github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-03-18 02:32:26 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:topic/wainersm/fix_coco_stability_tests
Branches Tags
github:main github:dependabot/cargo/src/agent/tracing-667a7af472 github:dependabot/cargo/src/agent/tracing-95423bd0ce github:dependabot/cargo/src/agent/clap-e796154cfe github:dependabot/cargo/src/agent/clap-f572f62cb7 github:mahuber/nv-initrd-delete github:dependabot/cargo/src/agent/const_format-0.2.35 github:dependabot/cargo/src/tools/kata-ctl/strum-0.27.1 github:dependabot/cargo/src/agent/strum-0.27.1 github:zizmor-update-to-1.20 github:dependabot/go_modules/src/runtime/github.com/go-openapi/runtime-0.29.2 github:topic/re-enable-sandbox-api-tests github:sprt/fidencio/conf-local-storage github:topic/genpolicy-distribute-different-settings-rather-than-patching-for-ci github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.10.0 github:topic/build-kernel-do-not-expected-a-modules-tarball-for-vanilla-kernel github:dependabot/go_modules/src/runtime/k8s.io/cri-api-0.35.2 github:dependabot/cargo/src/tools/kata-ctl/toml-0.9.8 github:dependabot/cargo/src/tools/agent-ctl/toml-0.9.11spec-1.1.0 github:dependabot/cargo/src/libs/toml-1.0.3 github:dependabot/cargo/src/agent/toml-0.9.6 github:dependabot/go_modules/src/runtime/github.com/go-openapi/errors-0.22.6 github:dependabot/cargo/src/agent/tokio-c49fc46c2e github:dependabot/cargo/src/agent/tracing-9421c2f3ac github:topic/tests-try-crio github:topic/tests-lower-the-load-on-aks github:sprt/disable-pmem github:topic/ci-lower-secrets-required github:disable-guest-empty-dir github:topic/oras-cache-still-not-working github:bump-to-go-1.25 github:topic/re-enable-sandboxapi-tests github:topic/main-no-cache github:topic/kata-deploy-upgrade github:copilot/replace-gperf-url-with-urls github:dependabot/github_actions/actions/attest-build-provenance-3.2.0 github:dependabot/github_actions/docker/login-action-3.7.0 github:stale-issues-by-date github:dependabot/github_actions/tim-actions/wip-check-1.1.0 github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.9.0 github:dependabot/github_actions/actions/download-artifact-7.0.0 github:topic/arm64-increase-runner-timeout github:decouple-kernel-rootfs github:topic/ovmf-tdx github:dependabot/cargo/kvm-ioctls-0.24.0 github:ci-test github:topic/move-builder-images-to-quay.io github:runtime-rs-stability-test github:runtime-rs-policy-debug github:numa-topology github:topic/stability-rs github:dependabot/cargo/vmm-sys-util-0.15.0 github:dependabot/cargo/vm-memory-0.16.2 github:fupan_test github:topic/tests-experimental-force-guest-pull-test-authenticated-registries github:fupan_tests github:dependabot/cargo/src/agent/tracing-subscriber-0.3.20 github:fupan_nontee_test github:sprt-patch-2 github:sprt/test-pr-up github:sprt/cleanup-policy-settings github:fix-create-container-timeout github:zvonkok-patch-1 github:amd64-nvidia-gpu-cicd-part2 github:burgerdev/codegen-test github:kata-tests-gh-cli-trigger github:topic/wainersm-ci_setup_kubectl github:topic/wainersm/fix_coco_stability_tests github:sprt/remove-ci-env github:revert-11466-blockfile github:saul/updateimg github:sprt/fix-validate-ok-to-test github:sprt-patch-1
github:3.28.0 github:3.27.0 github:3.26.0 github:3.25.0 github:3.24.0 github:3.23.0 github:3.22.0 github:3.21.0 github:3.20.0 github:3.19.1 github:3.19.0 github:3.18.0 github:3.17.0 github:3.16.0 github:3.15.0 github:3.14.0 github:3.13.0 github:3.12.0 github:3.11.0 github:3.10.1 github:3.10.0 github:3.9.0 github:3.8.0 github:3.7.0 github:3.6.0 github:3.5.0 github:3.4.0 github:release-3.4.0 github:3.3.0-test github:3.3.0 github:CC-0.8.1 github:CC-0.8.0 github:3.2.0 github:3.3.0-alpha0 github:3.2.0-rc0 github:3.2.0-alpha4 github:CC-0.7.0 github:3.1.3 github:CC-0.6.0 github:3.2.0-alpha3 github:3.2.0-alpha2 github:3.1.2 github:3.2.0-alpha1 github:3.1.1 github:CC-0.5.0 github:3.2.0-alpha0 github:3.1.0 github:CC-0.4.0 github:3.0.2 github:3.1.0-rc0 github:CC-0.3.0 github:3.0.1 github:3.1.0-alpha1 github:CC-0.2.0 github:3.0.0 github:3.1.0-alpha0 github:2.5.2 github:3.0.0-rc1 github:3.0.0-rc0 github:3.0.0-alpha1 github:untagged-b5b6198308b02e3a2666 github:2.5.1 github:3.0.0-alpha0 github:2.5.0 github:2.4.3 github:2.5.0-rc0 github:2.4.2 github:2.5.0-alpha2 github:2.5.0-alpha1 github:2.4.1 github:2.4.0 github:2.5.0-alpha0 github:2.4.0-rc0 github:2.3.3 github:2.3.2 github:2.4.0-alpha2 github:2.3.1 github:2.4.0-alpha1 github:2.3.0 github:2.4.0-alpha0 github:2.3.0-rc1 github:2.2.3 github:2.3.0-rc0 github:2.2.2 github:2.3.0-alpha2 github:2.2.1 github:2.3.0-alpha1 github:2.3.0-alpha0 github:2.2.0 github:2.2.0-rc0 github:2.2.0-alpha1 github:2.1.1 github:2.2.0-alpha0 github:2.1.0 github:2.0.4 github:2.1.0-rc0 github:2.0.3 github:2.1.0-alpha2 github:2.1.0-alpha0 github:2.1.0-alpha1 github:2.1-alpha1 github:2.0.2 github:1.13.0-alpha0 github:2.0.1 github:1.12.1 github:2.1-alpha0 github:1.11.5 github:1.12.0 github:1.12.0-rc0 github:1.11.4 github:1.10.8 github:2.0.0 github:2.0.0-rc1 github:untagged-c2a61792b39392572d0f github:2.0.0-rc0 github:1.11.3 github:1.10.7 github:1.12.0-alpha1 github:2.0.0-alpha3 github:1.10.6 github:1.11.2 github:1.12.0-alpha0 github:2.0.0-alpha2 github:1.10.5 github:1.11.1 github:2.0.0-alpha1 github:1.11.0 github:1.10.4 github:1.9.7 github:1.10.3 github:1.11.0-rc0 github:1.9.6 github:1.11.0-alpha1 github:1.10.1 github:1.9.5 github:1.11.0-alpha0 github:1.9.4 github:1.10.0 github:1.9.3 github:1.10.0-rc0 github:1.9.0-rc0 github:1.9.0-alpha2 github:1.9.0-alpha0 github:stable-1.8.2 github:stable-1.8-test.0
..
compare: github:kata-tests-gh-cli-trigger
Branches Tags
github:main github:dependabot/cargo/src/agent/tracing-667a7af472 github:dependabot/cargo/src/agent/tracing-95423bd0ce github:dependabot/cargo/src/agent/clap-e796154cfe github:dependabot/cargo/src/agent/clap-f572f62cb7 github:mahuber/nv-initrd-delete github:dependabot/cargo/src/agent/const_format-0.2.35 github:dependabot/cargo/src/tools/kata-ctl/strum-0.27.1 github:dependabot/cargo/src/agent/strum-0.27.1 github:zizmor-update-to-1.20 github:dependabot/go_modules/src/runtime/github.com/go-openapi/runtime-0.29.2 github:topic/re-enable-sandbox-api-tests github:sprt/fidencio/conf-local-storage github:topic/genpolicy-distribute-different-settings-rather-than-patching-for-ci github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.10.0 github:topic/build-kernel-do-not-expected-a-modules-tarball-for-vanilla-kernel github:dependabot/go_modules/src/runtime/k8s.io/cri-api-0.35.2 github:dependabot/cargo/src/tools/kata-ctl/toml-0.9.8 github:dependabot/cargo/src/tools/agent-ctl/toml-0.9.11spec-1.1.0 github:dependabot/cargo/src/libs/toml-1.0.3 github:dependabot/cargo/src/agent/toml-0.9.6 github:dependabot/go_modules/src/runtime/github.com/go-openapi/errors-0.22.6 github:dependabot/cargo/src/agent/tokio-c49fc46c2e github:dependabot/cargo/src/agent/tracing-9421c2f3ac github:topic/tests-try-crio github:topic/tests-lower-the-load-on-aks github:sprt/disable-pmem github:topic/ci-lower-secrets-required github:disable-guest-empty-dir github:topic/oras-cache-still-not-working github:bump-to-go-1.25 github:topic/re-enable-sandboxapi-tests github:topic/main-no-cache github:topic/kata-deploy-upgrade github:copilot/replace-gperf-url-with-urls github:dependabot/github_actions/actions/attest-build-provenance-3.2.0 github:dependabot/github_actions/docker/login-action-3.7.0 github:stale-issues-by-date github:dependabot/github_actions/tim-actions/wip-check-1.1.0 github:dependabot/go_modules/src/runtime/github.com/containerd/containerd/api-1.9.0 github:dependabot/github_actions/actions/download-artifact-7.0.0 github:topic/arm64-increase-runner-timeout github:decouple-kernel-rootfs github:topic/ovmf-tdx github:dependabot/cargo/kvm-ioctls-0.24.0 github:ci-test github:topic/move-builder-images-to-quay.io github:runtime-rs-stability-test github:runtime-rs-policy-debug github:numa-topology github:topic/stability-rs github:dependabot/cargo/vmm-sys-util-0.15.0 github:dependabot/cargo/vm-memory-0.16.2 github:fupan_test github:topic/tests-experimental-force-guest-pull-test-authenticated-registries github:fupan_tests github:dependabot/cargo/src/agent/tracing-subscriber-0.3.20 github:fupan_nontee_test github:sprt-patch-2 github:sprt/test-pr-up github:sprt/cleanup-policy-settings github:fix-create-container-timeout github:zvonkok-patch-1 github:amd64-nvidia-gpu-cicd-part2 github:burgerdev/codegen-test github:kata-tests-gh-cli-trigger github:topic/wainersm-ci_setup_kubectl github:topic/wainersm/fix_coco_stability_tests github:sprt/remove-ci-env github:revert-11466-blockfile github:saul/updateimg github:sprt/fix-validate-ok-to-test github:sprt-patch-1
github:3.28.0 github:3.27.0 github:3.26.0 github:3.25.0 github:3.24.0 github:3.23.0 github:3.22.0 github:3.21.0 github:3.20.0 github:3.19.1 github:3.19.0 github:3.18.0 github:3.17.0 github:3.16.0 github:3.15.0 github:3.14.0 github:3.13.0 github:3.12.0 github:3.11.0 github:3.10.1 github:3.10.0 github:3.9.0 github:3.8.0 github:3.7.0 github:3.6.0 github:3.5.0 github:3.4.0 github:release-3.4.0 github:3.3.0-test github:3.3.0 github:CC-0.8.1 github:CC-0.8.0 github:3.2.0 github:3.3.0-alpha0 github:3.2.0-rc0 github:3.2.0-alpha4 github:CC-0.7.0 github:3.1.3 github:CC-0.6.0 github:3.2.0-alpha3 github:3.2.0-alpha2 github:3.1.2 github:3.2.0-alpha1 github:3.1.1 github:CC-0.5.0 github:3.2.0-alpha0 github:3.1.0 github:CC-0.4.0 github:3.0.2 github:3.1.0-rc0 github:CC-0.3.0 github:3.0.1 github:3.1.0-alpha1 github:CC-0.2.0 github:3.0.0 github:3.1.0-alpha0 github:2.5.2 github:3.0.0-rc1 github:3.0.0-rc0 github:3.0.0-alpha1 github:untagged-b5b6198308b02e3a2666 github:2.5.1 github:3.0.0-alpha0 github:2.5.0 github:2.4.3 github:2.5.0-rc0 github:2.4.2 github:2.5.0-alpha2 github:2.5.0-alpha1 github:2.4.1 github:2.4.0 github:2.5.0-alpha0 github:2.4.0-rc0 github:2.3.3 github:2.3.2 github:2.4.0-alpha2 github:2.3.1 github:2.4.0-alpha1 github:2.3.0 github:2.4.0-alpha0 github:2.3.0-rc1 github:2.2.3 github:2.3.0-rc0 github:2.2.2 github:2.3.0-alpha2 github:2.2.1 github:2.3.0-alpha1 github:2.3.0-alpha0 github:2.2.0 github:2.2.0-rc0 github:2.2.0-alpha1 github:2.1.1 github:2.2.0-alpha0 github:2.1.0 github:2.0.4 github:2.1.0-rc0 github:2.0.3 github:2.1.0-alpha2 github:2.1.0-alpha0 github:2.1.0-alpha1 github:2.1-alpha1 github:2.0.2 github:1.13.0-alpha0 github:2.0.1 github:1.12.1 github:2.1-alpha0 github:1.11.5 github:1.12.0 github:1.12.0-rc0 github:1.11.4 github:1.10.8 github:2.0.0 github:2.0.0-rc1 github:untagged-c2a61792b39392572d0f github:2.0.0-rc0 github:1.11.3 github:1.10.7 github:1.12.0-alpha1 github:2.0.0-alpha3 github:1.10.6 github:1.11.2 github:1.12.0-alpha0 github:2.0.0-alpha2 github:1.10.5 github:1.11.1 github:2.0.0-alpha1 github:1.11.0 github:1.10.4 github:1.9.7 github:1.10.3 github:1.11.0-rc0 github:1.9.6 github:1.11.0-alpha1 github:1.10.1 github:1.9.5 github:1.11.0-alpha0 github:1.9.4 github:1.10.0 github:1.9.3 github:1.10.0-rc0 github:1.9.0-rc0 github:1.9.0-alpha2 github:1.9.0-alpha0 github:stable-1.8.2 github:stable-1.8-test.0

88 Commits
topic/wain ... kata-tests

Author SHA1 Message Date
stevenhorsman
f60dd4891d DO NOT MERGE: Comment out tests for a reduced CI burden 2025-07-17 14:51:19 +01:00
stevenhorsman
01e65b804a WIP: workflows: Trigger CI tests with gh cli 
- We are hitting limitations where gh can only call actions with 20 workflow jobs,
so split out the CI test jobs as separate workflows and call them once the required
artifacts are created.

- Note: This commit updates the test runs to use the source branch
workflows, rather than target branch that we have at the moment,
we need to think about this pretty carefully to check there isn't
any secuirty concerns here (I think there aren't as we are already
vulnerable in this respect)

WIP: Run the workflow on the ref, or the `main` version?
 2025-07-17 14:51:19 +01:00
stevenhorsman
b6d5820434 tests: Add gha-helper function with trigger action 
Add a script for triggering a gha action given the workflow file,
ref and input json, so we can reduce duplicated code in our workflow file
and make it easier to update in a single place
 2025-07-17 14:51:19 +01:00
Fabiano Fidêncio
6dabb3683f Merge pull request #10961 from zvonkok/shellcheck-zero 
shellcheck: fix kernel/build.sh
 2025-07-17 12:59:00 +02:00
Steve Horsman
405f5283f0 Merge pull request #11573 from arvindskumar99/versions_comment 
OVMF: Making comment in versions.yaml for SEV-SNP
 2025-07-17 10:11:58 +01:00
Fabiano Fidêncio
32d40849fa Merge pull request #11577 from Xynnn007/bump-gc 
deps(chore): bump guest-components to candidate v0.14.0
 2025-07-17 11:08:36 +02:00
Zvonko Kaiser
ca4f96ed00 shellcheck: fix kernel/build.sh 
Refactor code to make shellcheck happy

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-17 10:15:41 +02:00
Xynnn007
82b890349d deps(chore): bump guest-components to candidate v0.14.0 
This new version of gc fixes s390x attestation, also introduces registry
configuration setting directly via initdata.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-17 10:19:02 +08:00
Fupan Li
75d23b8884 Merge pull request #11504 from lifupan/fix_fd_leak 
agent: fix the issue of parent writer pipe fd leak
 2025-07-16 18:29:24 +08:00
Fupan Li
83f54eec52 agent: fix the issue of parent writer pipe fd leak 
Sometimes, containers or execs do not use stdin, so there is no chance
to add parent stdin to the process's writer hashmap, resulting in the
parent stdin's fd not being closed when the process is cleaned up later.

Therefore, when creating a process, first explicitly add parent stdin to
the wirter hashmap. Make sure that the parent stdin's fd can be closed
when the process is cleaned up later.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-16 16:15:31 +08:00
Fupan Li
752c8b611e Merge pull request #11575 from Tim-Zhang/fix-runk-build 
runk: Fix build errors
 2025-07-16 15:23:58 +08:00
Arvind Kumar
2a52351822 OVMF: Making comment in versions.yaml for SEV-SNP 
Adding comment to versions.yaml to indicate that the ovmf-sev is also
used by AMD SEV-SNP, as per the discussion in
https://github.com/kata-containers/kata-containers/pull/11561.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-16 06:35:21 +02:00
Tim Zhang
c8183a2c14 runk: rename imported crate from users to uzers 
To adapt the new crate name and fix build errors
introduced in the commit 39f51b4c6d

Fixes: #11574

Signed-off-by: Tim Zhang <tim@hyper.sh>
 2025-07-16 11:35:39 +08:00
Fabiano Fidêncio
9cebbab29d Merge pull request #11335 from zvonkok/fix-kata-deploy.sh 
gpu: Fix kata deploy.sh
 2025-07-15 19:50:44 +02:00
Fabiano Fidêncio
c8b7a51d72 Merge pull request #11082 from zvonkok/debug-kernel 
kernel: debug config
 2025-07-15 19:04:15 +02:00
Zvonko Kaiser
c56c896fc6 qemu: remove the experimental suffix for qemu-snp 
We switched to vanilla QEMU for the CPU SNP use-case.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:49:58 +02:00
Zvonko Kaiser
a282fa6865 gpu: Add TDX related runtime adjustments 
We have the QEMU adjustments for SNP but missing those for TDX

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:49:56 +02:00
Zvonko Kaiser
0d2993dcfd kernel: bump kernel version 
Obligatory kernel version bump

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:48:23 +02:00
Zvonko Kaiser
a4597672c0 kernel: Add KERNEL_DEBUG_ENABLED to build scripts 
We want to be able to build a debug version of the kernel for various
use-cases like debugging, tracing and others.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-15 16:48:03 +02:00
Fabiano Fidêncio
b7af7f344b Merge pull request #11569 from Xynnn007/bump-coco 
deps(chore): update guest-components and trustee
 2025-07-15 16:34:23 +02:00
Fabiano Fidêncio
aac555eeff Merge pull request #11571 from fidencio/topic/fix-nvidia-gpu-initrd-cache 
build: Fix cache for nvidia-gpu-initrd builds
 2025-07-15 16:28:03 +02:00
Fabiano Fidêncio
4415a47fff Merge pull request #11557 from Apokleos/fix-initdata 
runtime-rs: Fix initdata length field missing when create block
 2025-07-15 16:22:45 +02:00
Fabiano Fidêncio
11c744c5c3 Merge pull request #11567 from zvonkok/remove-gpu-admin-tools 
Remove gpu admin tools
 2025-07-15 15:11:56 +02:00
Fabiano Fidêncio
fa7598f6ec Merge pull request #11568 from zvonkok/tdx-qemu-path 
gpu: Add  proper TDX config path
 2025-07-15 14:54:13 +02:00
Fabiano Fidêncio
3e86f3a95c build: Rename rootfs-nvidia-* to fix cache issues 
The convention for rootfs-* names is:
* rootfs-${image_type}-${special_build}

If this is not followed, cache will never work as expected, leading to
building the initrd / image on every single build, which is specially
constly when building the nvidia specific targets.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-15 14:48:45 +02:00
alex.lyn
56c0c172fa runtime-rs: Fix initdata length field missing when create block 
The init data could not be read properly within kata-agent because the
data length field was omitted, a consequence of a mismatch in the data
write format.

Fixes #11556

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-15 19:22:17 +08:00
Fabiano Fidêncio
b76efa2a25 Merge pull request #11564 from BbolroC/make-qemu-coco-dev-s390x-required 
ci: Make qemu-coco-dev for s390x (zVSI) required again
 2025-07-15 12:04:18 +02:00
Xynnn007
4da31bf2f9 agent: deliver initdata toml to attestation agent 
Now AA supports to receive initdata toml plaintext and deliver it in the
attestation. This patch creates a file under
'/run/confidential-containers/initdata'
to store the initdata toml and give it to AA process.

When we have a separate component to handle initdata, we will move the
logic to that component.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-15 17:10:56 +08:00
Steve Horsman
d219fc20e1 Merge pull request #11555 from stevenhorsman/rust-advisory-fixes-pre-3.19.0 
Rust advisory fixes pre 3.19.0
 2025-07-15 09:11:33 +01:00
Hui Zhu
3577e4bb43 Merge pull request #11480 from teawater/update_ma 
mem-agent: Update to https://github.com/teawater/mem-agent/tree/kata-20250627
 2025-07-15 15:22:10 +08:00
Xynnn007
19001af1e2 deps(chore): update guest-components and trustee 
to the version of pre v0.14.0

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
 2025-07-15 09:12:47 +08:00
teawater
028f25ac84 mem-agent: Update to kata-20250627 
Update to https://github.com/teawater/mem-agent/tree/kata-20250627.

The commit list:
3854b3a Update nix version from 0.23.2 to 0.30.1
d9a4ced Update tokio version from 1.33 to 1.45.1
9115c4d run_eviction_single_config: Simplify check evicted pages after
	eviction
68b48d2 get_swappiness: Use a rounding method to obtain the swappiness
	value
14c4508 run_eviction_single_config: Add max_seq and min_seq check with
	each info
8a3a642 run_eviction_single_config: Move infov update to main loop
b6d30cf memcg.rs: run_aging_single_config: Fix error of last_inc_time
	check
54fce7e memcg.rs: Update anon eviction code
41c31bf cgroup.rs: Fix build issue with musl
0d6aa77 Remove lazy_static from dependencies
a66711d memcg.rs: update_and_add: Fix memcg not work after set memcg
	issue
cb932b1 Add logs and change some level of some logs
93c7ad8 Add per-cgroup and per-numa config support
092a75b Remove all Cargo.lock to support different versions of rust
540bf04 Update mem-agent-srv, mem-agent-ctl and mem-agent-lib to
	v0.2.0
81f39b2 compact.rs: Change default value of compact_sec_max to 300
c455d47 compact.rs: Fix psi_path error with cgroup v2 issue
6016e86 misc.rs: Fix log error
ded90e9 Set mem-agent-srv and mem-agent-ctl as bin

Fixes: #11478

Signed-off-by: teawater <zhuhui@kylinos.cn>
 2025-07-15 08:57:41 +08:00
Zvonko Kaiser
90bc749a19 gpu: Add proper TDX config path 
This was missed during the GPU TDX experimental enablement

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 23:26:28 +00:00
Zvonko Kaiser
da17b06d28 gpu: Pin toolkit version 
New versions have incompatibilites, pin toolkit to a working
version

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 22:07:21 +00:00
Zvonko Kaiser
97a4a1574e gpu: Remove gpu-admin-tools 
NVRC got a new feature reading the CC mode directly from register

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-14 21:59:31 +00:00
stevenhorsman
18597588c0 agent: Bump cdi version 
Bump cdi version to the pick up fixes to:
- RUSTSEC-2025-0024
- RUSTSEC-2025-0023
- RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-14 16:54:30 +01:00
stevenhorsman
661d88b11f versions: Bump oci-spec 
Try bumping oci-spec to 0.8.1 as it included fixes for vulnerabilities
including RUSTSEC-2024-0370

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-14 16:54:30 +01:00
Fabiano Fidêncio
579d373623 Merge pull request #11521 from stevenhorsman/idna-1.0.4-bump 
versions: Bump idna crate to >= 1.0.3
 2025-07-14 17:39:30 +02:00
Fabiano Fidêncio
f5decea13e Merge pull request #11550 from stevenhorsman/runtime-rs-bump-chrono-0.4.41 
runtime-rs | trace-forwarder: Bump chrono crate version
 2025-07-14 16:45:58 +02:00
Steve Horsman
0fa2cd8202 Merge pull request #11519 from wainersm/tests_teardown_common 
tests/k8s: instrument some tests for debugging
 2025-07-14 13:20:01 +01:00
Hyounggyu Choi
a224b4f9e4 ci: Make qemu-coco-dev for s390x (zVSI) required again 
As the following job has passed 10 days in a row for the nightly test:

```
kata-containers-ci-on-push / run-k8s-tests-on-zvsi / run-k8s-tests (nydus, qemu-coco-dev, kubeadm)
```

this commit makes the job required again.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
 2025-07-14 11:03:54 +02:00
Wainer dos Santos Moschetta
f0f1974e14 tests/k8s: call teardown_common in k8s-parallel.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
8dfeed77cd tests/k8s: add handler for Job in set_node() 
Set the node in the spec template of a Job manifest, allowing to use
set_node() on tests like k8s-parallel.bats

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
806d63d1d8 tests/k8s: call teardown_common in k8s-credentials-secrets.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Wainer dos Santos Moschetta
c8f40fe12c tests/k8s: call teardown_common in k8s-sandbox-vcpus-allocation.bats 
The teardown_common will print the description of the running pods, kill
them all and print the system's syslogs afterwards.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-12 10:13:51 +01:00
Fabiano Fidêncio
4a79c2520d Merge pull request #11491 from Apokleos/default-blk-driver 
runtime-rs: Change default block device driver from virtio-scsi to virtio-blk-*
 2025-07-11 23:14:13 +02:00
alex.lyn
9cc14e4908 runtime-rs: Update block device driver docs within configuration 
The previous description for the `block_device_driver` was inaccurate or
outdated. This commit updates the documentation to provide a more
precise explanation of its function.

Fixes #11488

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-11 17:40:58 +02:00
alex.lyn
92160c82ff runtime-rs: Change block device driver defualt with virtio-blk-* 
When we run a kata pod with runtime-rs/qemu and with a default
configuration toml, it will fail with error "unsupported driver type
virtio-scsi".
As virtio-scsi within runtime-rs is not so popular, we set default block
device driver with `virtio-blk-*`.

Fixes #11488

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-11 17:40:58 +02:00
Steve Horsman
878e50f978 Merge pull request #11554 from fidencio/topic/fix-version-file-on-release 
gh: Fix released VERSION file
 2025-07-11 09:20:06 +01:00
Fabiano Fidêncio
fb22e873cd gh: Fix released VERSION file 
The `/opt/kata/VERSION` file, which is created using `git describe
--tags`, requires the newly released tag to be updated in order to be
accurate.

To do so, let's add a `fetch-tags: true` to the checkout action used
during the `create-kata-tarball` job.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-11 09:47:11 +02:00
Alex Lyn
87e41e2a09 Merge pull request #11549 from stevenhorsman/bump-remove_dir_all 
runtime-rs: Switch tempdir to tempfile
 2025-07-11 13:46:12 +08:00
Alex Lyn
f22272b8f7 Merge pull request #11540 from Apokleos/coldplug-vfio-clh 
runtime-rs: Add vfio support with coldplug for cloud-hypervisor
 2025-07-11 10:33:59 +08:00
RuoqingHe
7cd4e3278a Merge pull request #11545 from RuoqingHe/remove-lockfile-for-libs 
libs: Remove lockfile for libs
 2025-07-10 21:56:10 +08:00
stevenhorsman
c740896b1c trace-forwarder: Bump chrono crate version 
Bump chrono version to drop time@0.1.43 and remediate
vulnerability CVE-2020-26235

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 14:55:20 +01:00
stevenhorsman
3916507553 runtime-rs: Bump chrono crate version 
Bump chrono version to drop time@0.1.45 and remediate
vulnerability CVE-2020-26235

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 13:47:05 +01:00
stevenhorsman
c5ceae887b runtime-rs: Switch tempdir to tempfile 
tempdir hasn't been updated for seven years and pulls in
remove_dir_all@0.5.3 which has security advisory
GHSA-mc8h-8q98-g5hr, so replace this with using tempfile,
which the crate got merged into and we use elsewhere in the
project

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-10 12:16:35 +01:00
Ruoqing He
4039506740 libs: Ignore Cargo.lock in libs workspace 
Ignore Cargo.lock in `libs` to prevent developers from accidentally
track lock files in `libs` workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-07-10 09:31:45 +00:00
alex.lyn
3fbe493edc runtime-rs: Convert host devices within VmConfig for cloud-hypervisor 
This PR adds support for adding a network device before starting the
cloud-hypervisor VM.
This commit will get the host devices from NamedHypervisorConfig and
assign it to VmConfig's devices which is for vfio devices when clh
starts launching.
And with this, it successfully finish the vfio devices conversion from
a generic Hypervisor config to a clh specific VmConfig.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:33:43 +08:00
alex.lyn
0b5b8f549d runtime-rs: Introduce a field host_devices within NamedHypervisorConfig 
This commit introduce `host_devices` to help convert vfio devices from
a generic hypervisor config to a cloud-hypervisor specific VmConfig.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:33:41 +08:00
alex.lyn
d37183d754 runtime-rs: Add vfio support with coldplug for cloud-hypervisor 
This PR adds support for adding a vfio device before starting the
cloud-hypervisor VM (or cold-plug vfio device).

