mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-02 07:02:16 +00:00
This makes the runtime share the host Kubelet emptyDir folder with the guest instead of the agent creating an empty folder in the container rootfs. Doing so enables the Kubelet to track emptyDir usage and evict greedy pods. In other words, with virtio-fs the container rootfs uses host storage whether this is true or false, however with true, Kata uses the k8s emptyDir folder so the sizeLimit is properly enforced by k8s. Addresses the ephemeral storage part of #12203. History: * Initially, emptyDirs are slow because they are shared from the host with 9p. https://github.com/kata-containers/runtime/issues/1472 * To address above, emptyDirs are hardcoded to be created by the agent in the pause container's rootfs, potentially leveraging devicemapper and improving perf. https://github.com/kata-containers/runtime/pull/1485 * The previous PR regressed an (interesting?) use case where emptyDirs were used to share data from the host to the guest, so the behavior was made configurable and `disable_guest_empty_dir = false` is introduced, defaulting to the behavior of the previous PR. https://github.com/kata-containers/kata-containers/pull/2056 * Another resource accounting regression remains which is addressed in this PR. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
1164 lines
38 KiB
Makefile
1164 lines
38 KiB
Makefile
#
|
|
# Copyright (c) 2018-2019 Intel Corporation
|
|
# Copyright (c) 2021 Adobe Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
include golang.mk
|
|
|
|
#Get ARCH.
|
|
ifeq ($(ARCH),)
|
|
ifneq (,$(golang_version_raw))
|
|
override ARCH = $(shell go env GOARCH)
|
|
else
|
|
override ARCH = $(shell uname -m)
|
|
endif
|
|
endif
|
|
ifeq ($(ARCH),x86_64)
|
|
override ARCH = amd64
|
|
override EDK2_NAME = ovmf
|
|
endif
|
|
ifeq ($(ARCH),aarch64)
|
|
override ARCH = arm64
|
|
override EDK2_NAME = aavmf
|
|
endif
|
|
ifeq ($(ARCH),riscv64gc)
|
|
override ARCH = riscv64
|
|
endif
|
|
|
|
ARCH_DIR = arch
|
|
ARCH_FILE_SUFFIX = -options.mk
|
|
ARCH_FILE = $(ARCH_DIR)/$(ARCH)$(ARCH_FILE_SUFFIX)
|
|
ARCH_FILES = $(wildcard arch/*$(ARCH_FILE_SUFFIX))
|
|
ALL_ARCHES = $(patsubst $(ARCH_DIR)/%$(ARCH_FILE_SUFFIX),%,$(ARCH_FILES))
|
|
|
|
# Build as safely as possible
|
|
export CGO_CPPFLAGS = -D_FORTIFY_SOURCE=2 -fstack-protector
|
|
|
|
ifeq (,$(realpath $(ARCH_FILE)))
|
|
$(error "ERROR: invalid architecture: '$(ARCH)'")
|
|
else
|
|
# Load architecture-dependent settings
|
|
include $(ARCH_FILE)
|
|
endif
|
|
|
|
PROJECT_TYPE = kata
|
|
PROJECT_NAME = Kata Containers
|
|
PROJECT_TAG = kata-containers
|
|
PROJECT_ORG = $(PROJECT_TAG)
|
|
PROJECT_URL = https://github.com/$(PROJECT_ORG)
|
|
PROJECT_BUG_URL = $(PROJECT_URL)/kata-containers/issues/new
|
|
|
|
# list of scripts to install
|
|
SCRIPTS :=
|
|
|
|
# list of binaries to install
|
|
BINLIST :=
|
|
BINLIBEXECLIST :=
|
|
|
|
BIN_PREFIX = $(PROJECT_TYPE)
|
|
PROJECT_DIR = $(PROJECT_TAG)
|
|
IMAGENAME = $(PROJECT_TAG).img
|
|
IMAGECONFIDENTIALNAME = $(PROJECT_TAG)-confidential.img
|
|
INITRDNAME = $(PROJECT_TAG)-initrd.img
|
|
INITRDCONFIDENTIALNAME = $(PROJECT_TAG)-initrd-confidential.img
|
|
|
|
IMAGENAME_NV = $(PROJECT_TAG)-nvidia-gpu.img
|
|
IMAGENAME_CONFIDENTIAL_NV = $(PROJECT_TAG)-nvidia-gpu-confidential.img
|
|
|
|
TARGET = $(BIN_PREFIX)-runtime
|
|
RUNTIME_OUTPUT = $(CURDIR)/$(TARGET)
|
|
RUNTIME_DIR = $(CLI_DIR)/$(TARGET)
|
|
BINLIST += $(TARGET)
|
|
|
|
DESTDIR ?= /
|
|
|
|
ifeq ($(PREFIX),)
|
|
PREFIX := /usr
|
|
EXEC_PREFIX := $(PREFIX)/local
|
|
else
|
|
EXEC_PREFIX := $(PREFIX)
|
|
endif
|
|
# Prefix where depedencies are installed
|
|
PREFIXDEPS := $(PREFIX)
|
|
BINDIR := $(EXEC_PREFIX)/bin
|
|
QEMUBINDIR := $(PREFIXDEPS)/bin
|
|
CLHBINDIR := $(PREFIXDEPS)/bin
|
|
FCBINDIR := $(PREFIXDEPS)/bin
|
|
STRATOVIRTBINDIR := $(PREFIXDEPS)/bin
|
|
SYSCONFDIR := /etc
|
|
LOCALSTATEDIR := /var
|
|
|
|
LIBEXECDIR := $(PREFIXDEPS)/libexec
|
|
SHAREDIR := $(PREFIX)/share
|
|
DEFAULTSDIR := $(SHAREDIR)/defaults
|
|
|
|
COLLECT_SCRIPT = data/kata-collect-data.sh
|
|
|
|
# @RUNTIME_NAME@ should be replaced with the target in generated files
|
|
RUNTIME_NAME = $(TARGET)
|
|
|
|
GENERATED_FILES += $(COLLECT_SCRIPT)
|
|
GENERATED_VARS = \
|
|
VERSION \
|
|
CONFIG_QEMU_IN \
|
|
CONFIG_QEMU_COCO_DEV_IN \
|
|
CONFIG_QEMU_NVIDIA_GPU_IN \
|
|
CONFIG_QEMU_NVIDIA_GPU_SNP_IN \
|
|
CONFIG_QEMU_NVIDIA_GPU_TDX_IN \
|
|
CONFIG_QEMU_TDX_IN \
|
|
CONFIG_QEMU_SNP_IN \
|
|
CONFIG_QEMU_CCA_IN \
|
|
CONFIG_CLH_IN \
|
|
CONFIG_FC_IN \
|
|
CONFIG_STRATOVIRT_IN \
|
|
CONFIG_REMOTE_IN \
|
|
CONFIG_QEMU_SE_IN \
|
|
$(USER_VARS)
|
|
SCRIPTS += $(COLLECT_SCRIPT)
|
|
SCRIPTS_DIR := $(BINDIR)
|
|
|
|
BASH_COMPLETIONS := data/completions/bash/kata-runtime
|
|
BASH_COMPLETIONSDIR := $(SHAREDIR)/bash-completion/completions
|
|
|
|
PKGDATADIR := $(PREFIXDEPS)/share/$(PROJECT_DIR)
|
|
PKGRUNDIR := $(LOCALSTATEDIR)/run/$(PROJECT_DIR)
|
|
PKGLIBEXECDIR := $(LIBEXECDIR)/$(PROJECT_DIR)
|
|
|
|
KERNELDIR := $(PKGDATADIR)
|
|
|
|
IMAGEPATH := $(PKGDATADIR)/$(IMAGENAME)
|
|
IMAGECONFIDENTIALPATH := $(PKGDATADIR)/$(IMAGECONFIDENTIALNAME)
|
|
INITRDPATH := $(PKGDATADIR)/$(INITRDNAME)
|
|
INITRDCONFIDENTIALPATH := $(PKGDATADIR)/$(INITRDCONFIDENTIALNAME)
|
|
|
|
IMAGEPATH_NV := $(PKGDATADIR)/$(IMAGENAME_NV)
|
|
IMAGEPATH_CONFIDENTIAL_NV := $(PKGDATADIR)/$(IMAGENAME_CONFIDENTIAL_NV)
|
|
|
|
ROOTFSTYPE_EXT4 := \"ext4\"
|
|
ROOTFSTYPE_XFS := \"xfs\"
|
|
ROOTFSTYPE_EROFS := \"erofs\"
|
|
DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
|
|
|
|
FIRMWAREPATH :=
|
|
FIRMWAREVOLUMEPATH :=
|
|
|
|
FIRMWAREPATH_NV :=
|
|
ifeq ($(ARCH),amd64)
|
|
FIRMWAREPATH_NV := $(PREFIXDEPS)/share/$(EDK2_NAME)/OVMF.fd
|
|
endif
|
|
ifeq ($(ARCH),arm64)
|
|
FIRMWAREPATH_NV := $(PREFIXDEPS)/share/$(EDK2_NAME)/AAVMF_CODE.fd
|
|
endif
|
|
|
|
FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
|
|
FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
|
|
FIRMWARETDVFVOLUMEPATH :=
|
|
|
|
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
|
|
FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)
|
|
|
|
KERNELVERITYPARAMS ?= ""
|
|
KERNELVERITYPARAMS_NV ?= ""
|
|
KERNELVERITYPARAMS_CONFIDENTIAL_NV ?= ""
