# Copyright (c) 2022 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0

# XXX: WARNING: this file is auto-generated.
# XXX:
# XXX: Source file: "@CONFIG_CLH_IN@"
# XXX: Project:
# XXX:   Name: @PROJECT_NAME@
# XXX:   Type: @PROJECT_TYPE@

[hypervisor.cloud-hypervisor]
path = "@CLHPATH@"
kernel = "@KERNELPATH_CLH@"
image = "@IMAGEPATH@"

# rootfs filesystem type:
#   - ext4 (default)
#   - xfs
#   - erofs
rootfs_type=@DEFROOTFSTYPE@

# Block storage driver to be used when the VM rootfs is backed
# by a block device.
vm_rootfs_driver = "@VMROOTFSDRIVER_CLH@"

# Enable confidential guest support.
# Toggling that setting may trigger different hardware features, ranging
# from memory encryption to both memory and CPU-state encryption and integrity.
# The Kata Containers runtime dynamically detects the available feature set and
# aims at enabling the largest possible one, returning an error if none is
# available, or none is supported by the hypervisor.
#
# Known limitations:
# * Does not work by design:
#   - CPU Hotplug
#   - Memory Hotplug
#   - NVDIMM devices
#
# Supported TEEs:
# * Intel TDX
#
# Default false
# confidential_guest = true

# Path to the firmware.
# If you want Cloud Hypervisor to use a specific firmware, set its path below.
# This option is only used when confidential_guest is enabled.
# NOTE(review): with a TEE the firmware is typically included in the guest's
# launch measurement, so check your attestation policy before changing it.
#
# For more information about firmware that can be used with specific TEEs,
# please refer to:
# * Intel TDX:
#   - td-shim: https://github.com/confidential-containers/td-shim
#
# firmware = "@FIRMWAREPATH@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for "io.katacontainers.config.hypervisor.path".
# SECURITY NOTE: annotations are supplied together with the workload (e.g. in
# the pod spec), so every name enabled here can be overridden by whoever
# authors that spec. Keep this list as short as possible; path-valued
# annotations are additionally restricted by the valid_*_paths lists below,
# which default to rejecting everything.
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor
# Each member of the list is a path pattern as described by glob(3).
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@
valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@

# List of valid annotations values for ctlpath
# The default if not set is empty (all annotations rejected.)
# Your distribution recommends:
# valid_ctlpaths =

# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
# trouble running pre-2.15 glibc.
#
# WARNING: - any parameter specified here will take priority over the default
# parameter value of the same name used to start the virtual machine.
# Do not set values here unless you understand the impact of doing so: a bad
# value may stop the virtual machine from booting, and since the defaults can
# include security-relevant settings, overriding them may also weaken the
# guest's hardening.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"

# Default number of vCPUs per SB/VM:
# unspecified or 0                --> will be set to 1
# < 0                             --> will be set to the actual number of physical cores
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores
default_vcpus = @DEFVCPUS@

# Default maximum number of vCPUs per SB/VM:
# unspecified or == 0             --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# > 0 <= number of physical cores --> will be set to the specified number
# > number of physical cores      --> will be set to the actual number of physical cores or to the maximum number
#                                     of vCPUs supported by KVM if that number is exceeded
# WARNING: Depending on the architecture, the maximum number of vCPUs supported by KVM is used when
# the actual number of physical cores is greater than it.
# WARNING: Be aware that this value impacts the virtual machine's memory footprint and the CPU
# hotplug functionality.
# For example, `default_maxvcpus = 240` specifies that up to 240 vCPUs
# can be added to a SB/VM, but the memory footprint will be big. Another example, with
# `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of
# vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable,
# unless you know what you are doing.
default_maxvcpus = @DEFMAXVCPUS@

# Default memory size in MiB for SB/VM.
# If unspecified then it will be set to @DEFMEMSZ@ MiB.
default_memory = @DEFMEMSZ@

