github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-05-13 02:30:07 +00:00
Code Issues Projects Releases Wiki Activity
Files
1a0fbbfa323736c63ca71677624dcc03c151edaf
kata-containers/versions.yaml
Mikko Ylinen 412a384aad versions: update kernel-confidential to Linux v6.16.1 
Linux v6.16 brings some useful features for the confidential guests.
Most importantly, it adds an ABI to extend runtime measurement registers
(RTMR) for the TEE platforms supporting it. This is currently enabled
on Intel TDX only.

The kernel version bump from v6.12.x to v6.16 forces some CONFIG_*
changes too:

MEMORY_HOTPLUG_DEFAULT_ONLINE was dropped in favor of more config
choices. The equivalent option is MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO.

X86_5LEVEL was made unconditional. Since this was only a TDX
configuration, dropping it completely as part of v6.16 is fine.

CRYPTO_NULL2 was merged with CRYPTO_NULL. This was only added in
confidential guest fragments (cryptsetup) so we can drop it in this update.

CRYPTO_FIPS now depends on CRYPTO_SELFTESTS which further depends on
EXPERT which we don't have. Enable both in a separate config fragment
for confidential guests. This can be moved to a common setting once
other targets bump to post v6.16.

CRYPTO_SHA256_SSE3 arch optimizations were reworked and are now enabled
by default. Instead of adding it to whitelist.conf, just drop it completely
since it was only enabled as part of "measured boot" feature for
confidential guests. CONFIG_CRYPTO_CRC32_S390 was reworked the same way.
In this case, whitelist.conf is needed.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-08-20 11:32:48 +03:00