|
|
|
|
# Name of default configuration file the runtime will use.
|
|
CONFIG_FILE = configuration.toml
|
|
|
|
HYPERVISOR_FC = firecracker
|
|
HYPERVISOR_QEMU = qemu
|
|
HYPERVISOR_CLH = cloud-hypervisor
|
|
HYPERVISOR_STRATOVIRT = stratovirt
|
|
HYPERVISOR_REMOTE = remote
|
|
|
|
# Determines which hypervisor is specified in $(CONFIG_FILE).
|
|
DEFAULT_HYPERVISOR ?= $(HYPERVISOR_QEMU)
|
|
|
|
# List of hypervisors this build system can generate configuration for.
|
|
HYPERVISORS := $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVISOR_CLH) $(HYPERVISOR_STRATOVIRT) $(HYPERVISOR_REMOTE)
|
|
|
|
QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
|
|
QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"]
|
|
|
|
QEMUTDXEXPERIMENTALPATH := $(QEMUBINDIR)/$(QEMUTDXEXPERIMENTALCMD)
|
|
QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS := [\"$(QEMUTDXEXPERIMENTALPATH)\"]
|
|
|
|
QEMUCCAEXPERIMENTALPATH := $(QEMUBINDIR)/$(QEMUCCAEXPERIMENTALCMD)
|
|
QEMUCCAEXPERIMENTALVALIDHYPERVISORPATHS := [\"$(QEMUCCAEXPERIMENTALPATH)\"]
|
|
|
|
QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT := 0
|
|
|
|
QEMUSNPPATH := $(QEMUBINDIR)/$(QEMUSNPCMD)
|
|
QEMUSNPVALIDHYPERVISORPATHS := [\"$(QEMUSNPPATH)\"]
|
|
|
|
QEMUVIRTIOFSPATH := $(QEMUBINDIR)/$(QEMUVIRTIOFSCMD)
|
|
|
|
DEFCCAMEASUREMENTALGO := sha512
|
|
|
|
CLHPATH := $(CLHBINDIR)/$(CLHCMD)
|
|
CLHVALIDHYPERVISORPATHS := [\"$(CLHPATH)\"]
|
|
|
|
FCPATH = $(FCBINDIR)/$(FCCMD)
|
|
FCVALIDHYPERVISORPATHS := [\"$(FCPATH)\"]
|
|
FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)
|
|
FCVALIDJAILERPATHS = [\"$(FCJAILERPATH)\"]
|
|
|
|
STRATOVIRTPATH = $(STRATOVIRTBINDIR)/$(STRATOVIRTCMD)
|
|
STRATOVIRTVALIDHYPERVISORPATHS := [\"$(STRATOVIRTPATH)\"]
|
|
|
|
# Default number of vCPUs
|
|
DEFVCPUS := 1
|
|
# Default maximum number of vCPUs
|
|
DEFMAXVCPUS := 0
|
|
# Default memory size in MiB
|
|
DEFMEMSZ := 2048
|
|
# Default memory slots
|
|
# Cases to consider :
|
|
# - nvdimm rootfs image
|
|
# - preallocated memory
|
|
# - vm template memory
|
|
# - hugepage memory
|
|
DEFMEMSLOTS := 10
|
|
# Default maximum memory in MiB
|
|
DEFMAXMEMSZ := 0
|
|
#Default number of bridges
|
|
DEFBRIDGES := 1
|
|
# Security note: do not enable "virtio_fs_extra_args" by default.
|
|
# Allowing pods to pass arbitrary virtiofsd arguments can be abused for malicious host-side behavior.
|
|
DEFENABLEANNOTATIONS := [\"enable_iommu\", \"kernel_params\", \"kernel_verity_params\"]
|
|
DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
|
|
DEFDISABLEGUESTSECCOMP := true
|
|
DEFDISABLEGUESTEMPTYDIR := true
|
|
DEFEMPTYDIRMODE := shared-fs
|
|
DEFEMPTYDIRMODE_COCO := block-encrypted
|
|
#Default experimental features enabled
|
|
DEFAULTEXPFEATURES := []
|
|
|
|
DEFDISABLESELINUX := false
|
|
|
|
# Default guest SELinux configuration
|
|
DEFDISABLEGUESTSELINUX := true
|
|
# Default is empty string "" to match the default golang (when commented out in config).
|
|
# Most users will want to set this to "system_u:system_r:container_t" for SELinux support.
|
|
DEFGUESTSELINUXLABEL :=
|
|
|
|
#Default SeccomSandbox param
|
|
#The same default policy is used by libvirt
|
|
# More explanation on https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03348.html
|
|
#
|
|
# Default is empty string "" to match the default (when commented out in config).
|
|
# Most users will want to set this to "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
|
|
# for better security. Note: "elevateprivileges=deny" doesn't work with daemonize option.
|
|
# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
|
|
DEFSECCOMPSANDBOXPARAM :=
|
|
|
|
#Default entropy source
|
|
DEFENTROPYSOURCE := /dev/urandom
|
|
DEFVALIDENTROPYSOURCES := [\"/dev/urandom\",\"/dev/random\",\"\"]
|
|
|
|
DEFDISABLEBLOCK := true
|
|
DEFSHAREDFS_CLH_VIRTIOFS := virtio-fs
|
|
DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs
|
|
# Please keep DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS in sync with TDX/SNP
|
|
DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS := none
|
|
DEFSHAREDFS_STRATOVIRT_VIRTIOFS := virtio-fs
|
|
DEFSHAREDFS_QEMU_TDX_VIRTIOFS := none
|
|
DEFSHAREDFS_QEMU_SNP_VIRTIOFS := none
|
|
DEFSHAREDFS_QEMU_SEL_VIRTIOFS := none
|
|
DEFSHAREDFS_QEMU_CCA_VIRTIOFS := none
|
|
DEFVIRTIOFSDAEMON := $(LIBEXECDIR)/virtiofsd
|
|
DEFVALIDVIRTIOFSDAEMONPATHS := [\"$(DEFVIRTIOFSDAEMON)\"]