# Shared file system type:
#   - virtio-fs
#   - virtio-fs-nydus
#   - none
shared_fs = "@DEFSHAREDFS_CLH_VIRTIOFS@"

# Path to vhost-user-fs daemon.
virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"

# Default size of DAX cache in MiB
virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@

# Extra args for virtiofsd daemon
#
# Format example:
#   ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"]
# Examples:
#   Set virtiofsd log level to debug : ["-o", "log_level=debug"] or ["-d"]
#
# see `virtiofsd -h` for possible options.
# SECURITY NOTE: these arguments are passed to the host-side daemon that
# serves the shared directory, so options that relax its sandboxing or widen
# what it exports directly affect host isolation; treat changes here as
# privileged.
virtio_fs_extra_args = @DEFVIRTIOFSEXTRAARGS@

# Cache mode:
#
#  - never
#    Metadata, data, and pathname lookup are not cached in guest. They are
#    always fetched from host and any changes are immediately pushed to host.
#
#  - auto
#    Metadata and pathname lookup cache expires after a configured amount of
#    time (default is 1 second). Data is cached while the file is open (close
#    to open consistency).
#
#  - always
#    Metadata, data, and pathname lookup are cached in guest and never expire.
virtio_fs_cache = "@DEFVIRTIOFSCACHE@"

# Bridges can be used to hot plug devices.
# Limitations:
# * Currently only pci bridges are supported
# * Up to 30 devices per bridge can be hot plugged.
# * Up to 5 PCI bridges can be cold plugged per VM.
#   This limitation could be a bug in the kernel
# Default number of bridges per SB/VM:
# unspecified or 0   --> will be set to @DEFBRIDGES@
# > 1 <= 5           --> will be set to the specified number
# > 5                --> will be set to 5
default_bridges = @DEFBRIDGES@

# Reclaim guest freed memory.
# Enabling this will result in the VM balloon device having f_reporting=on set.
# Then the hypervisor will use it to reclaim guest freed memory.
# This is useful for reducing the amount of memory used by a VM.
# Enabling this feature may sometimes reduce the speed of memory access in
# the VM.
#
# Default false
#reclaim_guest_freed_memory = true

# Block device driver to be used by the hypervisor when a container's storage
# is backed by a block device or a file. This driver facilitates attaching the
# storage directly to the guest VM.
block_device_driver = "virtio-blk-pci"

# Specifies cache-related options for block devices.
# Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
# Default false
#block_device_cache_direct = true

# Enable pre allocation of VM RAM, default false
# Enabling this will result in lower container density
# as all of the memory will be allocated and locked
# This is useful when you want to reserve all the memory
# upfront or in the cases where you want memory latencies
# to be very predictable
# Default false
#enable_mem_prealloc = true

# Enable huge pages for VM RAM, default false
# Enabling this will result in the VM memory
# being allocated using huge pages.
# This is useful when you want to use vhost-user network
# stacks within the container. This will automatically
# result in memory pre allocation
#enable_hugepages = true

# Disable the 'seccomp' feature from Cloud Hypervisor or firecracker, default false
# SECURITY NOTE: the VMM's seccomp filter restricts which host syscalls the
# hypervisor process may make and is one of the layers protecting the host
# from a compromised guest or VMM. Only disable it for debugging.
# disable_seccomp = true

# This option changes the default hypervisor and kernel parameters
# to enable debug output where available.
#
# Default false
#enable_debug = true

# Disable the customizations done in the runtime when it detects
# that it is running on top of a VMM. This will result in the runtime
# behaving as it would when running on bare metal.
#
#disable_nesting_checks = true