This commit changes "pending_devices" for clh implementation via adding
DeviceType::Vfio() into pending_devices. And it will get shared host devices
after correctly handling vfio devices (Specially for primary device).

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-10 16:32:21 +08:00
Ruoqing He
ffa3a5a15e libs: Remove Cargo.lock 
crates in `libs` workspace do not ship binaries, they are just libraries
for other workspace to reference, the `Cargo.lock` file hence would not
take effect. Removing Cargo.lock for `libs` workspace.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
 2025-07-10 03:14:55 +00:00
Fabiano Fidêncio
c68eb58f3f Merge pull request #11529 from fidencio/topic/only-use-fixed-version-of-k0s-for-crio 
tests: k0s: Always use latest version, apart from CRI-O tests
 2025-07-09 18:47:18 +02:00
Hyounggyu Choi
09297b7955 Merge pull request #11537 from BbolroC/set-sharedfs-to-none-for-ibm-sel 
runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file
 2025-07-09 18:30:08 +02:00
Hyounggyu Choi
bca31d5a4d runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file 
In line with configuration for other TEEs, shared_fs should
be set to none for IBM SEL. This commit updates the value for
runtime/runtime-rs.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
 2025-07-09 14:22:28 +02:00
Fabiano Fidêncio
5f17e61d11 tests: kata-deploy: Remove --wait from helm uninstall 
As we're using a `kubectl wait --timeout ...` to check whether the
kata-deploy pod's been deleted or not, let's remove the `--wait` from
the `helm uninstall ...` call as k0s tests were failing because the
`kubectl wait --timeout...` was starting after the pod was deleted,
making the test fail.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-09 14:01:30 +02:00
Fabiano Fidêncio
842e17b756 tests: k0s: Always use latest version, apart from CRI-O tests 
We've been pinning a specific version of k0s for CRI-O tests, which may
make sense for CRI-O, but doesn't make sense at all when it comes to
testing that we can install kata-deploy on latest k0s (and currently our
test for that is broken).

Let's bump to the latest, and from this point we start debugging,
instead of debugging on an ancient version of the project.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-09 13:27:18 +02:00
Steve Horsman
7bc25b0259 Merge pull request #11494 from katexochen/p/opa-1.6 
versions: bump opa 1.5.1 -> 1.6.0
 2025-07-09 11:45:54 +01:00
Steve Horsman
967f66f677 Merge pull request #11380 from arvindskumar99/sev-deprecation 
Sev deprecation
 2025-07-09 11:38:13 +01:00
stevenhorsman
f96b8fb690 kata-ctl: Update expected test failure message 
Update expected error after url crate bump

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-09 11:34:27 +01:00
stevenhorsman
b7bf46fdfa versions: Bump idna crate to >= 1.0.4 
Bump url, reqwests and idna crates in order to move away from
idna <1.0.3 and remediate CVE-2024-12224.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
 2025-07-09 11:34:27 +01:00
Xuewei Niu
b8838140d0 Merge pull request #11527 from StevenFryto/fix-runtime-rootless-bugs 
runtime: Fix rootlessDir not correctly set in rootless VMM mode
 2025-07-09 16:40:11 +08:00
Steve Horsman
990c4e68ee Merge pull request #11523 from wainersm/ci_setup_kubectl 
workflows: adopting azure/setup-kubectl
 2025-07-09 09:09:38 +01:00
stevenfryto
3c7a670129 runtime: Fix rootlessDir not correctly set in rootless VMM mode 
Previously, the rootlessDir variable in `src/runtime/virtcontainers/pkg/rootless.go` was initialized at
package load time using `os.Getenv("XDG_RUNTIME_DIR")`. However, in rootless
VMM mode, the correct value of $XDG_RUNTIME_DIR is set later during runtime
using os.Setenv(), so rootlessDir remained empty.

This patch defers the initialization of rootlessDir until the first call
to `GetRootlessDir()`, ensuring it always reflects the current environment
value of $XDG_RUNTIME_DIR.

Fixes: #11526

Signed-off-by: stevenfryto <sunzitai_1832@bupt.edu.cn>
 2025-07-09 09:51:48 +08:00
Wainer dos Santos Moschetta
e4da3b84a3 workflows: adopting azure/setup-kubectl 
There are workflows that rely on `az aks install-cli` to get kubectl
installed. There is a well-known problem on install-cli, related with
API usage rate limit, that has recently caused the command to fail
quite often.

This is replacing install-cli with the azure/setup-kubectl github
action which has no such as rate limit problem.

While here, removed the install_cli() function from gha-run-k8s-common.sh
so avoid developers using it by mistake in the future.

Fixes #11463
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
 2025-07-08 15:15:54 -03:00
Alex Lyn
294b2c1c10 Merge pull request #11528 from Apokleos/remote-initdata 
runtime-rs: add initdata annotation for remote hypervisor
 2025-07-08 09:13:13 +08:00
Arvind Kumar
afedad0965 kernel: Removing SEV kernel packages 
Removing kernel config files realting
to SEV as part of the SEV deprecation
efforts.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:21:11 -05:00
Arvind Kumar
ecac3d2d28 runtime: Removing runtime logic for SEV 
Removing runtime SEV functionality,
such as the kbs, ovmf, VMSA handling,
and SEV configs as part of deprecating
SEV from kata.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Arvind Kumar
8eebcef8fb tests: Removing testing framework for SEV 
Removing files pertaining to SEV from
the CI framework.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Arvind Kumar
675ea86aba kata-deploy: Removing SEV from kata-deploy 
Removing files related to SEV, responsible for
installing and configuring Kata containers.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
 2025-07-07 11:17:32 -05:00
Paul Meyer
ff7ac58579 versions: bump opa 1.5.1 -> 1.6.0 
Bumping opa to latest release.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
 2025-07-07 14:19:08 +02:00
alex.lyn
fcaade24f4 runtime-rs: add initdata annotation for remote hypervisor 
Add init data annotation within preparing remote hypervisor annotations
when prepare vm, so that it can be passed within CreateVMRequest.

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
 2025-07-07 12:46:05 +01:00
Fabiano Fidêncio
110f68a0f1 Merge pull request #11530 from fidencio/topic/tests-fix-runtime-class-check 
tests: runtimeclasses: Adjust gpu runtimeclasses
 2025-07-07 13:42:46 +02:00
Fabiano Fidêncio
2c2995b7b0 tests: runtimeclasses: Adjust gpu runtimeclasses 
679cc9d47c was merged and bumped the
podoverhead for the gpu related runtimeclasses. However, the bump on the
`kata-runtimeClasses.yaml` as overlooked, making our tests fail due to
that discrepancy.

Let's just adjust the values here and move on.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-07 11:43:40 +02:00
Fabiano Fidêncio
ef545eed86 Merge pull request #11513 from lifupan/dragonball_6.12.x 
tools: port the dragonball kernel patch to 6.12.x
 2025-07-07 10:31:49 +02:00
Steve Horsman
d291e9bda0 Merge pull request #11336 from zvonkok/fix-podoverhead 
gpu: Update runtimeClasses for correct podoverhead
 2025-07-07 09:20:07 +01:00
Fabiano Fidêncio
a2faf93211 kernel: Bump to v6.12.36 
As that's the latest releasesd LTS.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
 2025-07-06 23:48:20 +02:00
Fupan Li
fd21c9df59 tools: port the dragonball kernel patch to 6.12.x 
Backport the dragonball's kernel patches to
6.12.x kernel version.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
 2025-07-06 23:48:20 +02:00
Zvonko Kaiser
679cc9d47c gpu: Update runtimeClasses for correct podoverhead 
We cannot only rely only on default_cpu and default_memory in the
config, default is 1 and 2Gi but we need some overhead for QEMU and
the other related binaries running as the pod overhead. Especially
when QEMU is hot-plugging GPUs, CPUs, and memory it can consume more
memory.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
 2025-07-04 12:20:15 -04:00
134 changed files with 5439 additions and 9057 deletions
Expand all files Collapse all files

1
.github/actionlint.yaml vendored
View File

@@ -19,7 +19,6 @@ self-hosted-runner:
- metrics
- ppc64le
- riscv-builder
- sev
- sev-snp
- s390x
- s390x-large

5
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@@ -168,8 +168,8 @@ jobs:
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
- rootfs-nvidia-gpu-initrd
- rootfs-nvidia-gpu-confidential-initrd
- rootfs-initrd-nvidia-gpu
- rootfs-initrd-nvidia-gpu-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -327,6 +327,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |

3
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@@ -145,7 +145,7 @@ jobs:
asset:
- rootfs-image
- rootfs-initrd
- rootfs-nvidia-gpu-initrd
- rootfs-initrd-nvidia-gpu
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -297,6 +297,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |

1
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@@ -240,6 +240,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |

1
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@@ -326,6 +326,7 @@ jobs:
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |

7
.github/workflows/ci-devel.yaml vendored
View File

@@ -8,10 +8,11 @@ permissions:
jobs:
kata-containers-ci-on-push:
permissions:
contents: read
packages: write
id-token: write
actions: write
attestations: write
contents: read
id-token: write
packages: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}

7
.github/workflows/ci-nightly.yaml vendored
View File

@@ -13,10 +13,11 @@ permissions:
jobs:
kata-containers-ci-on-push:
permissions:
contents: read
packages: write
id-token: write
actions: write
attestations: write
contents: read
id-token: write
packages: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}

7
.github/workflows/ci-on-push.yaml vendored
View File

@@ -33,10 +33,11 @@ jobs:
needs: skipper
if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
permissions:
contents: read
packages: write
id-token: write
actions: write
attestations: write
contents: read
id-token: write
packages: write
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.event.pull_request.head.sha }}

634
.github/workflows/ci.yaml vendored
View File

@@ -71,112 +71,112 @@ jobs:
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-arm64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# build-kata-static-tarball-arm64:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
publish-kata-deploy-payload-arm64:
needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-arm64
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04-arm
arch: arm64
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# publish-kata-deploy-payload-arm64:
# needs: build-kata-static-tarball-arm64
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-arm64
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ubuntu-22.04-arm
# arch: arm64
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-s390x:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-s390x:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-ppc64le:
permissions:
contents: read
packages: write
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-ppc64le:
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-kata-static-tarball-riscv64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# build-kata-static-tarball-riscv64:
# permissions:
# contents: read
# packages: write
# id-token: write
# attestations: write
# uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-s390x:
needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x
arch: s390x
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# publish-kata-deploy-payload-s390x:
# needs: build-kata-static-tarball-s390x
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-s390x
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: s390x
# arch: s390x
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
publish-kata-deploy-payload-ppc64le:
needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ppc64le
arch: ppc64le
secrets:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
# publish-kata-deploy-payload-ppc64le:
# needs: build-kata-static-tarball-ppc64le
# permissions:
# contents: read
# packages: write
# uses: ./.github/workflows/publish-kata-deploy-payload.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-ppc64le
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ppc64le
# arch: ppc64le
# secrets:
# QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
build-and-publish-tee-confidential-unencrypted-image:
permissions:
@@ -275,29 +275,61 @@ jobs:
run-kata-monitor-tests:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/run-kata-monitor-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
env:
GH_TOKEN: ${{ github.token }}
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger kata monitor tests
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-kata-monitor-tests.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"commit-hash":"${{ inputs.commit-hash }}",
"target-branch":"${{ inputs.target-branch }}"
}'
run-k8s-tests-on-aks:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
env:
GH_TOKEN: ${{ github.token }}
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger run-k8s-tests-on-aks workflow
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-k8s-tests-on-aks.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"registry":"ghcr.io",
"repo":"${{ github.repository_owner }}/kata-deploy-ci",
"tag":"${{ inputs.tag }}-amd64",
"commit-hash":"${{ inputs.commit-hash }}",
"pr-number":"${{ inputs.pr-number }}",
"target-branch":"${{ inputs.target-branch }}"
}'
run-k8s-tests-on-amd64:
if: ${{ inputs.skip-test != 'yes' }}
@@ -311,194 +343,206 @@ jobs:
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
run-k8s-tests-on-arm64:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-arm64
uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-arm64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-k8s-tests-on-arm64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: publish-kata-deploy-payload-arm64
# uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-arm64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-kata-coco-tests:
if: ${{ inputs.skip-test != 'yes' }}
runs-on: ubuntu-22.04
needs:
- publish-kata-deploy-payload-amd64
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
ITA_KEY: ${{ secrets.ITA_KEY }}
- publish-kata-deploy-payload-amd64
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
env:
GH_TOKEN: ${{ github.token }}
permissions:
actions: write # Permission to trigger the gh workflows
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Trigger kata-coco-tests for amd64 arch
run: |
./tests/gha-helper.sh trigger-and-check-workflow \
run-kata-coco-tests.yaml \
${{ github.ref }} \
${{ github.sha }} \
'{
"artifact-run-id":"${{ github.run_id }}",
"tarball-suffix":"-${{ inputs.tag }}",
"registry":"ghcr.io",
"repo":"${{ github.repository_owner }}/kata-deploy-ci",
"tag":"${{ inputs.tag }}-amd64",
"commit-hash":"${{ inputs.commit-hash }}",
"pr-number":"${{ inputs.pr-number }}",
"target-branch":"${{ inputs.target-branch }}"
}'
run-k8s-tests-on-zvsi:
if: ${{ inputs.skip-test != 'yes' }}
needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-s390x
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# run-k8s-tests-on-zvsi:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
# uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-s390x
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
# secrets:
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
run-k8s-tests-on-ppc64le:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-ppc64le
uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-ppc64le
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-k8s-tests-on-ppc64le:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: publish-kata-deploy-payload-ppc64le
# uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-ppc64le
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-kata-deploy-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: [publish-kata-deploy-payload-amd64]
uses: ./.github/workflows/run-kata-deploy-tests.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-kata-deploy-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: [publish-kata-deploy-payload-amd64]
# uses: ./.github/workflows/run-kata-deploy-tests.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-amd64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-metrics-tests:
# Skip metrics tests whilst runner is broken
if: false
# if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/run-metrics.yaml
with:
registry: ghcr.io
repo: ${{ github.repository_owner }}/kata-deploy-ci
tag: ${{ inputs.tag }}-amd64
commit-hash: ${{ inputs.commit-hash }}
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
# run-metrics-tests:
# # Skip metrics tests whilst runner is broken
# if: false
# # if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# uses: ./.github/workflows/run-metrics.yaml
# with:
# registry: ghcr.io
# repo: ${{ github.repository_owner }}/kata-deploy-ci
# tag: ${{ inputs.tag }}-amd64
# commit-hash: ${{ inputs.commit-hash }}
# pr-number: ${{ inputs.pr-number }}
# target-branch: ${{ inputs.target-branch }}
run-basic-amd64-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/basic-ci-amd64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# run-basic-amd64-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# uses: ./.github/workflows/basic-ci-amd64.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
run-basic-s390x-tests:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-s390x
uses: ./.github/workflows/basic-ci-s390x.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
# run-basic-s390x-tests:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-s390x
# uses: ./.github/workflows/basic-ci-s390x.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
run-cri-containerd-amd64:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-amd64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: lts, vmm: clh },
{ containerd_version: lts, vmm: dragonball },
{ containerd_version: lts, vmm: qemu },
{ containerd_version: lts, vmm: stratovirt },
{ containerd_version: lts, vmm: cloud-hypervisor },
{ containerd_version: lts, vmm: qemu-runtime-rs },
{ containerd_version: active, vmm: clh },
{ containerd_version: active, vmm: dragonball },
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: stratovirt },
{ containerd_version: active, vmm: cloud-hypervisor },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ubuntu-22.04
arch: amd64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-amd64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-amd64
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: lts, vmm: clh },
# { containerd_version: lts, vmm: dragonball },
# { containerd_version: lts, vmm: qemu },
# { containerd_version: lts, vmm: stratovirt },
# { containerd_version: lts, vmm: cloud-hypervisor },
# { containerd_version: lts, vmm: qemu-runtime-rs },
# { containerd_version: active, vmm: clh },
# { containerd_version: active, vmm: dragonball },
# { containerd_version: active, vmm: qemu },
# { containerd_version: active, vmm: stratovirt },
# { containerd_version: active, vmm: cloud-hypervisor },
# { containerd_version: active, vmm: qemu-runtime-rs },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ubuntu-22.04
# arch: amd64
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-s390x:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-s390x
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
{ containerd_version: active, vmm: qemu-runtime-rs },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: s390x-large
arch: s390x
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-s390x:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-s390x
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# { containerd_version: active, vmm: qemu-runtime-rs },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: s390x-large
# arch: s390x
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-ppc64le:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-ppc64le
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: ppc64le
arch: ppc64le
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-tests-ppc64le:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-ppc64le
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: ppc64le
# arch: ppc64le
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}
run-cri-containerd-tests-arm64:
if: ${{ inputs.skip-test != 'yes' }}
needs: build-kata-static-tarball-arm64
strategy:
fail-fast: false
matrix:
params: [
{ containerd_version: active, vmm: qemu },
]
uses: ./.github/workflows/run-cri-containerd-tests.yaml
with:
tarball-suffix: -${{ inputs.tag }}
commit-hash: ${{ inputs.commit-hash }}
target-branch: ${{ inputs.target-branch }}
runner: arm64-non-k8s
arch: arm64
containerd_version: ${{ matrix.params.containerd_version }}
vmm: ${{ matrix.params.vmm }}
# run-cri-containerd-tests-arm64:
# if: ${{ inputs.skip-test != 'yes' }}
# needs: build-kata-static-tarball-arm64
# strategy:
# fail-fast: false
# matrix:
# params: [
# { containerd_version: active, vmm: qemu },
# ]
# uses: ./.github/workflows/run-cri-containerd-tests.yaml
# with:
# tarball-suffix: -${{ inputs.tag }}
# commit-hash: ${{ inputs.commit-hash }}
# target-branch: ${{ inputs.target-branch }}
# runner: arm64-non-k8s
# arch: arm64
# containerd_version: ${{ matrix.params.containerd_version }}
# vmm: ${{ matrix.params.vmm }}

51
.github/workflows/run-k8s-tests-on-aks.yaml vendored
View File

@@ -2,6 +2,11 @@ name: CI | Run kubernetes tests on AKS
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
@@ -32,6 +37,41 @@ on:
required: true
AZ_SUBSCRIPTION_ID:
required: true
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "The suffix of the kata tarball to use"
required: false
type: string
registry:
description: "The oci container registry to install kata-deploy from"
required: true
type: string
repo:
description: "The oci container repository/image to install kata-deploy from"
required: true
type: string
tag:
description: "The oci container image tag to install kata-deploy using"
required: true
type: string
pr-number:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: true
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
@@ -101,13 +141,18 @@ jobs:
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -129,7 +174,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

2
.github/workflows/run-k8s-tests-on-amd64.yaml vendored
View File

@@ -79,6 +79,8 @@ jobs:
- name: Deploy ${{ matrix.k8s }}
run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
env:
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
- name: Configure the ${{ matrix.snapshotter }} snapshotter
if: matrix.snapshotter != ''

6
.github/workflows/run-kata-coco-stability-tests.yaml vendored
View File

@@ -114,7 +114,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
@@ -136,7 +138,7 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Run stability tests
timeout-minutes: 350
timeout-minutes: 300
run: bash tests/stability/gha-stability-run.sh run-tests
- name: Delete AKS cluster

336
.github/workflows/run-kata-coco-tests.yaml vendored
View File

@@ -2,6 +2,11 @@ name: CI | Run kata coco tests
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
@@ -35,182 +40,216 @@ on:
required: true
ITA_KEY:
required: true
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "The suffix of the kata tarball to use"
required: false
type: string
registry:
description: "The oci container registry to install kata-deploy from"
required: true
type: string
repo:
description: "The oci container repository/image to install kata-deploy from"
required: true
type: string
tag:
description: "The oci container image tag to install kata-deploy using"
required: true
type: string
pr-number:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: true
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
contents: read
id-token: write
jobs:
run-k8s-tests-on-tdx:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-tdx
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: tdx
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla"
USING_NFD: "true"
KBS: "true"
K8S_TEST_HOST_TYPE: "baremetal"
KBS_INGRESS: "nodeport"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
ITA_KEY: ${{ secrets.ITA_KEY }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
# run-k8s-tests-on-tdx:
# strategy:
# fail-fast: false
# matrix:
# vmm:
# - qemu-tdx
# snapshotter:
# - nydus
# pull-type:
# - guest-pull
# runs-on: tdx
# env:
# DOCKER_REGISTRY: ${{ inputs.registry }}
# DOCKER_REPO: ${{ inputs.repo }}
# DOCKER_TAG: ${{ inputs.tag }}
# GH_PR_NUMBER: ${{ inputs.pr-number }}
# KATA_HYPERVISOR: ${{ matrix.vmm }}
# KUBERNETES: "vanilla"
# USING_NFD: "true"
# KBS: "true"
# K8S_TEST_HOST_TYPE: "baremetal"
# KBS_INGRESS: "nodeport"
# SNAPSHOTTER: ${{ matrix.snapshotter }}
# PULL_TYPE: ${{ matrix.pull-type }}
# AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# ITA_KEY: ${{ secrets.ITA_KEY }}
# AUTO_GENERATE_POLICY: "yes"
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# ref: ${{ inputs.commit-hash }}
# fetch-depth: 0
# persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
# - name: Rebase atop of the latest target branch
# run: |
# ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
# env:
# TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
# - name: Deploy Snapshotter
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
# - name: Deploy Kata
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
- name: Uninstall previous `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
# - name: Uninstall previous `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
# - name: Deploy CoCo KBS
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
# - name: Install `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
# - name: Deploy CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests
timeout-minutes: 100
run: bash tests/integration/kubernetes/gha-run.sh run-tests
# - name: Run tests
# timeout-minutes: 100
# run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
# - name: Delete kata-deploy
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# - name: Delete Snapshotter
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete CoCo KBS
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# - name: Delete CoCo KBS
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# - name: Delete CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# AMD has deprecated SEV support on Kata and henceforth SNP will be the only feature supported for Kata Containers.
run-k8s-tests-sev-snp:
strategy:
fail-fast: false
matrix:
vmm:
- qemu-snp
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: sev-snp
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBECONFIG: /home/kata/.kube/config
KUBERNETES: "vanilla"
USING_NFD: "false"
KBS: "true"
KBS_INGRESS: "nodeport"
K8S_TEST_HOST_TYPE: "baremetal"
SNAPSHOTTER: ${{ matrix.snapshotter }}
PULL_TYPE: ${{ matrix.pull-type }}
AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AUTO_GENERATE_POLICY: "yes"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
persist-credentials: false
# run-k8s-tests-sev-snp:
# strategy:
# fail-fast: false
# matrix:
# vmm:
# - qemu-snp
# snapshotter:
# - nydus
# pull-type:
# - guest-pull
# runs-on: sev-snp
# env:
# DOCKER_REGISTRY: ${{ inputs.registry }}
# DOCKER_REPO: ${{ inputs.repo }}
# DOCKER_TAG: ${{ inputs.tag }}
# GH_PR_NUMBER: ${{ inputs.pr-number }}
# KATA_HYPERVISOR: ${{ matrix.vmm }}
# KUBECONFIG: /home/kata/.kube/config
# KUBERNETES: "vanilla"
# USING_NFD: "false"
# KBS: "true"
# KBS_INGRESS: "nodeport"
# K8S_TEST_HOST_TYPE: "baremetal"
# SNAPSHOTTER: ${{ matrix.snapshotter }}
# PULL_TYPE: ${{ matrix.pull-type }}
# AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
# AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
# AUTO_GENERATE_POLICY: "yes"
# steps:
# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# with:
# ref: ${{ inputs.commit-hash }}
# fetch-depth: 0
# persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
# - name: Rebase atop of the latest target branch
# run: |
# ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
# env:
# TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
# - name: Deploy Snapshotter
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
# - name: Deploy Kata
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
- name: Uninstall previous `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
# - name: Uninstall previous `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
- name: Deploy CoCo KBS
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
# - name: Deploy CoCo KBS
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
- name: Install `kbs-client`
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
# - name: Install `kbs-client`
# timeout-minutes: 10
# run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
- name: Deploy CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
# - name: Deploy CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
- name: Run tests
timeout-minutes: 50
run: bash tests/integration/kubernetes/gha-run.sh run-tests
# - name: Run tests
# timeout-minutes: 50
# run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Delete kata-deploy
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
# - name: Delete kata-deploy
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
- name: Delete Snapshotter
if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# - name: Delete Snapshotter
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
- name: Delete CoCo KBS
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
# - name: Delete CoCo KBS
# if: always()
# run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
- name: Delete CSI driver
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# - name: Delete CSI driver
# timeout-minutes: 5
# run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
# Generate jobs for testing CoCo on non-TEE environments
run-k8s-tests-coco-nontee:
@@ -264,6 +303,9 @@ jobs:
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata
@@ -292,7 +334,9 @@ jobs:
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

4
.github/workflows/run-kata-deploy-tests-on-aks.yaml vendored
View File

@@ -95,7 +95,9 @@ jobs:
run: bash tests/functional/kata-deploy/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/functional/kata-deploy/gha-run.sh install-kubectl
uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
with:
version: 'latest'
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials

27
.github/workflows/run-kata-monitor-tests.yaml vendored
View File

@@ -2,6 +2,11 @@ name: CI | Run kata-monitor tests
on:
workflow_call:
inputs:
artifact-run-id:
description: "The run id where the artifact was uploaded"
required: false
type: string
default: ${{ github.run_id }}
tarball-suffix:
required: false
type: string
@@ -12,6 +17,25 @@ on:
required: false
type: string
default: ""
workflow_dispatch:
inputs:
artifact-run-id:
description: "The workflow run id where the artifact was uploaded"
required: true
type: string
tarball-suffix:
description: "Identifier used to distinguish between PRs/dev/nightly tests"
required: false
type: string
commit-hash:
description: "The code to checkout for testing"
required: false
type: string
target-branch:
description: "The target branch to rebase on and ensure the tests are up-to-date"
required: false
type: string
default: ""
permissions:
contents: read
@@ -59,6 +83,9 @@ jobs:
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
run-id: ${{ inputs.artifact-run-id }}
github-token: ${{ github.token }}
repository: ${{ github.repository}}
path: kata-artifacts
- name: Install kata