|
|
# Default DAX mapping cache size in MiB
|
|
#if value is 0, DAX is not enabled
|
|
DEFVIRTIOFSCACHESIZE ?= 0
|
|
DEFVIRTIOFSCACHE ?= auto
|
|
DEFVIRTIOFSQUEUESIZE ?= 1024
|
|
# Format example:
|
|
# [\"-o\", \"arg1=xxx,arg2\", \"-o\", \"hello world\", \"--arg3=yyy\"]
|
|
#
|
|
# see `virtiofsd -h` for possible options.
|
|
# Make sure you quote args.
|
|
DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
|
|
DEFENABLEIOTHREADS := false
|
|
DEFINDEPIOTHREADS := 0
|
|
DEFENABLEVHOSTUSERSTORE := false
|
|
DEFENABLEVIRTIOMEM ?= false
|
|
DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
|
|
DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
|
|
DEFMSIZE9P := 8192
|
|
DEFVFIOMODE := guest-kernel
|
|
|
|
# Default cgroup model
|
|
DEFSANDBOXCGROUPONLY ?= false
|
|
|
|
DEFSTATICRESOURCEMGMT ?= false
|
|
DEFSTATICRESOURCEMGMT_QEMU ?= false
|
|
ifeq ($(ARCH),arm64)
|
|
DEFSTATICRESOURCEMGMT_QEMU = true
|
|
endif
|
|
DEFSTATICRESOURCEMGMT_TEE = true
|
|
DEFSTATICRESOURCEMGMT_NV = true
|
|
|
|
DEFDISABLEIMAGENVDIMM ?= false
|
|
DEFDISABLEIMAGENVDIMM_NV = true
|
|
DEFDISABLEIMAGENVDIMM_CLH ?= true
|
|
|
|
DEFBINDMOUNTS := []
|
|
|
|
# Create Container Timeout in seconds
|
|
DEFCREATECONTAINERTIMEOUT ?= 60
|
|
|
|
# Default directory of directly attachable network config.
|
|
DEFDANCONF := /run/kata-containers/dans
|
|
|
|
DEFFORCEGUESTPULL := false
|
|
|
|
DEFKUBELETROOTDIR := /var/lib/kubelet
|
|
|
|
# Device cold plug
|
|
DEFPODRESOURCEAPISOCK := ""
|
|
DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock"
|
|
|
|
SED = sed
|
|
|
|
CLI_DIR = cmd
|
|
SHIMV2 = containerd-shim-kata-v2
|
|
SHIMV2_OUTPUT = $(CURDIR)/$(SHIMV2)
|
|
SHIMV2_DIR = $(CLI_DIR)/$(SHIMV2)
|
|
|
|
MONITOR = kata-monitor
|
|
MONITOR_OUTPUT = $(CURDIR)/$(MONITOR)
|
|
MONITOR_DIR = $(CLI_DIR)/kata-monitor
|
|
|
|
|
|
SOURCES := $(shell find . 2>&1 | grep -E '.*\.(c|h|go)$$')
|
|
VERSION := ${shell cat ./VERSION}
|
|
|
|
# List of configuration files to build and install
|
|
CONFIGS =
|
|
CONFIG_PATHS =
|
|
SYSCONFIG_PATHS =
|
|
|
|
# List of hypervisors known for the current architecture
|
|
KNOWN_HYPERVISORS =
|
|
|
|
ifneq (,$(QEMUCMD))
|
|
KNOWN_HYPERVISORS += $(HYPERVISOR_QEMU)
|
|
|
|
CONFIG_FILE_QEMU = configuration-qemu.toml
|
|
CONFIG_QEMU = config/$(CONFIG_FILE_QEMU)
|
|
CONFIG_QEMU_IN = $(CONFIG_QEMU).in
|
|
|
|
CONFIG_PATH_QEMU = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU)
|
|
|
|
SYSCONFIG_QEMU = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU)
|
|
|
|
CONFIGS += $(CONFIG_QEMU)
|
|
|
|
# Begin configuration-qemu-coco-dev
|
|
CONFIG_FILE_QEMU_COCO_DEV = configuration-qemu-coco-dev.toml
|
|
CONFIG_QEMU_COCO_DEV = config/$(CONFIG_FILE_QEMU_COCO_DEV)
|
|
CONFIG_QEMU_COCO_DEV_IN = $(CONFIG_QEMU_COCO_DEV).in
|
|
|
|
SYSCONFIG_QEMU_COCO_DEV = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_COCO_DEV))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_COCO_DEV)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_COCO_DEV)
|
|
# End configuration-qemu-coco-dev
|
|
|
|
CONFIG_FILE_QEMU_TDX = configuration-qemu-tdx.toml
|
|
CONFIG_QEMU_TDX = config/$(CONFIG_FILE_QEMU_TDX)
|
|
CONFIG_QEMU_TDX_IN = $(CONFIG_QEMU_TDX).in
|
|
|
|
CONFIG_PATH_QEMU_TDX = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_TDX))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_TDX)
|
|
|
|
SYSCONFIG_QEMU_TDX = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_TDX))
|
|
SYSCONFIG_PATHS_TDX += $(SYSCONFIG_QEMU_TDX)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_TDX)
|
|
|
|
CONFIG_FILE_QEMU_SNP = configuration-qemu-snp.toml
|
|
CONFIG_QEMU_SNP = config/$(CONFIG_FILE_QEMU_SNP)
|
|
CONFIG_QEMU_SNP_IN = $(CONFIG_QEMU_SNP).in
|
|
|
|
CONFIG_PATH_QEMU_SNP = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_SNP))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_SNP)
|
|
|
|
SYSCONFIG_QEMU_SNP = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SNP))
|
|
SYSCONFIG_PATHS_SNP += $(SYSCONFIG_QEMU_SNP)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_SNP)
|
|
|
|
CONFIG_FILE_QEMU_CCA = configuration-qemu-cca.toml
|
|
CONFIG_QEMU_CCA = config/$(CONFIG_FILE_QEMU_CCA)
|
|
CONFIG_QEMU_CCA_IN = $(CONFIG_QEMU_CCA).in
|
|
|
|
CONFIG_PATH_QEMU_CCA = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_CCA))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_CCA)
|
|
|
|
SYSCONFIG_QEMU_CCA = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_CCA))
|
|
SYSCONFIG_PATHS_CCA += $(SYSCONFIG_QEMU_CCA)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_CCA)
|
|
|
|
CONFIG_FILE_QEMU_NVIDIA_GPU = configuration-qemu-nvidia-gpu.toml
|
|
CONFIG_QEMU_NVIDIA_GPU = config/$(CONFIG_FILE_QEMU_NVIDIA_GPU)
|
|
CONFIG_QEMU_NVIDIA_GPU_IN = $(CONFIG_QEMU_NVIDIA_GPU).in
|
|
|
|
CONFIGS += $(CONFIG_QEMU_NVIDIA_GPU)
|
|
|
|
CONFIG_FILE_QEMU_NVIDIA_GPU_SNP = configuration-qemu-nvidia-gpu-snp.toml
|
|
CONFIG_QEMU_NVIDIA_GPU_SNP = config/$(CONFIG_FILE_QEMU_NVIDIA_GPU_SNP)
|
|
CONFIG_QEMU_NVIDIA_GPU_SNP_IN = $(CONFIG_QEMU_NVIDIA_GPU_SNP).in
|
|
|
|
CONFIG_PATH_QEMU_NVIDIA_GPU_SNP = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_NVIDIA_GPU_SNP))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_NVIDIA_GPU_SNP)
|
|
|
|
SYSCONFIG_QEMU_NVIDIA_GPU_SNP = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_NVIDIA_GPU_SNP))
|
|
SYSCONFIG_PATHS_SNP += $(SYSCONFIG_QEMU_NVIDIA_GPU_SNP)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_NVIDIA_GPU_SNP)
|
|
|
|
CONFIG_FILE_QEMU_NVIDIA_GPU_TDX = configuration-qemu-nvidia-gpu-tdx.toml