# Path to OCI hook binaries in the *guest rootfs*.
# This does not affect host-side hooks which must instead be added to
# the OCI spec passed to the runtime.
#
# You can create a rootfs with hooks by customizing the osbuilder scripts:
# https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder
#
# Hooks must be stored in a subdirectory of guest_hook_path according to their
# hook type, i.e. "guest_hook_path/{prestart,poststart,poststop}".
# The agent will scan these directories for executable files and add them, in
# lexicographical order, to the lifecycle of the guest container.
# Hooks are executed in the runtime namespace of the guest. See the official documentation:
# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
# Warnings will be logged if any error is encountered while scanning for hooks,
# but this will not abort container execution.
# NOTE: every executable found in these directories is run automatically, so
# the guest image that provides them must be trusted (and, for confidential
# guests, covered by the image's integrity protection).
#guest_hook_path = "/usr/share/oci/hooks"

# Enable swap in the guest. Default false.
# When enable_guest_swap is enabled, insert a raw file to the guest as the swap device.
# NOTE(review): the swap device is a raw file inserted by the runtime and so
# presumably lives on the host side; guest memory paged out to it is then
# visible outside the guest unless the guest encrypts it. Confirm this is
# acceptable, in particular alongside confidential_guest, before enabling it.
#enable_guest_swap = true

# If enable_guest_swap is enabled, the swap device will be created in the guest
# at this path. Default "/run/kata-containers/swap".
#guest_swap_path = "/run/kata-containers/swap"

# The percentage of the total memory to be used as swap device.
# Default 100.
#guest_swap_size_percent = 100

# The threshold in seconds to create swap device in the guest.
# Kata will wait guest_swap_create_threshold_secs seconds before creating swap device.
# Default 60.
#guest_swap_create_threshold_secs = 60

[agent.@PROJECT_TYPE@]
container_pipe_size=@PIPESIZE@

# If enabled, make the agent display debug-level messages.
# (default: disabled)
#enable_debug = true

# Enable agent tracing.
#
# If enabled, the agent will generate OpenTelemetry trace spans.
#
# Notes:
#
# - If the runtime also has tracing enabled, the agent spans will be
#   associated with the appropriate runtime parent span.
# - If enabled, the runtime will wait for the container to shutdown,
#   increasing the container shutdown time slightly.
#
# (default: disabled)
#enable_tracing = true

# Enable debug console.
# If enabled, user can connect guest OS running inside hypervisor
# through "kata-runtime exec SANDBOX_ID" command
# SECURITY NOTE: this gives anyone who can invoke the runtime an interactive
# shell inside the guest, bypassing the isolation the sandbox is meant to
# provide (and, for confidential guests, exposing guest state to the host).
# Leave it disabled outside of debugging.
#debug_console_enabled = true

# Agent dial timeout in milliseconds.
# (default: 10)
#dial_timeout_ms = 10

# Agent reconnect timeout in milliseconds.
# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
# If you find pod cannot connect to the agent when starting, please
# consider increasing this value to increase the retry times.
# Do not change the value of dial_timeout_ms unless you know what you are doing.
# (default: 3000)
#reconnect_timeout_ms = 3000

[agent.@PROJECT_TYPE@.mem_agent]
# Control the mem-agent function enable or disable.
# Default to false
#mem_agent_enable = true

# Control the mem-agent memcg function disable or enable
# Default to false
#memcg_disable = false

# Control the mem-agent function swap enable or disable.
# Default to false
#memcg_swap = false

# Control the mem-agent function swappiness max number.
# Default to 50
#memcg_swappiness_max = 50

# Control the mem-agent memcg function wait period seconds
# Default to 600
#memcg_period_secs = 600

# Control the mem-agent memcg wait period PSI percent limit.
# If the percentage of memory and IO PSI stall time within
# the memcg waiting period for a cgroup exceeds this value,
# then the aging and eviction for this cgroup will not be
# executed after this waiting period.
# Default to 1
#memcg_period_psi_percent_limit = 1

# Control the mem-agent memcg eviction PSI percent limit.
# If the percentage of memory and IO PSI stall time for a cgroup
# exceeds this value during an eviction cycle, the eviction for
# this cgroup will immediately stop and will not resume until
# the next memcg waiting period.
# Default to 1
#memcg_eviction_psi_percent_limit = 1