292
src/agent/Cargo.lock generated
View File

@@ -455,11 +455,11 @@ dependencies = [
[[package]]
name = "bit-set"
version = "0.5.3"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1"
checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3"
dependencies = [
"bit-vec",
"bit-vec 0.8.0",
]
[[package]]
@@ -468,6 +468,12 @@ version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
[[package]]
name = "bit-vec"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7"
[[package]]
name = "bitflags"
version = "1.3.2"
@@ -524,6 +530,12 @@ dependencies = [
"piper",
]
[[package]]
name = "borrow-or-share"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3eeab4423108c5d7c744f4d234de88d18d636100093ae04caf4825134b9c3a32"
[[package]]
name = "borsh"
version = "1.5.7"
@@ -647,7 +659,7 @@ dependencies = [
[[package]]
name = "cdi"
version = "0.1.0"
source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=fba5677a8e7cc962fc6e495fcec98d7d765e332a#fba5677a8e7cc962fc6e495fcec98d7d765e332a"
source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=3b1e83dda5efcc83c7a4f134466ec006b37109c9#3b1e83dda5efcc83c7a4f134466ec006b37109c9"
dependencies = [
"anyhow",
"clap",
@@ -1062,6 +1074,15 @@ version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
[[package]]
name = "email_address"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e079f19b08ca6239f47f8ba8509c11cf3ea30095831f7fed61441475edd8c449"
dependencies = [
"serde",
]
[[package]]
name = "enumflags2"
version = "0.7.11"
@@ -1150,9 +1171,9 @@ dependencies = [
[[package]]
name = "fancy-regex"
version = "0.13.0"
version = "0.14.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "531e46835a22af56d1e3b66f04844bed63158bc094a628bec1d321d9b4c44bf2"
checksum = "6e24cb5a94bcae1e5408b0effca5cd7172ea3c5755049c5f3af4cd283a165298"
dependencies = [
"bit-set",
"regex-automata 0.4.9",
@@ -1174,18 +1195,6 @@ version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
[[package]]
name = "filetime"
version = "0.2.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586"
dependencies = [
"cfg-if",
"libc",
"libredox",
"windows-sys 0.59.0",
]
[[package]]
name = "fixedbitset"
version = "0.2.0"
@@ -1212,6 +1221,17 @@ dependencies = [
"bitflags 1.3.2",
]
[[package]]
name = "fluent-uri"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1918b65d96df47d3591bed19c5cca17e3fa5d0707318e4b5ef2eae01764df7e5"
dependencies = [
"borrow-or-share",
"ref-cast",
"serde",
]
[[package]]
name = "fnv"
version = "1.0.7"
@@ -1398,10 +1418,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi 0.11.0+wasi-snapshot-preview1",
"wasm-bindgen",
]
[[package]]
@@ -1796,6 +1814,17 @@ dependencies = [
"tokio",
]
[[package]]
name = "inotify"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
dependencies = [
"bitflags 2.9.0",
"inotify-sys",
"libc",
]
[[package]]
name = "inotify-sys"
version = "0.1.5"
@@ -1866,15 +1895,6 @@ version = "1.70.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
[[package]]
name = "iso8601"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c5c177cff824ab21a6f41079a4c401241c4e8be14f316c4c6b07d5fca351c98d"
dependencies = [
"nom 8.0.0",
]
[[package]]
name = "itertools"
version = "0.10.5"
@@ -1918,39 +1938,36 @@ version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1c6e529149475ca0b2820835d3dce8fcc41c6b943ca608d32f35b449255e4627"
dependencies = [
"fluent-uri",
"fluent-uri 0.1.4",
"serde",
"serde_json",
]
[[package]]
name = "jsonschema"
version = "0.18.3"
version = "0.30.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa0f4bea31643be4c6a678e9aa4ae44f0db9e5609d5ca9dc9083d06eb3e9a27a"
checksum = "f1b46a0365a611fbf1d2143104dcf910aada96fafd295bab16c60b802bf6fa1d"
dependencies = [
"ahash 0.8.12",
"anyhow",
"base64 0.22.1",
"bytecount",
"clap",
"email_address",
"fancy-regex",
"fraction",
"getrandom 0.2.16",
"iso8601",
"idna",
"itoa",
"memchr",
"num-cmp",
"num-traits",
"once_cell",
"parking_lot 0.12.3",
"percent-encoding",
"referencing",
"regex",
"regex-syntax 0.8.5",
"reqwest",
"serde",
"serde_json",
"time",
"url",
"uuid",
"uuid-simd",
]
[[package]]
@@ -2007,8 +2024,8 @@ dependencies = [
"slog-scope",
"slog-stdlog",
"slog-term",
"strum",
"strum_macros",
"strum 0.26.3",
"strum_macros 0.26.4",
"tempfile",
"test-utils",
"thiserror 1.0.69",
@@ -2143,7 +2160,6 @@ checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
dependencies = [
"bitflags 2.9.0",
"libc",
"redox_syscall 0.5.12",
]
[[package]]
@@ -2310,18 +2326,6 @@ dependencies = [
"adler2",
]
[[package]]
name = "mio"
version = "0.8.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
dependencies = [
"libc",
"log",
"wasi 0.11.0+wasi-snapshot-preview1",
"windows-sys 0.48.0",
]
[[package]]
name = "mio"
version = "1.0.3"
@@ -2329,6 +2333,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
dependencies = [
"libc",
"log",
"wasi 0.11.0+wasi-snapshot-preview1",
"windows-sys 0.52.0",
]
@@ -2512,34 +2517,30 @@ dependencies = [
"minimal-lexical",
]
[[package]]
name = "nom"
version = "8.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df9761775871bdef83bee530e60050f7e54b1105350d6884eb0fb4f46c2f9405"
dependencies = [
"memchr",
]
[[package]]
name = "notify"
version = "6.1.1"
version = "8.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d"
checksum = "3163f59cd3fa0e9ef8c32f242966a7b9994fd7378366099593e0e73077cd8c97"
dependencies = [
"bitflags 2.9.0",
"crossbeam-channel",
"filetime",
"fsevent-sys",
"inotify",
"inotify 0.11.0",
"kqueue",
"libc",
"log",
"mio 0.8.11",
"mio",
"notify-types",
"walkdir",
"windows-sys 0.48.0",
"windows-sys 0.60.2",
]
[[package]]
name = "notify-types"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d"
[[package]]
name = "ntapi"
version = "0.4.1"
@@ -2664,26 +2665,26 @@ dependencies = [
[[package]]
name = "oci-spec"
version = "0.6.8"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f5a3fe998d50101ae009351fec56d88a69f4ed182e11000e711068c2f5abf72"
checksum = "57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33"
dependencies = [
"const_format",
"derive_builder",
"getset",
"once_cell",
"regex",
"serde",
"serde_json",
"strum",
"strum_macros",
"thiserror 1.0.69",
"strum 0.27.1",
"strum_macros 0.27.1",
"thiserror 2.0.12",
]
[[package]]
name = "once_cell"
version = "1.19.0"
version = "1.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
[[package]]
name = "opentelemetry"
@@ -2716,10 +2717,10 @@ dependencies = [
]
[[package]]
name = "os_str_bytes"
version = "6.6.1"
name = "outref"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1"
checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e"
[[package]]
name = "page_size"
@@ -2822,7 +2823,7 @@ version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d88ae3281b415d856e9c2ddbcdd5961e71c1a3e90138512c04d720241853a6af"
dependencies = [
"nom 7.1.3",
"nom",
"phf",
"phf_codegen",
"proc-macro2",
@@ -3023,30 +3024,6 @@ dependencies = [
"toml_edit 0.22.26",
]
[[package]]
name = "proc-macro-error"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [
"proc-macro-error-attr",
"proc-macro2",
"quote",
"syn 1.0.109",
"version_check",
]
[[package]]
name = "proc-macro-error-attr"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [
"proc-macro2",
"quote",
"version_check",
]
[[package]]
name = "proc-macro-error-attr2"
version = "2.0.0"
@@ -3364,10 +3341,44 @@ dependencies = [
]
[[package]]
name = "regex"
version = "1.10.6"
name = "ref-cast"
version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619"
checksum = "4a0ae411dbe946a674d89546582cea4ba2bb8defac896622d6496f14c23ba5cf"
dependencies = [
"ref-cast-impl",
]
[[package]]
name = "ref-cast-impl"
version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1165225c21bff1f3bbce98f5a1f889949bc902d3575308cc7b0de30b4f6d27c7"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.101",
]
[[package]]
name = "referencing"
version = "0.30.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8eff4fa778b5c2a57e85c5f2fe3a709c52f0e60d23146e2151cbef5893f420e"
dependencies = [
"ahash 0.8.12",
"fluent-uri 0.3.2",
"once_cell",
"parking_lot 0.12.3",
"percent-encoding",
"serde_json",
]
[[package]]
name = "regex"
version = "1.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
dependencies = [
"aho-corasick",
"memchr",
@@ -3647,13 +3658,13 @@ dependencies = [
"anyhow",
"async-trait",
"awaitgroup",
"bit-vec",
"bit-vec 0.6.3",
"capctl",
"caps",
"cfg-if",
"cgroups-rs",
"futures",
"inotify",
"inotify 0.9.6",
"kata-sys-util",
"lazy_static",
"libc",
@@ -4079,6 +4090,12 @@ version = "0.26.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
[[package]]
name = "strum"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32"
[[package]]
name = "strum_macros"
version = "0.26.4"
@@ -4092,6 +4109,19 @@ dependencies = [
"syn 2.0.101",
]
[[package]]
name = "strum_macros"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8"
dependencies = [
"heck 0.5.0",
"proc-macro2",
"quote",
"rustversion",
"syn 2.0.101",
]
[[package]]
name = "subprocess"
version = "0.2.9"
@@ -4321,7 +4351,7 @@ dependencies = [
"backtrace",
"bytes 1.10.1",
"libc",
"mio 1.0.3",
"mio",
"parking_lot 0.12.3",
"pin-project-lite",
"signal-hook-registry",
@@ -4669,6 +4699,17 @@ version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9"
[[package]]
name = "uuid-simd"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23b082222b4f6619906941c17eb2297fff4c2fb96cb60164170522942a200bd8"
dependencies = [
"outref",
"uuid",
"vsimd",
]
[[package]]
name = "valuable"
version = "0.1.1"
@@ -4693,6 +4734,12 @@ version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
[[package]]
name = "vsimd"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64"
[[package]]
name = "vsock"
version = "0.2.6"
@@ -4883,7 +4930,7 @@ version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
dependencies = [
"windows-sys 0.59.0",
"windows-sys 0.48.0",
]
[[package]]
@@ -4985,7 +5032,7 @@ checksum = "4286ad90ddb45071efd1a66dfa43eb02dd0dfbae1545ad6cc3c51cf34d7e8ba3"
dependencies = [
"windows-result 0.3.2",
"windows-strings 0.3.1",
"windows-targets 0.53.0",
"windows-targets 0.53.2",
]
[[package]]
@@ -5051,6 +5098,15 @@ dependencies = [
"windows-targets 0.52.6",
]
[[package]]
name = "windows-sys"
version = "0.60.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
dependencies = [
"windows-targets 0.53.2",
]
[[package]]
name = "windows-targets"
version = "0.48.5"
@@ -5084,9 +5140,9 @@ dependencies = [
[[package]]
name = "windows-targets"
version = "0.53.0"
version = "0.53.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1e4c7e8ceaaf9cb7d7507c974735728ab453b67ef8f18febdd7c11fe59dca8b"
checksum = "c66f69fcc9ce11da9966ddb31a40968cad001c5bedeb5c2b82ede4253ab48aef"
dependencies = [
"windows_aarch64_gnullvm 0.53.0",
"windows_aarch64_msvc 0.53.0",

6
src/agent/Cargo.toml
View File

@@ -8,7 +8,7 @@ license = "Apache-2.0"
rust-version = "1.85.1"
[workspace.dependencies]
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
lazy_static = "1.3.0"
ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
protobuf = "3.7.2"
@@ -80,7 +80,7 @@ kata-agent-policy = { path = "policy" }
rustjail = { path = "rustjail" }
vsock-exporter = { path = "vsock-exporter" }
mem-agent = { path = "../mem-agent" }
mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }
kata-sys-util = { path = "../libs/kata-sys-util" }
kata-types = { path = "../libs/kata-types" }
@@ -163,7 +163,7 @@ strum.workspace = true
strum_macros.workspace = true
# Agent Policy
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }
# Local dependencies
kata-agent-policy = { workspace = true, optional = true }

4
src/agent/rustjail/src/container.rs
View File

@@ -2081,8 +2081,8 @@ mod tests {
});
}
#[test]
fn test_linuxcontainer_get_process() {
#[tokio::test]
async fn test_linuxcontainer_get_process() {
let _ = new_linux_container_and_then(|mut c: LinuxContainer| {
c.processes.insert(
1,

9
src/agent/rustjail/src/process.rs
View File

@@ -179,6 +179,11 @@ impl Process {
p.parent_stdin = Some(pstdin);
p.stdin = Some(stdin);
// Make sure the parent stdin writer be inserted into
// p.writes hashmap, thus the cleanup_process_stream can
// cleanup and close the parent stdin fd.
let _ = p.get_writer(StreamType::ParentStdin);
// These pipes are necessary as the stdout/stderr of the child process
// cannot be a socket. Otherwise, some images relying on the /dev/stdout(stderr)
// and /proc/self/fd/1(2) will fail to boot as opening an existing socket
@@ -308,8 +313,8 @@ mod tests {
assert_eq!(max_size, actual_size);
}
#[test]
fn test_process() {
#[tokio::test]
async fn test_process() {
let id = "abc123rgb";
let init = true;
let process = Process::new(

38
src/agent/src/config.rs
View File

@@ -323,31 +323,31 @@ impl FromStr for AgentConfig {
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_disable,
mac.memcg_config.disabled
mac.memcg_config.default.disabled
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_swap,
mac.memcg_config.swap
mac.memcg_config.default.swap
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_swappiness_max,
mac.memcg_config.swappiness_max
mac.memcg_config.default.swappiness_max
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_period_secs,
mac.memcg_config.period_secs
mac.memcg_config.default.period_secs
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_period_psi_percent_limit,
mac.memcg_config.period_psi_percent_limit
mac.memcg_config.default.period_psi_percent_limit
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_eviction_psi_percent_limit,
mac.memcg_config.eviction_psi_percent_limit
mac.memcg_config.default.eviction_psi_percent_limit
);
mem_agent_config_override!(
agent_config_builder.mem_agent_memcg_eviction_run_aging_count_min,
mac.memcg_config.eviction_run_aging_count_min
mac.memcg_config.default.eviction_run_aging_count_min
);
mem_agent_config_override!(
@@ -549,43 +549,43 @@ impl AgentConfig {
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_DISABLE,
mac.memcg_config.disabled,
mac.memcg_config.default.disabled,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_SWAP,
mac.memcg_config.swap,
mac.memcg_config.default.swap,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_SWAPPINESS_MAX,
mac.memcg_config.swappiness_max,
mac.memcg_config.default.swappiness_max,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_PERIOD_SECS,
mac.memcg_config.period_secs,
mac.memcg_config.default.period_secs,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_PERIOD_PSI_PERCENT_LIMIT,
mac.memcg_config.period_psi_percent_limit,
mac.memcg_config.default.period_psi_percent_limit,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_EVICTION_PSI_PERCENT_LIMIT,
mac.memcg_config.eviction_psi_percent_limit,
mac.memcg_config.default.eviction_psi_percent_limit,
get_number_value
);
parse_cmdline_param!(
param,
MEM_AGENT_MEMCG_EVICTION_RUN_AGING_COUNT_MIN,
mac.memcg_config.eviction_run_aging_count_min,
mac.memcg_config.default.eviction_run_aging_count_min,
get_number_value
);
parse_cmdline_param!(
@@ -1408,7 +1408,10 @@ mod tests {
contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300",
mem_agent: Some(MemAgentConfig {
memcg_config: mem_agent::memcg::Config {
period_secs: 300,
default: mem_agent::memcg::SingleConfig {
period_secs: 300,
..Default::default()
},
..Default::default()
},
..Default::default()
@@ -1419,7 +1422,10 @@ mod tests {
contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300\nagent.mem_agent_compact_order=6",
mem_agent: Some(MemAgentConfig {
memcg_config: mem_agent::memcg::Config {
period_secs: 300,
default: mem_agent::memcg::SingleConfig {
period_secs: 300,
..Default::default()
},
..Default::default()
},
compact_config: mem_agent::compact::Config {

15
src/agent/src/initdata.rs
View File

@@ -27,6 +27,9 @@ const AA_CONFIG_KEY: &str = "aa.toml";
const CDH_CONFIG_KEY: &str = "cdh.toml";
const POLICY_KEY: &str = "policy.rego";
/// The path of initdata toml
pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
/// The path of AA's config file
pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
@@ -95,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
}
pub struct InitdataReturnValue {
pub digest: Vec<u8>,
pub _digest: Vec<u8>,
pub _policy: Option<String>,
}
@@ -122,7 +125,11 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
info!(logger, "Initdata version: {}", initdata.version());
initdata.validate()?;
let digest = match initdata.algorithm() {
tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
.await
.context("write initdata toml failed")?;
let _digest = match initdata.algorithm() {
"sha256" => Sha256::digest(&initdata_content).to_vec(),
"sha384" => Sha384::digest(&initdata_content).to_vec(),
"sha512" => Sha512::digest(&initdata_content).to_vec(),
@@ -143,10 +150,10 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
info!(logger, "write CDH config from initdata");
}
debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest));
debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));
let res = InitdataReturnValue {
digest,
_digest,
_policy: initdata.get_coco_data(POLICY_KEY).cloned(),
};

10
src/agent/src/main.rs
View File

@@ -19,7 +19,6 @@ extern crate scopeguard;
extern crate slog;
use anyhow::{anyhow, bail, Context, Result};
use base64::Engine;
use cfg_if::cfg_if;
use clap::Parser;
use const_format::concatcp;
@@ -485,12 +484,9 @@ async fn launch_guest_component_procs(
debug!(logger, "spawning attestation-agent process {}", AA_PATH);
let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
let initdata_parameter;
if let Some(initdata_return_value) = initdata_return_value {
initdata_parameter =
base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
aa_args.push("--initdata");
aa_args.push(&initdata_parameter);
if initdata_return_value.is_some() {
aa_args.push("--initdata-toml");
aa_args.push(initdata::INITDATA_TOML_PATH);
}
launch_process(

21
src/agent/src/rpc.rs
View File

@@ -708,13 +708,15 @@ fn mem_agent_memcgconfig_to_memcg_optionconfig(
mc: &protocols::agent::MemAgentMemcgConfig,
) -> mem_agent::memcg::OptionConfig {
mem_agent::memcg::OptionConfig {
disabled: mc.disabled,
swap: mc.swap,
swappiness_max: mc.swappiness_max.map(|x| x as u8),
period_secs: mc.period_secs,
period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
default: mem_agent::memcg::SingleOptionConfig {
disabled: mc.disabled,
swap: mc.swap,
swappiness_max: mc.swappiness_max.map(|x| x as u8),
period_secs: mc.period_secs,
period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
},
..Default::default()
}
}
@@ -2621,11 +2623,6 @@ mod tests {
}),
..Default::default()
},
TestData {
has_fd: false,
result: Err(anyhow!(ERR_CANNOT_GET_WRITER)),
..Default::default()
},
];
for (i, d) in tests.iter().enumerate() {

1
src/libs/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
Cargo.lock

2821
src/libs/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

2
src/libs/kata-sys-util/Cargo.toml
View File

@@ -32,7 +32,7 @@ pci-ids = "0.2.5"
mockall = "0.13.1"
kata-types = { path = "../kata-types" }
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
runtime-spec = { path = "../runtime-spec" }
safe-path = { path = "../safe-path" }

2
src/libs/kata-types/Cargo.toml
View File

@@ -31,7 +31,7 @@ sha2 = "0.10.8"
flate2 = { version = "1.0", features = ["zlib"] }
hex = "0.4"
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
safe-path = { path = "../safe-path" }
[dev-dependencies]

2
src/libs/protocols/Cargo.toml
View File

@@ -16,7 +16,7 @@ async-trait = { version = "0.1.42", optional = true }
protobuf = { version = "3.7.2" }
serde = { version = "1.0.130", features = ["derive"] }
serde_json = "1.0.68"
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
[build-dependencies]
ttrpc-codegen = "0.5.0"

5
src/mem-agent/.gitignore vendored
View File

@@ -1,5 +0,0 @@
/target
/example/target
/.vscode
.vscode-ctags

917
src/mem-agent/Cargo.lock generated
View File

@@ -1,917 +0,0 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4
[[package]]
name = "addr2line"
version = "0.21.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb"
dependencies = [
"gimli",
]
[[package]]
name = "adler"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]]
name = "anyhow"
version = "1.0.81"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0952808a6c2afd1aa8947271f3a60f1a6763c7b912d210184c5149b5cf147247"
[[package]]
name = "arc-swap"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7b3d0060af21e8d11a926981cc00c6c1541aa91dd64b9f881985c3da1094425f"
[[package]]
name = "async-trait"
version = "0.1.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "autocfg"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]]
name = "backtrace"
version = "0.3.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837"
dependencies = [
"addr2line",
"cc",
"cfg-if",
"libc",
"miniz_oxide",
"object",
"rustc-demangle",
]
[[package]]
name = "bitflags"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "bitflags"
version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
[[package]]
name = "bumpalo"
version = "3.15.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ff69b9dd49fd426c69a0db9fc04dd934cdb6645ff000864d98f7e2af8830eaa"
[[package]]
name = "bytes"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"
[[package]]
name = "cc"
version = "1.0.90"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5"
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "chrono"
version = "0.4.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8eaf5903dcbc0a39312feb77df2ff4c76387d591b9fc7b04a238dcf8bb62639a"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"wasm-bindgen",
"windows-targets 0.52.4",
]
[[package]]
name = "core-foundation-sys"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
[[package]]
name = "crossbeam-channel"
version = "0.5.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
dependencies = [
"crossbeam-utils",
]
[[package]]
name = "crossbeam-utils"
version = "0.8.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
[[package]]
name = "deranged"
version = "0.3.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
dependencies = [
"powerfmt",
]
[[package]]
name = "dirs-next"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
dependencies = [
"cfg-if",
"dirs-sys-next",
]
[[package]]
name = "dirs-sys-next"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
dependencies = [
"libc",
"redox_users",
"winapi",
]
[[package]]
name = "getrandom"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
dependencies = [
"cfg-if",
"libc",
"wasi",
]
[[package]]
name = "gimli"
version = "0.28.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
[[package]]
name = "hermit-abi"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
[[package]]
name = "iana-time-zone"
version = "0.1.60"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows-core",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
dependencies = [
"cc",
]
[[package]]
name = "is-terminal"
version = "0.4.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
dependencies = [
"hermit-abi",
"libc",
"windows-sys",
]
[[package]]
name = "itoa"
version = "1.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
[[package]]
name = "js-sys"
version = "0.3.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d"
dependencies = [
"wasm-bindgen",
]
[[package]]
name = "lazy_static"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "libc"
version = "0.2.172"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "libredox"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
dependencies = [
"bitflags 2.6.0",
"libc",
]
[[package]]
name = "lock_api"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
dependencies = [
"autocfg",
"scopeguard",
]
[[package]]
name = "log"
version = "0.4.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
[[package]]
name = "maplit"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
[[package]]
name = "mem-agent"
version = "0.1.0"
dependencies = [
"anyhow",
"async-trait",
"chrono",
"lazy_static",
"maplit",
"nix",
"once_cell",
"page_size",
"slog",
"slog-async",
"slog-scope",
"slog-term",
"tokio",
]
[[package]]
name = "memchr"
version = "2.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149"
[[package]]
name = "memoffset"
version = "0.6.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
dependencies = [
"autocfg",
]
[[package]]
name = "miniz_oxide"
version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7"
dependencies = [
"adler",
]
[[package]]
name = "mio"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
dependencies = [
"libc",
"wasi",
"windows-sys",
]
[[package]]
name = "nix"
version = "0.23.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f3790c00a0150112de0f4cd161e3d7fc4b2d8a5542ffc35f099a2562aecb35c"
dependencies = [
"bitflags 1.3.2",
"cc",
"cfg-if",
"libc",
"memoffset",
]
[[package]]
name = "num-conv"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-traits"
version = "0.2.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
dependencies = [
"autocfg",
]
[[package]]
name = "object"
version = "0.32.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441"
dependencies = [
"memchr",
]
[[package]]
name = "once_cell"
version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
name = "page_size"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "parking_lot"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
dependencies = [
"lock_api",
"parking_lot_core",
]
[[package]]
name = "parking_lot_core"
version = "0.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e"
dependencies = [
"cfg-if",
"libc",
"redox_syscall",
"smallvec",
"windows-targets 0.48.5",
]
[[package]]
name = "pin-project-lite"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
[[package]]
name = "powerfmt"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
[[package]]
name = "proc-macro2"
version = "1.0.79"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
dependencies = [
"proc-macro2",
]
[[package]]
name = "redox_syscall"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
dependencies = [
"bitflags 1.3.2",
]
[[package]]
name = "redox_users"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
dependencies = [
"getrandom",
"libredox",
"thiserror",
]
[[package]]
name = "rustc-demangle"
version = "0.1.23"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
[[package]]
name = "rustversion"
version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
[[package]]
name = "scopeguard"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "signal-hook-registry"
version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1"
dependencies = [
"libc",
]
[[package]]
name = "slog"
version = "2.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
[[package]]
name = "slog-async"
version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72c8038f898a2c79507940990f05386455b3a317d8f18d4caea7cbc3d5096b84"
dependencies = [
"crossbeam-channel",
"slog",
"take_mut",
"thread_local",
]
[[package]]
name = "slog-scope"
version = "4.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f95a4b4c3274cd2869549da82b57ccc930859bdbf5bcea0424bc5f140b3c786"
dependencies = [
"arc-swap",
"lazy_static",
"slog",
]
[[package]]
name = "slog-term"
version = "2.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6e022d0b998abfe5c3782c1f03551a596269450ccd677ea51c56f8b214610e8"
dependencies = [
"is-terminal",
"slog",
"term",
"thread_local",
"time",
]
[[package]]
name = "smallvec"
version = "1.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7"
[[package]]
name = "socket2"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871"
dependencies = [
"libc",
"windows-sys",
]
[[package]]
name = "syn"
version = "2.0.52"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "take_mut"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f764005d11ee5f36500a149ace24e00e3da98b0158b3e2d53a7495660d3f4d60"
[[package]]
name = "term"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
dependencies = [
"dirs-next",
"rustversion",
"winapi",
]
[[package]]
name = "thiserror"
version = "1.0.65"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.65"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "thread_local"
version = "1.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c"
dependencies = [
"cfg-if",
"once_cell",
]
[[package]]
name = "time"
version = "0.3.37"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
dependencies = [
"deranged",
"itoa",
"num-conv",
"powerfmt",
"serde",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
[[package]]
name = "time-macros"
version = "0.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
dependencies = [
"num-conv",
"time-core",
]
[[package]]
name = "tokio"
version = "1.44.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
dependencies = [
"backtrace",
"bytes",
"libc",
"mio",
"parking_lot",
"pin-project-lite",
"signal-hook-registry",
"socket2",
"tokio-macros",
"windows-sys",
]
[[package]]
name = "tokio-macros"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "unicode-ident"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
[[package]]
name = "wasm-bindgen"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8"
dependencies = [
"cfg-if",
"wasm-bindgen-macro",
]
[[package]]
name = "wasm-bindgen-backend"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da"
dependencies = [
"bumpalo",
"log",
"once_cell",
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
]
[[package]]
name = "wasm-bindgen-macro-support"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
dependencies = [
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
version = "0.2.92"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-core"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
dependencies = [
"windows-targets 0.52.4",
]
[[package]]
name = "windows-sys"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [
"windows-targets 0.52.4",
]
[[package]]
name = "windows-targets"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
dependencies = [
"windows_aarch64_gnullvm 0.48.5",
"windows_aarch64_msvc 0.48.5",
"windows_i686_gnu 0.48.5",
"windows_i686_msvc 0.48.5",
"windows_x86_64_gnu 0.48.5",
"windows_x86_64_gnullvm 0.48.5",
"windows_x86_64_msvc 0.48.5",
]
[[package]]
name = "windows-targets"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b"
dependencies = [
"windows_aarch64_gnullvm 0.52.4",
"windows_aarch64_msvc 0.52.4",
"windows_i686_gnu 0.52.4",
"windows_i686_msvc 0.52.4",
"windows_x86_64_gnu 0.52.4",
"windows_x86_64_gnullvm 0.52.4",
"windows_x86_64_msvc 0.52.4",
]
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9"
[[package]]
name = "windows_aarch64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
[[package]]
name = "windows_aarch64_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675"
[[package]]
name = "windows_i686_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
[[package]]
name = "windows_i686_gnu"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3"
[[package]]
name = "windows_i686_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
[[package]]
name = "windows_i686_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02"
[[package]]
name = "windows_x86_64_gnu"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
[[package]]
name = "windows_x86_64_gnu"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177"
[[package]]
name = "windows_x86_64_msvc"
version = "0.48.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
[[package]]
name = "windows_x86_64_msvc"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8"

13
src/mem-agent/Cargo.toml
View File

@@ -1,7 +1,7 @@
[package]
name = "mem-agent"
version = "0.1.0"
edition = "2018"
name = "mem-agent-lib"
version = "0.2.0"
edition = "2021"
[dependencies]
slog = "2.5.2"
@@ -9,13 +9,14 @@ slog-scope = "4.1.2"
anyhow = "1.0"
page_size = "0.6"
chrono = "0.4"
tokio = { version = "1.44.2", features = ["full"] }
tokio = { version = "1.45.1", features = ["full"] }
async-trait = "0.1"
lazy_static = "1.4"
nix = "0.23.2"
maplit = "1.0"
nix = { version = "0.30.1", features = ["fs", "sched"] }
[dev-dependencies]
maplit = "1.0"
slog-term = "2.9.0"
slog-async = "2.7"
once_cell = "1.9.0"
lazy_static = "1.4"

6
src/mem-agent/Makefile
View File

@@ -1,6 +0,0 @@
# Copyright (C) 2024 Ant group. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0
default:
cd example; cargo build --examples --target x86_64-unknown-linux-musl

1657
src/mem-agent/example/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

36
src/mem-agent/example/Cargo.toml
View File

@@ -1,36 +0,0 @@
[package]
name = "mem-agent-bin"
version = "0.1.0"
edition = "2018"
[dependencies]
slog = "2.5.2"
slog-scope = "4.1.2"
slog-term = "2.9.0"
slog-async = "2.7"
clap = { version = "4.5.40", features = ["derive", "cargo"] }
anyhow = "1.0"
libc = "0.2"
page_size = "0.6"
chrono = "0.4"
maplit = "1.0"
ttrpc = { version = "0.8", features = ["async"] }
tokio = { version = "1.44.2", features = ["full"] }
async-trait = "0.1"
byteorder = "1.5"
protobuf = "3.7.2"
lazy_static = "1.4"
# Rust 1.68 doesn't support 0.5.9
home = "=0.5.5"
mem-agent = { path = "../" }
[[example]]
name = "mem-agent-srv"
path = "./srv.rs"
[[example]]
name = "mem-agent-ctl"
path = "./ctl.rs"
[build-dependencies]
ttrpc-codegen = "0.4"

