2d29791c19
- Drop in cfg files support - agent: enhance get handled signal - oci: fix serde skip serializing condition - agent: Run OCI poststart hooks after a container is launched - agent: Replace some libc functions with nix ones - runtime: overwrite mount type to bind for bind mounts - build: Set safe.directory for runtime repo - ci/cd: update check-commit-message - Set safe.directory against tests repository - runtime: delete Console from Cmd type - Add `default_maxmemory` config option - shim: set a non-zero return code if the wait process call failed. - Refactor how hypervisor config validation is handled - packaging: Remove unused kata docker configure script - kata-with-k8s: Add cgroupDriver for containerd - shim: support shim v2 logging plugin - device package cleanup/refactor - versions: Update kernel to latest LTS version 5.15.48 - agent: Allow BUILD_TYPE=debug - Fix clippy warnings and update agent's vendored code - block: Leverage multiqueue for virtio-block - kernel: Add CONFIG_EFI=y as part of the TDX fragments - runtime: Add heuristic to get the right value(s) for mem-reserve - runtime: enable sandbox feature on qemu - snap: fix snap build on ppc64le - packaging: Remove unused publish kata image script - rootfs: Fix chronyd.service failing on boot - tracing: Remove whitespace from root span - workflow: Removing man-db, workflow kept failing - docs: Update outdated URLs and keep them available - runtime: fix error when trying to parse sandbox sizing annotations - snap: Fix debug cli option - deps: Resolve dependabot bumps of containerd, crossbeam-utils, regex - Allow Cloud Hypervisor to run under the `container_kvm_t` - docs: Update containerd url link - agent: refactor reading file timing for debugging - safe-path: fix clippy warning - kernel building: efi_secret module - runtime: Switch to using the rust version of virtiofsd (all arches but powerpc) - shim: change the log level for GetOOMEvent call failures - docs: Add more kata monitor details - Allow io.katacontainers.config.hypervisor.enable_iommu annotation by … - versions: Bump virtiofsd to v1.3.0 - docs: Add storage limits to arch doc - docs: Update source for cri-tools - tools: Enable extra detail on error - docs: Add agent-ctl examples sectionf4eea832arelease: Adapt kata-deploy for 2.5.0-rc00ddb34a38oci: fix serde skip serializing conditionfbb2e9bceagent: Replace some libc functions with nix onesacd3302beagent: Run OCI poststart hooks after a container is launched1f363a386runtime: overwrite mount type to bind for bind mounts4e48509edbuild: Set safe.directory for runtime repo48ccd4233ci: Set safe.directory against tests repository2a4fbd6d8agent: enhance get handled signal433816ccaci/cd: update check-commit-messagea5a25ed13runtime: delete Console from Cmd type96553e8bdruntime: Add documentation of drop-in config file fragmentsc656457e9runtime: Add tests of drop-in config file decoding99f5ca80fruntime: Plug drop-in decoding into decodeConfig()0f9856c46runtime: Scan drop-in directory, read files and decode them2c1efcc69runtime: Add helpers to copy fields between tomlConfig instances20f11877bruntime: Add framework to manipulate config structs via reflectionab5f1c956shim: set a non-zero return code if the wait process call failed.e5be5cb08runtime: device: cleanup outdated comments5f936f268virtcontainers: config validation is host specific323271403virtcontainers: Remove unused function0939f5181config: Expose default_maxmemory58ff2bd5cclh,qemu: Adapt to using default_maxmemory1a78c3df2packaging: Remove unused kata docker configure scriptafdc96042hypervisor: Add default_maxmemory configuration4e30e11b3shim: support shim v2 logging pluginbdf5e5229virtcontainers: validate hypervisor config outside of hypervisor itself469e09854katautils: don't do validation when loading hypervisor confige32bf5331device: deduplicate state structuresf97d9b45cruntime: device/persist: drop persist dependency from device pkgsf9e96c650runtime: device: move to top level package3880e0c07agent: refactor reading file timing for debuggingc70d3a2c3agent: Update the dependencies612fd79barandom: Fix "nonminimal-bool" clippy warningd4417f210netlink: Fix "or-fun-call" clippy warnings93874cb3bpackaging: Restrict kernel patches applied to top-level dir07b1367c2versions: Update kernel to latest LTS version 5.15.481b7d36fdbagent: Allow BUILD_TYPE=debug9ff10c083kernel: Add CONFIG_EFI=y as part of the TDX fragmentse227b4c40block: Leverage multiqueue for virtio-blocke7e7dc9dfruntime: Add heuristic to get the right value(s) for mem-reservec7dd10e5epackaging: Remove unused publish kata image script0bbbe7068snap: fix snap build on ppc64leef925d40cruntime: enable sandbox feature on qemu28995301btracing: Remove whitespace from root span9941588c0workflow: Removing man-db, workflow kept failing90a7763acsnap: Fix debug cli optiona305bafeedocs: Update outdated URLs and keep them availablebee770343docs: Update containerd url linkac5dbd859clh: Improve logging related to the net dev addition0b75522e1network: Set queues to 1 to ensure we get the network fds93b61e0f0network: Add FFI_NO_PI to the netlink flagsbf3ddc125clh: Pass the tuntap fds down to Cloud Hypervisor55ed32e92clh: Take care of the VmAdNetdPut request ourselves01fe09a4eclh: Hotplug the network devices2e0753833clh: Expose VmAddNetPut1ef0b7dedruntime: Switch