mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-05-18 13:46:06 +00:00
Add build-modules-volume.sh to package signed kernel modules into a standalone ext4 disk image that can be attached to a kata guest VM as a secondary block device. This allows loading out-of-tree modules without modifying the dm-verity measured rootfs. The rootfs image and its root hash remain unchanged.

The script optionally supports dm-verity on the modules volume itself (-V flag), providing defense-in-depth alongside kernel module signing.

Security risks documented in the script header:
- Without dm-verity, the volume relies solely on kernel module signing (CONFIG_MODULE_SIG_FORCE) for integrity.
- With dm-verity, the hash must be verified during attestation to provide actual security benefit.
- Host-side file permissions on the volume image must prevent unauthorized modification.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Kata Containers packaging
Introduction
Kata Containers currently supports packages for many distributions. Tooling to aid in creating these packages is contained within this repository.
Build in a container
Kata build artifacts are available within a container image, created by a Dockerfile. Reference DaemonSets are provided in kata-deploy, which make installation of Kata Containers in a running Kubernetes cluster very straightforward.
Build static binaries
See the static build documentation.
Build Kata Containers Kernel
Build QEMU
Create a Kata Containers release
See the release documentation.
Packaging scripts
See the scripts documentation.
Credits
Kata Containers packaging uses packagecloud for package hosting.