29
src/mem-agent/example/build.rs
View File

@@ -1,29 +0,0 @@
// Copyright (C) 2024 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize};
fn main() -> Result<(), Box<dyn std::error::Error>> {
let protos = vec![
"protocols/protos/mem-agent.proto",
"protocols/protos/google/protobuf/empty.proto",
"protocols/protos/google/protobuf/timestamp.proto",
];
let protobuf_customized = ProtobufCustomize::default().gen_mod_rs(false);
Codegen::new()
.out_dir("protocols/")
.inputs(&protos)
.include("protocols/protos/")
.rust_protobuf()
.customize(Customize {
async_all: true,
..Default::default()
})
.rust_protobuf_customize(protobuf_customized.clone())
.run()?;
Ok(())
}

79
src/mem-agent/example/ctl.rs
View File

@@ -1,79 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
mod protocols;
mod share;
use anyhow::{anyhow, Result};
use protocols::empty;
use protocols::mem_agent_ttrpc;
use share::option::{CompactSetOption, MemcgSetOption};
use clap::Parser;
use ttrpc::r#async::Client;
#[derive(Debug, Parser)]
enum Command {
#[clap(name = "memcgstatus", about = "get memory cgroup status")]
MemcgStatus,
#[clap(name = "memcgset", about = "set memory cgroup")]
MemcgSet(MemcgSetOption),
#[clap(name = "compactset", about = "set compact")]
CompactSet(CompactSetOption),
}
#[derive(Parser, Debug)]
#[clap(name = "mem-agent-ctl", about = "Memory agent controler")]
struct Opt {
#[clap(long, default_value = "unix:///var/run/mem-agent.sock")]
addr: String,
#[clap(subcommand)]
command: Command,
}
#[tokio::main]
async fn main() -> Result<()> {
let opt = Opt::parse();
// setup client
let c = Client::connect(&opt.addr).unwrap();
let client = mem_agent_ttrpc::ControlClient::new(c.clone());
match opt.command {
Command::MemcgStatus => {
let mss = client
.memcg_status(ttrpc::context::with_timeout(0), &empty::Empty::new())
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
for mcg in mss.mem_cgroups {
println!("{:?}", mcg);
for (numa_id, n) in mcg.numa {
if let Some(t) = n.last_inc_time.into_option() {
println!("{} {:?}", numa_id, share::misc::timestamp_to_datetime(t)?);
}
}
}
}
Command::MemcgSet(c) => {
let config = c.to_rpc_memcg_config();
client
.memcg_set(ttrpc::context::with_timeout(0), &config)
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
}
Command::CompactSet(c) => {
let config = c.to_rpc_compact_config();
client
.compact_set(ttrpc::context::with_timeout(0), &config)
.await
.map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
}
}
Ok(())
}

8
src/mem-agent/example/protocols/mod.rs
View File

@@ -1,8 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
pub mod empty;
pub mod mem_agent;
pub mod mem_agent_ttrpc;
pub mod timestamp;

52
src/mem-agent/example/protocols/protos/google/protobuf/empty.proto
View File

@@ -1,52 +0,0 @@
// Protocol Buffers - Google's data interchange format
// Copyright 2008 Google Inc. All rights reserved.
// https://developers.google.com/protocol-buffers/
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
syntax = "proto3";
package google.protobuf;
option csharp_namespace = "Google.Protobuf.WellKnownTypes";
option go_package = "types";
option java_package = "com.google.protobuf";
option java_outer_classname = "EmptyProto";
option java_multiple_files = true;
option objc_class_prefix = "GPB";
option cc_enable_arenas = true;
// A generic empty message that you can re-use to avoid defining duplicated
// empty messages in your APIs. A typical example is to use it as the request
// or the response type of an API method. For instance:
//
// service Foo {
// rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
// }
//
// The JSON representation for `Empty` is empty JSON object `{}`.
message Empty {}

138
src/mem-agent/example/protocols/protos/google/protobuf/timestamp.proto
View File

@@ -1,138 +0,0 @@
// Protocol Buffers - Google's data interchange format
// Copyright 2008 Google Inc. All rights reserved.
// https://developers.google.com/protocol-buffers/
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
syntax = "proto3";
package google.protobuf;
option csharp_namespace = "Google.Protobuf.WellKnownTypes";
option cc_enable_arenas = true;
option go_package = "github.com/golang/protobuf/ptypes/timestamp";
option java_package = "com.google.protobuf";
option java_outer_classname = "TimestampProto";
option java_multiple_files = true;
option objc_class_prefix = "GPB";
// A Timestamp represents a point in time independent of any time zone or local
// calendar, encoded as a count of seconds and fractions of seconds at
// nanosecond resolution. The count is relative to an epoch at UTC midnight on
// January 1, 1970, in the proleptic Gregorian calendar which extends the
// Gregorian calendar backwards to year one.
//
// All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap
// second table is needed for interpretation, using a [24-hour linear
// smear](https://developers.google.com/time/smear).
//
// The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By
// restricting to that range, we ensure that we can convert to and from [RFC
// 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings.
//
// # Examples
//
// Example 1: Compute Timestamp from POSIX `time()`.
//
// Timestamp timestamp;
// timestamp.set_seconds(time(NULL));
// timestamp.set_nanos(0);
//
// Example 2: Compute Timestamp from POSIX `gettimeofday()`.
//
// struct timeval tv;
// gettimeofday(&tv, NULL);
//
// Timestamp timestamp;
// timestamp.set_seconds(tv.tv_sec);
// timestamp.set_nanos(tv.tv_usec * 1000);
//
// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
//
// FILETIME ft;
// GetSystemTimeAsFileTime(&ft);
// UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
//
// // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
// // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
// Timestamp timestamp;
// timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
// timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
//
// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
//
// long millis = System.currentTimeMillis();
//
// Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
// .setNanos((int) ((millis % 1000) * 1000000)).build();
//
//
// Example 5: Compute Timestamp from current time in Python.
//
// timestamp = Timestamp()
// timestamp.GetCurrentTime()
//
// # JSON Mapping
//
// In JSON format, the Timestamp type is encoded as a string in the
// [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the
// format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z"
// where {year} is always expressed using four digits while {month}, {day},
// {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
// seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
// are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
// is required. A proto3 JSON serializer should always use UTC (as indicated by
// "Z") when printing the Timestamp type and a proto3 JSON parser should be
// able to accept both UTC and other timezones (as indicated by an offset).
//
// For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
// 01:30 UTC on January 15, 2017.
//
// In JavaScript, one can convert a Date object to this format using the
// standard
// [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString)
// method. In Python, a standard `datetime.datetime` object can be converted
// to this format using
// [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with
// the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use
// the Joda Time's [`ISODateTimeFormat.dateTime()`](
// http://www.joda.org/joda-time/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime%2D%2D
// ) to obtain a formatter capable of generating timestamps in this format.
//
//
message Timestamp {
// Represents seconds of UTC time since Unix epoch
// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
// 9999-12-31T23:59:59Z inclusive.
int64 seconds = 1;
// Non-negative fractions of a second at nanosecond resolution. Negative
// second values with fractions must still have non-negative nanos values
// that count forward in time. Must be from 0 to 999,999,999
// inclusive.
int32 nanos = 2;
}

66
src/mem-agent/example/protocols/protos/mem-agent.proto
View File

@@ -1,66 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
syntax = "proto3";
package MemAgent;
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
service Control {
rpc MemcgStatus(google.protobuf.Empty) returns (MemcgStatusReply);
rpc MemcgSet(MemcgConfig) returns (google.protobuf.Empty);
rpc CompactSet(CompactConfig) returns (google.protobuf.Empty);
}
message EvictionCount {
uint64 page = 1;
uint64 no_min_lru_file = 2;
uint64 min_lru_inc = 3;
uint64 other_error = 4;
uint64 error = 5;
uint64 psi_exceeds_limit = 6;
}
message StatusNuma {
google.protobuf.Timestamp last_inc_time = 1;
uint64 max_seq = 2;
uint64 min_seq = 3;
uint64 run_aging_count = 4;
EvictionCount eviction_count = 5;
}
message MemCgroup {
uint32 id = 1;
uint64 ino = 2;
string path = 3;
uint64 sleep_psi_exceeds_limit = 4;
map<uint32, StatusNuma> numa = 5;
}
message MemcgStatusReply {
repeated MemCgroup mem_cgroups = 1;
}
message MemcgConfig {
optional bool disabled = 1;
optional bool swap = 2;
optional uint32 swappiness_max = 3;
optional uint64 period_secs = 4;
optional uint32 period_psi_percent_limit = 5;
optional uint32 eviction_psi_percent_limit = 6;
optional uint64 eviction_run_aging_count_min = 7;
}
message CompactConfig {
optional bool disabled = 1;
optional uint64 period_secs = 2;
optional uint32 period_psi_percent_limit = 3;
optional uint32 compact_psi_percent_limit = 4;
optional int64 compact_sec_max = 5;
optional uint32 compact_order = 6;
optional uint64 compact_threshold = 7;
optional uint64 compact_force_times = 8;
}

29
src/mem-agent/example/share/misc.rs
View File

@@ -1,29 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use anyhow::{anyhow, Result};
use chrono::{DateTime, LocalResult, TimeZone, Utc};
use protobuf::well_known_types::timestamp::Timestamp;
pub fn datatime_to_timestamp(dt: DateTime<Utc>) -> Timestamp {
let seconds = dt.timestamp();
let nanos = dt.timestamp_subsec_nanos();
Timestamp {
seconds,
nanos: nanos as i32,
..Default::default()
}
}
#[allow(dead_code)]
pub fn timestamp_to_datetime(timestamp: Timestamp) -> Result<DateTime<Utc>> {
let seconds = timestamp.seconds;
let nanos = timestamp.nanos;
match Utc.timestamp_opt(seconds, nanos as u32) {
LocalResult::Single(t) => Ok(t),
_ => Err(anyhow!("Utc.timestamp_opt {} fail", timestamp)),
}
}

7
src/mem-agent/example/share/mod.rs
View File

@@ -1,7 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
pub mod misc;
pub mod option;
pub mod rpc;

146
src/mem-agent/example/share/option.rs
View File

@@ -1,146 +0,0 @@
// Copyright (C) 2024 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use crate::protocols::mem_agent as rpc;
use clap::Parser;
#[derive(Debug, Parser)]
pub struct MemcgSetOption {
#[clap(long)]
memcg_disabled: Option<bool>,
#[clap(long)]
memcg_swap: Option<bool>,
#[clap(long)]
memcg_swappiness_max: Option<u8>,
#[clap(long)]
memcg_period_secs: Option<u64>,
#[clap(long)]
memcg_period_psi_percent_limit: Option<u8>,
#[clap(long)]
memcg_eviction_psi_percent_limit: Option<u8>,
#[clap(long)]
memcg_eviction_run_aging_count_min: Option<u64>,
}
impl MemcgSetOption {
#[allow(dead_code)]
pub fn to_rpc_memcg_config(&self) -> rpc::MemcgConfig {
let config = rpc::MemcgConfig {
disabled: self.memcg_disabled,
swap: self.memcg_swap,
swappiness_max: self.memcg_swappiness_max.map(|v| v as u32),
period_secs: self.memcg_period_secs,
period_psi_percent_limit: self.memcg_period_psi_percent_limit.map(|v| v as u32),
eviction_psi_percent_limit: self.memcg_eviction_psi_percent_limit.map(|v| v as u32),
eviction_run_aging_count_min: self.memcg_eviction_run_aging_count_min,
..Default::default()
};
config
}
#[allow(dead_code)]
pub fn to_mem_agent_memcg_config(&self) -> mem_agent::memcg::Config {
let mut config = mem_agent::memcg::Config {
..Default::default()
};
if let Some(v) = self.memcg_disabled {
config.disabled = v;
}
if let Some(v) = self.memcg_swap {
config.swap = v;
}
if let Some(v) = self.memcg_swappiness_max {
config.swappiness_max = v;
}
if let Some(v) = self.memcg_period_secs {
config.period_secs = v;
}
if let Some(v) = self.memcg_period_psi_percent_limit {
config.period_psi_percent_limit = v;
}
if let Some(v) = self.memcg_eviction_psi_percent_limit {
config.eviction_psi_percent_limit = v;
}
if let Some(v) = self.memcg_eviction_run_aging_count_min {
config.eviction_run_aging_count_min = v;
}
config
}
}
#[derive(Debug, Parser)]
pub struct CompactSetOption {
#[clap(long)]
compact_disabled: Option<bool>,
#[clap(long)]
compact_period_secs: Option<u64>,
#[clap(long)]
compact_period_psi_percent_limit: Option<u8>,
#[clap(long)]
compact_psi_percent_limit: Option<u8>,
#[clap(long)]
compact_sec_max: Option<i64>,
#[clap(long)]
compact_order: Option<u8>,
#[clap(long)]
compact_threshold: Option<u64>,
#[clap(long)]
compact_force_times: Option<u64>,
}
impl CompactSetOption {
#[allow(dead_code)]
pub fn to_rpc_compact_config(&self) -> rpc::CompactConfig {
let config = rpc::CompactConfig {
disabled: self.compact_disabled,
period_secs: self.compact_period_secs,
period_psi_percent_limit: self.compact_period_psi_percent_limit.map(|v| v as u32),
compact_psi_percent_limit: self.compact_psi_percent_limit.map(|v| v as u32),
compact_sec_max: self.compact_sec_max,
compact_order: self.compact_order.map(|v| v as u32),
compact_threshold: self.compact_threshold,
compact_force_times: self.compact_force_times,
..Default::default()
};
config
}
#[allow(dead_code)]
pub fn to_mem_agent_compact_config(&self) -> mem_agent::compact::Config {
let mut config = mem_agent::compact::Config {
..Default::default()
};
if let Some(v) = self.compact_disabled {
config.disabled = v;
}
if let Some(v) = self.compact_period_secs {
config.period_secs = v;
}
if let Some(v) = self.compact_period_psi_percent_limit {
config.period_psi_percent_limit = v;
}
if let Some(v) = self.compact_psi_percent_limit {
config.compact_psi_percent_limit = v;
}
if let Some(v) = self.compact_sec_max {
config.compact_sec_max = v;
}
if let Some(v) = self.compact_order {
config.compact_order = v;
}
if let Some(v) = self.compact_threshold {
config.compact_threshold = v;
}
if let Some(v) = self.compact_force_times {
config.compact_force_times = v;
}
config
}
}

221
src/mem-agent/example/share/rpc.rs
View File

@@ -1,221 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use crate::protocols::mem_agent as rpc_mem_agent;
use crate::protocols::{empty, mem_agent_ttrpc};
use anyhow::{anyhow, Result};
use async_trait::async_trait;
use mem_agent::{agent, compact, memcg};
use slog_scope::{error, info};
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::sync::Arc;
use tokio::signal::unix::{signal, SignalKind};
use ttrpc::asynchronous::Server;
use ttrpc::error::Error;
use ttrpc::proto::Code;
#[derive(Debug)]
pub struct MyControl {
agent: agent::MemAgent,
}
impl MyControl {
#[allow(dead_code)]
pub fn new(agent: agent::MemAgent) -> Self {
Self { agent }
}
}
fn mem_cgroup_to_mem_cgroup_rpc(mcg: &memcg::MemCgroup) -> rpc_mem_agent::MemCgroup {
rpc_mem_agent::MemCgroup {
id: mcg.id as u32,
ino: mcg.ino as u64,
path: mcg.path.clone(),
sleep_psi_exceeds_limit: mcg.sleep_psi_exceeds_limit,
numa: mcg
.numa
.iter()
.map(|(numa_id, n)| {
(
*numa_id,
rpc_mem_agent::StatusNuma {
last_inc_time: protobuf::MessageField::some(
crate::share::misc::datatime_to_timestamp(n.last_inc_time),
),
max_seq: n.max_seq,
min_seq: n.min_seq,
run_aging_count: n.run_aging_count,
eviction_count: protobuf::MessageField::some(
rpc_mem_agent::EvictionCount {
page: n.eviction_count.page,
no_min_lru_file: n.eviction_count.no_min_lru_file,
min_lru_inc: n.eviction_count.min_lru_inc,
other_error: n.eviction_count.other_error,
error: n.eviction_count.error,
psi_exceeds_limit: n.eviction_count.psi_exceeds_limit,
..Default::default()
},
),
..Default::default()
},
)
})
.collect(),
..Default::default()
}
}
fn mem_cgroups_to_memcg_status_reply(
mgs: Vec<memcg::MemCgroup>,
) -> rpc_mem_agent::MemcgStatusReply {
let mem_cgroups: Vec<rpc_mem_agent::MemCgroup> = mgs
.iter()
.map(|x| mem_cgroup_to_mem_cgroup_rpc(&x))
.collect();
rpc_mem_agent::MemcgStatusReply {
mem_cgroups,
..Default::default()
}
}
fn memcgconfig_to_memcg_optionconfig(mc: &rpc_mem_agent::MemcgConfig) -> memcg::OptionConfig {
let moc = memcg::OptionConfig {
disabled: mc.disabled,
swap: mc.swap,
swappiness_max: mc.swappiness_max.map(|val| val as u8),
period_secs: mc.period_secs,
period_psi_percent_limit: mc.period_psi_percent_limit.map(|val| val as u8),
eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|val| val as u8),
eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
..Default::default()
};
moc
}
fn compactconfig_to_compact_optionconfig(
cc: &rpc_mem_agent::CompactConfig,
) -> compact::OptionConfig {
let coc = compact::OptionConfig {
disabled: cc.disabled,
period_secs: cc.period_secs,
period_psi_percent_limit: cc.period_psi_percent_limit.map(|val| val as u8),
compact_psi_percent_limit: cc.compact_psi_percent_limit.map(|val| val as u8),
compact_sec_max: cc.compact_sec_max,
compact_order: cc.compact_order.map(|val| val as u8),
compact_threshold: cc.compact_threshold,
compact_force_times: cc.compact_force_times,
..Default::default()
};
coc
}
#[async_trait]
impl mem_agent_ttrpc::Control for MyControl {
async fn memcg_status(
&self,
_ctx: &::ttrpc::r#async::TtrpcContext,
_: empty::Empty,
) -> ::ttrpc::Result<rpc_mem_agent::MemcgStatusReply> {
Ok(mem_cgroups_to_memcg_status_reply(
self.agent.memcg_status_async().await.map_err(|e| {
let estr = format!("agent.memcg_status_async fail: {}", e);
error!("{}", estr);
Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
})?,
))
}
async fn memcg_set(
&self,
_ctx: &::ttrpc::r#async::TtrpcContext,
mc: rpc_mem_agent::MemcgConfig,
) -> ::ttrpc::Result<empty::Empty> {
self.agent
.memcg_set_config_async(memcgconfig_to_memcg_optionconfig(&mc))
.await
.map_err(|e| {
let estr = format!("agent.memcg_set_config_async fail: {}", e);
error!("{}", estr);
Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
})?;
Ok(empty::Empty::new())
}
async fn compact_set(
&self,
_ctx: &::ttrpc::r#async::TtrpcContext,
cc: rpc_mem_agent::CompactConfig,
) -> ::ttrpc::Result<empty::Empty> {
self.agent
.compact_set_config_async(compactconfig_to_compact_optionconfig(&cc))
.await
.map_err(|e| {
let estr = format!("agent.compact_set_config_async fail: {}", e);
error!("{}", estr);
Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
})?;
Ok(empty::Empty::new())
}
}
#[allow(dead_code)]
#[tokio::main]
pub async fn rpc_loop(agent: agent::MemAgent, addr: String) -> Result<()> {
let path = addr
.strip_prefix("unix://")
.ok_or(anyhow!("format of addr {} is not right", addr))?;
if std::path::Path::new(path).exists() {
return Err(anyhow!("addr {} is exist", addr));
}
let control = MyControl::new(agent);
let c = Box::new(control) as Box<dyn mem_agent_ttrpc::Control + Send + Sync>;
let c = Arc::new(c);
let service = mem_agent_ttrpc::create_control(c);
let mut server = Server::new().bind(&addr).unwrap().register_service(service);
let metadata = fs::metadata(path).map_err(|e| anyhow!("fs::metadata {} fail: {}", path, e))?;
let mut permissions = metadata.permissions();
permissions.set_mode(0o600);
fs::set_permissions(path, permissions)
.map_err(|e| anyhow!("fs::set_permissions {} fail: {}", path, e))?;
let mut interrupt = signal(SignalKind::interrupt())
.map_err(|e| anyhow!("signal(SignalKind::interrupt()) fail: {}", e))?;
let mut quit = signal(SignalKind::quit())
.map_err(|e| anyhow!("signal(SignalKind::quit()) fail: {}", e))?;
let mut terminate = signal(SignalKind::terminate())
.map_err(|e| anyhow!("signal(SignalKind::terminate()) fail: {}", e))?;
server
.start()
.await
.map_err(|e| anyhow!("server.start() fail: {}", e))?;
tokio::select! {
_ = interrupt.recv() => {
info!("mem-agent: interrupt shutdown");
}
_ = quit.recv() => {
info!("mem-agent: quit shutdown");
}
_ = terminate.recv() => {
info!("mem-agent: terminate shutdown");
}
};
server
.shutdown()
.await
.map_err(|e| anyhow!("server.shutdown() fail: {}", e))?;
fs::remove_file(&path).map_err(|e| anyhow!("fs::remove_file {} fail: {}", path, e))?;
Ok(())
}

95
src/mem-agent/example/srv.rs
View File

@@ -1,95 +0,0 @@
// Copyright (C) 2023 Ant group. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use anyhow::{anyhow, Result};
use clap::Parser;
use share::option::{CompactSetOption, MemcgSetOption};
use slog::{Drain, Level, Logger};
use slog_async;
use slog_scope::set_global_logger;
use slog_scope::{error, info};
use slog_term;
use std::fs::OpenOptions;
use std::io::BufWriter;
mod protocols;
mod share;
#[derive(Parser, Debug)]
#[clap(name = "mem-agent", about = "Memory agent")]
struct Opt {
#[clap(long, default_value = "unix:///var/run/mem-agent.sock")]
addr: String,
#[clap(long)]
log_file: Option<String>,
#[arg(long, default_value = "trace", value_parser = parse_slog_level)]
log_level: Level,
#[clap(flatten)]
memcg: MemcgSetOption,
#[clap(flatten)]
compact: CompactSetOption,
}
fn parse_slog_level(src: &str) -> Result<Level, String> {
match src.to_lowercase().as_str() {
"trace" => Ok(Level::Trace),
"debug" => Ok(Level::Debug),
"info" => Ok(Level::Info),
"warning" => Ok(Level::Warning),
"warn" => Ok(Level::Warning),
"error" => Ok(Level::Error),
_ => Err(format!("Invalid log level: {}", src)),
}
}
fn setup_logging(opt: &Opt) -> Result<slog_scope::GlobalLoggerGuard> {
let drain = if let Some(f) = &opt.log_file {
let log_file = OpenOptions::new()
.create(true)
.write(true)
.append(true)
.open(f)
.map_err(|e| anyhow!("Open log file {} fail: {}", f, e))?;
let buffered = BufWriter::new(log_file);
let decorator = slog_term::PlainDecorator::new(buffered);
let drain = slog_term::CompactFormat::new(decorator)
.build()
.filter_level(opt.log_level)
.fuse();
slog_async::Async::new(drain).build().fuse()
} else {
let decorator = slog_term::TermDecorator::new().stderr().build();
let drain = slog_term::CompactFormat::new(decorator)
.build()
.filter_level(opt.log_level)
.fuse();
slog_async::Async::new(drain).build().fuse()
};
let logger = Logger::root(drain, slog::o!());
Ok(set_global_logger(logger.clone()))
}
fn main() -> Result<()> {
// Check opt
let opt = Opt::parse();
let _ = setup_logging(&opt).map_err(|e| anyhow!("setup_logging fail: {}", e))?;
let memcg_config = opt.memcg.to_mem_agent_memcg_config();
let compact_config = opt.compact.to_mem_agent_compact_config();
let (ma, _rt) = mem_agent::agent::MemAgent::new(memcg_config, compact_config)
.map_err(|e| anyhow!("MemAgent::new fail: {}", e))?;
info!("MemAgent started");
share::rpc::rpc_loop(ma, opt.addr).map_err(|e| {
let estr = format!("rpc::rpc_loop fail: {}", e);
error!("{}", estr);
anyhow!("{}", estr)
})?;
Ok(())
}

74
src/mem-agent/src/agent.rs
View File

@@ -4,8 +4,9 @@
use crate::compact;
use crate::memcg::{self, MemCgroup};
use crate::{error, info};
use crate::{debug, error, info};
use anyhow::{anyhow, Result};
use std::collections::HashMap;
use std::thread;
use tokio::runtime::{Builder, Runtime};
use tokio::select;
@@ -27,7 +28,7 @@ enum AgentCmd {
enum AgentReturn {
Ok,
Err(anyhow::Error),
MemcgStatus(Vec<memcg::MemCgroup>),
MemcgStatus(HashMap<String, memcg::MemCgroup>),
}
async fn handle_agent_cmd(
@@ -44,7 +45,16 @@ async fn handle_agent_cmd(
ret_msg = AgentReturn::MemcgStatus(memcg.get_status().await);
false
}
AgentCmd::MemcgSet(opt) => memcg.set_config(opt).await,
AgentCmd::MemcgSet(opt) => match memcg.set_config(opt).await {
Ok(reset) => {
ret_msg = AgentReturn::Ok;
reset
}
Err(e) => {
ret_msg = AgentReturn::Err(e);
false
}
},
AgentCmd::CompactSet(opt) => comp.set_config(opt).await,
};
@@ -59,6 +69,11 @@ fn get_remaining_tokio_duration(memcg: &memcg::MemCG, comp: &compact::Compact) -
let memcg_d = memcg.get_remaining_tokio_duration();
let comp_d = comp.get_remaining_tokio_duration();
debug!(
"get_remaining_tokio_duration: memcg_d={:?}, comp_d={:?}",
memcg_d, comp_d
);
if memcg_d > comp_d {
comp_d
} else {
@@ -76,6 +91,11 @@ async fn async_get_remaining_tokio_duration(
let memcg_d = memcg_f.await;
let comp_d = comp_f.await;
debug!(
"async_get_remaining_tokio_duration: memcg_d={:?}, comp_d={:?}",
memcg_d, comp_d
);
if memcg_d > comp_d {
comp_d
} else {
@@ -84,16 +104,14 @@ async fn async_get_remaining_tokio_duration(
}
fn agent_work(mut memcg: memcg::MemCG, mut comp: compact::Compact) -> Result<Duration> {
let memcg_need_reset = if memcg.need_work() {
let memcg_work_list = memcg.get_timeout_list();
if memcg_work_list.len() > 0 {
info!("memcg.work start");
memcg
.work()
.work(&memcg_work_list)
.map_err(|e| anyhow!("memcg.work failed: {}", e))?;
info!("memcg.work stop");
true
} else {
false
};
}
let compact_need_reset = if comp.need_work() {
info!("compact.work start");
@@ -105,9 +123,8 @@ fn agent_work(mut memcg: memcg::MemCG, mut comp: compact::Compact) -> Result<Dur
false
};
if memcg_need_reset {
memcg.reset_timer();
}
memcg.reset_timers(&memcg_work_list);
if compact_need_reset {
comp.reset_timer();
}
@@ -136,6 +153,8 @@ impl MemAgentSleep {
}
fn set_sleep(&mut self, d: Duration) {
info!("MemAgentSleep::set_sleep: {:?}", d);
self.duration = d;
self.start_wait_time = Instant::now();
}
@@ -219,10 +238,17 @@ impl MemAgent {
memcg_config: memcg::Config,
compact_config: compact::Config,
) -> Result<(Self, Runtime)> {
let mg = memcg::MemCG::new(memcg_config)
let is_cg_v2 = crate::cgroup::is_cgroup_v2()?;
if is_cg_v2 {
info!("current host use cgroup v2");
} else {
info!("current host use cgroup v1");
}
let mg = memcg::MemCG::new(is_cg_v2, memcg_config)
.map_err(|e| anyhow!("memcg::MemCG::new fail: {}", e))?;
let comp = compact::Compact::new(compact_config)
let comp = compact::Compact::new(is_cg_v2, compact_config)
.map_err(|e| anyhow!("compact::Compact::new fail: {}", e))?;
let (cmd_tx, cmd_rx) = mpsc::channel(10);
@@ -295,7 +321,7 @@ impl MemAgent {
}
}
pub async fn memcg_status_async(&self) -> Result<Vec<MemCgroup>> {
pub async fn memcg_status_async(&self) -> Result<HashMap<String, MemCgroup>> {
let ret = self
.send_cmd_async(AgentCmd::MemcgStatus)
.await
@@ -323,10 +349,8 @@ mod tests {
#[test]
fn test_agent() {
let memcg_config = memcg::Config {
disabled: true,
..Default::default()
};
let mut memcg_config = memcg::Config::default();
memcg_config.default.disabled = true;
let compact_config = compact::Config {
disabled: true,
..Default::default()
@@ -337,10 +361,8 @@ mod tests {
tokio::runtime::Runtime::new()
.unwrap()
.block_on({
let memcg_config = memcg::OptionConfig {
period_secs: Some(120),
..Default::default()
};
let mut memcg_config = memcg::OptionConfig::default();
memcg_config.default.period_secs = Some(120);
ma.memcg_set_config_async(memcg_config)
})
.unwrap();
@@ -359,10 +381,8 @@ mod tests {
#[test]
fn test_agent_memcg_status() {
let memcg_config = memcg::Config {
disabled: true,
..Default::default()
};
let mut memcg_config = memcg::Config::default();
memcg_config.default.disabled = true;
let compact_config = compact::Config {
disabled: true,
..Default::default()

