- libs/kata-types: adjust default_vcpus correctly
- runtime-rs: delete duplicated PASSTHROUGH_FS_DIR const
- Enable ACRN hypervisor support for Kata 2.x release
- agent: reduce reference count for failed mount
- agent: don't exit early if signal fails due to ESRCH
- kata-sys-util: delete duplicated get_bundle_path
- packaging: Mount $HOME/.docker in the 1st layer container
- Upgrade to Cloud Hypervisor v27.0
- microvm: Remove kernel_irqchip=on option
- kata-sys-util: fix typo `unknow`
- dragonball: update ut for kernel config
- versions: Update gperf url to avoid libseccomp random failures
- versions: Update oci version
- dragonball: fix no "as_str" error on Arm
- tools: release: fix bogus version check
- runtime-rs: update Cargo.lock
- refactor(runtime-rs): Use RwLock in runtime-agent
- runtime-rs: fix shim close_io call to support kubectl cp
- runtime-rs: add comments for runtime-rs shared directory
- workflow: trigger test-kata-deploy with pull_request and fix workflow_dispatch
- Dragonball: update linux_loader to 0.6.0
- modify virtio_net_dev_mgr.rs wrong code comments
- docs: Update urls in runk documentation
- runtime-rs: support watchable mount
- runtime-rs: debug console support in runtime
- kata-deploy: ship the rustified runtime binary
- runtime-rs: define VFIO unbind path as a const
- runtime-rs: set agent timeout to 0 for stream RPCs
- Added SNP-Support for Kata-Containers
- packaging: fix typo in configure-hypervisor.sh
- runtime/runtime-rs: update dependency
- release: Revert kata-deploy changes after 3.0.0-rc0 release
- runtime-rs: add test for StaticResource
- runtime-rs: remove hardcoded string
- docs: add README for runtime-rs hypervisor crate
- runtime-rs: use Path.is_file to check regular files
- osbuilder: Export directory variables for libseccomp
- runtime-rs: add unit tests for network resource
- runtime-rs/resource: use macro to reduce duplicated code
- runtime-rs: fix incorrect comments
- kernel: Add crypto kernel config for s390
- Non-root hypervisor uid reuse bug
- Build-in Sandbox: update dragonball-sandbox dependencies
- docs: Update url in virtualization document
- dragonball: Fix problem that stdio console cannot connect to stdout
- runtime-rs: call TomlConfig's validate function after load
- feat(Shimmgmt): Shim management server and client

- 53f209af4 libs/kata-types: adjust default_vcpus correctly
- ef5a2dc3b agent: don't exit early if signal fails due to ESRCH
- 435c8f181 acrn: Enable ACRN hypervisor support for Kata 2.x release
- c31cf7269 agent: reduce reference count for failed mount
- 4da743f90 packaging: Mount $HOME/.docker in the 1st layer container
- 067e2b1e3 runtime: clh: Use the new API to boot with TDX firmware (td-shim)
- 5d63fcf34 runtime: clh: Re-generate the client code
- fe6107042 versions: Upgrade to Cloud Hypervisor v27.0
- 17de94e11 microvm: Remove kernel_irqchip=on option
- 3aeaa6459 runtime-rs: delete duplicated PASSTHROUGH_FS_DIR const
- 43ae97233 kata-sys-util: delete duplicated get_bundle_path
- ac0483122 kata-sys-util: fix typo `unknow`
- a24127659 versions: Update gperf url to avoid libseccomp random failures
- a617a6348 versions: Update oci version
- 6d585d591 dragonball: fix no "as_str" error on Arm
- 421729f99 tools: release: fix bogus version check
- 457b0beaf runtime-rs: update Cargo.lock
- f89ada2de dragonball: update ut for kernel config
- 0e899669e runtime-rs: fix shim close_io call to support kubectl cp
- 96cf21fad runtime-rs: add comments for runtime-rs shared directory
- 9bd941098 docs: Update urls in runk documentation
- 90ecc015e Dragonball: update linux_loader to 0.6.0
- 4a763925e runtime-rs: support watchable mount
- abc26b00b dragonball: modify wrong code comments (modify virtio_net_dev_mgr.rs wrong code comments)
- 20bcaf0e3 runtime-rs: set agent timeout to 0 for stream RPCs
- 274de024c docs: add README for runtime-rs hypervisor crate
- a4a23457c osbuilder: Export directory variables for libseccomp
- d663f110d kata-deploy: get the config path from cri options
- c6b3dcb67 kata-deploy: support kata-deploy for runtime-rs
- 46965739a runtime-rs: remove hardcoded string
- a394761a5 kata-deploy: add installation for runtime-rs
- 50299a329 refactor(runtime-rs): Use RwLock in runtime agent
- 9628c7df0 runtime: update runc dependency
- 7fbc88387 runtime-rs: drop dependency on rustc-serialize
- bf2be0cf7 release: Revert kata-deploy changes after 3.0.0-rc0 release
- e23bfd615 runtime-rs: make function name more understandable
- 426a43678 runtime-rs: add unit test and eliminate raw string
- 87959cb72 runtime-rs: debug console support in runtime
- d55cf9ab7 docs: Update url in virtualization document
- 0399da677 runtime-rs: update dependencies
- f6f19917a dragonball: update dragonball-sandbox dependencies
- 2caee1f38 runtime-rs: define VFIO unbind path as a const
- 3f65ff2d0 runtime-rs: fix incorrect comments
- 9670a3caa runtime-rs: use Path.is_file to check regular files
- d9e6eb11a docs: Guide to use SNP-VMs with Kata-Containers
- ded60173d runtime: Enable choice between AMD SEV and SNP
- 22bda0838 runtime: Support for AMD SEV-SNP VMs
- a2bbd2942 kernel: Introduce SNP kernel
- 0e69405e1 docs: Developer-Guide updated
- 105eda5b9 runtime: Initrd path option added to config