# Control the mem-agent memcg eviction run aging count min.
# A cgroup will only perform eviction when the number of aging cycles
# in memcg is greater than or equal to memcg_eviction_run_aging_count_min.
# Default to 3
#memcg_eviction_run_aging_count_min = 3

# Control the mem-agent compact function disable or enable
# Default to false
#compact_disable = false

# Control the mem-agent compaction function wait period seconds
# Default to 600
#compact_period_secs = 600

# Control the mem-agent compaction function wait period PSI percent limit.
# If the percentage of memory and IO PSI stall time within
# the compaction waiting period exceeds this value,
# then the compaction will not be executed after this waiting period.
# Default to 1
#compact_period_psi_percent_limit = 1

# Control the mem-agent compaction function compact PSI percent limit.
# During compaction, the percentage of memory and IO PSI stall time
# is checked every second. If this percentage exceeds
# compact_psi_percent_limit, the compaction process will stop.
# Default to 5
#compact_psi_percent_limit = 5

# Control the maximum number of seconds for each compaction of mem-agent compact function.
# Default to 180
#compact_sec_max = 180

# Control the mem-agent compaction function compact order.
# compact_order is used together with compact_threshold.
# Default to 9
#compact_order = 9

# Control the mem-agent compaction function compact threshold.
# compact_threshold is a number of pages.
# When examining /proc/pagetypeinfo, another round of memory compaction
# is initiated if either:
# - the number of movable pages of orders smaller than compact_order has
#   grown by more than 'compact_threshold' pages since the previous
#   compaction, or
# - the number of free pages has decreased by 'compact_threshold' pages
#   since the previous compaction.
# Default to 1024
#compact_threshold = 1024

# Control the mem-agent compaction function force compact times.
# After one compaction, if there has not been a compaction within
# the next compact_force_times times, a compaction will be forced
# regardless of the system's memory situation.
# If compact_force_times is set to 0, a compaction is forced every time.
# If compact_force_times is set to 18446744073709551615, a compaction is never forced.
# Default to 18446744073709551615
#compact_force_times = 18446744073709551615

# Create Container Request Timeout
# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
# It's also used to ensure that workloads, especially those involving large image pulls within the guest,
# have sufficient time to complete.
#
# Effective Timeout Determination:
# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values:
# - create_container_timeout: The timeout value configured for creating containers (default: 30,000 milliseconds,
#   i.e. 30 seconds; note that the setting itself is expressed in seconds, see below).
# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described at the link below:
#   (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout)
# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)
# create_container_timeout = @DEFCREATECONTAINERTIMEOUT@

[runtime]
# If enabled, the runtime will log additional debug messages to the
# system log
# (default: disabled)
#enable_debug = true

# If enabled, it means that 1) if the runtime exits abnormally,
# the cleanup process will be skipped, and 2) the runtime will not exit
# even if the health check fails.
# This option is typically used to retain abnormal information for debugging.
# (default: false)
#keep_abnormal = true

# Internetworking model
# Determines how the VM should be connected to the
# container network interface
# Options:
#
#   - bridged (Deprecated)
#      Uses a linux bridge to interconnect the container interface to
#      the VM. Works for most cases except macvlan and ipvlan.
#      ***NOTE: This feature has been deprecated with plans to remove this
#      feature in the future. Please use other network models listed below.
#
#
#   - macvtap
#      Used when the Container network interface can be bridged using
#      macvtap.
#
#   - none
#      Used with a customized network setup. Only creates a tap device. No veth pair.
#
#   - tcfilter
#      Uses tc filter rules to redirect traffic from the network interface
#      provided by plugin to a tap interface connected to the VM.
#
internetworking_model="@DEFNETWORKMODEL_CLH@"

name="@RUNTIMENAME@"
hypervisor_name="@HYPERVISOR_CLH@"
agent_name="@PROJECT_TYPE@"