23
src/mem-agent/src/cgroup.rs Normal file
View File

@@ -0,0 +1,23 @@
// Copyright (C) 2025 Kylin Soft. All rights reserved.
//
// SPDX-License-Identifier: Apache-2.0
use anyhow::{anyhow, Result};
use nix::sys::statfs::statfs;
use std::path::Path;
#[cfg(target_env = "musl")]
const CGROUP2_SUPER_MAGIC: nix::sys::statfs::FsType = nix::sys::statfs::FsType(0x63677270);
#[cfg(not(target_env = "musl"))]
use nix::sys::statfs::CGROUP2_SUPER_MAGIC;
pub const CGROUP_PATH: &str = "/sys/fs/cgroup/";
pub const MEMCGS_V1_PATH: &str = "/sys/fs/cgroup/memory";
pub fn is_cgroup_v2() -> Result<bool> {
let cgroup_path = Path::new("/sys/fs/cgroup");
let stat =
statfs(cgroup_path).map_err(|e| anyhow!("statfs {:?} failed: {}", cgroup_path, e))?;
Ok(stat.filesystem_type() == CGROUP2_SUPER_MAGIC)
}

12
src/mem-agent/src/compact.rs
View File

@@ -2,6 +2,7 @@
//
// SPDX-License-Identifier: Apache-2.0
use crate::cgroup::CGROUP_PATH;
use crate::proc;
use crate::psi;
use crate::timer::Timeout;
@@ -59,7 +60,7 @@ impl Default for Config {
period_secs: 10 * 60,
period_psi_percent_limit: 1,
compact_psi_percent_limit: 5,
compact_sec_max: 30 * 60,
compact_sec_max: 5 * 60,
compact_order: PAGE_REPORTING_MIN_ORDER,
compact_threshold: 2 << PAGE_REPORTING_MIN_ORDER,
compact_force_times: std::u64::MAX,
@@ -238,7 +239,11 @@ pub struct Compact {
}
impl Compact {
pub fn new(mut config: Config) -> Result<Self> {
pub fn new(is_cg_v2: bool, mut config: Config) -> Result<Self> {
if is_cg_v2 {
config.psi_path = PathBuf::from(CGROUP_PATH);
}
config.psi_path =
psi::check(&config.psi_path).map_err(|e| anyhow!("psi::check failed: {}", e))?;
@@ -440,7 +445,8 @@ mod tests {
#[test]
fn test_compact() {
let mut c = Compact::new(Config::default()).unwrap();
let is_cg_v2 = crate::cgroup::is_cgroup_v2().unwrap();
let mut c = Compact::new(is_cg_v2, Config::default()).unwrap();
assert!(c.work().is_ok());
}
}

1
src/mem-agent/src/lib.rs
View File

@@ -3,6 +3,7 @@
// SPDX-License-Identifier: Apache-2.0
pub mod agent;
mod cgroup;
pub mod compact;
pub mod memcg;
mod mglru;

1053
src/mem-agent/src/memcg.rs
View File

File diff suppressed because it is too large Load Diff

18
src/mem-agent/src/mglru.rs
View File

@@ -2,8 +2,9 @@
//
// SPDX-License-Identifier: Apache-2.0
use crate::debug;
use crate::warn;
use crate::cgroup::CGROUP_PATH;
use crate::cgroup::MEMCGS_V1_PATH;
use crate::{debug, trace, warn};
use anyhow::{anyhow, Result};
use chrono::{DateTime, Duration, Utc};
use std::collections::HashMap;
@@ -17,7 +18,7 @@ const WORKINGSET_ANON: usize = 0;
const WORKINGSET_FILE: usize = 1;
const LRU_GEN_ENABLED_PATH: &str = "/sys/kernel/mm/lru_gen/enabled";
const LRU_GEN_PATH: &str = "/sys/kernel/debug/lru_gen";
const MEMCGS_PATH: &str = "/sys/fs/cgroup/memory";
pub const MAX_NR_GENS: u64 = 4;
fn lru_gen_head_parse(line: &str) -> Result<(usize, String)> {
let words: Vec<&str> = line.split_whitespace().map(|word| word.trim()).collect();
@@ -238,13 +239,18 @@ fn file_parse(
pub fn host_memcgs_get(
target_patchs: &HashSet<String>,
parse_line: bool,
is_cg_v2: bool,
) -> Result<HashMap<String, (usize, usize, HashMap<usize, MGenLRU>)>> {
let mgs = file_parse(target_patchs, parse_line)
.map_err(|e| anyhow!("mglru file_parse failed: {}", e))?;
let mut host_mgs = HashMap::new();
for (path, (id, mglru)) in mgs {
let host_path = PathBuf::from(MEMCGS_PATH).join(path.trim_start_matches('/'));
let host_path = if is_cg_v2 {
PathBuf::from(CGROUP_PATH).join(path.trim_start_matches('/'))
} else {
PathBuf::from(MEMCGS_V1_PATH).join(path.trim_start_matches('/'))
};
let metadata = match fs::metadata(host_path.clone()) {
Err(e) => {
@@ -301,7 +307,7 @@ pub fn run_aging(
"+ {} {} {} {} {}",
memcg_id, numa_id, max_seq, can_swap as i32, force_scan as i32
);
//trace!("send cmd {} to {}", cmd, LRU_GEN_PATH);
trace!("send cmd {} to {}", cmd, LRU_GEN_PATH);
fs::write(LRU_GEN_PATH, &cmd)
.map_err(|e| anyhow!("write file {} cmd {} failed: {}", LRU_GEN_PATH, cmd, e))?;
Ok(())
@@ -318,7 +324,7 @@ pub fn run_eviction(
"- {} {} {} {} {}",
memcg_id, numa_id, min_seq, swappiness, nr_to_reclaim
);
//trace!("send cmd {} to {}", cmd, LRU_GEN_PATH);
trace!("send cmd {} to {}", cmd, LRU_GEN_PATH);
fs::write(LRU_GEN_PATH, &cmd)
.map_err(|e| anyhow!("write file {} cmd {} failed: {}", LRU_GEN_PATH, cmd, e))?;
Ok(())

8
src/mem-agent/src/misc.rs
View File

@@ -9,14 +9,14 @@ pub fn sl() -> slog::Logger {
#[macro_export]
macro_rules! error {
($($arg:tt)*) => {
slog::info!(crate::misc::sl(), "{}", format_args!($($arg)*))
slog::error!(crate::misc::sl(), "{}", format_args!($($arg)*))
}
}
#[macro_export]
macro_rules! warn {
($($arg:tt)*) => {
slog::info!(crate::misc::sl(), "{}", format_args!($($arg)*))
slog::warn!(crate::misc::sl(), "{}", format_args!($($arg)*))
}
}
@@ -30,14 +30,14 @@ macro_rules! info {
#[macro_export]
macro_rules! trace {
($($arg:tt)*) => {
slog::info!(crate::misc::sl(), "{}", format_args!($($arg)*))
slog::trace!(crate::misc::sl(), "{}", format_args!($($arg)*))
}
}
#[macro_export]
macro_rules! debug {
($($arg:tt)*) => {
slog::info!(crate::misc::sl(), "{}", format_args!($($arg)*))
slog::debug!(crate::misc::sl(), "{}", format_args!($($arg)*))
}
}

2
src/mem-agent/src/psi.rs
View File

@@ -2,6 +2,7 @@
//
// SPDX-License-Identifier: Apache-2.0
use crate::cgroup::CGROUP_PATH;
use crate::info;
use anyhow::{anyhow, Result};
use chrono::{DateTime, Utc};
@@ -11,7 +12,6 @@ use std::fs::OpenOptions;
use std::io::{BufRead, BufReader};
use std::path::PathBuf;
const CGROUP_PATH: &str = "/sys/fs/cgroup/";
const MEM_PSI: &str = "memory.pressure";
const IO_PSI: &str = "io.pressure";

447
src/runtime-rs/Cargo.lock generated
View File

@@ -49,7 +49,7 @@ dependencies = [
"log",
"logging",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"protobuf 3.7.2",
"protocols",
"serde",
@@ -528,17 +528,16 @@ dependencies = [
[[package]]
name = "chrono"
version = "0.4.26"
version = "0.4.41"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec837a71355b28f6556dbd569b37b3f363091c0bd4b2e735674521b4c5fd9bc5"
checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"time 0.1.45",
"wasm-bindgen",
"winapi",
"windows-link",
]
[[package]]
@@ -572,7 +571,7 @@ dependencies = [
"kata-types",
"lazy_static",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"persist",
"protobuf 3.7.2",
"protocols",
@@ -602,6 +601,26 @@ dependencies = [
"crossbeam-utils",
]
[[package]]
name = "const_format"
version = "0.2.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "126f97965c8ad46d6d9163268ff28432e8f6a1196a55578867832e3049df63dd"
dependencies = [
"const_format_proc_macros",
]
[[package]]
name = "const_format_proc_macros"
version = "0.2.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744"
dependencies = [
"proc-macro2",
"quote",
"unicode-xid",
]
[[package]]
name = "constant_time_eq"
version = "0.3.0"
@@ -625,7 +644,7 @@ dependencies = [
"log",
"mio 0.8.11",
"nix 0.27.1",
"oci-spec",
"oci-spec 0.6.8",
"os_pipe",
"page_size",
"prctl",
@@ -634,7 +653,7 @@ dependencies = [
"signal-hook",
"signal-hook-tokio",
"thiserror 1.0.69",
"time 0.3.37",
"time",
"tokio",
"windows-sys 0.48.0",
]
@@ -1111,6 +1130,17 @@ dependencies = [
"winapi",
]
[[package]]
name = "displaydoc"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.96",
]
[[package]]
name = "dlv-list"
version = "0.3.0"
@@ -1309,9 +1339,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]]
name = "form_urlencoded"
version = "1.2.0"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652"
checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
dependencies = [
"percent-encoding",
]
@@ -1499,14 +1529,14 @@ dependencies = [
[[package]]
name = "getset"
version = "0.1.2"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e45727250e75cc04ff2846a66397da8ef2b3db8e40e0cef4df67950a07621eb9"
checksum = "9cf0fc11e47561d47397154977bc219f4cf809b2974facc3ccb3b89e2436f912"
dependencies = [
"proc-macro-error",
"proc-macro-error2",
"proc-macro2",
"quote",
"syn 1.0.109",
"syn 2.0.96",
]
[[package]]
@@ -1770,7 +1800,7 @@ dependencies = [
"libc",
"logging",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"path-clean",
"persist",
"protobuf 3.7.2",
@@ -1788,7 +1818,6 @@ dependencies = [
"shim-interface",
"slog",
"slog-scope",
"tempdir",
"test-utils",
"tests_utils",
"thiserror 1.0.69",
@@ -1822,6 +1851,92 @@ dependencies = [
"cc",
]
[[package]]
name = "icu_collections"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
dependencies = [
"displaydoc",
"potential_utf",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
name = "icu_locale_core"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
dependencies = [
"displaydoc",
"litemap",
"tinystr",
"writeable",
"zerovec",
]
[[package]]
name = "icu_normalizer"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
dependencies = [
"displaydoc",
"icu_collections",
"icu_normalizer_data",
"icu_properties",
"icu_provider",
"smallvec",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
[[package]]
name = "icu_properties"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
dependencies = [
"displaydoc",
"icu_collections",
"icu_locale_core",
"icu_properties_data",
"icu_provider",
"potential_utf",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
[[package]]
name = "icu_provider"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
dependencies = [
"displaydoc",
"icu_locale_core",
"stable_deref_trait",
"tinystr",
"writeable",
"yoke",
"zerofrom",
"zerotrie",
"zerovec",
]
[[package]]
name = "ident_case"
version = "1.0.1"
@@ -1830,12 +1945,23 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]]
name = "idna"
version = "0.4.0"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
dependencies = [
"unicode-bidi",
"unicode-normalization",
"idna_adapter",
"smallvec",
"utf8_iter",
]
[[package]]
name = "idna_adapter"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
dependencies = [
"icu_normalizer",
"icu_properties",
]
[[package]]
@@ -1982,7 +2108,7 @@ dependencies = [
"libc",
"mockall",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"once_cell",
"pci-ids",
"rand 0.8.5",
@@ -2009,7 +2135,7 @@ dependencies = [
"hex",
"lazy_static",
"num_cpus",
"oci-spec",
"oci-spec 0.8.1",
"regex",
"safe-path 0.1.0",
"serde",
@@ -2116,6 +2242,12 @@ dependencies = [
"tokio",
]
[[package]]
name = "litemap"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
[[package]]
name = "lock_api"
version = "0.4.10"
@@ -2627,6 +2759,23 @@ dependencies = [
"thiserror 1.0.69",
]
[[package]]
name = "oci-spec"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33"
dependencies = [
"const_format",
"derive_builder",
"getset",
"regex",
"serde",
"serde_json",
"strum 0.27.1",
"strum_macros 0.27.1",
"thiserror 2.0.11",
]
[[package]]
name = "once_cell"
version = "1.19.0"
@@ -2911,9 +3060,9 @@ dependencies = [
[[package]]
name = "percent-encoding"
version = "2.3.0"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]]
name = "persist"
@@ -3032,6 +3181,15 @@ dependencies = [
"windows-sys 0.48.0",
]
[[package]]
name = "potential_utf"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
dependencies = [
"zerovec",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
@@ -3090,27 +3248,25 @@ dependencies = [
]
[[package]]
name = "proc-macro-error"
version = "1.0.4"
name = "proc-macro-error-attr2"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
checksum = "96de42df36bb9bba5542fe9f1a054b8cc87e172759a1868aa05c1f3acc89dfc5"
dependencies = [
"proc-macro-error-attr",
"proc-macro2",
"quote",
"syn 1.0.109",
"version_check",
]
[[package]]
name = "proc-macro-error-attr"
version = "1.0.4"
name = "proc-macro-error2"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
checksum = "11ec05c52be0a07b08061f7dd003e7d7092e0472bc731b4af7bb1ef876109802"
dependencies = [
"proc-macro-error-attr2",
"proc-macro2",
"quote",
"version_check",
"syn 2.0.96",
]
[[package]]
@@ -3289,7 +3445,7 @@ name = "protocols"
version = "0.1.0"
dependencies = [
"async-trait",
"oci-spec",
"oci-spec 0.8.1",
"protobuf 3.7.2",
"serde",
"serde_json",
@@ -3532,15 +3688,6 @@ version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f"
[[package]]
name = "remove_dir_all"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
dependencies = [
"winapi",
]
[[package]]
name = "rend"
version = "0.4.2"
@@ -3611,7 +3758,7 @@ dependencies = [
"netlink-sys",
"netns-rs",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"persist",
"rand 0.8.5",
"rtnetlink",
@@ -3712,7 +3859,7 @@ dependencies = [
"logging",
"netns-rs",
"nix 0.25.1",
"oci-spec",
"oci-spec 0.8.1",
"opentelemetry",
"opentelemetry-jaeger",
"persist",
@@ -4105,7 +4252,7 @@ dependencies = [
"log",
"logging",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"protobuf 3.7.2",
"rand 0.8.5",
"runtime-spec",
@@ -4235,7 +4382,7 @@ dependencies = [
"serde",
"serde_json",
"slog",
"time 0.3.37",
"time",
]
[[package]]
@@ -4270,14 +4417,14 @@ dependencies = [
"slog",
"term",
"thread_local",
"time 0.3.37",
"time",
]
[[package]]
name = "smallvec"
version = "1.11.0"
version = "1.15.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9"
checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
[[package]]
name = "socket2"
@@ -4299,6 +4446,12 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "stable_deref_trait"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
[[package]]
name = "static_assertions"
version = "1.1.0"
@@ -4326,6 +4479,12 @@ version = "0.26.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
[[package]]
name = "strum"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32"
[[package]]
name = "strum_macros"
version = "0.24.3"
@@ -4352,6 +4511,19 @@ dependencies = [
"syn 2.0.96",
]
[[package]]
name = "strum_macros"
version = "0.27.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8"
dependencies = [
"heck 0.5.0",
"proc-macro2",
"quote",
"rustversion",
"syn 2.0.96",
]
[[package]]
name = "subprocess"
version = "0.2.9"
@@ -4390,6 +4562,17 @@ dependencies = [
"unicode-ident",
]
[[package]]
name = "synstructure"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.96",
]
[[package]]
name = "sysinfo"
version = "0.34.2"
@@ -4426,16 +4609,6 @@ dependencies = [
"xattr",
]
[[package]]
name = "tempdir"
version = "0.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8"
dependencies = [
"rand 0.4.6",
"remove_dir_all",
]
[[package]]
name = "tempfile"
version = "3.19.1"
@@ -4554,17 +4727,6 @@ dependencies = [
"threadpool",
]
[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a"
dependencies = [
"libc",
"wasi 0.10.0+wasi-snapshot-preview1",
"winapi",
]
[[package]]
name = "time"
version = "0.3.37"
@@ -4605,6 +4767,16 @@ dependencies = [
"rustix 0.37.28",
]
[[package]]
name = "tinystr"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
dependencies = [
"displaydoc",
"zerovec",
]
[[package]]
name = "tinyvec"
version = "1.6.0"
@@ -4899,33 +5071,24 @@ version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]]
name = "unicode-bidi"
version = "0.3.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
[[package]]
name = "unicode-ident"
version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c"
[[package]]
name = "unicode-normalization"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
dependencies = [
"tinyvec",
]
[[package]]
name = "unicode-segmentation"
version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
[[package]]
name = "unicode-xid"
version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
[[package]]
name = "unix_socket2"
version = "0.5.4"
@@ -4937,9 +5100,9 @@ dependencies = [
[[package]]
name = "url"
version = "2.4.1"
version = "2.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
dependencies = [
"form_urlencoded",
"idna",
@@ -4952,6 +5115,12 @@ version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5190c9442dcdaf0ddd50f37420417d219ae5261bbf5db120d0f9bab996c9cba1"
[[package]]
name = "utf8_iter"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
[[package]]
name = "uuid"
version = "0.4.0"
@@ -5045,7 +5214,7 @@ dependencies = [
"libc",
"logging",
"nix 0.24.3",
"oci-spec",
"oci-spec 0.8.1",
"persist",
"protobuf 3.7.2",
"resource",
@@ -5158,12 +5327,6 @@ dependencies = [
"try-lock",
]
[[package]]
name = "wasi"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
@@ -5300,7 +5463,7 @@ version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
dependencies = [
"windows-sys 0.48.0",
"windows-sys 0.52.0",
]
[[package]]
@@ -5362,6 +5525,12 @@ dependencies = [
"syn 2.0.96",
]
[[package]]
name = "windows-link"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
[[package]]
name = "windows-result"
version = "0.1.2"
@@ -5604,6 +5773,12 @@ dependencies = [
"bitflags 2.9.0",
]
[[package]]
name = "writeable"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
[[package]]
name = "wyz"
version = "0.5.1"
@@ -5622,6 +5797,84 @@ dependencies = [
"libc",
]
[[package]]
name = "yoke"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
dependencies = [
"serde",
"stable_deref_trait",
"yoke-derive",
"zerofrom",
]
[[package]]
name = "yoke-derive"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.96",
"synstructure",
]
[[package]]
name = "zerofrom"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
dependencies = [
"zerofrom-derive",
]
[[package]]
name = "zerofrom-derive"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.96",
"synstructure",
]
[[package]]
name = "zerotrie"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
dependencies = [
"displaydoc",
"yoke",
"zerofrom",
]
[[package]]
name = "zerovec"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
dependencies = [
"yoke",
"zerofrom",
"zerovec-derive",
]
[[package]]
name = "zerovec-derive"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.96",
]
[[package]]
name = "zstd"
version = "0.11.2+zstd.1.5.2"

4
src/runtime-rs/Cargo.toml
View File

@@ -59,7 +59,7 @@ libc = "0.2"
log = "0.4.14"
netns-rs = "0.1.0"
nix = "0.24.2"
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
protobuf = "3.7.2"
rand = "0.8.4"
serde = { version = "1.0.145", features = ["derive"] }
@@ -73,4 +73,4 @@ tokio = "1.38.2"
tracing = "0.1.41"
tracing-opentelemetry = "0.18.0"
ttrpc = "0.8.4"
url = "2.3.1"
url = "2.5.4"

5
src/runtime-rs/Makefile
View File

@@ -311,13 +311,15 @@ ifneq (,$(QEMUCMD))
DEFSANDBOXCGROUPONLY_QEMU := false
ifeq ($(ARCH), s390x)
VMROOTFSDRIVER_QEMU := virtio-blk-ccw
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-blk-ccw
else
VMROOTFSDRIVER_QEMU := virtio-pmem
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-blk-pci
endif
DEFVCPUS_QEMU := 1
DEFMAXVCPUS_QEMU := 0
DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-scsi
DEFSHAREDFS_QEMU_SEL_VIRTIOFS := none
DEFBLOCKDEVICEAIO_QEMU := io_uring
DEFNETWORKMODEL_QEMU := tcfilter
DEFDISABLEGUESTSELINUX := true
@@ -472,6 +474,7 @@ USER_VARS += DEFBLOCKDEVICEAIO_QEMU
USER_VARS += DEFBLOCKSTORAGEDRIVER_FC
USER_VARS += DEFSHAREDFS_CLH_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_SEL_VIRTIOFS
USER_VARS += DEFVIRTIOFSDAEMON
USER_VARS += DEFVALIDVIRTIOFSDAEMONPATHS
USER_VARS += DEFVIRTIOFSCACHESIZE

5
src/runtime-rs/config/configuration-cloud-hypervisor.toml.in
View File

@@ -168,8 +168,9 @@ default_bridges = @DEFBRIDGES@
# Default false
#reclaim_guest_freed_memory = true
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device.
# Block device driver to be used by the hypervisor when a container's storage
# is backed by a block device or a file. This driver facilitates attaching the
# storage directly to the guest VM.
block_device_driver = "virtio-blk-pci"
# Specifies cache-related options for block devices.

8
src/runtime-rs/config/configuration-dragonball.toml.in
View File

@@ -118,9 +118,11 @@ default_memory = @DEFMEMSZ@
# > amount of physical RAM --> will be set to the actual amount of physical RAM
default_maxmemory = @DEFMAXMEMSZ@
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. DB only supports virtio-blk.
# Block device driver to be used by the hypervisor when a container's storage
# is backed by a block device or a file. This driver facilitates attaching the
# storage directly to the guest VM.
#
# DB only supports virtio-blk-mmio.
block_device_driver = "@DEFBLOCKSTORAGEDRIVER_DB@"
# This option changes the default hypervisor and kernel parameters

12
src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
View File

@@ -235,9 +235,15 @@ virtio_fs_extra_args = @DEFVIRTIOFSEXTRAARGS@
# Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
# Block device driver to be used by the hypervisor when a container's
# storage is backed by a block device or a file. This driver facilitates attaching
# the storage directly to the guest VM.
#
# Examples include:
# - virtio-blk-pci
# - virtio-blk-ccw
# - virtio-scsi
# - nvidmm
block_device_driver = "@DEFBLOCKSTORAGEDRIVER_QEMU@"
# aio is the I/O mechanism used by qemu

14
src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
View File

@@ -170,7 +170,7 @@ disable_block_device_use = @DEFDISABLEBLOCK@
# - virtio-9p
# - virtio-fs-nydus
# - none
shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
shared_fs = "@DEFSHAREDFS_QEMU_SEL_VIRTIOFS@"
# Path to vhost-user-fs daemon.
virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"
@@ -211,9 +211,15 @@ virtio_fs_extra_args = @DEFVIRTIOFSEXTRAARGS@
# Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
# Block device driver to be used by the hypervisor when a container's storage
# is backed by a block device or a file. This driver facilitates attaching the
# storage directly to the guest VM.
#
# Examples include:
# - virtio-blk-pci
# - virtio-blk-ccw
# - virtio-scsi
# - nvidmm
block_device_driver = "@DEFBLOCKSTORAGEDRIVER_QEMU@"
# aio is the I/O mechanism used by qemu

8
src/runtime-rs/config/configuration-rs-fc.toml.in
View File

@@ -112,9 +112,11 @@ memory_slots = @DEFMEMSLOTS@
# > amount of physical RAM --> will be set to the actual amount of physical RAM
default_maxmemory = @DEFMAXMEMSZ_FC@
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
# Block device driver to be used by the hypervisor when a container's storage
# is backed by a block device or a file. This driver facilitates attaching the
# storage directly to the guest VM.
#
# FC only supports virtio-blk-mmio.
block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
# Specifies cache-related options will be set to block devices or not.