|
|
CONFIG_QEMU_NVIDIA_GPU_TDX = config/$(CONFIG_FILE_QEMU_NVIDIA_GPU_TDX)
|
|
CONFIG_QEMU_NVIDIA_GPU_TDX_IN = $(CONFIG_QEMU_NVIDIA_GPU_TDX).in
|
|
|
|
CONFIG_PATH_QEMU_NVIDIA_GPU_TDX = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_NVIDIA_GPU_TDX))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_NVIDIA_GPU_TDX)
|
|
|
|
SYSCONFIG_QEMU_NVIDIA_GPU_TDX = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_NVIDIA_GPU_TDX))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_NVIDIA_GPU_TDX)
|
|
|
|
CONFIGS += $(CONFIG_QEMU_NVIDIA_GPU_TDX)
|
|
|
|
CONFIG_FILE_REMOTE = configuration-remote.toml
|
|
CONFIG_REMOTE = config/$(CONFIG_FILE_REMOTE)
|
|
CONFIG_REMOTE_IN = $(CONFIG_REMOTE).in
|
|
|
|
CONFIG_PATH_REMOTE = $(abspath $(CONFDIR)/$(CONFIG_FILE_REMOTE))
|
|
CONFIG_PATHS += $(CONFIG_PATH_REMOTE)
|
|
|
|
SYSCONFIG_REMOTE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_REMOTE))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_REMOTE)
|
|
|
|
CONFIGS += $(CONFIG_REMOTE)
|
|
|
|
CONFIG_FILE_QEMU_SE = configuration-qemu-se.toml
|
|
CONFIG_QEMU_SE = config/$(CONFIG_FILE_QEMU_SE)
|
|
CONFIG_QEMU_SE_IN = $(CONFIG_QEMU_SE).in
|
|
|
|
CONFIG_PATH_QEMU_SE = $(abspath $(CONFDIR)/$(CONFIG_FILE_QEMU_SE))
|
|
CONFIG_PATHS += $(CONFIG_PATH_QEMU_SE)
|
|
|
|
SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
|
|
|
|
DEFVFIOMODE_SE = vfio
|
|
|
|
CONFIGS += $(CONFIG_QEMU_SE)
|
|
|
|
# qemu-specific options (all should be suffixed by "_QEMU")
|
|
DEFBLOCKSTORAGEDRIVER_QEMU := virtio-scsi
|
|
DEFBLOCKDEVICEAIO_QEMU := io_uring
|
|
DEFNETWORKMODEL_QEMU := tcfilter
|
|
|
|
# Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
|
|
KERNELTYPE = uncompressed
|
|
KERNELNAME = $(call MAKE_KERNEL_NAME,$(KERNELTYPE))
|
|
KERNELPATH = $(KERNELDIR)/$(KERNELNAME)
|
|
|
|
KERNELCONFIDENTIALTYPE = compressed
|
|
KERNELCONFIDENTIALNAME = $(call MAKE_KERNEL_NAME,$(KERNELCONFIDENTIALTYPE))
|
|
KERNELCONFIDENTIALPATH = $(KERNELDIR)/$(KERNELCONFIDENTIALNAME)
|
|
|
|
KERNELCONFIDENTIALTYPE_CCA = compressed
|
|
KERNELCONFIDENTIALNAME_CCA = $(call MAKE_KERNEL_CONFIDENTIAL_NAME,$(KERNELCONFIDENTIALTYPE_CCA))
|
|
KERNELCONFIDENTIALPATH_CCA = $(KERNELDIR)/$(KERNELCONFIDENTIALNAME_CCA)
|
|
|
|
KERNELSENAME = kata-containers-se.img
|
|
KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
|
|
|
|
# NVIDIA GPU specific options (all should be suffixed by _NV)
|
|
KERNELTYPE_NV = compressed
|
|
KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
|
|
KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
|
|
KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
|
|
KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
|
|
|
|
DEFAULTVCPUS_NV = 1
|
|
DEFAULTMEMORY_NV = 8192
|
|
DEFAULTTIMEOUT_NV = 1200
|
|
DEFAULTLAUNCHPROCESSTIMEOUT_NV = 15
|
|
DEFAULTVFIOPORT_NV = root-port
|
|
DEFAULTPCIEROOTPORT_NV = 8
|
|
|
|
KERNELPARAMS_NV = "cgroup_no_v1=all"
|
|
KERNELPARAMS_NV += "pci=realloc"
|
|
KERNELPARAMS_NV += "pci=nocrs"
|
|
KERNELPARAMS_NV += "pci=assign-busses"
|
|
|
|
KERNELPARAMS_CONFIDENTIAL_NV = $(KERNELPARAMS_NV)
|
|
KERNELPARAMS_CONFIDENTIAL_NV += "nvrc.smi.srs=1"
|
|
|
|
# Setting this to false can lead to cgroup leakages in the host
|
|
# Best practice for production is to set this to true
|
|
DEFSANDBOXCGROUPONLY_NV = true
|
|
|
|
DEFENABLEVCPUPINNING_NV = true
|
|
|
|
DEFENABLENUMA_NV = true
|
|
|
|
# NVIDIA profile: rootfs filesystem type (erofs for read-only, compressed images)
|
|
DEFROOTFSTYPE_NV := $(ROOTFSTYPE_EROFS)
|
|
|
|
ifneq (,$(QEMUFW))
|
|
FIRMWAREPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFW)
|
|
endif
|
|
ifneq (,$(QEMUFWVOL))
|
|
FIRMWAREVOLUMEPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFWVOL)
|
|
endif
|
|
endif
|
|
|
|
ifneq (,$(CLHCMD))
|
|
KNOWN_HYPERVISORS += $(HYPERVISOR_CLH)
|
|
|
|
CONFIG_FILE_CLH = configuration-clh.toml
|
|
CONFIG_CLH = config/$(CONFIG_FILE_CLH)
|
|
CONFIG_CLH_IN = $(CONFIG_CLH).in
|
|
|
|
CONFIG_PATH_CLH = $(abspath $(CONFDIR)/$(CONFIG_FILE_CLH))
|
|
CONFIG_PATHS += $(CONFIG_PATH_CLH)
|
|
|
|
SYSCONFIG_CLH = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_CLH))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_CLH)
|
|
|
|
CONFIGS += $(CONFIG_CLH)
|
|
|
|
CONFIG_FILE_CLH_AZURE = configuration-clh-azure.toml
|
|
CONFIG_CLH_AZURE = config/$(CONFIG_FILE_CLH_AZURE)
|
|
CONFIG_CLH_AZURE_IN = $(CONFIG_CLH_AZURE).in
|
|
|
|
CONFIG_PATH_CLH_AZURE = $(abspath $(CONFDIR)/$(CONFIG_FILE_CLH_AZURE))
|
|
CONFIG_PATHS += $(CONFIG_PATH_CLH_AZURE)
|
|
|
|
SYSCONFIG_CLH_AZURE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_CLH_AZURE))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_CLH_AZURE)
|
|
|
|
CONFIGS += $(CONFIG_CLH_AZURE)
|
|
|
|
# CLH-specific options (all should be suffixed by "_CLH")
|
|
# currently, huge pages are required for virtiofsd support
|
|
DEFNETWORKMODEL_CLH := tcfilter
|
|
IMAGEPATH_CLH_AZURE := $(PKGDATADIR)/kata-containers-mariner.img
|
|
KERNELPATH_CLH_AZURE := /usr/share/cloud-hypervisor/vmlinux.bin
|
|
DEFSTATICRESOURCEMGMT_CLH_AZURE := true
|
|
KERNELTYPE_CLH = uncompressed
|
|
KERNEL_NAME_CLH = $(call MAKE_KERNEL_NAME,$(KERNELTYPE_CLH))
|
|
KERNELPATH_CLH = $(KERNELDIR)/$(KERNEL_NAME_CLH)
|
|
endif
|
|
|
|
ifneq (,$(STRATOVIRTCMD))
|
|
KNOWN_HYPERVISORS += $(HYPERVISOR_STRATOVIRT)
|
|
|
|
CONFIG_FILE_STRATOVIRT = configuration-stratovirt.toml
|
|
CONFIG_STRATOVIRT = config/$(CONFIG_FILE_STRATOVIRT)
|
|
CONFIG_STRATOVIRT_IN = $(CONFIG_STRATOVIRT).in
|
|
|
|