to using the rust version of virtiofsd (all but power)bb26bd73bsafe-path: fix clippy warning1a5ba31cbagent: refactor reading file timing for debugging721ca72a6runtime: fix error when trying to parse sandbox sizing annotations9773838c0virtiofsd: export env vars needed for building itb0e090f40versions: Bump virtiofsd to v1.3.0db5048d52kernel: build efi_secret module for SEV1b845978fdocs: Add storage limits to arch doc412441308docs: Add more kata monitor detailseff4e1017shim: change the log level for GetOOMEvent call failures5d7fb7b7bbuild(deps): bump github.com/containerd/containerd in /src/runtimed0ca2fcbbbuild(deps): bump crossbeam-utils in /src/tools/trace-forwardera60dcff4dbuild(deps): bump regex from 1.5.4 to 1.5.6 in /src/tools/agent-ctldbf50672ebuild(deps): bump crossbeam-utils in /src/tools/agent-ctl8e2847bd5build(deps): bump crossbeam-utils from 0.8.6 to 0.8.8 in /src/libse9ada165fbuild(deps): bump regex from 1.5.4 to 1.5.5 in /src/agentadad9cef1build(deps): bump crossbeam-utils from 0.8.5 to 0.8.8 in /src/agent34bcef884docs: Add agent-ctl examples section815157bf0docs: Remove erroneous whitespacef5099620ftools: Enable extra detail on error8f10e13e0config: Allow enable_iommu pod annotation by default7ae11cad6docs: Update source for cri-tools0e2459d13docs: Add cgroupDriver for containerd1b7fd19acrootfs: Fix chronyd.service failing on boot Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Kata Containers
Welcome to Kata Containers!
This repository is the home of the Kata Containers code for the 2.0 and newer releases.
If you want to learn about Kata Containers, visit the main Kata Containers website.
Introduction
Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
License
The code is licensed under the Apache 2.0 license. See the license file for further details.
Platform support
Kata Containers currently runs on 64-bit systems supporting the following technologies:
| Architecture | Virtualization technology |
|---|---|
x86_64, amd64 |
Intel VT-x, AMD SVM |
aarch64 ("arm64") |
ARM Hyp |
ppc64le |
IBM Power |
s390x |
IBM Z & LinuxONE SIE |
Hardware requirements
The Kata Containers runtime provides a command to determine if your host system is capable of running and creating a Kata Container:
$ kata-runtime check
Notes:
This command runs a number of checks including connecting to the network to determine if a newer release of Kata Containers is available on GitHub. If you do not wish this to check to run, add the
--no-network-checksoption.By default, only a brief success / failure message is printed. If more details are needed, the
--verboseflag can be used to display the list of all the checks performed.If the command is run as the
rootuser additional checks are run (including checking if another incompatible hypervisor is running). When running asroot, network checks are automatically disabled.
Getting started
See the installation documentation.
Documentation
See the official documentation including:
Configuration
Kata Containers uses a single configuration file which contains a number of sections for various parts of the Kata Containers system including the runtime, the agent and the hypervisor.
Hypervisors
See the hypervisors document and the Hypervisor specific configuration details.
Community
To learn more about the project, its community and governance, see the community repository. This is the first place to go if you wish to contribute to the project.
Getting help
See the community section for ways to contact us.
Raising issues
Please raise an issue in this repository.
Note: If you are reporting a security issue, please follow the vulnerability reporting process
Developers
See the developer guide.
Components
Main components
The table below lists the core parts of the project:
| Component | Type | Description |
|---|---|---|
| runtime | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| agent | core | Management process running inside the virtual machine / POD that sets up the container environment. |
| documentation | documentation | Documentation common to all components (such as design and install documentation). |
| libraries | core | Library crates shared by multiple Kata Container components or published to crates.io |
| tests | tests | Excludes unit tests which live with the main code. |
Additional components
The table below lists the remaining parts of the project:
| Component | Type | Description |
|---|---|---|
| packaging | infrastructure | Scripts and metadata for producing packaged binaries (components, hypervisors, kernel and rootfs). |
| kernel | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored here. |
| osbuilder | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
agent-ctl |
utility | Tool that provides low-level access for testing the agent. |
trace-forwarder |
utility | Agent tracing helper. |
runk |
utility | Standard OCI container runtime based on the agent. |
ci |
CI | Continuous Integration configuration files and scripts. |
katacontainers.io |
Source for the katacontainers.io site. |
Packaging and releases
Kata Containers is now available natively for most distributions. However, packaging scripts and metadata are still used to generate snap and GitHub releases. See the components section for further details.
Glossary of Terms
See the glossary of terms related to Kata Containers.