviceMgrError(#[source] device_manager::DeviceMgrError),
}
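Review bot: the new variant wraps its source with `#[error("failed to create device manager system: {0}")]` while the neighbouring `Vm` variant uses `#[error(transparent)]`; pick one convention for wrapped errors so messages are not double-prefixed when the inner `DeviceMgrError` already describes itself. Naming the variant `DeviceManager` would also read better than a variant that repeats the name of the type it wraps.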
/// Errors associated with starting the instance.

View File

@@ -35,7 +35,7 @@ use crate::address_space_manager::{
use crate::api::v1::{InstanceInfo, InstanceState};
use crate::device_manager::console_manager::DmesgWriter;
use crate::device_manager::{DeviceManager, DeviceMgrError, DeviceOpContext};
use crate::error::{LoadInitrdError, Result, StartMicroVmError, StopMicrovmError};
use crate::error::{Error, LoadInitrdError, Result, StartMicroVmError, StopMicrovmError};
use crate::event_manager::EventManager;
use crate::kvm_context::KvmContext;
use crate::resource_manager::ResourceManager;
@@ -228,7 +228,8 @@ impl Vm {
epoll_manager.clone(),
&logger,
api_shared_info.clone(),
);
)
.map_err(Error::DeviceMgrError)?;
Ok(Vm {
epoll_manager,

View File

@@ -18,7 +18,7 @@ common-path = "=1.0.0"
fail = "0.5.0"
lazy_static = "1.4.0"
libc = "0.2.100"
nix = "0.24.2"
nix = "0.26.4"
once_cell = "1.9.0"
serde = { version = "1.0.138", features = ["derive"] }
serde_json = "1.0.73"
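Review bot: bumping `nix` from 0.24.2 to 0.26.4 is unrelated to the PCI rework and belongs in its own commit with a line in the changelog; the nix API changed between those versions, so the `nix::` call sites in this crate should be checked against the 0.25/0.26 release notes rather than carried silently inside this change.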

View File

@@ -375,7 +375,11 @@ mod tests {
fn build_oci_hook(self) -> oci::Hook {
let mut hook = oci::Hook::default();
hook.set_path(PathBuf::from(self.path));
hook.set_args(Some(self.args));
if self.args.is_empty() {
hook.set_args(None);
} else {
hook.set_args(Some(self.args));
}
hook.set_env(Some(self.env));
hook.set_timeout(self.timeout);
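Review bot: this is a test-only change (`mod tests`): an empty `args` vector now maps to `None` instead of `Some(vec![])`, presumably because a comparison or serialized form in the affected test expects the key to be absent. The two are not equivalent once serialized, so add a comment saying which expectation this satisfies, and keep the hunk out of the PCI change, which it has nothing to do with.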

Some files were not shown because too many files have changed in this diff.