CONFIG_PATH_STRATOVIRT = $(abspath $(CONFDIR)/$(CONFIG_FILE_STRATOVIRT))
|
|
CONFIG_PATHS += $(CONFIG_PATH_STRATOVIRT)
|
|
|
|
SYSCONFIG_STRATOVIRT = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_STRATOVIRT))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_STRATOVIRT)
|
|
|
|
CONFIGS += $(CONFIG_STRATOVIRT)
|
|
|
|
# stratovirt-specific options (all should be suffixed by "_STRATOVIRT")
|
|
DEFMACHINETYPE_STRATOVIRT := microvm
|
|
DEFBLOCKSTORAGEDRIVER_STRATOVIRT := virtio-mmio
|
|
DEFNETWORKMODEL_STRATOVIRT := tcfilter
|
|
DEFSTATICRESOURCEMGMT_STRATOVIRT = true
|
|
ifeq ($(ARCH),amd64)
|
|
KERNELTYPE_STRATOVIRT = compressed
|
|
endif
|
|
ifeq ($(ARCH),arm64)
|
|
KERNELTYPE_STRATOVIRT = uncompressed
|
|
endif
|
|
KERNEL_NAME_STRATOVIRT = $(call MAKE_KERNEL_NAME,$(KERNELTYPE_STRATOVIRT))
|
|
KERNELPATH_STRATOVIRT = $(KERNELDIR)/$(KERNEL_NAME_STRATOVIRT)
|
|
endif
|
|
|
|
ifneq (,$(FCCMD))
|
|
KNOWN_HYPERVISORS += $(HYPERVISOR_FC)
|
|
|
|
CONFIG_FILE_FC = configuration-fc.toml
|
|
CONFIG_FC = config/$(CONFIG_FILE_FC)
|
|
CONFIG_FC_IN = $(CONFIG_FC).in
|
|
|
|
CONFIG_PATH_FC = $(abspath $(CONFDIR)/$(CONFIG_FILE_FC))
|
|
CONFIG_PATHS += $(CONFIG_PATH_FC)
|
|
|
|
SYSCONFIG_FC = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_FC))
|
|
SYSCONFIG_PATHS += $(SYSCONFIG_FC)
|
|
|
|
CONFIGS += $(CONFIG_FC)
|
|
|
|
# firecracker-specific options (all should be suffixed by "_FC")
|
|
DEFBLOCKSTORAGEDRIVER_FC := virtio-mmio
|
|
DEFNETWORKMODEL_FC := tcfilter
|
|
DEFSTATICRESOURCEMGMT_FC = true
|
|
KERNELTYPE_FC = uncompressed
|
|
KERNEL_NAME_FC = $(call MAKE_KERNEL_NAME,$(KERNELTYPE_FC))
|
|
KERNELPATH_FC = $(KERNELDIR)/$(KERNEL_NAME_FC)
|
|
endif
|
|
|
|
ifeq (,$(KNOWN_HYPERVISORS))
|
|
$(error "ERROR: No hypervisors known for architecture $(ARCH) (looked for: $(HYPERVISORS))")
|
|
endif
|
|
|
|
ifeq (,$(findstring $(DEFAULT_HYPERVISOR),$(HYPERVISORS)))
|
|
$(error "ERROR: Invalid default hypervisor: '$(DEFAULT_HYPERVISOR)'")
|
|
endif
|
|
|
|
ifeq (,$(findstring $(DEFAULT_HYPERVISOR),$(KNOWN_HYPERVISORS)))
|
|
$(error "ERROR: Default hypervisor '$(DEFAULT_HYPERVISOR)' not known for architecture $(ARCH)")
|
|
endif
|
|
|
|
ifeq ($(DEFAULT_HYPERVISOR),$(HYPERVISOR_QEMU))
|
|
DEFAULT_HYPERVISOR_CONFIG = $(CONFIG_FILE_QEMU)
|
|
endif
|
|
|
|
ifeq ($(DEFAULT_HYPERVISOR),$(HYPERVISOR_QEMU_VIRTIOFS))
|
|
DEFAULT_HYPERVISOR_CONFIG = $(CONFIG_FILE_QEMU_VIRTIOFS)
|
|
endif
|
|
|
|
ifeq ($(DEFAULT_HYPERVISOR),$(HYPERVISOR_FC))
|
|
DEFAULT_HYPERVISOR_CONFIG = $(CONFIG_FILE_FC)
|
|
endif
|
|
|
|
ifeq ($(DEFAULT_HYPERVISOR),$(HYPERVISOR_CLH))
|
|
DEFAULT_HYPERVISOR_CONFIG = $(CONFIG_FILE_CLH)
|
|
endif
|
|
|
|
CONFDIR := $(DEFAULTSDIR)/$(PROJECT_DIR)
|
|
SYSCONFDIR := $(SYSCONFDIR)/$(PROJECT_DIR)
|
|
|
|
# Main configuration file location for stateless systems
|
|
CONFIG_PATH := $(abspath $(CONFDIR)/$(CONFIG_FILE))
|
|
|
|
# Secondary configuration file location. Note that this takes precedence
|
|
# over CONFIG_PATH.
|
|
SYSCONFIG := $(abspath $(SYSCONFDIR)/$(CONFIG_FILE))
|
|
|
|
SHAREDIR := $(SHAREDIR)
|
|
|
|
# list of variables the user may wish to override
|
|
USER_VARS += ARCH
|
|
USER_VARS += BINDIR
|
|
USER_VARS += CONFIG_CLH_IN
|
|
USER_VARS += CONFIG_FC_IN
|
|
USER_VARS += CONFIG_STRATOVIRT_IN
|
|
USER_VARS += CONFIG_PATH
|
|
USER_VARS += CONFIG_QEMU_IN
|
|
USER_VARS += CONFIG_REMOTE_IN
|
|
USER_VARS += DESTDIR
|
|
USER_VARS += DEFAULT_HYPERVISOR
|
|
USER_VARS += CLHPATH
|
|
USER_VARS += CLHVALIDHYPERVISORPATHS
|
|
USER_VARS += FIRMWAREPATH_CLH
|
|
USER_VARS += FCCMD
|
|
USER_VARS += FCPATH
|
|
USER_VARS += FCVALIDHYPERVISORPATHS
|
|
USER_VARS += FCJAILERPATH
|
|
USER_VARS += FCVALIDJAILERPATHS
|
|
USER_VARS += STRATOVIRTPATH
|
|
USER_VARS += STRATOVIRTVALIDHYPERVISORPATHS
|
|
USER_VARS += SYSCONFIG
|
|
USER_VARS += IMAGENAME
|
|
USER_VARS += IMAGECONFIDENTIALNAME
|
|
USER_VARS += IMAGEPATH
|
|
USER_VARS += IMAGEPATH_CLH_AZURE
|
|
USER_VARS += IMAGECONFIDENTIALPATH
|
|
USER_VARS += INITRDNAME
|
|
USER_VARS += INITRDCONFIDENTIALNAME
|
|
USER_VARS += INITRDPATH
|
|
USER_VARS += INITRDCONFIDENTIALPATH
|
|
USER_VARS += IMAGENAME_NV
|
|
USER_VARS += IMAGENAME_CONFIDENTIAL_NV
|
|
USER_VARS += IMAGEPATH_NV
|
|
USER_VARS += IMAGEPATH_CONFIDENTIAL_NV
|
|
USER_VARS += KERNELNAME_NV
|
|
USER_VARS += KERNELPATH_NV
|
|
USER_VARS += KERNELNAME_CONFIDENTIAL_NV
|
|
USER_VARS += KERNELPATH_CONFIDENTIAL_NV
|
|
USER_VARS += DEFAULTVCPUS_NV
|
|
USER_VARS += DEFAULTMEMORY_NV
|
|
USER_VARS += DEFAULTVFIOPORT_NV
|
|
USER_VARS += DEFAULTPCIEROOTPORT_NV
|
|
USER_VARS += KERNELPARAMS_NV
|
|
USER_VARS += KERNELPARAMS_CONFIDENTIAL_NV
|
|
USER_VARS += KERNELVERITYPARAMS_NV
|
|
USER_VARS += KERNELVERITYPARAMS_CONFIDENTIAL_NV
|
|
USER_VARS += DEFAULTTIMEOUT_NV
|
|
USER_VARS += DEFAULTLAUNCHPROCESSTIMEOUT_NV
|
|
USER_VARS += DEFSANDBOXCGROUPONLY_NV
|
|
USER_VARS += DEFENABLEVCPUPINNING_NV
|
|
USER_VARS += DEFENABLENUMA_NV
|
|
USER_VARS += DEFROOTFSTYPE_NV
|
|
USER_VARS += DEFROOTFSTYPE
|
|
USER_VARS += MACHINETYPE
|
|
USER_VARS += KERNELDIR
|
|
USER_VARS += KERNELTYPE
|
|
USER_VARS += KERNELTYPE_FC
|
|
USER_VARS += KERNELTYPE_CLH
|
|
USER_VARS += KERNELPATH
|
|
USER_VARS += KERNELCONFIDENTIALPATH
|
|
USER_VARS += KERNELCONFIDENTIALPATH_CCA
|
|
USER_VARS += KERNELSEPATH
|
|
USER_VARS += KERNELPATH_CLH
|
|
USER_VARS += KERNELPATH_CLH_AZURE
|
|
USER_VARS += KERNELPATH_FC
|
|
USER_VARS += KERNELPATH_STRATOVIRT
|
|
USER_VARS += KERNELVIRTIOFSPATH
|
|
USER_VARS += FIRMWAREPATH
|
|
USER_VARS += FIRMWAREPATH_NV
|
|