# disable guest seccomp
# Determines whether container seccomp profiles are passed to the virtual
# machine and applied by the kata agent. If set to true, seccomp is not applied
# within the guest.
# SECURITY NOTE: with the default of true, the seccomp profile declared for a
# container is silently not enforced inside the guest; set this to false if
# your workloads rely on their seccomp profiles as a control.
# (default: true)
disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@

# If enabled, the runtime will create opentracing.io traces and spans.
# (See https://www.jaegertracing.io/docs/getting-started).
# (default: disabled)
#enable_tracing = true

# Set the full url to the Jaeger HTTP Thrift collector.
# The default if not set will be "http://localhost:14268/api/traces"
#jaeger_endpoint = ""

# Sets the username to be used if basic auth is required for Jaeger.
#jaeger_user = ""

# Sets the password to be used if basic auth is required for Jaeger.
# SECURITY NOTE: this is a plaintext credential in a configuration file. If it
# is set, restrict the file's permissions accordingly and use an https://
# jaeger_endpoint so the credential is not sent in the clear.
#jaeger_password = ""

# If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
# This option may have some potential impacts to your host. It should only be used when you know what you're doing.
# In particular, the shim and hypervisor then run in the host's network namespace, so the
# network isolation that a dedicated namespace normally provides is lost.
# `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only
# with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
# (like OVS) directly.
# (default: false)
#disable_new_netns = true

# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
# The container cgroups in the host are not created, just one single cgroup per sandbox.
# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
# The sandbox cgroup is constrained if there is no container type annotation.
# See: https://pkg.go.dev/github.com/kata-containers/kata-containers/src/runtime/virtcontainers#ContainerType
sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY_CLH@

# Enabled experimental feature list, format: ["a", "b"].
# Experimental features are features not stable enough for production,
# they may break compatibility, and are prepared for a big version bump.
# Supported experimental features:
# (default: [])
experimental=@DEFAULTEXPFEATURES@

# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# Intended for debugging only: it exposes profiling data of the shim process via kata-monitor.
# (default: false)
# enable_pprof = true

# If enabled, the runtime will attempt to determine appropriate sandbox size (memory, CPU) before booting the virtual machine. In
# this case, the runtime will not dynamically update the amount of memory and CPU in the virtual machine. This is generally helpful
# when a hardware architecture or hypervisor solution is utilized which does not support CPU and/or memory hotplug.
# Compatibility for determining appropriate sandbox (VM) size:
# - When running with pods, sandbox sizing information will only be available if using Kubernetes >= 1.23 and containerd >= 1.6. CRI-O
#   does not yet support sandbox sizing annotations.
# - When running single containers using a tool like ctr, container sizing information will be available.
static_sandbox_resource_mgmt=@DEFSTATICRESOURCEMGMT_CLH@

# If specified, sandbox_bind_mounts identifies host paths to be mounted (ro or rw) into the sandbox's shared path.
# This is only valid if filesystem sharing is utilized. The provided path(s) will be bind-mounted into the shared fs directory.
# If defaults are utilized, these mounts should be available in the guest at `/run/kata-containers/shared/containers/sandbox-mounts`
# These will not be exposed to the container workloads, and are only provided for potential guest services.
# Three bind mount formats are supported:
# - "/path/to", default readonly mode.
# - "/path/to:ro", readonly mode.
# - "/path/to:rw", readwrite mode.
# SECURITY NOTE: an ":rw" entry lets whatever runs inside the guest write to that host path, so
# prefer the default readonly mode and mount only the paths the guest services actually need.
sandbox_bind_mounts=@DEFBINDMOUNTS@

# Base directory of directly attachable network config.
# Network devices for VM-based containers are allowed to be placed in the
# host netns to eliminate as many hops as possible, which is what we
# call a "Directly Attachable Network". The config, set by special CNI
# plugins, is used to tell the Kata containers what devices are attached
# to the hypervisor.
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"