2
src/runtime-rs/crates/hypervisor/Cargo.toml
View File

@@ -33,7 +33,6 @@ oci-spec = { workspace = true }
futures = "0.3.25"
safe-path = "0.1.0"
crossbeam-channel = "0.5.6"
tempdir = "0.3.7"
qapi = { version = "0.14", features = ["qmp", "async-tokio-all"] }
qapi-spec = "0.3.1"
qapi-qmp = "0.14.0"
@@ -77,6 +76,7 @@ cloud-hypervisor = ["ch-config"]
[dev-dependencies]
serial_test = "2.0.0"
tempfile = { workspace = true }
# Local dev-dependencies
# Force the CH tests to run, even when the feature is not enabled for

2
src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs
View File

@@ -109,6 +109,7 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
let fs = n.shared_fs_devices;
let net = n.network_devices;
let host_devices = n.host_devices;
let cpus = CpusConfig::try_from((cfg.cpu_info, guest_protection_to_use.clone()))
.map_err(VmConfigError::CPUError)?;
@@ -197,6 +198,7 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
payload,
fs,
net,
devices: host_devices,
pmem,
disks,
vsock: Some(vsock),

1
src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
View File

@@ -491,6 +491,7 @@ pub struct NamedHypervisorConfig {
pub shared_fs_devices: Option<Vec<FsConfig>>,
pub network_devices: Option<Vec<NetConfig>>,
pub host_devices: Option<Vec<DeviceConfig>>,
// Set to the available guest protection *iff* BOTH of the following
// conditions are true:

37
src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs
View File

@@ -61,6 +61,7 @@ impl CloudHypervisorInner {
match device {
DeviceType::ShareFs(_) => self.pending_devices.insert(0, device.clone()),
DeviceType::Network(_) => self.pending_devices.insert(0, device.clone()),
DeviceType::Vfio(_) => self.pending_devices.insert(0, device.clone()),
_ => {
debug!(
sl!(),
@@ -365,9 +366,14 @@ impl CloudHypervisorInner {
pub(crate) async fn get_shared_devices(
&mut self,
) -> Result<(Option<Vec<FsConfig>>, Option<Vec<NetConfig>>)> {
) -> Result<(
Option<Vec<FsConfig>>,
Option<Vec<NetConfig>>,
Option<Vec<DeviceConfig>>,
)> {
let mut shared_fs_devices = Vec::<FsConfig>::new();
let mut network_devices = Vec::<NetConfig>::new();
let mut host_devices = Vec::<DeviceConfig>::new();
while let Some(dev) = self.pending_devices.pop() {
match dev {
@@ -382,11 +388,38 @@ impl CloudHypervisorInner {
let net_config = NetConfig::try_from(net_device.config)?;
network_devices.push(net_config);
}
DeviceType::Vfio(vfio_device) => {
// A device with multi-funtions, or a IOMMU group with one more
// devices, the Primary device is selected to be passed to VM.
// And the the first one is Primary device.
// safe here, devices is not empty.
let primary_device = vfio_device.devices.first().ok_or(anyhow!(
"Primary device list empty for vfio device {:?}",
vfio_device
))?;
let primary_device = primary_device.clone();
let sysfsdev = primary_device.sysfs_path.clone();
let device_config = DeviceConfig {
path: PathBuf::from(sysfsdev),
iommu: false,
..Default::default()
};
info!(
sl!(),
"get host_devices primary device {:?}", primary_device
);
host_devices.push(device_config);
}
_ => continue,
}
}
Ok((Some(shared_fs_devices), Some(network_devices)))
Ok((
Some(shared_fs_devices),
Some(network_devices),
Some(host_devices),
))
}
}

8
src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
View File

@@ -185,8 +185,7 @@ impl CloudHypervisorInner {
}
async fn boot_vm(&mut self) -> Result<()> {
let (shared_fs_devices, network_devices) = self.get_shared_devices().await?;
let (shared_fs_devices, network_devices, host_devices) = self.get_shared_devices().await?;
let socket = self
.api_socket
.as_ref()
@@ -215,6 +214,7 @@ impl CloudHypervisorInner {
guest_protection_to_use: self.guest_protection_to_use.clone(),
shared_fs_devices,
network_devices,
host_devices,
};
let cfg = VmConfig::try_from(named_cfg)?;
@@ -1093,7 +1093,7 @@ mod tests {
use test_utils::{assert_result, skip_if_not_root};
use std::fs::File;
use tempdir::TempDir;
use tempfile::Builder;
fn set_fake_guest_protection(protection: Option<GuestProtection>) {
let existing_ref = FAKE_GUEST_PROTECTION.clone();
@@ -1486,7 +1486,7 @@ mod tests {
let path_dir = "/tmp/proc";
let file_name = "1";
let tmp_dir = TempDir::new(path_dir).unwrap();
let tmp_dir = Builder::new().prefix("proc").tempdir().unwrap();
let file_path = tmp_dir.path().join(file_name);
let _tmp_file = File::create(file_path.as_os_str()).unwrap();
let file_path_name = file_path.as_path().to_str().map(|s| s.to_string());

7
src/runtime-rs/crates/hypervisor/src/remote/inner.rs
View File

@@ -14,7 +14,8 @@ use kata_types::{
cri_containerd::{SANDBOX_NAMESPACE_LABEL_KEY, SANDBOX_NAME_LABEL_KEY},
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS, KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL,
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_MEMORY, KATA_ANNO_CFG_HYPERVISOR_DEFAULT_VCPUS,
KATA_ANNO_CFG_HYPERVISOR_IMAGE_PATH, KATA_ANNO_CFG_HYPERVISOR_MACHINE_TYPE,
KATA_ANNO_CFG_HYPERVISOR_IMAGE_PATH, KATA_ANNO_CFG_HYPERVISOR_INIT_DATA,
KATA_ANNO_CFG_HYPERVISOR_MACHINE_TYPE,
},
capabilities::{Capabilities, CapabilityBits},
};
@@ -125,6 +126,10 @@ impl RemoteInner {
KATA_ANNO_CFG_HYPERVISOR_IMAGE_PATH.to_string(),
config.boot_info.image.to_string(),
);
annotations.insert(
KATA_ANNO_CFG_HYPERVISOR_INIT_DATA.to_string(),
config.security_info.initdata.to_string(),
);
annotations.insert(
KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS.to_string(),
config.remote_info.default_gpus.to_string(),

45
src/runtime-rs/crates/resource/src/coco_data/initdata_block.rs
View File

@@ -6,7 +6,7 @@
use flate2::{Compression, GzBuilder};
use std::{
fmt, fs,
io::{self, BufWriter, Seek, Write},
io::{self, BufWriter, Write},
path::{Path, PathBuf},
};
use tempfile::NamedTempFile;
@@ -159,7 +159,7 @@ fn create_compressed_block(
writer.write_all(MAGIC_HEADER)?;
info!(sl!(), "Magic header written: {:?}", MAGIC_HEADER);
// 7. Configure compression level and initialize GZ writer
// 7. First compress data to get the actual compressed size
let compression =
compression_level.map_or(Compression::best(), |lvl| Compression::new(lvl.min(9)));
@@ -169,22 +169,24 @@ fn create_compressed_block(
compression.level()
);
let mut gz = GzBuilder::new()
.filename("initdata.toml") // Embed original filename metadata
.comment("Generated by Confidential Containers")
.write(writer, compression);
// Compress data to a temporary buffer first to get the compressed size
let mut compressed_data = Vec::new();
{
let mut gz = GzBuilder::new()
.filename("initdata.toml") // Embed original filename metadata
.comment("Generated by Confidential Containers")
.write(&mut compressed_data, compression);
// 8. Write data in chunks to avoid large memory allocation
let mut bytes_written = 0;
for chunk in initdata.as_bytes().chunks(buffer_size) {
bytes_written += gz.write(chunk)?;
// Write data in chunks to avoid large memory allocation
for chunk in initdata.as_bytes().chunks(buffer_size) {
gz.write_all(chunk)?;
}
// Finalize compression
gz.finish()?;
}
info!(sl!(), "written {} bytes", bytes_written);
// 9. Finalize compression and retrieve writer
let mut writer = gz.finish()?;
let compressed_size = writer.stream_position()?;
let compressed_size = compressed_data.len() as u64;
info!(
sl!(),
"Data compressed: {} -> {} bytes (ratio: {:.2}%)",
@@ -193,8 +195,19 @@ fn create_compressed_block(
(compressed_size as f64 / initdata_size as f64) * 100.0
);
// 8. Write compressed data length (8 bytes, little-endian)
writer.write_all(&compressed_size.to_le_bytes())?;
info!(
sl!(),
"Compressed data length written: {} bytes", compressed_size
);
// 9. Write compressed data
writer.write_all(&compressed_data)?;
info!(sl!(), "Compressed data written");
// 10. Calculate padding for sector alignment
let current_pos = compressed_size;
let current_pos = MAGIC_HEADER.len() as u64 + 8 + compressed_size; // magic + length + data
let padding = (SECTOR_SIZE - (current_pos % SECTOR_SIZE)) % SECTOR_SIZE;
// 11. Zero-byte padding using small blocks

24
src/runtime/Makefile
View File

@@ -106,7 +106,6 @@ GENERATED_VARS = \
CONFIG_QEMU_NVIDIA_GPU_IN \
CONFIG_QEMU_NVIDIA_GPU_SNP_IN \
CONFIG_QEMU_NVIDIA_GPU_TDX_IN \
CONFIG_QEMU_SEV_IN \
CONFIG_QEMU_TDX_IN \
CONFIG_QEMU_SNP_IN \
CONFIG_CLH_IN \
@@ -149,7 +148,6 @@ FIRMWAREVOLUMEPATH :=
FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT
FIRMWARETDVFVOLUMEPATH :=
FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
ROOTMEASURECONFIG ?= ""
@@ -174,8 +172,7 @@ HYPERVISORS := $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVISOR_CLH) $(HYPERVISO
QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"]
#QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD)
QEMUTDXPATH := PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT
QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD)
QEMUTDXVALIDHYPERVISORPATHS := [\"$(QEMUTDXPATH)\"]
QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT := 4050
@@ -238,12 +235,12 @@ DEFVALIDENTROPYSOURCES := [\"/dev/urandom\",\"/dev/random\",\"\"]
DEFDISABLEBLOCK := false
DEFSHAREDFS_CLH_VIRTIOFS := virtio-fs
DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs
# Please keep DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS in sync with TDX/SEV/SNP
# Please keep DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS in sync with TDX/SNP
DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS := none
DEFSHAREDFS_STRATOVIRT_VIRTIOFS := virtio-fs
DEFSHAREDFS_QEMU_TDX_VIRTIOFS := none
DEFSHAREDFS_QEMU_SEV_VIRTIOFS := none
DEFSHAREDFS_QEMU_SNP_VIRTIOFS := none
DEFSHAREDFS_QEMU_SEL_VIRTIOFS := none
DEFVIRTIOFSDAEMON := $(LIBEXECDIR)/virtiofsd
DEFVALIDVIRTIOFSDAEMONPATHS := [\"$(DEFVIRTIOFSDAEMON)\"]
# Default DAX mapping cache size in MiB
@@ -345,18 +342,6 @@ ifneq (,$(QEMUCMD))
CONFIGS += $(CONFIG_QEMU_TDX)
CONFIG_FILE_QEMU_SEV = configuration-qemu-sev.toml
CONFIG_QEMU_SEV = config/$(CONFIG_FILE_QEMU_SEV)
CONFIG_QEMU_SEV_IN = $(CONFIG_QEMU_SEV).in
CONFIG_PATH_QEMU_SEV = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_SEV))
CONFIG_PATHS += $(CONFIG_PATH_QEMU_SEV)
SYSCONFIG_QEMU_SEV = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SEV))
SYSCONFIG_PATHS_SEV += $(SYSCONFIG_QEMU_SEV)
CONFIGS += $(CONFIG_QEMU_SEV)
CONFIG_FILE_QEMU_SNP = configuration-qemu-snp.toml
CONFIG_QEMU_SNP = config/$(CONFIG_FILE_QEMU_SNP)
CONFIG_QEMU_SNP_IN = $(CONFIG_QEMU_SNP).in
@@ -660,7 +645,6 @@ USER_VARS += KERNELPATH_FC
USER_VARS += KERNELPATH_STRATOVIRT
USER_VARS += KERNELVIRTIOFSPATH
USER_VARS += FIRMWAREPATH
USER_VARS += FIRMWARESEVPATH
USER_VARS += FIRMWARETDVFPATH
USER_VARS += FIRMWAREVOLUMEPATH
USER_VARS += FIRMWARETDVFVOLUMEPATH
@@ -728,8 +712,8 @@ USER_VARS += DEFSHAREDFS_QEMU_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS
USER_VARS += DEFSHAREDFS_STRATOVIRT_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_TDX_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_SEV_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_SNP_VIRTIOFS
USER_VARS += DEFSHAREDFS_QEMU_SEL_VIRTIOFS
USER_VARS += DEFVIRTIOFSDAEMON
USER_VARS += DEFVALIDVIRTIOFSDAEMONPATHS
USER_VARS += DEFVIRTIOFSCACHESIZE

2
src/runtime/config/configuration-qemu-se.toml.in
View File

@@ -164,7 +164,7 @@ disable_block_device_use = @DEFDISABLEBLOCK@
# - virtio-fs (default)
# - virtio-9p
# - virtio-fs-nydus
shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
shared_fs = "@DEFSHAREDFS_QEMU_SEL_VIRTIOFS@"
# Path to vhost-user-fs daemon.
virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"

636
src/runtime/config/configuration-qemu-sev.toml.in
View File

@@ -1,636 +0,0 @@
# Copyright 2022 Advanced Micro Devices, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "@CONFIG_QEMU_SEV_IN@"
# XXX: Project:
# XXX: Name: @PROJECT_NAME@
# XXX: Type: @PROJECT_TYPE@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELCONFIDENTIALPATH@"
initrd = "@INITRDCONFIDENTIALPATH@"
machine_type = "@MACHINETYPE@"
# Enable confidential guest support.
# Toggling that setting may trigger different hardware features, ranging
# from memory encryption to both memory and CPU-state encryption and integrity.
# The Kata Containers runtime dynamically detects the available feature set and
# aims at enabling the largest possible one, returning an error if none is
# available, or none is supported by the hypervisor.
#
# Known limitations:
# * Does not work by design:
# - CPU Hotplug
# - Memory Hotplug
# - NVDIMM devices
#
# Default false
confidential_guest = true
# Enable running QEMU VMM as a non-root user.
# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
# a non-root random user. See documentation for the limitations of this mode.
# rootless = true
# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@
# List of valid annotations values for the hypervisor
# Each member of the list is a path pattern as described by glob(3).
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @QEMUVALIDHYPERVISORPATHS@
valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so as you
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty
firmware = "@FIRMWARESEVPATH@"
# Path to the firmware volume.
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
# can be customized per each user while UEFI code is kept same.
firmware_volume = "@FIRMWAREVOLUMEPATH@"
# Machine accelerators
# comma-separated list of machine accelerators to pass to the hypervisor.
# For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
machine_accelerators="@MACHINEACCELERATORS@"
# Qemu seccomp sandbox feature
# comma-separated list of seccomp sandbox features to control the syscall access.
# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
# Another note: enabling this feature may reduce performance, you may enable
# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
#seccompsandbox="@DEFSECCOMPSANDBOXPARAM@"
# CPU features
# comma-separated list of cpu features to pass to the cpu
# For example, `cpu_features = "pmu=off,vmx=off"
cpu_features="@CPUFEATURES@"
# Default number of vCPUs per SB/VM:
# unspecified or 0 --> will be set to @DEFVCPUS@
# < 0 --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores --> will be set to the actual number of physical cores
default_vcpus = 1
# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number
# of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores --> will be set to the actual number of physical cores or to the maximum number
# of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU
# the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what are you doing.
# NOTICE: on arm platform with gicv2 interrupt controller, set it to 8.
default_maxvcpus = @DEFMAXVCPUS@
# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Until 30 devices per bridge can be hot plugged.
# * Until 5 PCI bridges can be cold plugged per VM.
# This limitation could be a bug in qemu or in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0 --> will be set to @DEFBRIDGES@
# > 1 <= 5 --> will be set to the specified number
# > 5 --> will be set to 5
default_bridges = @DEFBRIDGES@
# Default memory size in MiB for SB/VM.
# If unspecified then it will be set @DEFMEMSZ@ MiB.
default_memory = @DEFMEMSZ@
#
# Default memory slots per SB/VM.
# If unspecified then it will be set @DEFMEMSLOTS@.
# This is will determine the times that memory will be hotadded to sandbox/VM.
#memory_slots = @DEFMEMSLOTS@
# Default maximum memory in MiB per SB / VM
# unspecified or == 0 --> will be set to the actual amount of physical RAM
# > 0 <= amount of physical RAM --> will be set to the specified number
# > amount of physical RAM --> will be set to the actual amount of physical RAM
default_maxmemory = @DEFMAXMEMSZ@
# The size in MiB will be plused to max memory of hypervisor.
# It is the memory address space for the NVDIMM device.
# If set block storage driver (block_device_driver) to "nvdimm",
# should set memory_offset to the size of block device.
# Default 0
#memory_offset = 0
# Specifies virtio-mem will be enabled or not.
# Please note that this option should be used with the command
# "echo 1 > /proc/sys/vm/overcommit_memory".
# Default false
#enable_virtio_mem = true
# Disable block device from being used for a container's rootfs.
# In case of a storage driver like devicemapper where a container's
# root file system is backed by a block device, the block device is passed
# directly to the hypervisor for performance reasons.
# This flag prevents the block device from being passed to the hypervisor,
# virtio-fs is used instead to pass the rootfs.
disable_block_device_use = @DEFDISABLEBLOCK@
# Shared file system type:
# - virtio-fs (default)
# - virtio-9p
# - virtio-fs-nydus
# - none
shared_fs = "@DEFSHAREDFS_QEMU_SEV_VIRTIOFS@"
# Path to vhost-user-fs daemon.
virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"
# List of valid annotations values for the virtiofs daemon
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @DEFVALIDVIRTIOFSDAEMONPATHS@
valid_virtio_fs_daemon_paths = @DEFVALIDVIRTIOFSDAEMONPATHS@
# Default size of DAX cache in MiB
virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@
# Extra args for virtiofsd daemon
#
# Format example:
# ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
# Examples:
# Set virtiofsd log level to debug : ["-o", "log_level=debug"] or ["-d"]
#
# see `virtiofsd -h` for possible options.
virtio_fs_extra_args = @DEFVIRTIOFSEXTRAARGS@
# Cache mode:
#
# - none
# Metadata, data, and pathname lookup are not cached in guest. They are
# always fetched from host and any changes are immediately pushed to host.
#
# - auto
# Metadata and pathname lookup cache expires after a configured amount of
# time (default is 1 second). Data is cached while the file is open (close
# to open consistency).
#
# - always
# Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "@DEFVIRTIOFSCACHE@"
# Block storage driver to be used for the hypervisor in case the container
# rootfs is backed by a block device. This is virtio-scsi, virtio-blk
# or nvdimm.
block_device_driver = "@DEFBLOCKSTORAGEDRIVER_QEMU@"
# Specifies cache-related options will be set to block devices or not.
# Default false
#block_device_cache_set = true
# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true
# Specifies cache-related options for block devices.
# Denotes whether flush requests for the device are ignored.
# Default false
#block_device_cache_noflush = true
# Enable iothreads (data-plane) to be used. This causes IO to be
# handled in a separate IO thread. This is currently only implemented
# for SCSI.
#
enable_iothreads = @DEFENABLEIOTHREADS@
# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true
# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true
# Enable vhost-user storage device, default false
# Enabling this will result in some Linux reserved block type
# major range 240-254 being chosen to represent vhost-user devices.
enable_vhost_user_store = @DEFENABLEVHOSTUSERSTORE@
# The base directory specifically used for vhost-user devices.
# Its sub-path "block" is used for block devices; "block/sockets" is
# where we expect vhost-user sockets to live; "block/devices" is where
# simulated block device nodes for vhost-user devices to live.
vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
# Enable vIOMMU, default false
# Enabling this will result in the VM having a vIOMMU device
# This will also add the following options to the kernel's
# command line: intel_iommu=on,iommu=pt
#enable_iommu = true
# Enable IOMMU_PLATFORM, default false
# Enabling this will result in the VM device having iommu_platform=on set
#enable_iommu_platform = true
# List of valid annotations values for the vhost user store path
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
# Enable file based guest memory support. The default is an empty string which
# will disable this feature. In the case of virtio-fs, this is enabled
# automatically and '/dev/shm' is used as the backing folder.
# This option will be ignored if VM templating is enabled.
#file_mem_backend = "@DEFFILEMEMBACKEND@"
# List of valid annotations values for the file_mem_backend annotation
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @DEFVALIDFILEMEMBACKENDS@
valid_file_mem_backends = @DEFVALIDFILEMEMBACKENDS@
# -pflash can add image file to VM. The arguments of it should be in format
# of ["/path/to/flash0.img", "/path/to/flash1.img"]
pflashes = []
# This option changes the default hypervisor and kernel parameters
# to enable debug output where available.
#
# Default false
#enable_debug = true
# Disable the customizations done in the runtime when it detects
# that it is running on top a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true
# This is the msize used for 9p shares. It is the number of bytes
# used for 9p packet payload.
#msize_9p = @DEFMSIZE9P@
# If false and nvdimm is supported, use nvdimm device to plug guest image.
# Otherwise virtio-block device is used.
#
# nvdimm is not supported when `confidential_guest = true`.
disable_image_nvdimm = @DEFDISABLEIMAGENVDIMM@
# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
# The value means the number of pcie_root_port
# Default 0
#pcie_root_port = 2
# If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off
# security (vhost-net runs ring0) for network I/O performance.
#disable_vhost_net = true
#
# Default entropy source.
# The path to a host source of entropy (including a real hardware RNG)
# /dev/urandom and /dev/random are two main options.
# Be aware that /dev/random is a blocking source of entropy. If the host
# runs out of entropy, the VMs boot time will increase leading to get startup
# timeouts.
# The source of entropy /dev/urandom is non-blocking and provides a
# generally acceptable source of entropy. It should work well for pretty much
# all practical purposes.
#entropy_source= "@DEFENTROPYSOURCE@"
# List of valid annotations values for entropy_source
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @DEFVALIDENTROPYSOURCES@
valid_entropy_sources = @DEFVALIDENTROPYSOURCES@
# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,poststart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered while scanning for hooks,
# but it will not abort container execution.
#guest_hook_path = "/usr/share/oci/hooks"
#
# Use rx Rate Limiter to control network I/O inbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) to discipline traffic.
# Default 0-sized value means unlimited rate.
#rx_rate_limiter_max_rate = 0
# Use tx Rate Limiter to control network I/O outbound bandwidth(size in bits/sec for SB/VM).
# In Qemu, we use classful qdiscs HTB(Hierarchy Token Bucket) and ifb(Intermediate Functional Block)
# to discipline traffic.
# Default 0-sized value means unlimited rate.
#tx_rate_limiter_max_rate = 0
# Set where to save the guest memory dump file.
# If set, when GUEST_PANICKED event occurred,
# guest memeory will be dumped to host filesystem under guest_memory_dump_path,
# This directory will be created automatically if it does not exist.
#
# The dumped file(also called vmcore) can be processed with crash or gdb.
#
# WARNING:
# Dump guests memory can take very long depending on the amount of guest memory
# and use much disk space.
#guest_memory_dump_path="/var/crash/kata"
# If enable paging.
# Basically, if you want to use "gdb" rather than "crash",
# or need the guest-virtual addresses in the ELF vmcore,
# then you should enable paging.
#
# See: https://www.qemu.org/docs/master/qemu-qmp-ref.html#Dump-guest-memory for details
#guest_memory_dump_paging=false
# Enable swap in the guest. Default false.
# When enable_guest_swap is enabled, insert a raw file to the guest as the swap device
# if the swappiness of a container (set by annotation "io.katacontainers.container.resource.swappiness")
# is bigger than 0.
# The size of the swap device should be
# swap_in_bytes (set by annotation "io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
# If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
# If swap_in_bytes and memory_limit_in_bytes is not set, the size should
# be default_memory.
#enable_guest_swap = true
# use legacy serial for guest console if available and implemented for architecture. Default false
#use_legacy_serial = true
# disable applying SELinux on the VMM process (default false)
disable_selinux=@DEFDISABLESELINUX@
# disable applying SELinux on the container process
# If set to false, the type `container_t` is applied to the container process by default.
# Note: To enable guest SELinux, the guest rootfs must be CentOS that is created and built
# with `SELINUX=yes`.
# (default: true)
disable_guest_selinux=@DEFDISABLEGUESTSELINUX@
[factory]
# VM templating support. Once enabled, new VMs are created from template
# using vm cloning. They will share the same initial kernel, initramfs and
# agent memory by mapping it readonly. It helps speeding up new container
# creation and saves a lot of memory if there are many kata containers running
# on the same host.
#
# When disabled, new VMs are created from scratch.
#
# Note: Requires "initrd=" to be set ("image=" is not supported).
#
# Default false
#enable_template = true
# Specifies the path of template.
#
# Default "/run/vc/vm/template"
#template_path = "/run/vc/vm/template"
# The number of caches of VMCache:
# unspecified or == 0 --> VMCache is disabled
# > 0 --> will be set to the specified number
#
# VMCache is a function that creates VMs as caches before using it.
# It helps speed up new container creation.
# The function consists of a server and some clients communicating
# through Unix socket. The protocol is gRPC in protocols/cache/cache.proto.
# The VMCache server will create some VMs and cache them by factory cache.
# It will convert the VM to gRPC format and transport it when gets
# requestion from clients.
# Factory grpccache is the VMCache client. It will request gRPC format
# VM and convert it back to a VM. If VMCache function is enabled,
# kata-runtime will request VM from factory grpccache when it creates
# a new sandbox.
#
# Default 0
#vm_cache_number = 0
# Specify the address of the Unix socket that is used by VMCache.
#
# Default /var/run/kata-containers/cache.sock
#vm_cache_endpoint = "/var/run/kata-containers/cache.sock"
[agent.@PROJECT_TYPE@]
# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true
# Enable agent tracing.
#
# If enabled, the agent will generate OpenTelemetry trace spans.
#
# Notes:
#
# - If the runtime also has tracing enabled, the agent spans will be
# associated with the appropriate runtime parent span.
# - If enabled, the runtime will wait for the container to shutdown,
# increasing the container shutdown time slightly.
#
# (default: disabled)
#enable_tracing = true
# Comma separated list of kernel modules and their parameters.
# These modules will be loaded in the guest kernel using modprobe(8).
# The following example can be used to load two kernel modules with parameters
# - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"]
# The first word is considered as the module name and the rest as its parameters.
# Container will not be started when:
# * A kernel module is specified and the modprobe command is not installed in the guest
# or it fails loading the module.
# * The module is not available in the guest or it doesn't met the guest kernel
# requirements, like architecture and version.
#
kernel_modules=[]
# Enable debug console.
# If enabled, user can connect guest OS running inside hypervisor
# through "kata-runtime exec <sandbox-id>" command
#debug_console_enabled = true
# Agent connection dialing timeout value in seconds
# (default: 90)
dial_timeout = 90
[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true
#
# Internetworking model
# Determines how the VM should be connected to the
# the container network interface
# Options:
#
# - macvtap
# Used when the Container network interface can be bridged using
# macvtap.
#
# - none
# Used when customize network. Only creates a tap device. No veth pair.
#
# - tcfilter
# Uses tc filter rules to redirect traffic from the network interface
# provided by plugin to a tap interface connected to the VM.
#
internetworking_model="@DEFNETWORKMODEL_QEMU@"
# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest
# (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
# so general users should not uncomment and apply it.
# (format: "user:role:type")
# Note: You cannot specify MCS policy with the label because the sensitivity levels and
# categories are determined automatically by high-level container runtimes such as containerd.
#guest_selinux_label="@DEFGUESTSELINUXLABEL@"
# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true
# Set the full url to the Jaeger HTTP Thrift collector.
# The default if not set will be "http://localhost:14268/api/traces"
#jaeger_endpoint = ""
# Sets the username to be used if basic auth is required for Jaeger.
#jaeger_user = ""
# Sets the password to be used if basic auth is required for Jaeger.
#jaeger_password = ""
# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# (default: false)
#disable_new_netns = true
# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# The sandbox cgroup is constrained if there is no container type annotation.
# See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
# If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
# this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
# when a hardware architecture or hypervisor solutions is utilized which does not support CPU and/or memory hotplug.
# Compatibility for determining appropriate sandbox (VM) size:
# - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
# does not yet support sandbox sizing annotations.
# - When running single containers using a tool like ctr, container sizing information will be available.
static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT_TEE@
# If specified, sandbox_bind_mounts identifieds host paths to be mounted (ro) into the sandboxes shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bindmounted into the shared fs directory.
# If defaults are utilized, these mounts should be available in the guest at `/run/kata-containers/shared/containers/sandbox-mounts`
# These will not be exposed to the container workloads, and are only provided for potential guest services.
sandbox_bind_mounts=@DEFBINDMOUNTS@
# VFIO Mode
# Determines how VFIO devices should be be presented to the container.
# Options:
#
# - vfio
# Matches behaviour of OCI runtimes (e.g. runc) as much as
# possible. VFIO devices will appear in the container as VFIO
# character devices under /dev/vfio. The exact names may differ
# from the host (they need to match the VM's IOMMU group numbers
# rather than the host's)
#
# - guest-kernel
# This is a Kata-specific behaviour that's useful in certain cases.
# The VFIO device is managed by whatever driver in the VM kernel
# claims it. This means it will appear as one or more device nodes
# or network interfaces depending on the nature of the device.
# Using this mode requires specially built workloads that know how
# to locate the relevant device interfaces within the VM.
#
vfio_mode="@DEFVFIOMODE@"
# If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
# be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
disable_guest_empty_dir=@DEFDISABLEGUESTEMPTYDIR@
# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# they may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# (default: [])
experimental=@DEFAULTEXPFEATURES@
# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# (default: false)
# enable_pprof = true
# Indicates the CreateContainer request timeout needed for the workload(s)
# It using guest_pull this includes the time to pull the image inside the guest
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
# Note: The effective timeout is determined by the lesser of two values: runtime-request-timeout from kubelet config
# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
# In essence, the timeout used for guest pull=runtime-request-timeout<create_container_timeout?runtime-request-timeout:create_container_timeout.
create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
# Base directory of directly attachable network config.
# Network devices for VM-based containers are allowed to be placed in the
# host netns to eliminate as many hops as possible, which is what we
# called a "Directly Attachable Network". The config, set by special CNI
# plugins, is used to tell the Kata containers what devices are attached
# to the hypervisor.
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"
# Enforce guest pull. This instructs the runtime to communicate to the agent via annotations that
# the container image should be pulled in the guest, without using an external snapshotter.
# This is an experimental feature and might be removed in the future.
experimental_force_guest_pull = @DEFFORCEGUESTPULL@

14
src/runtime/pkg/sev/README.md
View File

@@ -1,14 +0,0 @@
# AMD SEV confidential guest utilities
This package provides utilities for launching AMD SEV confidential guests.
## Calculating expected launch digests
The `CalculateLaunchDigest` function can be used to calculate the expected
SHA-256 of an SEV confidential guest given its firmware, kernel, initrd, and
kernel command-line.
### Unit test data
The [`testdata`](testdata) directory contains file used for testing
`CalculateLaunchDigest`.