USER_VARS += FIRMWARETDVFPATH
|
|
USER_VARS += FIRMWAREVOLUMEPATH
|
|
USER_VARS += FIRMWARETDVFVOLUMEPATH
|
|
USER_VARS += FIRMWARESNPPATH
|
|
USER_VARS += FIRMWARETDVFPATH_NV
|
|
USER_VARS += FIRMWARESNPPATH_NV
|
|
USER_VARS += MACHINEACCELERATORS
|
|
USER_VARS += CPUFEATURES
|
|
USER_VARS += TDXCPUFEATURES
|
|
USER_VARS += DEFMACHINETYPE_CLH
|
|
USER_VARS += DEFMACHINETYPE_STRATOVIRT
|
|
USER_VARS += KERNELPARAMS
|
|
USER_VARS += KERNELVERITYPARAMS
|
|
USER_VARS += KERNELTDXPARAMS
|
|
USER_VARS += KERNELQEMUCOCODEVPARAMS
|
|
USER_VARS += LIBEXECDIR
|
|
USER_VARS += LOCALSTATEDIR
|
|
USER_VARS += PKGDATADIR
|
|
USER_VARS += PKGLIBEXECDIR
|
|
USER_VARS += PKGRUNDIR
|
|
USER_VARS += PREFIX
|
|
USER_VARS += PROJECT_BUG_URL
|
|
USER_VARS += PROJECT_NAME
|
|
USER_VARS += PROJECT_ORG
|
|
USER_VARS += PROJECT_PREFIX
|
|
USER_VARS += PROJECT_TAG
|
|
USER_VARS += PROJECT_TYPE
|
|
USER_VARS += PROJECT_URL
|
|
USER_VARS += QEMUBINDIR
|
|
USER_VARS += QEMUCMD
|
|
USER_VARS += QEMUTDXEXPERIMENTALCMD
|
|
USER_VARS += QEMUCCAEXPERIMENTALCMD
|
|
USER_VARS += QEMUSNPCMD
|
|
USER_VARS += QEMUPATH
|
|
USER_VARS += QEMUTDXEXPERIMENTALPATH
|
|
USER_VARS += QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT
|
|
USER_VARS += QEMUSNPPATH
|
|
USER_VARS += QEMUCCAEXPERIMENTALPATH
|
|
USER_VARS += QEMUVALIDHYPERVISORPATHS
|
|
USER_VARS += QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS
|
|
USER_VARS += QEMUCCAVALIDHYPERVISORPATHS
|
|
USER_VARS += QEMUCCAEXPERIMENTALVALIDHYPERVISORPATHS
|
|
USER_VARS += QEMUSNPVALIDHYPERVISORPATHS
|
|
USER_VARS += QEMUVIRTIOFSCMD
|
|
USER_VARS += QEMUVIRTIOFSPATH
|
|
USER_VARS += RUNTIME_NAME
|
|
USER_VARS += SHAREDIR
|
|
USER_VARS += SYSCONFDIR
|
|
USER_VARS += DEFVCPUS
|
|
USER_VARS += DEFMAXVCPUS
|
|
USER_VARS += DEFMEMSZ
|
|
USER_VARS += DEFMEMSLOTS
|
|
USER_VARS += DEFMAXMEMSZ
|
|
USER_VARS += DEFBRIDGES
|
|
USER_VARS += DEFNETWORKMODEL_CLH
|
|
USER_VARS += DEFNETWORKMODEL_FC
|
|
USER_VARS += DEFNETWORKMODEL_QEMU
|
|
USER_VARS += DEFNETWORKMODEL_STRATOVIRT
|
|
USER_VARS += DEFDISABLEGUESTEMPTYDIR
|
|
USER_VARS += DEFEMPTYDIRMODE
|
|
USER_VARS += DEFEMPTYDIRMODE_COCO
|
|
USER_VARS += DEFDISABLEGUESTSECCOMP
|
|
USER_VARS += DEFDISABLESELINUX
|
|
USER_VARS += DEFDISABLEGUESTSELINUX
|
|
USER_VARS += DEFGUESTSELINUXLABEL
|
|
USER_VARS += DEFAULTEXPFEATURES
|
|
USER_VARS += DEFDISABLEBLOCK
|
|
USER_VARS += DEFBLOCKSTORAGEDRIVER_FC
|
|
USER_VARS += DEFBLOCKSTORAGEDRIVER_QEMU
|
|
USER_VARS += DEFBLOCKSTORAGEDRIVER_STRATOVIRT
|
|
USER_VARS += DEFBLOCKDEVICEAIO_QEMU
|
|
USER_VARS += DEFSHAREDFS_CLH_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_QEMU_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_QEMU_COCO_DEV_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_STRATOVIRT_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_QEMU_TDX_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_QEMU_SNP_VIRTIOFS
|
|
USER_VARS += DEFSHAREDFS_QEMU_SEL_VIRTIOFS
|
|
USER_VARS += DEFVIRTIOFSDAEMON
|
|
USER_VARS += DEFVALIDVIRTIOFSDAEMONPATHS
|
|
USER_VARS += DEFVIRTIOFSCACHESIZE
|
|
USER_VARS += DEFVIRTIOFSCACHE
|
|
USER_VARS += DEFVIRTIOFSQUEUESIZE
|
|
USER_VARS += DEFVIRTIOFSEXTRAARGS
|
|
USER_VARS += DEFENABLEANNOTATIONS
|
|
USER_VARS += DEFENABLEANNOTATIONS_COCO
|
|
USER_VARS += DEFENABLEIOTHREADS
|
|
USER_VARS += DEFINDEPIOTHREADS
|
|
USER_VARS += DEFENABLEVIRTIOMEM
|
|
USER_VARS += DEFSECCOMPSANDBOXPARAM
|
|
USER_VARS += DEFENABLEVHOSTUSERSTORE
|
|
USER_VARS += DEFVHOSTUSERSTOREPATH
|
|
USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS
|
|
USER_VARS += DEFMSIZE9P
|
|
USER_VARS += DEFENTROPYSOURCE
|
|
USER_VARS += DEFVALIDENTROPYSOURCES
|
|
USER_VARS += DEFSANDBOXCGROUPONLY
|
|
USER_VARS += DEFSTATICRESOURCEMGMT
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_CLH
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_CLH_AZURE
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_FC
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_STRATOVIRT
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_TEE
|
|
USER_VARS += DEFSTATICRESOURCEMGMT_NV
|
|
USER_VARS += DEFBINDMOUNTS
|
|
USER_VARS += DEFCREATECONTAINERTIMEOUT
|
|
USER_VARS += DEFDANCONF
|
|
USER_VARS += DEFKUBELETROOTDIR
|
|
USER_VARS += DEFFORCEGUESTPULL
|
|
USER_VARS += DEFVFIOMODE
|
|
USER_VARS += DEFVFIOMODE_SE
|
|
USER_VARS += BUILDFLAGS
|
|
USER_VARS += DEFDISABLEIMAGENVDIMM
|
|
USER_VARS += DEFDISABLEIMAGENVDIMM_NV
|
|
USER_VARS += DEFDISABLEIMAGENVDIMM_CLH
|
|
USER_VARS += DEFCCAMEASUREMENTALGO
|
|
USER_VARS += DEFSHAREDFS_QEMU_CCA_VIRTIOFS
|
|
USER_VARS += DEFPODRESOURCEAPISOCK
|
|
USER_VARS += DEFPODRESOURCEAPISOCK_NV
|
|
|
|
V = @
|
|
Q = $(V:1=)
|
|
QUIET_BUILD = $(Q:@=@echo ' BUILD '$@;)
|
|
QUIET_CHECK = $(Q:@=@echo ' CHECK '$@;)
|
|
QUIET_CLEAN = $(Q:@=@echo ' CLEAN '$@;)
|
|
QUIET_GENERATE = $(Q:@=@echo ' GENERATE '$@;)
|
|
QUIET_INST = $(Q:@=@echo ' INSTALL '$@;)
|
|
QUIET_TEST = $(Q:@=@echo ' TEST '$@;)
|
|
|
|
BUILDTAGS :=
|
|
|
|
# go build common flags
|
|
BUILDFLAGS := -buildmode=pie ${BUILDTAGS}
|
|
|
|
# whether stipping the binary
|
|
ifeq ($(STRIP),yes)
|
|
KATA_LDFLAGS = -w -s
|
|
endif
|
|
|
|
ifeq ($(ARCH),s390x)
|
|
KATA_LDFLAGS += -extldflags=-Wl,--s390-pgste
|
|
endif
|
|
|
|
# Return non-empty string if specified directory exists
|
|
define DIR_EXISTS
|
|
$(shell test -d $(1) && echo "$(1)")
|
|
endef
|
|
|
|
# $1: name of architecture to display
|
|
define SHOW_ARCH
|
|
$(shell printf "\\t%s%s\\\n" "$(1)" $(if $(filter $(ARCH),$(1))," (default)",""))