467 lines
15 KiB
YAML
Raw Blame History

#
# Copyright (c) 2018-2023 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
---
description: |
This file contains version details that are used by various
repositories for setting up the correct environment to run
tests and package components.
format: |
Each entry in this file MUST conform to the following format:
<group>:
description: "<brief-description>"
notes: "<notes>"
<project>:
description: "<brief-description>"
notes: "<notes>"
url: "<project-url>"
issue: "<bug-url>"
commit: "<commit>"
version: "<version>"
uscan-opts: "<optional uscan options>"
uscan-url: "<url regex for uscan to list versions>"
release: "<version>"
branch: "<git-branch>"
meta:
<key-1>: "<value-1>"
<key-n>: "<value-n>"
Notes:
- All sections (except "meta") MUST include a description where
applicable. This is expected to be a brief summary.
- A section MAY specify a "notes" section which may be multi-line.
It is expected to be expand on the information specified in
"description".
- All sections (except "meta") MUST include a URL where applicable.
- A section MAY specify a bug URL using the "issue" field.
- A section MAY define a "meta" section to store additional
information about a project or group.
- Each entry MUST specify ATLEAST one of "commit", "version", "release"
and "branch".
- WARNING: Gotcha alert! Remember to double-quote all strings
(except multi-line strings)! This avoids the possibility of a
version containing a period being treated as a floating point
number (and truncated!)
- NOTE: For the uscan related entries, refer to the following uscan pages:
https://manpages.debian.org/stretch/devscripts/uscan.1.en.html
https://wiki.debian.org/debian/watch
Particularly note the 'Common mistakes' section.
Also note, if you place the uscan strings on single lines in this file then
'\'s need to be '\'d, so are replaced with '\\', but this does not apply
for '>-' multi line entries, which can then use the normal uscan syntax.
assets:
description: "Additional required system elements"
hypervisor:
description: "Component used to create virtual machines"
cloud_hypervisor:
description: "Cloud Hypervisor is an open source Virtual Machine Monitor"
url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
uscan-url: >-
https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
version: "v47.0"
firecracker:
description: "Firecracker micro-VMM"
url: "https://github.com/firecracker-microvm/firecracker"
uscan-url: >-
https://github.com/firecracker-microvm/firecracker/tags
.*/v?(\d\S+)\.tar\.gz
version: "v1.12.1"
qemu:
description: "VMM that uses KVM"
url: "https://github.com/qemu/qemu"
version: "v10.0.3"
tag: "v10.0.3"
# Do not include any non-full release versions
# Break the line *without CR or space being appended*, to appease
# yamllint, and note the deliberate ' ' at the end of the expression.
uscan-opts: "opts=uversionmangle=s/(\\d)[_\\.\\-\\+]?\
((RC|rc|pre|dev|beta|alpha)\\d*)$/$1~$2/ "
uscan-url: >-
https://github.com/qemu/qemu/tags
.*/v?(\d\S+)\.tar\.gz
qemu-snp-experimental:
description: "QEMU with GPU+SNP support"
url: "https://github.com/confidential-containers/qemu.git"
tag: "gpu-snp-20250211"
qemu-tdx-experimental:
description: "QEMU with GPU+TDX support"
url: "https://github.com/confidential-containers/qemu.git"
tag: "gpu-tdx-20250211"
stratovirt:
description: "StratoVirt is an lightweight opensource VMM"
url: "https://github.com/openeuler-mirror/stratovirt"
version: "v2.3.0"
image:
description: |
Root filesystem disk image used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
ppc64le:
name: "ubuntu"
version: "noble" # 24.04 LTS
s390x:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
x86_64:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
mariner:
name: "cbl-mariner"
version: "3.0"
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
initrd:
description: |
Root filesystem initrd used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "alpine"
version: "3.18"
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
# Do not use Alpine on ppc64le & s390x, the agent cannot use musl because
# there is no such Rust target
ppc64le:
name: "ubuntu"
version: "noble" # 24.04 LTS
s390x:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
x86_64:
name: "alpine"
version: "3.18"
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
kernel:
description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.12.42"
confidential:
description: "Linux kernel with x86_64 TEEs (SNP and TDX) support"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.16.1"
kernel-arm-experimental:
description: "Linux kernel with cpu/mem hotplug support on arm64"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.15.138"
kernel-dragonball-experimental:
description: "Linux kernel with Dragonball VMM optimizations like upcall"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.12.42"
externals:
description: "Third-party projects used by the system"
busybox:
desc: "The Swiss Army Knife of Embedded Linux"
version: "1.36.1"
url: "https://busybox.net/downloads"
helm:
description: "Kubernetes package manager"
url: "https://get.helm.sh/"
version: "v3.15.2"
cni-plugins:
description: "CNI network plugins"
url: "https://github.com/containernetworking/plugins"
version: "v1.2.0"
coco-guest-components:
description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/"
version: "1a521e14b8c0a039ae7ae98f520fcb5020d95dec"
toolchain: "1.85.1"
coco-trustee:
description: "Provides attestation and secret delivery components"
url: "https://github.com/confidential-containers/trustee"
version: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb"
# image / ita_image and image_tag / ita_image_tag must be in sync
image: "ghcr.io/confidential-containers/staged-images/kbs"
image_tag: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb"
ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as"
ita_image_tag: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb-x86_64"
toolchain: "1.85.1"
crio:
description: |
OCI-based Kubernetes Container Runtime Interface implementation
url: "https://github.com/cri-o/cri-o"
branch: "release-1.23"
containerd:
description: |