33
src/runtime/pkg/sev/kbs/kbs.go
View File

@@ -1,33 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
//
// Package kbs can be used interact with simple-kbs, the key broker
// server for SEV and SEV-ES pre-attestation
package kbs
const (
Offline = "offline"
OfflineSecretType = "bundle"
OfflineSecretGuid = "e6f5a162-d67f-4750-a67c-5d065f2a9910"
Online = "online"
OnlineBootParam = "online_sev_kbc"
OnlineSecretType = "connection"
OnlineSecretGuid = "1ee27366-0c87-43a6-af48-28543eaf7cb0"
)
type GuestPreAttestationConfig struct {
Proxy string
Keyset string
LaunchId string
KernelPath string
InitrdPath string
FwPath string
KernelParameters string
CertChainPath string
SecretType string
SecretGuid string
Policy uint32
}

101
src/runtime/pkg/sev/ovmf.go
View File

@@ -1,101 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
package sev
import (
"bytes"
"encoding/binary"
"errors"
"os"
)
// GUID 96b582de-1fb2-45f7-baea-a366c55a082d
var ovmfTableFooterGuid = guidLE{0xde, 0x82, 0xb5, 0x96, 0xb2, 0x1f, 0xf7, 0x45, 0xba, 0xea, 0xa3, 0x66, 0xc5, 0x5a, 0x08, 0x2d}
// GUID 00f771de-1a7e-4fcb-890e-68c77e2fb44e
var sevEsResetBlockGuid = guidLE{0xde, 0x71, 0xf7, 0x00, 0x7e, 0x1a, 0xcb, 0x4f, 0x89, 0x0e, 0x68, 0xc7, 0x7e, 0x2f, 0xb4, 0x4e}
type ovmfFooterTableEntry struct {
Size uint16
Guid guidLE
}
type ovmf struct {
table map[guidLE][]byte
}
func NewOvmf(filename string) (ovmf, error) {
buf, err := os.ReadFile(filename)
if err != nil {
return ovmf{}, err
}
table, err := parseFooterTable(buf)
if err != nil {
return ovmf{}, err
}
return ovmf{table}, nil
}
// Parse the OVMF footer table and return a map from GUID to entry value
func parseFooterTable(data []byte) (map[guidLE][]byte, error) {
table := make(map[guidLE][]byte)
buf := new(bytes.Buffer)
err := binary.Write(buf, binary.LittleEndian, ovmfFooterTableEntry{})
if err != nil {
return table, err
}
entryHeaderSize := buf.Len()
// The OVMF table ends 32 bytes before the end of the firmware binary
startOfFooterTable := len(data) - 32 - entryHeaderSize
footerBytes := bytes.NewReader(data[startOfFooterTable:])
var footer ovmfFooterTableEntry
err = binary.Read(footerBytes, binary.LittleEndian, &footer)
if err != nil {
return table, err
}
if footer.Guid != ovmfTableFooterGuid {
// No OVMF footer table
return table, nil
}
tableSize := int(footer.Size) - entryHeaderSize
if tableSize < 0 {
return table, nil
}
tableBytes := data[(startOfFooterTable - tableSize):startOfFooterTable]
for len(tableBytes) >= entryHeaderSize {
tsize := len(tableBytes)
entryBytes := bytes.NewReader(tableBytes[tsize-entryHeaderSize:])
var entry ovmfFooterTableEntry
err := binary.Read(entryBytes, binary.LittleEndian, &entry)
if err != nil {
return table, err
}
if int(entry.Size) < entryHeaderSize {
return table, errors.New("Invalid entry size")
}
entryData := tableBytes[tsize-int(entry.Size) : tsize-entryHeaderSize]
table[entry.Guid] = entryData
tableBytes = tableBytes[:tsize-int(entry.Size)]
}
return table, nil
}
func (o *ovmf) tableItem(guid guidLE) ([]byte, error) {
value, ok := o.table[guid]
if !ok {
return []byte{}, errors.New("OVMF footer table entry not found")
}
return value, nil
}
func (o *ovmf) sevEsResetEip() (uint32, error) {
value, err := o.tableItem(sevEsResetBlockGuid)
if err != nil {
return 0, err
}
return binary.LittleEndian.Uint32(value), nil
}

203
src/runtime/pkg/sev/sev.go
View File

@@ -1,203 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
//
// Package sev can be used to compute the expected hash values for
// SEV/-ES pre-launch attestation
package sev
import (
"bytes"
"crypto/sha256"
"encoding/binary"
"io"
"os"
)
type guidLE [16]byte
// The following definitions must be identical to those in QEMU target/i386/sev.c
// GUID: 9438d606-4f22-4cc9-b479-a793d411fd21
var sevHashTableHeaderGuid = guidLE{0x06, 0xd6, 0x38, 0x94, 0x22, 0x4f, 0xc9, 0x4c, 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x11, 0xfd, 0x21}
// GUID: 4de79437-abd2-427f-b835-d5b172d2045b
var sevKernelEntryGuid = guidLE{0x37, 0x94, 0xe7, 0x4d, 0xd2, 0xab, 0x7f, 0x42, 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd2, 0x04, 0x5b}
// GUID: 44baf731-3a2f-4bd7-9af1-41e29169781d
var sevInitrdEntryGuid = guidLE{0x31, 0xf7, 0xba, 0x44, 0x2f, 0x3a, 0xd7, 0x4b, 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x69, 0x78, 0x1d}
// GUID: 97d02dd8-bd20-4c94-aa78-e7714d36ab2a
var sevCmdlineEntryGuid = guidLE{0xd8, 0x2d, 0xd0, 0x97, 0x20, 0xbd, 0x94, 0x4c, 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x36, 0xab, 0x2a}
type sevHashTableEntry struct {
entryGuid guidLE
length uint16
hash [sha256.Size]byte
}
type sevHashTable struct {
tableGuid guidLE
length uint16
cmdline sevHashTableEntry
initrd sevHashTableEntry
kernel sevHashTableEntry
}
type paddedSevHashTable struct {
table sevHashTable
padding [8]byte
}
func fileSha256(filename string) (res [sha256.Size]byte, err error) {
f, err := os.Open(filename)
if err != nil {
return res, err
}
defer f.Close()
digest := sha256.New()
if _, err := io.Copy(digest, f); err != nil {
return res, err
}
copy(res[:], digest.Sum(nil))
return res, nil
}
func constructSevHashesTable(kernelPath, initrdPath, cmdline string) ([]byte, error) {
kernelHash, err := fileSha256(kernelPath)
if err != nil {
return []byte{}, err
}
initrdHash, err := fileSha256(initrdPath)
if err != nil {
return []byte{}, err
}
cmdlineHash := sha256.Sum256(append([]byte(cmdline), 0))
buf := new(bytes.Buffer)
err = binary.Write(buf, binary.LittleEndian, sevHashTableEntry{})
if err != nil {
return []byte{}, err
}
entrySize := uint16(buf.Len())
buf = new(bytes.Buffer)
err = binary.Write(buf, binary.LittleEndian, sevHashTable{})
if err != nil {
return []byte{}, err
}
tableSize := uint16(buf.Len())
ht := paddedSevHashTable{
table: sevHashTable{
tableGuid: sevHashTableHeaderGuid,
length: tableSize,
cmdline: sevHashTableEntry{
entryGuid: sevCmdlineEntryGuid,
length: entrySize,
hash: cmdlineHash,
},
initrd: sevHashTableEntry{
entryGuid: sevInitrdEntryGuid,
length: entrySize,
hash: initrdHash,
},
kernel: sevHashTableEntry{
entryGuid: sevKernelEntryGuid,
length: entrySize,
hash: kernelHash,
},
},
padding: [8]byte{0, 0, 0, 0, 0, 0, 0, 0},
}
htBuf := new(bytes.Buffer)
err = binary.Write(htBuf, binary.LittleEndian, ht)
if err != nil {
return []byte{}, err
}
return htBuf.Bytes(), nil
}
// CalculateLaunchDigest returns the sha256 encoded SEV launch digest based off
// the current firmware, kernel, initrd, and the kernel cmdline
func CalculateLaunchDigest(firmwarePath, kernelPath, initrdPath, cmdline string) (res [sha256.Size]byte, err error) {
f, err := os.Open(firmwarePath)
if err != nil {
return res, err
}
defer f.Close()
digest := sha256.New()
if _, err := io.Copy(digest, f); err != nil {
return res, err
}
// When used for confidential containers in kata-containers, kernelPath
// is always set (direct boot). However, this current package can also
// be used by other programs which may calculate launch digests of
// arbitrary SEV guests without SEV kernel hashes table.
if kernelPath != "" {
ht, err := constructSevHashesTable(kernelPath, initrdPath, cmdline)
if err != nil {
return res, err
}
digest.Write(ht)
}
copy(res[:], digest.Sum(nil))
return res, nil
}
// CalculateSEVESLaunchDigest returns the sha256 encoded SEV-ES launch digest
// based off the current firmware, kernel, initrd, and the kernel cmdline, and
// the number of vcpus and their type
func CalculateSEVESLaunchDigest(vcpus int, vcpuSig VCPUSig, firmwarePath, kernelPath, initrdPath, cmdline string) (res [sha256.Size]byte, err error) {
f, err := os.Open(firmwarePath)
if err != nil {
return res, err
}
defer f.Close()
digest := sha256.New()
if _, err := io.Copy(digest, f); err != nil {
return res, err
}
// When used for confidential containers in kata-containers, kernelPath
// is always set (direct boot). However, this current package can also
// be used by other programs which may calculate launch digests of
// arbitrary SEV guests without SEV kernel hashes table.
if kernelPath != "" {
ht, err := constructSevHashesTable(kernelPath, initrdPath, cmdline)
if err != nil {
return res, err
}
digest.Write(ht)
}
o, err := NewOvmf(firmwarePath)
if err != nil {
return res, err
}
resetEip, err := o.sevEsResetEip()
if err != nil {
return res, err
}
v := vmsaBuilder{uint64(resetEip), vcpuSig}
for i := 0; i < vcpus; i++ {
vmsaPage, err := v.buildPage(i)
if err != nil {
return res, err
}
digest.Write(vmsaPage)
}
copy(res[:], digest.Sum(nil))
return res, nil
}

54
src/runtime/pkg/sev/sev_test.go
View File

@@ -1,54 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
package sev
import (
"encoding/hex"
"testing"
)
func TestCalculateLaunchDigestWithoutKernelHashes(t *testing.T) {
ld, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "", "", "")
if err != nil {
t.Fatalf("unexpected err value: %s", err)
}
hexld := hex.EncodeToString(ld[:])
if hexld != "b184e06e012366fd7b33ebfb361a515d05f00d354dca07b36abbc1e1e177ced5" {
t.Fatalf("wrong measurement: %s", hexld)
}
}
func TestCalculateLaunchDigestWithKernelHashes(t *testing.T) {
ld, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "")
if err != nil {
t.Fatalf("unexpected err value: %s", err)
}
hexld := hex.EncodeToString(ld[:])
if hexld != "d59d7696efd7facfaa653758586e6120c4b6eaec3e327771d278cc6a44786ba5" {
t.Fatalf("wrong measurement: %s", hexld)
}
}
func TestCalculateLaunchDigestWithKernelHashesSevEs(t *testing.T) {
ld, err := CalculateSEVESLaunchDigest(1, SigEpycV4, "testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "")
if err != nil {
t.Fatalf("unexpected err value: %s", err)
}
hexld := hex.EncodeToString(ld[:])
if hexld != "7e5c26fb454621eb466978b4d0242b3c04b44a034de7fc0a2d8dac60ea2b6403" {
t.Fatalf("wrong measurement: %s", hexld)
}
}
func TestCalculateLaunchDigestWithKernelHashesSevEsAndSmp(t *testing.T) {
ld, err := CalculateSEVESLaunchDigest(4, SigEpycV4, "testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "")
if err != nil {
t.Fatalf("unexpected err value: %s", err)
}
hexld := hex.EncodeToString(ld[:])
if hexld != "b2111b0051fc3a06ec216899b2c78da99fb9d56c6ff2e8261dd3fe6cff79ecbc" {
t.Fatalf("wrong measurement: %s", hexld)
}
}

9
src/runtime/pkg/sev/testdata/README.md vendored
View File

@@ -1,9 +0,0 @@
# sev/testdata
The `ovmf_suffix.bin` contains the last 4KB of the `OVMF.fd` binary from edk2's
`OvmfPkg/AmdSev/AmdSevX64.dsc` build. To save space, we committed only the
last 4KB instead of the the full 4MB binary.
The end of the file contains a GUIDed footer table with entries that hold the
SEV-ES AP reset vector address, which is needed in order to compute VMSAs for
SEV-ES guests.

BIN
src/runtime/pkg/sev/testdata/ovmf_suffix.bin vendored
View File

Binary file not shown.

76
src/runtime/pkg/sev/vcpu_sigs.go
View File

@@ -1,76 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
package sev
type VCPUSig uint64
const (
// 'EPYC': family=23, model=1, stepping=2
SigEpyc VCPUSig = 0x800f12
// 'EPYC-v1': family=23, model=1, stepping=2
SigEpycV1 VCPUSig = 0x800f12
// 'EPYC-v2': family=23, model=1, stepping=2
SigEpycV2 VCPUSig = 0x800f12
// 'EPYC-IBPB': family=23, model=1, stepping=2
SigEpycIBPB VCPUSig = 0x800f12
// 'EPYC-v3': family=23, model=1, stepping=2
SigEpycV3 VCPUSig = 0x800f12
// 'EPYC-v4': family=23, model=1, stepping=2
SigEpycV4 VCPUSig = 0x800f12
// 'EPYC-Rome': family=23, model=49, stepping=0
SigEpycRome VCPUSig = 0x830f10
// 'EPYC-Rome-v1': family=23, model=49, stepping=0
SigEpycRomeV1 VCPUSig = 0x830f10
// 'EPYC-Rome-v2': family=23, model=49, stepping=0
SigEpycRomeV2 VCPUSig = 0x830f10
// 'EPYC-Rome-v3': family=23, model=49, stepping=0
SigEpycRomeV3 VCPUSig = 0x830f10
// 'EPYC-Milan': family=25, model=1, stepping=1
SigEpycMilan VCPUSig = 0xa00f11
// 'EPYC-Milan-v1': family=25, model=1, stepping=1
SigEpycMilanV1 VCPUSig = 0xa00f11
// 'EPYC-Milan-v2': family=25, model=1, stepping=1
SigEpycMilanV2 VCPUSig = 0xa00f11
)
// NewVCPUSig computes the CPU signature (32-bit value) from the given family,
// model, and stepping.
//
// This computation is described in AMD's CPUID Specification, publication #25481
// https://www.amd.com/system/files/TechDocs/25481.pdf
// See section: CPUID Fn0000_0001_EAX Family, Model, Stepping Identifiers
func NewVCPUSig(family, model, stepping uint32) VCPUSig {
var family_low, family_high uint32
if family > 0xf {
family_low = 0xf
family_high = (family - 0x0f) & 0xff
} else {
family_low = family
family_high = 0
}
model_low := model & 0xf
model_high := (model >> 4) & 0xf
stepping_low := stepping & 0xf
return VCPUSig((family_high << 20) |
(model_high << 16) |
(family_low << 8) |
(model_low << 4) |
stepping_low)
}

21
src/runtime/pkg/sev/vcpu_sigs_test.go
View File

@@ -1,21 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
package sev
import (
"testing"
)
func TestNewVCPUSig(t *testing.T) {
if NewVCPUSig(23, 1, 2) != SigEpyc {
t.Errorf("wrong EPYC CPU signature")
}
if NewVCPUSig(23, 49, 0) != SigEpycRome {
t.Errorf("wrong EPYC-Rome CPU signature")
}
if NewVCPUSig(25, 1, 1) != SigEpycMilan {
t.Errorf("wrong EPYC-Milan CPU signature")
}
}

172
src/runtime/pkg/sev/vmsa.go
View File

@@ -1,172 +0,0 @@
// Copyright contributors to AMD SEV/-ES in Go
//
// SPDX-License-Identifier: Apache-2.0
package sev
import (
"bytes"
"encoding/binary"
)
// VMCB Segment (struct vmcb_seg in the linux kernel)
type vmcbSeg struct {
selector uint16
attrib uint16
limit uint32
base uint64
}
// VMSA page
//
// The names of the fields are taken from struct sev_es_work_area in the linux kernel:
// https://github.com/AMDESE/linux/blob/sev-snp-v12/arch/x86/include/asm/svm.h#L318
// (following the definitions in AMD APM Vol 2 Table B-4)
type sevEsSaveArea struct {
es vmcbSeg
cs vmcbSeg
ss vmcbSeg
ds vmcbSeg
fs vmcbSeg
gs vmcbSeg
gdtr vmcbSeg
ldtr vmcbSeg
idtr vmcbSeg
tr vmcbSeg
vmpl0_ssp uint64 // nolint: unused
vmpl1_ssp uint64 // nolint: unused
vmpl2_ssp uint64 // nolint: unused
vmpl3_ssp uint64 // nolint: unused
u_cet uint64 // nolint: unused
reserved_1 [2]uint8 // nolint: unused
vmpl uint8 // nolint: unused
cpl uint8 // nolint: unused
reserved_2 [4]uint8 // nolint: unused
efer uint64
reserved_3 [104]uint8 // nolint: unused
xss uint64 // nolint: unused
cr4 uint64
cr3 uint64 // nolint: unused
cr0 uint64
dr7 uint64
dr6 uint64
rflags uint64
rip uint64
dr0 uint64 // nolint: unused
dr1 uint64 // nolint: unused
dr2 uint64 // nolint: unused
dr3 uint64 // nolint: unused
dr0_addr_mask uint64 // nolint: unused
dr1_addr_mask uint64 // nolint: unused
dr2_addr_mask uint64 // nolint: unused
dr3_addr_mask uint64 // nolint: unused
reserved_4 [24]uint8 // nolint: unused
rsp uint64 // nolint: unused
s_cet uint64 // nolint: unused
ssp uint64 // nolint: unused
isst_addr uint64 // nolint: unused
rax uint64 // nolint: unused
star uint64 // nolint: unused
lstar uint64 // nolint: unused
cstar uint64 // nolint: unused
sfmask uint64 // nolint: unused
kernel_gs_base uint64 // nolint: unused
sysenter_cs uint64 // nolint: unused
sysenter_esp uint64 // nolint: unused
sysenter_eip uint64 // nolint: unused
cr2 uint64 // nolint: unused
reserved_5 [32]uint8 // nolint: unused
g_pat uint64
dbgctrl uint64 // nolint: unused
br_from uint64 // nolint: unused
br_to uint64 // nolint: unused
last_excp_from uint64 // nolint: unused
last_excp_to uint64 // nolint: unused
reserved_7 [80]uint8 // nolint: unused
pkru uint32 // nolint: unused
reserved_8 [20]uint8 // nolint: unused
reserved_9 uint64 // nolint: unused
rcx uint64 // nolint: unused
rdx uint64
rbx uint64 // nolint: unused
reserved_10 uint64 // nolint: unused
rbp uint64 // nolint: unused
rsi uint64 // nolint: unused
rdi uint64 // nolint: unused
r8 uint64 // nolint: unused
r9 uint64 // nolint: unused
r10 uint64 // nolint: unused
r11 uint64 // nolint: unused
r12 uint64 // nolint: unused
r13 uint64 // nolint: unused
r14 uint64 // nolint: unused
r15 uint64 // nolint: unused
reserved_11 [16]uint8 // nolint: unused
guest_exit_info_1 uint64 // nolint: unused
guest_exit_info_2 uint64 // nolint: unused
guest_exit_int_info uint64 // nolint: unused
guest_nrip uint64 // nolint: unused
sev_features uint64
vintr_ctrl uint64 // nolint: unused
guest_exit_code uint64 // nolint: unused
virtual_tom uint64 // nolint: unused
tlb_id uint64 // nolint: unused
pcpu_id uint64 // nolint: unused
event_inj uint64 // nolint: unused
xcr0 uint64
reserved_12 [16]uint8 // nolint: unused
x87_dp uint64 // nolint: unused
mxcsr uint32 // nolint: unused
x87_ftw uint16 // nolint: unused
x87_fsw uint16 // nolint: unused
x87_fcw uint16 // nolint: unused
x87_fop uint16 // nolint: unused
x87_ds uint16 // nolint: unused
x87_cs uint16 // nolint: unused
x87_rip uint64 // nolint: unused
fpreg_x87 [80]uint8 // nolint: unused
fpreg_xmm [256]uint8 // nolint: unused
fpreg_ymm [256]uint8 // nolint: unused
unused [2448]uint8 // nolint: unused
}
type vmsaBuilder struct {
apEIP uint64
vcpuSig VCPUSig
}
func (v *vmsaBuilder) buildPage(i int) ([]byte, error) {
eip := uint64(0xfffffff0) // BSP (first vcpu)
if i > 0 {
eip = v.apEIP
}
saveArea := sevEsSaveArea{
es: vmcbSeg{0, 0x93, 0xffff, 0},
cs: vmcbSeg{0xf000, 0x9b, 0xffff, eip & 0xffff0000},
ss: vmcbSeg{0, 0x93, 0xffff, 0},
ds: vmcbSeg{0, 0x93, 0xffff, 0},
fs: vmcbSeg{0, 0x93, 0xffff, 0},
gs: vmcbSeg{0, 0x93, 0xffff, 0},
gdtr: vmcbSeg{0, 0, 0xffff, 0},
idtr: vmcbSeg{0, 0, 0xffff, 0},
ldtr: vmcbSeg{0, 0x82, 0xffff, 0},
tr: vmcbSeg{0, 0x8b, 0xffff, 0},
efer: 0x1000, // KVM enables EFER_SVME
cr4: 0x40, // KVM enables X86_CR4_MCE
cr0: 0x10,
dr7: 0x400,
dr6: 0xffff0ff0,
rflags: 0x2,
rip: eip & 0xffff,
g_pat: 0x7040600070406, // PAT MSR: See AMD APM Vol 2, Section A.3
rdx: uint64(v.vcpuSig),
sev_features: 0, // SEV-ES
xcr0: 0x1,
}
page := new(bytes.Buffer)
err := binary.Write(page, binary.LittleEndian, saveArea)
if err != nil {
return []byte{}, err
}
return page.Bytes(), nil
}

8
src/runtime/virtcontainers/hypervisor_linux_amd64.go
View File

@@ -10,8 +10,6 @@ import "os"
const (
tdxKvmParameterPath = "/sys/module/kvm_intel/parameters/tdx"
sevKvmParameterPath = "/sys/module/kvm_amd/parameters/sev"
snpKvmParameterPath = "/sys/module/kvm_amd/parameters/sev_snp"
)
@@ -30,12 +28,6 @@ func availableGuestProtection() (guestProtection, error) {
return snpProtection, nil
}
}
// SEV is supported and enabled when the kvm module `sev` parameter is set to `1` (or `Y` for linux >= 5.12)
if _, err := os.Stat(sevKvmParameterPath); err == nil {
if c, err := os.ReadFile(sevKvmParameterPath); err == nil && len(c) > 0 && (c[0] == '1' || c[0] == 'Y') {
return sevProtection, nil
}
}
return noneProtection, nil
}

9
src/runtime/virtcontainers/pkg/rootless/rootless.go
View File

@@ -38,7 +38,10 @@ var (
// XDG_RUNTIME_DIR defines the base directory relative to
// which user-specific non-essential runtime files are stored.
rootlessDir = os.Getenv("XDG_RUNTIME_DIR")
rootlessDir string
// Used for lazy initialization of rootlessDir
rootlessDirOnce sync.Once
rootlessLog = logrus.WithFields(logrus.Fields{
"source": "rootless",
@@ -82,5 +85,9 @@ func isRootlessFunc() bool {
// GetRootlessDir returns the path to the location for rootless
// container and sandbox storage
func GetRootlessDir() string {
rootlessDirOnce.Do(func() {
rootlessDir = os.Getenv("XDG_RUNTIME_DIR")
rootlessLog.WithField("rootlessDir", rootlessDir).Debug("initialized rootlessDir")
})
return rootlessDir
}

2
src/tools/agent-ctl/Cargo.toml
View File

@@ -13,7 +13,7 @@ license = "Apache-2.0"
[dependencies]
protocols = { path = "../../libs/protocols", features = ["with-serde"] }
rustjail = { path = "../../agent/rustjail" }
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
clap = { version = "4.5.40", features = ["derive", "cargo"] }
lazy_static = "1.4.0"

434
src/tools/genpolicy/Cargo.lock generated
View File

@@ -158,8 +158,8 @@ dependencies = [
"pin-project-lite",
"rustversion",
"serde",
"sync_wrapper",
"tower",
"sync_wrapper 0.1.2",
"tower 0.4.13",
"tower-layer",
"tower-service",
]
@@ -266,9 +266,12 @@ checksum = "f61dac84819c6588b558454b194026eb1f09c293b9036ae9b159e74e73ab6cf9"
[[package]]
name = "cc"
version = "1.0.79"
version = "1.2.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
checksum = "d487aa071b5f64da6f19a3e848e3578944b726ee5a4854b82172f02aa876bfdc"
dependencies = [
"shlex",
]
[[package]]
name = "cfg-if"
@@ -357,7 +360,7 @@ dependencies = [
"tokio",
"tonic",
"tonic-build 0.9.2",
"tower",
"tower 0.4.13",
]
[[package]]
@@ -545,15 +548,26 @@ checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
[[package]]
name = "digest"
version = "0.10.6"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8168378f4e5023e7218c89c891c0fd8ecdb5e5e4f18cb78f38cf245dd021e76f"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]]
name = "displaydoc"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.58",
]
[[package]]
name = "doc-comment"
version = "0.3.3"
@@ -603,7 +617,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "976dd42dc7e85965fe702eb8164f21f450704bdde31faefd6471dba214cb594e"
dependencies = [
"libc",
"windows-sys 0.52.0",
"windows-sys 0.59.0",
]
[[package]]
@@ -679,11 +693,10 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]]
name = "form_urlencoded"
version = "1.0.1"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191"
checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
dependencies = [
"matches",
"percent-encoding",
]
@@ -805,7 +818,7 @@ dependencies = [
"tempfile",
"tokio",
"tonic",
"tower",
"tower 0.4.13",
"zerocopy",
]
@@ -1082,16 +1095,21 @@ dependencies = [
[[package]]
name = "hyper-util"
version = "0.1.10"
version = "0.1.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-channel",
"futures-core",
"futures-util",
"http 1.2.0",
"http-body 1.0.1",
"hyper 1.6.0",
"ipnet",
"libc",
"percent-encoding",
"pin-project-lite",
"socket2",
"tokio",
@@ -1122,6 +1140,92 @@ dependencies = [
"cc",
]
[[package]]
name = "icu_collections"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
dependencies = [
"displaydoc",
"potential_utf",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
name = "icu_locale_core"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
dependencies = [
"displaydoc",
"litemap",
"tinystr",
"writeable",
"zerovec",
]
[[package]]
name = "icu_normalizer"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
dependencies = [
"displaydoc",
"icu_collections",
"icu_normalizer_data",
"icu_properties",
"icu_provider",
"smallvec",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
[[package]]
name = "icu_properties"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
dependencies = [
"displaydoc",
"icu_collections",
"icu_locale_core",
"icu_properties_data",
"icu_provider",
"potential_utf",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
[[package]]
name = "icu_provider"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
dependencies = [
"displaydoc",
"icu_locale_core",
"stable_deref_trait",
"tinystr",
"writeable",
"yoke",
"zerofrom",
"zerotrie",
"zerovec",
]
[[package]]
name = "ident_case"
version = "1.0.1"
@@ -1130,13 +1234,23 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]]
name = "idna"
version = "0.2.3"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8"
checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
dependencies = [
"matches",
"unicode-bidi",
"unicode-normalization",
"idna_adapter",
"smallvec",
"utf8_iter",
]
[[package]]
name = "idna_adapter"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
dependencies = [
"icu_normalizer",
"icu_properties",
]
[[package]]
@@ -1171,9 +1285,19 @@ dependencies = [
[[package]]
name = "ipnet"
version = "2.7.1"
version = "2.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30e22bd8629359895450b59ea7a776c850561b96a3b1d31321c1949d9e6c9146"
checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
[[package]]
name = "iri-string"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
dependencies = [
"memchr",
"serde",
]
[[package]]
name = "is-terminal"
@@ -1290,9 +1414,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "libc"
version = "0.2.168"
version = "0.2.174"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
[[package]]
name = "libz-ng-sys"
@@ -1328,6 +1452,12 @@ version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
[[package]]
name = "litemap"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
[[package]]
name = "lock_api"
version = "0.4.12"
@@ -1344,12 +1474,6 @@ version = "0.4.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
[[package]]
name = "matches"
version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5"
[[package]]
name = "matchit"
version = "0.7.3"
@@ -1596,9 +1720,9 @@ dependencies = [
[[package]]
name = "percent-encoding"
version = "2.1.0"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]]
name = "petgraph"
@@ -1658,6 +1782,15 @@ version = "0.3.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
[[package]]
name = "potential_utf"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
dependencies = [
"zerovec",
]
[[package]]
name = "ppv-lite86"
version = "0.2.17"
@@ -2026,9 +2159,9 @@ dependencies = [
[[package]]
name = "reqwest"
version = "0.12.4"
version = "0.12.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "566cafdd92868e0939d3fb961bd0dc25fcfaaed179291093b3d43e6b3150ea10"
checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
dependencies = [
"base64 0.22.1",
"bytes",
@@ -2040,29 +2173,27 @@ dependencies = [
"hyper 1.6.0",
"hyper-tls",
"hyper-util",
"ipnet",
"js-sys",
"log",
"mime",
"native-tls",
"once_cell",
"percent-encoding",
"pin-project-lite",
"rustls-pemfile",
"rustls-pki-types",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"sync_wrapper 1.0.2",
"tokio",
"tokio-native-tls",
"tokio-util",
"tower 0.5.2",
"tower-http",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"wasm-streams",
"web-sys",
"winreg",
]
[[package]]
@@ -2108,16 +2239,7 @@ dependencies = [
"errno",
"libc",
"linux-raw-sys 0.9.4",
"windows-sys 0.52.0",
]
[[package]]
name = "rustls-pemfile"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
dependencies = [
"rustls-pki-types",
"windows-sys 0.59.0",
]
[[package]]
@@ -2281,6 +2403,12 @@ dependencies = [
"digest",
]
[[package]]
name = "shlex"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
[[package]]
name = "signal-hook-registry"
version = "1.4.2"
@@ -2324,14 +2452,20 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
[[package]]
name = "socket2"
version = "0.5.5"
version = "0.5.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7b5fac59a5cb5dd637972e5fca70daf0523c9067fcdc4842f053dae04a18f8e9"
checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
dependencies = [
"libc",
"windows-sys 0.48.0",
"windows-sys 0.52.0",
]
[[package]]
name = "stable_deref_trait"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
[[package]]
name = "strsim"
version = "0.11.1"
@@ -2359,9 +2493,9 @@ dependencies = [
[[package]]
name = "subtle"
version = "2.4.1"
version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
@@ -2391,6 +2525,26 @@ version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
[[package]]
name = "sync_wrapper"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
dependencies = [
"futures-core",
]
[[package]]
name = "synstructure"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.58",
]
[[package]]
name = "tar"
version = "0.4.41"
@@ -2430,7 +2584,7 @@ dependencies = [
"getrandom 0.3.2",
"once_cell",
"rustix 1.0.7",
"windows-sys 0.52.0",
"windows-sys 0.59.0",
]
[[package]]
@@ -2468,6 +2622,16 @@ dependencies = [
"syn 2.0.58",
]
[[package]]
name = "tinystr"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
dependencies = [
"displaydoc",
"zerovec",
]
[[package]]
name = "tinyvec"
version = "1.6.0"
@@ -2545,16 +2709,15 @@ dependencies = [
[[package]]
name = "tokio-util"
version = "0.7.7"
version = "0.7.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5427d89453009325de0d8f342c9490009f76e999cb7672d77e46267448f7e6b2"
checksum = "66a539a9ad6d5d281510d5bd368c973d636c02dbf8a67300bfb6b950696ad7df"
dependencies = [
"bytes",
"futures-core",
"futures-sink",
"pin-project-lite",
"tokio",
"tracing",
]
[[package]]
@@ -2579,7 +2742,7 @@ dependencies = [
"prost 0.11.9",
"tokio",
"tokio-stream",
"tower",
"tower 0.4.13",
"tower-layer",
"tower-service",
"tracing",
@@ -2632,16 +2795,49 @@ dependencies = [
]
[[package]]
name = "tower-layer"
version = "0.3.2"
name = "tower"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c20c8dbed6283a09604c3e69b4b7eeb54e298b8a600d4d5ecb5ad39de609f1d0"
checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
dependencies = [
"futures-core",
"futures-util",
"pin-project-lite",
"sync_wrapper 1.0.2",
"tokio",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-http"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
dependencies = [
"bitflags 2.4.1",
"bytes",
"futures-util",
"http 1.2.0",
"http-body 1.0.1",
"iri-string",
"pin-project-lite",
"tower 0.5.2",
"tower-layer",
"tower-service",
]
[[package]]
name = "tower-layer"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
[[package]]
name = "tower-service"
version = "0.3.2"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
[[package]]
name = "tracing"
@@ -2743,12 +2939,6 @@ dependencies = [
"version_check",
]
[[package]]
name = "unicode-bidi"
version = "0.3.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d54675592c1dbefd78cbd98db9bacd89886e1ca50692a0692baefffdeb92dd58"
[[package]]
name = "unicode-ident"
version = "1.0.7"
@@ -2772,15 +2962,21 @@ checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
[[package]]
name = "url"
version = "2.3.0"
version = "2.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22fe195a4f217c25b25cb5058ced57059824a678474874038dc88d211bf508d3"
checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
dependencies = [
"form_urlencoded",
"idna",
"percent-encoding",
]
[[package]]
name = "utf8_iter"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
[[package]]
name = "utf8parse"
version = "0.2.2"
@@ -3208,16 +3404,6 @@ version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
[[package]]
name = "winreg"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a277a57398d4bfa075df44f501a17cfdf8542d224f0d36095a2adc7aee4ef0a5"
dependencies = [
"cfg-if",
"windows-sys 0.48.0",
]
[[package]]
name = "wit-bindgen-rt"
version = "0.39.0"
@@ -3227,6 +3413,12 @@ dependencies = [
"bitflags 2.4.1",
]
[[package]]
name = "writeable"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
[[package]]
name = "xattr"
version = "1.3.1"
@@ -3247,6 +3439,30 @@ dependencies = [
"linked-hash-map",
]
[[package]]
name = "yoke"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
dependencies = [
"serde",
"stable_deref_trait",
"yoke-derive",
"zerofrom",
]
[[package]]
name = "yoke-derive"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.58",
"synstructure",
]
[[package]]
name = "zerocopy"
version = "0.6.1"
@@ -3267,3 +3483,57 @@ dependencies = [
"quote",
"syn 1.0.109",
]
[[package]]
name = "zerofrom"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
dependencies = [
"zerofrom-derive",
]
[[package]]
name = "zerofrom-derive"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.58",
"synstructure",
]
[[package]]
name = "zerotrie"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
dependencies = [
"displaydoc",
"yoke",
"zerofrom",
]
[[package]]
name = "zerovec"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
dependencies = [
"yoke",
"zerofrom",
"zerovec-derive",
]
[[package]]
name = "zerovec-derive"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.58",
]