|
|
endef
|
|
|
|
all: runtime containerd-shim-v2 monitor
|
|
|
|
# Targets that depend on .git-commit can use $(shell git rev-parse HEAD) to get a
|
|
# git revision string. They will only be rebuilt if the revision string
|
|
# actually changes.
|
|
.PHONY: .git-commit.tmp
|
|
.git-commit: .git-commit.tmp
|
|
@cmp $< $@ >/dev/null 2>&1 || cp $< $@
|
|
.git-commit.tmp:
|
|
@echo -n "$$(git rev-parse HEAD 2>/dev/null)" >$@
|
|
@test -n "$$(git status --porcelain --untracked-files=no)" && echo -n "-dirty" >>$@ || true
|
|
|
|
containerd-shim-v2: $(SHIMV2_OUTPUT)
|
|
|
|
monitor: $(MONITOR_OUTPUT)
|
|
|
|
runtime: $(RUNTIME_OUTPUT) $(CONFIGS)
|
|
.DEFAULT: default
|
|
|
|
build: all
|
|
|
|
#Install an executable file
|
|
# params:
|
|
# $1 : file to install
|
|
# $2 : directory path where file will be installed
|
|
define INSTALL_EXEC
|
|
install -D $1 $(DESTDIR)$2/$(notdir $1);
|
|
endef
|
|
|
|
# Install a configuration file
|
|
# params:
|
|
# $1 : file to install
|
|
# $2 : directory path where file will be installed
|
|
define INSTALL_CONFIG
|
|
install --mode 0644 -D $1 $(DESTDIR)$2/$(notdir $1);
|
|
endef
|
|
|
|
# Returns the name of the kernel file to use based on the provided KERNELTYPE.
|
|
# $1 : KERNELTYPE (compressed or uncompressed)
|
|
define MAKE_KERNEL_NAME
|
|
$(if $(findstring uncompressed,$1),vmlinux.container,vmlinuz.container)
|
|
endef
|
|
|
|
define MAKE_KERNEL_VIRTIOFS_NAME
|
|
$(if $(findstring uncompressed,$1),vmlinux-virtiofs.container,vmlinuz-virtiofs.container)
|
|
endef
|
|
|
|
define MAKE_KERNEL_CONFIDENTIAL_NAME
|
|
$(if $(findstring uncompressed,$1),vmlinux-confidential.container,vmlinuz-confidential.container)
|
|
endef
|
|
|
|
define MAKE_KERNEL_NAME_NV
|
|
$(if $(findstring uncompressed,$1),vmlinux-nvidia-gpu.container,vmlinuz-nvidia-gpu.container)
|
|
endef
|
|
|
|
GENERATED_FILES += pkg/katautils/config-settings.go
|
|
|
|
$(RUNTIME_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
|
|
$(QUIET_BUILD)(cd $(RUNTIME_DIR) && go build -ldflags "$(KATA_LDFLAGS)" $(BUILDFLAGS) -o $@ .)
|
|
|
|
$(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
|
|
$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build -ldflags "$(KATA_LDFLAGS)" $(BUILDFLAGS) -o $@ .)
|
|
|
|
$(MONITOR_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) .git-commit
|
|
$(QUIET_BUILD)(cd $(MONITOR_DIR)/ && go build \
|
|
--ldflags "-X main.GitCommit=$(shell git rev-parse HEAD)" $(BUILDFLAGS) -o $@ .)
|
|
|
|
.PHONY: \
|
|
check \
|
|
coverage \
|
|
default \
|
|
install \
|
|
lint \
|
|
pre-commit \
|
|
show-header \
|
|
show-summary \
|
|
show-variables
|
|
|
|
$(TARGET).coverage: $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
|
|
$(QUIET_TEST)go test -o $@ -covermode count
|
|
|
|
GENERATED_FILES += $(CONFIGS)
|
|
|
|
$(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
|
|
$(QUIET_GENERATE)$(SED) \
|
|
-e "s|@COMMIT@|$(shell git rev-parse HEAD)|g" \
|
|
$(foreach v,$(GENERATED_VARS),-e "s|@$v@|$($v)|g") \
|
|
$< > $@
|
|
|
|
generate-config: $(CONFIGS)
|
|
|
|
test: hook go-test
|
|
|
|
hook:
|
|
make -C pkg/katautils/mockhook
|
|
|
|
go-test: $(GENERATED_FILES)
|
|
go clean -testcache
|
|
$(QUIET_TEST)./go-test.sh
|
|
|
|
fast-test: $(GENERATED_FILES)
|
|
go clean -testcache
|
|
for s in $$(go list ./...); do if ! go test -failfast -v -p 1 $$s; then break; fi; done
|
|
|
|
GOLANGCI_LINT_FILE := ../../tests/.golangci.yml
|
|
GOLANGCI_LINT_NAME = golangci-lint
|
|
GOLANGCI_LINT_CMD := $(shell command -v $(GOLANGCI_LINT_NAME) 2>/dev/null)
|
|
lint: all
|
|
if [ -z $(GOLANGCI_LINT_CMD) ] ; \
|
|
then \
|
|
echo "ERROR: command $(GOLANGCI_LINT_NAME) not found. Please install it first." >&2; exit 1; \
|
|
fi
|
|
|
|
if [ -f $(GOLANGCI_LINT_FILE) ] ; \
|
|
then \
|
|
echo "running $(GOLANGCI_LINT_NAME)..."; \
|
|
$(GOLANGCI_LINT_NAME) run -c $(GOLANGCI_LINT_FILE) ; \
|
|
else \
|
|
echo "ERROR: file $(GOLANGCI_LINT_FILE) not found. You should clone https://github.com/kata-containers/tests to run $(GOLANGCI_LINT_NAME) locally." >&2; exit 1; \
|
|
fi;
|
|
|
|
pre-commit: lint fast-test
|
|
|
|
coverage:
|
|
go test -v -covermode=atomic -coverprofile=coverage.txt ./...