Containerd for Kubernetes Container Runtime Interface.
url: "github.com/containerd/containerd"
tarball_url: "https://github.com/containerd/containerd/releases/download"
# containerd from v1.5.0 used the path unix socket
# instead of abstract socket, thus kata wouldn's support the containerd's
# version older than them.
version: "v1.7.25"
lts: "v1.7"
active: "v2.0"
# keep the latest version to make the current PR ci work, once it was
# merged,we can remove the latest version.
latest: "v2.0"
critools:
description: "CLI tool for Container Runtime Interface (CRI)"
url: "https://github.com/kubernetes-sigs/cri-tools"
version: "1.23.0"
# As we don't want to disrupt what we have on the `tests` repo, let's
# create a "latest" entry and use that for the GitHub actions tests.
latest: "v1.29"
runc:
description: "CLI tool for spawning and running containers"
url: "https://github.com/opencontainers/runc"
latest: "v1.2"
cryptsetup:
description: "A utility used to setup disk encryption, integrity protection"
url: "https://gitlab.com/cryptsetup/cryptsetup"
version: "v2.5.0"
gperf:
description: "GNU gperf is a perfect hash function generator"
url: "http://ftpmirror.gnu.org/gperf/"
version: "3.1"
hadolint:
description: "the dockerfile linter used by static-checks"
url: "https://github.com/hadolint/hadolint"
version: "2.12.0"
lvm2:
description: "LVM2 and device-mapper tools and libraries"
url: "https://github.com/lvmteam/lvm2"
version: "v2_03_16"
# This is only used for CRI-O.
# kata-deploy tests rely on the latest version of k0s.
k0s:
description: "K0s Kubernetes distribution, used in cri-o testing"
url: "https://get.k0s.sh"
version: "v1.31.5+k0s.0"
kubernetes:
description: "Kubernetes project container manager"
url: "https://github.com/kubernetes/kubernetes"
# regexp formed to match 'd.tar.gz', deliberately to not match any alpha or
# beta type releases
uscan-url: >-
https://github.com/kubernetes/kubernetes/tags
.*/v?([\d\.]+)\.tar\.gz
version: "1.23.1-00"
kustomize:
description: "Kubernetes native configuration management"
url: "https://github.com/kubernetes-sigs/kustomize"
version: "v5.3.0"
checksum:
amd64: "3ab32f92360d752a2a53e56be073b649abc1e7351b912c0fb32b960d1def854c"
arm64: "a1ec622d4adeb483e3cdabd70f0d66058b1e4bcec013c4f74f370666e1e045d8"
# yamllint disable-line rule:line-length
ppc64le: "946b1aa9325e7234157881fe2098e59c05c6834e56205bf6ec0a9a5fc83c9cc4"
s390x: "0b1a00f0e33efa2ecaa6cda9eeb63141ddccf97a912425974d6b65e66cf96cd4"
libseccomp:
description: "High level interface to Linux seccomp filter"
url: "https://github.com/seccomp/libseccomp"
version: "2.5.5"
pause:
description: "Kubernetes pause container image"
repo: "docker://registry.k8s.io/pause"
version: "3.9"
nydus:
description: "Nydus image acceleration service"
url: "https://github.com/dragonflyoss/image-service"
version: "v2.2.3"
nydus-snapshotter:
description: "Snapshotter for Nydus image acceleration service"
url: "https://github.com/containerd/nydus-snapshotter"
version: "v0.15.2"
opa:
description: "Open Policy Agent"
url: "https://github.com/open-policy-agent/opa"
version: "v1.6.0"
ovmf:
description: "Firmware, implementation of UEFI for virtual machines."
url: "https://github.com/tianocore/edk2"
x86_64:
description: "Vanilla firmware build"
version: "edk2-stable202411"
package: "OvmfPkg/OvmfPkgX64.dsc"
package_output_dir: "OvmfX64"
sev:
# Used by AMD SEV-SNP for measured direct boot
description: "AmdSev build needed for SEV measured direct boot."
version: "edk2-stable202411"
package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
package_output_dir: "AmdSev"
arm64:
description: "UEFI for arm64 virtual machines."
version: "edk2-stable202411"
package: "ArmVirtPkg/ArmVirtQemu.dsc"
package_output_dir: "ArmVirtQemu-AARCH64"
protoc:
description: "Protobuf compiler"
url: "https://github.com/protocolbuffers/protobuf/releases"
version: "v21.12"
protoc-gen-go:
description: "Protobuf Go compiler"
url: "https://github.com/protocolbuffers/protobuf-go/releases"
version: "v1.28.1"
ttrpc:
description: "ttRPC libary and code generation utilities"
url: "https://github.com/containerd/ttrpc/releases"
version: "v1.2.7"
virtiofsd:
description: "vhost-user virtio-fs device backend written in Rust"
url: "https://gitlab.com/virtio-fs/virtiofsd"
version: "v1.13.1"
toolchain: "1.85.1"
meta:
# From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.13.1,
# this is the link labelled virtiofsd-v1.13.1.zip
#
# yamllint disable-line rule:line-length
binary: "https://gitlab.com/-/project/21523468/uploads/05d4925181301a59b8c322cd9f9d44a7/virtiofsd-v1.13.1.zip"
xurls:
description: |
Tool used by the CI to check URLs in documents and code comments.
url: "mvdan.cc/xurls/v2/cmd/xurls"
version: "v2.5.0"
languages:
description: |
Details of programming languages required to build system
components.
golang:
description: "Google's 'go' language"
notes: "'version' is the default minimum version used by this project."
# When updating this, also update in go.mod files.
version: "1.23.12"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "1.23.12"
rust:
description: "Rust language"
notes: "'version' is the default minimum version used by this project."
# Keep in sync with rust-toolchain.toml
version: "1.85.1"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "1.85.1"
golangci-lint:
description: "golangci-lint"
notes: "'version' is the default minimum version used by this project."
url: "github.com/golangci/golangci-lint"
version: "1.64.8"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "1.64.8"
plugins:
description: |
Details of plugins required for the components or testing.
sriov-network-device:
description: |
The SR-IOV network device plugin is Kubernetes device plugin for
discovering and advertising SR-IOV virtual functions (VFs)
available on a Kubernetes host.
url: "https://github.com/k8snetworkplumbingwg/sriov-network-device-plugin"
version: "b7f6d3e0679796e907ecca88cfab0e32e326850d"
docker_images:
description: "Docker hub images used for testing"
nginx:
description: "Proxy server for HTTP, HTTPS, SMTP, POP3 and IMAP protocols"
url: "https://hub.docker.com/_/nginx/"
version: "1.15-alpine"
Reference in New Issue View Git Blame Copy Permalink