mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-05-17 13:04:23 +00:00
Switch the NVIDIA GPU rootfs images (both standard and confidential) from ext4 to erofs (Enhanced Read-Only File System). Unlike ext4, which is a read-write filesystem mounted read-only by convention, erofs is structurally read-only -- no journal, no write metadata, no superblock write path. This eliminates accidental mutation and reduces the attack surface inside the guest VM, which is particularly important for confidential workloads using dm-verity.

Introduce a DEFROOTFSTYPE_NV Makefile variable (set to erofs) for both Go and Rust runtimes, keeping the global DEFROOTFSTYPE as ext4 so non-NVIDIA configurations are unaffected. Update all six NVIDIA GPU configuration templates (base, SNP, TDX for both runtimes) to use @DEFROOTFSTYPE_NV@ instead of the global @DEFROOTFSTYPE@.

Export FS_TYPE=erofs in install_image_nvidia_gpu() and install_image_nvidia_gpu_confidential() so the build pipeline produces erofs images via the image builder.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
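A post-build check for the switch described in the commit message above, as an added example that is not code from the Kata Containers repository: it reads the on-disk superblock to confirm that an image really is erofs, and reports whether an ext image carries a journal. The function names are hypothetical, and the byte offset of the filesystem inside the image (fs_start) is an assumption the caller must supply, since the image layout is not described on this page.

```python
import struct

SB_OFFSET = 1024           # ext4 and erofs both place the superblock 1 KiB into the filesystem
EROFS_MAGIC = 0xE0F5E1E2   # le32 at superblock offset 0
EXT_MAGIC = 0xEF53         # le16 at superblock offset 0x38 (shared by ext2/ext3/ext4)
EXT_HAS_JOURNAL = 0x0004   # bit in s_feature_compat (le32 at superblock offset 0x5C)
FAMILY = {"ext2": "ext", "ext3": "ext", "ext4": "ext", "erofs": "erofs"}


def detect_rootfs(image: bytes, fs_start: int = 0) -> dict:
    """Classify the filesystem that starts at byte fs_start of a raw image."""
    sb = image[fs_start + SB_OFFSET: fs_start + SB_OFFSET + 0x60]
    if len(sb) < 0x60:
        return {"type": "unknown", "journal": None}
    if struct.unpack_from("<I", sb, 0)[0] == EROFS_MAGIC:
        return {"type": "erofs", "journal": False}  # the format defines no journal
    if struct.unpack_from("<H", sb, 0x38)[0] == EXT_MAGIC:
        compat = struct.unpack_from("<I", sb, 0x5C)[0]
        return {"type": "ext", "journal": bool(compat & EXT_HAS_JOURNAL)}
    return {"type": "unknown", "journal": None}


def check_image(image: bytes, expected: str, fs_start: int = 0):
    """Compare the image with the rootfs type the configuration declares."""
    found = detect_rootfs(image, fs_start)
    if found["type"] != FAMILY.get(expected):
        return False, f"config expects {expected}, image is {found['type']}"
    if found["journal"]:
        return True, f"{expected} image carries a journal (writable format)"
    return True, f"{expected} image has no journal"


def _sample(kind: str, fs_start: int = 0) -> bytes:
    """Constructed sample: zero-filled image holding only the fields read above."""
    img = bytearray(fs_start + 4096)
    sb = fs_start + SB_OFFSET
    if kind == "erofs":
        struct.pack_into("<I", img, sb, EROFS_MAGIC)
    elif kind == "ext4":
        struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
        struct.pack_into("<I", img, sb + 0x5C, EXT_HAS_JOURNAL)
    return bytes(img)


if __name__ == "__main__":
    for kind in ("erofs", "ext4"):
        print(kind, "->", check_image(_sample(kind), "erofs"))
```

A mismatch here means the guest would be asked to mount the image with the wrong rootfs type, so the check belongs before the image is published.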
Kata Containers packaging
Introduction
Kata Containers currently supports packages for many distributions. Tooling to aid in creating these packages is contained within this repository.
Build in a container
Kata build artifacts are available within a container image, created by a
Dockerfile. Reference DaemonSets are provided in
kata-deploy, which make installation of Kata Containers in a
running Kubernetes Cluster very straightforward.
Build static binaries
See the static build documentation.
Build Kata Containers Kernel
Build QEMU
Create a Kata Containers release
See the release documentation.
Packaging scripts
See the scripts documentation.
Credits
Kata Containers packaging uses packagecloud for package hosting.