- a8a8a28a3 runtime-rs/resource: use macro to reduce duplicated code
- 7622452f4 Dragonball: Fix the problem about stdio console
- 208233288 runtime-rs: add test for StaticResource
- adb33a412 packaging: fix typo in configure-hypervisor.sh
- f91431987 runtime: store the user name in hypervisor config
- 86a02c5f6 kernel: Add crypto kernel config for s390
- 5cafe2177 runtime: make StopVM thread-safe
- c3015927a runtime: add more debug logs for non-root user operation
- 5add50aea runtime-rs: timeout for shim management client
- 9f13496e1 runtime-rs: shim management client
- aaf6d6908 runtime-rs: call TomlConfig's validate function after load
- e891295e1 runtime-rs: shim management - agent-url
- 59aeb776b runtime-rs: shim management
- a828292b4 runtime-rs: add unit tests for network resource
- 7676cde0c workflow: trigger test-kata-deploy with pull_request
- f10827357 workflow: require PR num input on test-kata-deploy workflow_dispatch
- 428d6dc80 workflow: Revert "workflow: trigger test-kata-deploy with pull_request"

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Kata Containers
Welcome to Kata Containers!
This repository is the home of the Kata Containers code for the 2.0 and newer releases.
If you want to learn about Kata Containers, visit the main Kata Containers website.
Introduction
Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
License
The code is licensed under the Apache 2.0 license. See the license file for further details.
Platform support
Kata Containers currently runs on 64-bit systems supporting the following technologies:
| Architecture | Virtualization technology |
|---|---|
| x86_64, amd64 | Intel VT-x, AMD SVM |
| aarch64 ("arm64") | ARM Hyp |
| ppc64le | IBM Power |
| s390x | IBM Z & LinuxONE SIE |
Hardware requirements
The Kata Containers runtime provides a command to determine if your host system is capable of running and creating a Kata Container:
$ kata-runtime check
Notes:
- This command runs a number of checks, including connecting to the network to determine if a newer release of Kata Containers is available on GitHub. If you do not wish this check to run, add the `--no-network-checks` option.
- By default, only a brief success / failure message is printed. If more details are needed, the `--verbose` flag can be used to display the list of all the checks performed.
- If the command is run as the `root` user, additional checks are run (including checking if another incompatible hypervisor is running). When running as `root`, network checks are automatically disabled.
Getting started
See the installation documentation.
Documentation
See the official documentation including:
Configuration
Kata Containers uses a single configuration file which contains a number of sections for various parts of the Kata Containers system including the runtime, the agent and the hypervisor.
Hypervisors
See the hypervisors document and the Hypervisor specific configuration details.
Community
To learn more about the project, its community and governance, see the community repository. This is the first place to go if you wish to contribute to the project.
Getting help
See the community section for ways to contact us.
Raising issues
Please raise an issue in this repository.
Note: If you are reporting a security issue, please follow the vulnerability reporting process.
Developers
See the developer guide.
Components
Main components
The table below lists the core parts of the project:
| Component | Type | Description |
|---|---|---|
| runtime | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| runtime-rs | core | The Rust version runtime. |
| agent | core | Management process running inside the virtual machine / POD that sets up the container environment. |
| libraries | core | Library crates shared by multiple Kata Container components or published to crates.io. |
| dragonball | core | An optional built-in VMM that brings an out-of-the-box Kata Containers experience with optimizations for container workloads. |
| documentation | documentation | Documentation common to all components (such as design and install documentation). |
| tests | tests | Excludes unit tests which live with the main code. |
Additional components
The table below lists the remaining parts of the project:
| Component | Type | Description |
|---|---|---|
| packaging | infrastructure | Scripts and metadata for producing packaged binaries (components, hypervisors, kernel and rootfs). |
| kernel | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored here. |
| osbuilder | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
| agent-ctl | utility | Tool that provides low-level access for testing the agent. |
| trace-forwarder | utility | Agent tracing helper. |
| runk | utility | Standard OCI container runtime based on the agent. |
| ci | CI | Continuous Integration configuration files and scripts. |
| katacontainers.io | | Source for the katacontainers.io site. |
Packaging and releases
Kata Containers is now available natively for most distributions. However, packaging scripts and metadata are still used to generate snap and GitHub releases. See the components section for further details.
Glossary of Terms
See the glossary of terms related to Kata Containers.