2
src/tools/genpolicy/Cargo.toml
View File

@@ -52,7 +52,7 @@ serde-transcode = "1.1.1"
tokio = { version = "1.38.0", features = ["rt-multi-thread"] }
# OCI container specs.
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
# Kata Agent protocol.
protocols = { path = "../../libs/protocols", features = ["with-serde"] }

282
src/tools/kata-ctl/Cargo.lock generated
View File

@@ -669,6 +669,17 @@ dependencies = [
"winapi",
]
[[package]]
name = "displaydoc"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.39",
]
[[package]]
name = "downcast"
version = "0.11.0"
@@ -1141,6 +1152,92 @@ dependencies = [
"cc",
]
[[package]]
name = "icu_collections"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
dependencies = [
"displaydoc",
"potential_utf",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
name = "icu_locale_core"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
dependencies = [
"displaydoc",
"litemap",
"tinystr",
"writeable",
"zerovec",
]
[[package]]
name = "icu_normalizer"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
dependencies = [
"displaydoc",
"icu_collections",
"icu_normalizer_data",
"icu_properties",
"icu_provider",
"smallvec",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
[[package]]
name = "icu_properties"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
dependencies = [
"displaydoc",
"icu_collections",
"icu_locale_core",
"icu_properties_data",
"icu_provider",
"potential_utf",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
[[package]]
name = "icu_provider"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
dependencies = [
"displaydoc",
"icu_locale_core",
"stable_deref_trait",
"tinystr",
"writeable",
"yoke",
"zerofrom",
"zerotrie",
"zerovec",
]
[[package]]
name = "ident_case"
version = "1.0.1"
@@ -1149,12 +1246,23 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]]
name = "idna"
version = "0.5.0"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6"
checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
dependencies = [
"unicode-bidi",
"unicode-normalization",
"idna_adapter",
"smallvec",
"utf8_iter",
]
[[package]]
name = "idna_adapter"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
dependencies = [
"icu_normalizer",
"icu_properties",
]
[[package]]
@@ -1402,6 +1510,12 @@ version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
[[package]]
name = "litemap"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
[[package]]
name = "lock_api"
version = "0.4.11"
@@ -1874,6 +1988,15 @@ version = "0.3.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"
[[package]]
name = "potential_utf"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
dependencies = [
"zerovec",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
@@ -2310,9 +2433,9 @@ dependencies = [
[[package]]
name = "reqwest"
version = "0.11.22"
version = "0.11.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "046cd98826c46c2ac8ddecae268eb5c2e58628688a5fc7a2643704a73faba95b"
checksum = "dd67538700a17451e7cba03ac727fb961abb7607553461627b97de0b89cf4a62"
dependencies = [
"base64 0.21.5",
"bytes",
@@ -2338,6 +2461,7 @@ dependencies = [
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"system-configuration",
"tokio",
"tokio-native-tls",
@@ -2840,9 +2964,9 @@ dependencies = [
[[package]]
name = "smallvec"
version = "1.11.2"
version = "1.15.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970"
checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
[[package]]
name = "socket2"
@@ -2854,6 +2978,12 @@ dependencies = [
"windows-sys 0.48.0",
]
[[package]]
name = "stable_deref_trait"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
[[package]]
name = "strsim"
version = "0.11.1"
@@ -2942,6 +3072,23 @@ dependencies = [
"syn 2.0.39",
]
[[package]]
name = "sync_wrapper"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
[[package]]
name = "synstructure"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.39",
]
[[package]]
name = "sys-info"
version = "0.9.1"
@@ -3096,6 +3243,16 @@ dependencies = [
"time-core",
]
[[package]]
name = "tinystr"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
dependencies = [
"displaydoc",
"zerovec",
]
[[package]]
name = "tinyvec"
version = "1.6.0"
@@ -3312,27 +3469,12 @@ version = "1.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
[[package]]
name = "unicode-bidi"
version = "0.3.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
[[package]]
name = "unicode-ident"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
[[package]]
name = "unicode-normalization"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
dependencies = [
"tinyvec",
]
[[package]]
name = "unicode-segmentation"
version = "1.10.1"
@@ -3353,9 +3495,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]]
name = "url"
version = "2.5.0"
version = "2.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633"
checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
dependencies = [
"form_urlencoded",
"idna",
@@ -3368,6 +3510,12 @@ version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
[[package]]
name = "utf8_iter"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
[[package]]
name = "utf8parse"
version = "0.2.1"
@@ -3856,6 +4004,12 @@ dependencies = [
"bitflags 2.9.0",
]
[[package]]
name = "writeable"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
[[package]]
name = "wyz"
version = "0.5.1"
@@ -3864,3 +4018,81 @@ checksum = "05f360fc0b24296329c78fda852a1e9ae82de9cf7b27dae4b7f62f118f77b9ed"
dependencies = [
"tap",
]
[[package]]
name = "yoke"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
dependencies = [
"serde",
"stable_deref_trait",
"yoke-derive",
"zerofrom",
]
[[package]]
name = "yoke-derive"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.39",
"synstructure",
]
[[package]]
name = "zerofrom"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
dependencies = [
"zerofrom-derive",
]
[[package]]
name = "zerofrom-derive"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.39",
"synstructure",
]
[[package]]
name = "zerotrie"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
dependencies = [
"displaydoc",
"yoke",
"zerofrom",
]
[[package]]
name = "zerovec"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
dependencies = [
"yoke",
"zerofrom",
"zerovec-derive",
]
[[package]]
name = "zerovec-derive"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.39",
]

22
src/tools/kata-ctl/Cargo.toml
View File

@@ -22,17 +22,17 @@ nix = "0.25.0"
strum = "0.24.1"
strum_macros = "0.24.3"
serde = { version = "1.0.149", features = ["derive"] }
url = "2.3.1"
url = "2.5.4"
futures = "0.3.24"
base64 = "0.13.0"
toml = "0.5.8"
sys-info = "0.9.1"
shim-interface = { path = "../../libs/shim-interface"}
shim-interface = { path = "../../libs/shim-interface" }
kata-types = { path = "../../libs/kata-types" }
kata-sys-util = { path = "../../../src/libs/kata-sys-util/" }
safe-path = { path = "../../libs/safe-path" }
agent = { path = "../../runtime-rs/crates/agent"}
agent = { path = "../../runtime-rs/crates/agent" }
serial_test = "0.5.1"
vmm-sys-util = "0.11.0"
epoll = "4.0.1"
@@ -54,16 +54,24 @@ lazy_static = "1.2"
# for log-parser
serde_yaml = "0.9"
ron = "0.8"
quick-xml = { version = "0.28", features = ["serialize"]}
quick-xml = { version = "0.28", features = ["serialize"] }
csv = "1.2"
serde_with = "2.3"
chrono = { version = "0.4", features = ["serde"]}
chrono = { version = "0.4", features = ["serde"] }
[target.'cfg(target_arch = "s390x")'.dependencies]
reqwest = { version = "0.11", default-features = false, features = ["json", "blocking", "native-tls"] }
reqwest = { version = "0.11", default-features = false, features = [
"json",
"blocking",
"native-tls",
] }
[target.'cfg(not(target_arch = "s390x"))'.dependencies]
reqwest = { version = "0.11", default-features = false, features = ["json", "blocking", "rustls-tls"] }
reqwest = { version = "0.11", default-features = false, features = [
"json",
"blocking",
"rustls-tls",
] }
[dev-dependencies]
semver = "1.0.12"

2
src/tools/kata-ctl/src/check.rs
View File

@@ -470,7 +470,7 @@ mod tests {
},
TestData {
test_url: "http://localhost :80",
expected: "builder error: invalid domain character",
expected: "builder error: invalid international domain name",
},
];

2
src/tools/runk/Cargo.toml
View File

@@ -12,7 +12,7 @@ rustjail = { path = "../../agent/rustjail", features = [
"standard-oci-runtime",
] }
runtime-spec = { path = "../../libs/runtime-spec" }
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
logging = { path = "../../libs/logging" }
liboci-cli = "0.0.4"
clap = { version = "4.5.40", features = ["derive", "cargo"] }

8
src/tools/runk/libcontainer/Cargo.toml
View File

@@ -7,9 +7,11 @@ license = "Apache-2.0"
edition = "2018"
[dependencies]
rustjail = { path = "../../../agent/rustjail", features = ["standard-oci-runtime"] }
rustjail = { path = "../../../agent/rustjail", features = [
"standard-oci-runtime",
] }
runtime-spec = { path = "../../../libs/runtime-spec" }
oci-spec = { version = "0.6.8", features = ["runtime"] }
oci-spec = { version = "0.8.1", features = ["runtime"] }
kata-sys-util = { path = "../../../libs/kata-sys-util" }
logging = { path = "../../../libs/logging" }
derive_builder = "0.10.2"
@@ -27,4 +29,4 @@ procfs = "0.14.0"
[dev-dependencies]
tempfile = "3.19.1"
test-utils = { path = "../../../libs/test-utils" }
protocols = { path ="../../../libs/protocols" }
protocols = { path = "../../../libs/protocols" }

2
src/tools/runk/src/commands/list.rs
View File

@@ -13,7 +13,7 @@ use std::fmt::Write as _;
use std::{fs, os::unix::prelude::MetadataExt, path::Path};
use std::{io, io::Write};
use tabwriter::TabWriter;
use users::get_user_by_uid;
use uzers::get_user_by_uid;
pub fn run(_: List, root: &Path, logger: &Logger) -> Result<()> {
let mut content = String::new();

265
src/tools/trace-forwarder/Cargo.lock generated
View File

@@ -2,6 +2,21 @@
# It is not intended for manual editing.
version = 4
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]]
name = "ansi_term"
version = "0.12.1"
@@ -137,16 +152,16 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "chrono"
version = "0.4.20"
version = "0.4.41"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6127248204b9aba09a362f6c930ef6a78f2c1b2215f8a7b398c06e1083f17af0"
checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-integer",
"num-traits",
"time 0.1.43",
"wasm-bindgen",
"winapi",
"windows-link",
]
[[package]]
@@ -176,12 +191,28 @@ version = "0.7.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675"
[[package]]
name = "codespan-reporting"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e"
dependencies = [
"termcolor",
"unicode-width",
]
[[package]]
name = "colorchoice"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
[[package]]
name = "core-foundation-sys"
version = "0.8.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
[[package]]
name = "crossbeam-channel"
version = "0.5.15"
@@ -197,6 +228,50 @@ version = "0.8.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
[[package]]
name = "cxx"
version = "1.0.97"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e88abab2f5abbe4c56e8f1fb431b784d710b709888f35755a160e62e33fe38e8"
dependencies = [
"cc",
"cxxbridge-flags",
"cxxbridge-macro",
"link-cplusplus",
]
[[package]]
name = "cxx-build"
version = "1.0.97"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c0c11acd0e63bae27dcd2afced407063312771212b7a823b4fd72d633be30fb"
dependencies = [
"cc",
"codespan-reporting",
"once_cell",
"proc-macro2",
"quote",
"scratch",
"syn 2.0.33",
]
[[package]]
name = "cxxbridge-flags"
version = "1.0.97"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8d3816ed957c008ccd4728485511e3d9aaf7db419aa321e3d2c5a2f3411e36c8"
[[package]]
name = "cxxbridge-macro"
version = "1.0.97"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a26acccf6f445af85ea056362561a24ef56cdc15fcc685f03aec50b9c702cb6d"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.33",
]
[[package]]
name = "deranged"
version = "0.3.11"
@@ -375,6 +450,31 @@ version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
[[package]]
name = "iana-time-zone"
version = "0.1.63"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"log",
"wasm-bindgen",
"windows-core",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0703ae284fc167426161c2e3f1da3ea71d94b21bedbcc9494e92b28e334e3dca"
dependencies = [
"cxx",
"cxx-build",
]
[[package]]
name = "integer-encoding"
version = "1.1.7"
@@ -406,10 +506,11 @@ checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
[[package]]
name = "js-sys"
version = "0.3.55"
version = "0.3.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7cc9ffccd38c451a86bf13657df244e9c3f37493cce8e5e21e940963777acc84"
checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
dependencies = [
"once_cell",
"wasm-bindgen",
]
@@ -450,6 +551,15 @@ version = "0.2.172"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "link-cplusplus"
version = "1.0.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a6f6da007f968f9def0d65a05b187e2960183de70c160204ecfccf0ee330212"
dependencies = [
"cc",
]
[[package]]
name = "linux-raw-sys"
version = "0.9.4"
@@ -513,16 +623,6 @@ version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
[[package]]
name = "num-integer"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db"
dependencies = [
"autocfg",
"num-traits",
]
[[package]]
name = "num-traits"
version = "0.2.14"
@@ -792,6 +892,12 @@ version = "1.0.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
[[package]]
name = "scratch"
version = "1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f6280af86e5f559536da57a45ebc84948833b3bee313a7dd25232e09c878a52"
[[package]]
name = "serde"
version = "1.0.188"
@@ -889,7 +995,7 @@ dependencies = [
"slog",
"term",
"thread_local",
"time 0.3.37",
"time",
]
[[package]]
@@ -956,6 +1062,15 @@ dependencies = [
"winapi",
]
[[package]]
name = "termcolor"
version = "1.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755"
dependencies = [
"winapi-util",
]
[[package]]
name = "thiserror"
version = "1.0.30"
@@ -1007,16 +1122,6 @@ dependencies = [
"threadpool",
]
[[package]]
name = "time"
version = "0.1.43"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "time"
version = "0.3.37"
@@ -1124,6 +1229,12 @@ version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
[[package]]
name = "unicode-width"
version = "0.1.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af"
[[package]]
name = "unicode-xid"
version = "0.2.2"
@@ -1169,34 +1280,35 @@ dependencies = [
[[package]]
name = "wasm-bindgen"
version = "0.2.78"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "632f73e236b219150ea279196e54e610f5dbafa5d61786303d4da54f84e47fce"
checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
dependencies = [
"cfg-if",
"once_cell",
"rustversion",
"wasm-bindgen-macro",
]
[[package]]
name = "wasm-bindgen-backend"
version = "0.2.78"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a317bf8f9fba2476b4b2c85ef4c4af8ff39c3c7f0cdfeed4f82c34a880aa837b"
checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
dependencies = [
"bumpalo",
"lazy_static",
"log",
"proc-macro2",
"quote",
"syn 1.0.82",
"syn 2.0.33",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
version = "0.2.78"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d56146e7c495528bf6587663bea13a8eb588d39b36b679d83972e1a2dbbdacf9"
checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
@@ -1204,22 +1316,25 @@ dependencies = [
[[package]]
name = "wasm-bindgen-macro-support"
version = "0.2.78"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7803e0eea25835f8abdc585cd3021b3deb11543c6fe226dcd30b228857c5c5ab"
checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
dependencies = [
"proc-macro2",
"quote",
"syn 1.0.82",
"syn 2.0.33",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
version = "0.2.78"
version = "0.2.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0237232789cf037d5480773fe568aac745bfe2afbc11a863e97901780a6b47cc"
checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
dependencies = [
"unicode-ident",
]
[[package]]
name = "winapi"
@@ -1237,12 +1352,80 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-util"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
dependencies = [
"windows-sys",
]
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-core"
version = "0.61.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
dependencies = [
"windows-implement",
"windows-interface",
"windows-link",
"windows-result",
"windows-strings",
]
[[package]]
name = "windows-implement"
version = "0.60.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.33",
]
[[package]]
name = "windows-interface"
version = "0.59.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.33",
]
[[package]]
name = "windows-link"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
[[package]]
name = "windows-result"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
dependencies = [
"windows-link",
]
[[package]]
name = "windows-strings"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
dependencies = [
"windows-link",
]
[[package]]
name = "windows-sys"
version = "0.59.0"

2
tests/functional/kata-deploy/kata-deploy.bats
View File

@@ -91,7 +91,7 @@ setup() {
teardown() {
pushd "${repo_root_dir}"
helm uninstall --namespace=kube-system kata-deploy --wait
helm uninstall --namespace=kube-system kata-deploy
kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
popd

85
tests/gha-helper.sh Executable file
View File

@@ -0,0 +1,85 @@
#!/usr/bin/env bash
#
# Copyright (c) 2025 IBM Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o nounset
set -o pipefail
[[ -n "${DEBUG:-}" ]] && set -o xtrace
function trigger_and_check_workflow() {
workflow=$1
ref=$2
sha=$3
input_json=$4
trigger_workflow "${workflow}" "${ref}" "${sha}" "${input_json}"
wait_for_workflow_result "${workflow}" "${sha}"
}
function trigger_workflow() {
workflow=$1
ref=$2
sha=$3
input_json=$4
echo "${input_json}" | gh workflow run "${workflow}" --ref "${ref}" --json
local max_tries=5
local interval=15
local i=0
echo "::group::waiting"
while true; do
url=$(gh run list --workflow="${workflow}" --json headSha,url \
--jq '.[] | select(.headSha == "'"${sha}"'") | .url')
[[ -n "${url}" ]] && break
i=$((i + 1))
[ ${i} -lt ${max_tries} ] && echo "url of workflow not found, retrying in ${interval} seconds" 1>&2 || break
sleep "${interval}"
done
echo "::endgroup::"
echo "Triggered workflow: ${url}"
}
function wait_for_workflow_result() {
workflow=$1
sha=$2
local max_tries=60
local interval=120
local i=0
echo "::group::waiting"
while true; do
conclusion=$(gh run list --workflow="${workflow}" --json headSha,conclusion \
--jq '.[] | select(.headSha == "'"${sha}"'") | .conclusion')
case "${conclusion}" in
"success") echo "::endgroup::\nJob finished successfully" && exit 0;;
"cancelled") echo "::endgroup::\nJJob cancelled" && exit 4;;
"failure") echo "::endgroup::\nJJob failed" && exit 8;;
*) ;;
esac
i=$((i + 1))
[ ${i} -lt ${max_tries} ] && echo "conclusion of workflow is ${conclusion}, retrying in ${interval} seconds" 1>&2 || break
sleep "${interval}"
done
echo "Waiting for the workflow to succeed timed out"
exit 16
}
function main() {
action="${1:-}"
case "${action}" in
trigger-workflow) trigger_workflow "${@:2}";;
trigger-and-check-workflow) trigger_and_check_workflow "${@:2}";;
wait-for-workflow-result) wait_for_workflow_result "${@:2}";;
*) >&2 echo "Invalid argument"; exit 2 ;;
esac
}
main "$@"

25
tests/gha-run-k8s-common.sh
View File

@@ -31,6 +31,7 @@ KATA_HOST_OS="${KATA_HOST_OS:-}"
KUBERNETES="${KUBERNETES:-}"
K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}"
TEST_CLUSTER_NAMESPACE="${TEST_CLUSTER_NAMESPACE:-}"
CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-containerd}"
function _print_instance_type() {
case "${K8S_TEST_HOST_TYPE}" in
@@ -135,10 +136,6 @@ function install_bats() {
sudo add-apt-repository --remove 'deb http://archive.ubuntu.com/ubuntu/ noble universe'
}
function install_kubectl() {
sudo az aks install-cli
}
# Install the kustomize tool in /usr/local/bin if it doesn't exist on
# the system yet.
#
@@ -196,16 +193,20 @@ function get_nodes_and_pods_info() {
}
function deploy_k0s() {
url=$(get_from_kata_deps ".externals.k0s.url")
k0s_version_param=""
version=$(get_from_kata_deps ".externals.k0s.version")
if [[ -n "${version}" ]]; then
k0s_version_param="K0S_VERSION=${version}"
if [[ "${CONTAINER_RUNTIME}" == "crio" ]]; then
url=$(get_from_kata_deps ".externals.k0s.url")
k0s_version_param=""
version=$(get_from_kata_deps ".externals.k0s.version")
if [[ -n "${version}" ]]; then
k0s_version_param="K0S_VERSION=${version}"
fi
curl -sSLf "${url}" | sudo "${k0s_version_param}" sh
else
curl -sSLf -sSLf https://get.k0s.sh | sudo sh
fi
curl -sSLf "${url}" | sudo "${k0s_version_param}" sh
# In this case we explicitly want word splitting when calling k0s
# with extra parameters.
# shellcheck disable=SC2086

3
tests/integration/kubernetes/confidential_common.sh
View File

@@ -10,7 +10,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se")
SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se")
SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev")
function setup_unencrypted_confidential_pod() {
@@ -32,7 +32,6 @@ function setup_unencrypted_confidential_pod() {
# in order to identify whether the workload is running on a TEE environment
function get_remote_command_per_hypervisor() {
declare -A REMOTE_COMMAND_PER_HYPERVISOR
REMOTE_COMMAND_PER_HYPERVISOR[qemu-sev]="dmesg | grep \"Memory Encryption Features active:.*\(SEV$\|SEV \)\""
REMOTE_COMMAND_PER_HYPERVISOR[qemu-snp]="dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
REMOTE_COMMAND_PER_HYPERVISOR[qemu-tdx]="cpuid | grep TDX_GUEST"
REMOTE_COMMAND_PER_HYPERVISOR[qemu-se]="cd /sys/firmware/uv; cat prot_virt_guest | grep 1"

1
tests/integration/kubernetes/gha-run.sh
View File

@@ -576,7 +576,6 @@ function main() {
install-bats) install_bats ;;
install-kata-tools) install_kata_tools ;;
install-kbs-client) install_kbs_client ;;
install-kubectl) install_kubectl ;;
get-cluster-credentials) get_cluster_credentials "" ;;
deploy-csi-driver) return 0 ;;
deploy-kata) deploy_kata ;;

11
tests/integration/kubernetes/k8s-credentials-secrets.bats
View File

@@ -6,16 +6,19 @@
#
load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() {
[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
setup_common
get_pod_config_dir
# Add policy to pod-secret.yaml.
pod_yaml_file="${pod_config_dir}/pod-secret.yaml"
set_node "$pod_yaml_file" "$node"
pod_cmd="ls /tmp/secret-volume"
pod_exec_command=(sh -c "${pod_cmd}")
pod_policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
@@ -28,6 +31,7 @@ setup() {
# TODO: auto-generate policy for this pod YAML after solving
# https://github.com/kata-containers/kata-containers/issues/10033
pod_env_yaml_file="${pod_config_dir}/pod-secret-env.yaml"
set_node "$pod_env_yaml_file" "$node"
pod_env_cmd="printenv"
pod_env_exec_command=(sh -c "${pod_env_cmd}")
add_allow_all_policy_to_yaml "${pod_env_yaml_file}"
@@ -69,12 +73,9 @@ teardown() {
[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
# Debugging information
kubectl describe "pod/$pod_name"
kubectl describe "pod/$second_pod_name"
kubectl delete pod "$pod_name" "$second_pod_name"
kubectl delete secret "$secret_name"
delete_tmp_policy_settings_dir "${pod_policy_settings_dir}"
teardown_common "${node}" "${node_start_time:-}"
}

11
tests/integration/kubernetes/k8s-parallel.bats
View File

@@ -6,9 +6,11 @@
#
load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() {
setup_common
get_pod_config_dir
job_name="jobtest"
names=( "test1" "test2" "test3" )
@@ -21,6 +23,7 @@ setup() {
for i in "${names[@]}"; do
yaml_file="${pod_config_dir}/job-$i.yaml"
sed "s/\$ITEM/$i/" ${pod_config_dir}/job-template.yaml > ${yaml_file}
set_node "$yaml_file" "$node"
auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
done
}
@@ -44,13 +47,15 @@ setup() {
}
teardown() {
# Delete jobs
kubectl delete jobs -l jobgroup=${job_name}
# Remove generated yaml files
for i in "${names[@]}"; do
rm -f ${pod_config_dir}/job-$i.yaml
done
delete_tmp_policy_settings_dir "${policy_settings_dir}"
teardown_common
# Delete jobs
kubectl delete jobs -l jobgroup=${job_name}
}

Some files were not shown because too many files have changed in this diff Show More