|
|
go tool cover -html=coverage.txt -o coverage.html
|
|
|
|
install: all install-runtime install-containerd-shim-v2 install-monitor
|
|
|
|
install-bin: $(BINLIST)
|
|
$(QUIET_INST)$(foreach f,$(BINLIST),$(call INSTALL_EXEC,$f,$(BINDIR)))
|
|
|
|
install-runtime: runtime install-scripts install-completions install-configs install-bin
|
|
|
|
install-containerd-shim-v2: $(SHIMV2_OUTPUT)
|
|
$(QUIET_INST)$(call INSTALL_EXEC,$<,$(BINDIR))
|
|
|
|
install-monitor: $(MONITOR)
|
|
$(QUIET_INST)$(call INSTALL_EXEC,$<,$(BINDIR))
|
|
|
|
install-bin-libexec: $(BINLIBEXECLIST)
|
|
$(QUIET_INST)$(foreach f,$(BINLIBEXECLIST),$(call INSTALL_EXEC,$f,$(PKGLIBEXECDIR)))
|
|
|
|
install-configs: $(CONFIGS)
|
|
$(QUIET_INST)$(foreach f,$(CONFIGS),$(call INSTALL_CONFIG,$f,$(dir $(CONFIG_PATH))))
|
|
$(QUIET_INST)ln -sf $(DEFAULT_HYPERVISOR_CONFIG) $(DESTDIR)/$(CONFIG_PATH)
|
|
|
|
install-scripts: $(SCRIPTS)
|
|
$(QUIET_INST)$(foreach f,$(SCRIPTS),$(call INSTALL_EXEC,$f,$(SCRIPTS_DIR)))
|
|
|
|
install-completions:
|
|
$(QUIET_INST)install --mode 0644 -D $(BASH_COMPLETIONS) $(DESTDIR)/$(BASH_COMPLETIONSDIR)/$(notdir $(BASH_COMPLETIONS));
|
|
|
|
static-checks-build: $(GENERATED_FILES)
|
|
|
|
clean: clean-generated-files
|
|
$(QUIET_CLEAN)rm -f \
|
|
$(MONITOR) \
|
|
$(SHIMV2) \
|
|
$(TARGET) \
|
|
.git-commit .git-commit.tmp
|
|
|
|
clean-generated-files:
|
|
$(QUIET_CLEAN)rm -f $(GENERATED_FILES)
|
|
|
|
show-usage: show-header
|
|
@printf "• Overview:\n"
|
|
@printf "\n"
|
|
@printf "\tTo build $(TARGET), just run, \"make\".\n"
|
|
@printf "\n"
|
|
@printf "\tFor a verbose build, run \"make V=1\".\n"
|
|
@printf "\n"
|
|
@printf "• Additional targets:\n"
|
|
@printf "\n"
|
|
@printf "\tbuild : standard build (build everything).\n"
|
|
@printf "\ttest : run tests.\n"
|
|
@printf "\tpre-commit : run $(GOLANGCI_LINT_NAME) and tests locally.\n"
|
|
@printf "\tlint : run $(GOLANGCI_LINT_NAME).\n"
|
|
@printf "\tfast-test : run tests with failfast option.\n"
|
|
@printf "\tcheck : run code checks.\n"
|
|
@printf "\tclean : remove built files.\n"
|
|
@printf "\tclean-generated-files : remove generated files.\n"
|
|
@printf "\tcontainerd-shim-v2 : only build containerd shim v2.\n"
|
|
@printf "\tcoverage : run coverage tests.\n"
|
|
@printf "\tdefault : same as 'make build' (or just 'make').\n"
|
|
@printf "\tgenerate-config : create configuration file.\n"
|
|
@printf "\tinstall : install everything.\n"
|
|
@printf "\tinstall-containerd-shim-v2 : only install containerd shim v2 files.\n"
|
|
@printf "\tinstall-runtime : only install runtime files.\n"
|
|
@printf "\truntime : only build runtime.\n"
|
|
@printf "\tshow-arches : show supported architectures (ARCH variable values).\n"
|
|
@printf "\tshow-summary : show install locations.\n"
|
|
@printf "\n"
|
|
|
|
handle_help: show-usage show-summary show-variables show-footer
|
|
|
|
usage: handle_help
|
|
help: handle_help
|
|
|
|
show-variables:
|
|
@printf "• Variables affecting the build:\n\n"
|
|
@printf \
|
|
"$(foreach v,$(sort $(USER_VARS)),$(shell printf "\\t$(v)='$($(v))'\\\n"))"
|
|
@printf "\n"
|
|
|
|
show-header: .git-commit
|
|
@printf "%s - version %s (commit %s)\n\n" $(TARGET) $(VERSION) $(shell git rev-parse HEAD)
|
|
|
|
show-arches: show-header
|
|
@printf "Supported architectures (possible values for ARCH variable):\n\n"
|
|
@printf \
|
|
"$(foreach v,$(ALL_ARCHES),$(call SHOW_ARCH,$(v)))\n"
|
|
|
|
show-footer:
|
|
@printf "• Project:\n"
|
|
@printf "\tHome: $(PROJECT_URL)\n"
|
|
@printf "\tBugs: $(PROJECT_BUG_URL)\n\n"
|
|
|
|
show-summary: show-header
|
|
ifneq (,$(golang_version_raw))
|
|
@printf "• architecture:\n"
|
|
@printf "\tHost: $(HOST_ARCH)\n"
|
|
@printf "\tgolang: $(GOARCH)\n"
|
|
@printf "\tBuild: $(ARCH)\n"
|
|
@printf "\n"
|
|
@printf "• golang:\n"
|
|
@printf "\t"
|
|
@go version
|
|
else
|
|
@printf "• No GO command or GOPATH not set:\n"
|
|
@printf "\tCan only install prebuilt binaries\n"
|
|
endif
|
|
@printf "\n"
|
|
@printf "• hypervisors:\n"
|
|
@printf "\tDefault: $(DEFAULT_HYPERVISOR)\n"
|
|
@printf "\tKnown: $(sort $(HYPERVISORS))\n"
|
|
@printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n"
|
|
@printf "\n"
|
|
@printf "• Summary:\n"
|
|
@printf "\n"
|
|
@printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR))
|
|
@printf "\tbinary installation path (BINDIR) : %s\n" $(abspath $(BINDIR))
|
|
@printf "\tbinaries to install :\n"
|
|
@printf \
|
|
"$(foreach b,$(sort $(BINLIST)),$(shell printf "\\t - $(abspath $(DESTDIR)/$(BINDIR)/$(b))\\\n"))"
|
|
@printf \
|
|
"$(foreach b,$(sort $(SHIMV2)),$(shell printf "\\t - $(abspath $(DESTDIR)/$(BINDIR)/$(b))\\\n"))"
|
|
@printf \
|
|
"$(foreach b,$(sort $(MONITOR)),$(shell printf "\\t - $(abspath $(DESTDIR)/$(BINDIR)/$(b))\\\n"))"
|
|
@printf \
|
|
"$(foreach b,$(sort $(BINLIBEXECLIST)),$(shell printf "\\t - $(abspath $(DESTDIR)/$(PKGLIBEXECDIR)/$(b))\\\n"))"
|
|
@printf \
|
|
"$(foreach s,$(sort $(SCRIPTS)),$(shell printf "\\t - $(abspath $(DESTDIR)/$(BINDIR)/$(s))\\\n"))"
|
|
@printf "\tconfigs to install (CONFIGS) :\n"
|
|
@printf \
|
|
"$(foreach c,$(sort $(CONFIGS)),$(shell printf "\\t - $(c)\\\n"))"
|
|
@printf "\tinstall paths (CONFIG_PATHS) :\n"
|
|
@printf \
|
|
"$(foreach c,$(sort $(CONFIG_PATHS)),$(shell printf "\\t - $(c)\\\n"))"
|
|
@printf "\talternate config paths (SYSCONFIG_PATHS) : %s\n"
|
|
@printf \
|
|
"$(foreach c,$(sort $(SYSCONFIG_PATHS)),$(shell printf "\\t - $(c)\\\n"))"
|
|
|
|
@printf "\tdefault install path for $(DEFAULT_HYPERVISOR) (CONFIG_PATH) : %s\n" $(abspath $(CONFIG_PATH))
|
|
@printf "\tdefault alternate config path (SYSCONFIG) : %s\n" $(abspath $(SYSCONFIG))
|
|
ifneq (,$(findstring $(HYPERVISOR_QEMU),$(KNOWN_HYPERVISORS)))
|
|
@printf "\t$(HYPERVISOR_QEMU) hypervisor path (QEMUPATH) : %s\n" $(abspath $(QEMUPATH))
|
|
endif
|
|
ifneq (,$(findstring $(HYPERVISOR_QEMU_VIRTIOFS),$(KNOWN_HYPERVISORS)))
|
|
@printf "\t$(HYPERVISOR_QEMU_VIRTIOFS) hypervisor path (QEMUVIRTIOFSPATH) : %s\n" $(abspath $(QEMUVIRTIOFSPATH))
|
|
endif
|
|
ifneq (,$(findstring $(HYPERVISOR_CLH),$(KNOWN_HYPERVISORS)))
|
|
@printf "\t$(HYPERVISOR_CLH) hypervisor path (CLHPATH) : %s\n" $(abspath $(CLHPATH))
|
|
endif
|
|
ifneq (,$(findstring $(HYPERVISOR_FC),$(KNOWN_HYPERVISORS)))
|
|
@printf "\t$(HYPERVISOR_FC) hypervisor path (FCPATH) : %s\n" $(abspath $(FCPATH))
|
|
endif
|
|
ifneq (,$(findstring $(HYPERVISOR_STRATOVIRT),$(KNOWN_HYPERVISORS)))
|
|
@printf "\t$(HYPERVISOR_STRATOVIRT) hypervisor path (STRATOVIRTPATH) : %s\n" $(abspath $(STRATOVIRTPATH))
|
|
endif
|
|
@printf "\tassets path (PKGDATADIR) : %s\n" $(abspath $(PKGDATADIR))
|
|
@printf "\tshim path (PKGLIBEXECDIR) : %s\n" $(abspath $(PKGLIBEXECDIR))
|
|
@printf "\n"
|