aljaz/kata-containers
1
0
Fork 0
mirror of https://github.com/aljazceru/kata-containers.git synced 2026-01-20 06:44:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

CCv0: Merge from main -- August 1st

Browse Source 
Conflicts:
	src/runtime/pkg/katautils/config.go
	src/runtime/virtcontainers/container.go
	src/runtime/virtcontainers/hypervisor.go
	src/runtime/virtcontainers/qemu_arch_base.go
	src/runtime/virtcontainers/sandbox.go
	tests/integration/kubernetes/gha-run.sh
	tests/integration/kubernetes/setup.sh
	tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
	tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
	tools/packaging/kata-deploy/scripts/kata-deploy.sh
	tools/packaging/kernel/kata_config_version
	versions.yaml

Fixes: #7433

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This commit is contained in:
Fabiano Fidêncio
2023-08-01 17:14:17 +02:00
parent 431c3630f2 1a94aad44f
commit 7164ced4dc
426 changed files with 64309 additions and 2456 deletions
Download Patch File Download Diff File Expand all files Collapse all files

197
src/tools/kata-ctl/Cargo.lock generated
View File

@@ -33,6 +33,21 @@ dependencies = [
"memchr",
]
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]]
name = "anstream"
version = "0.2.6"
@@ -187,6 +202,34 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "cgroups-rs"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b098e7c3a70d03c288fa0a96ccf13e770eb3d78c4cc0e1549b3c13215d5f965"
dependencies = [
"libc",
"log",
"nix 0.25.1",
"regex",
"thiserror",
]
[[package]]
name = "chrono"
version = "0.4.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec837a71355b28f6556dbd569b37b3f363091c0bd4b2e735674521b4c5fd9bc5"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"time 0.1.45",
"wasm-bindgen",
"winapi",
]
[[package]]
name = "clap"
version = "4.2.1"
@@ -230,6 +273,12 @@ version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1"
[[package]]
name = "common-path"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
[[package]]
name = "concolor-override"
version = "1.0.0"
@@ -358,6 +407,17 @@ dependencies = [
"libc",
]
[[package]]
name = "fail"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe5e43d0f78a42ad591453aedb1d7ae631ce7ee445c7643691055a9ed8d3b01c"
dependencies = [
"log",
"once_cell",
"rand",
]
[[package]]
name = "fastrand"
version = "1.8.0"
@@ -500,7 +560,7 @@ checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4"
dependencies = [
"cfg-if",
"libc",
"wasi",
"wasi 0.11.0+wasi-snapshot-preview1",
]
[[package]]
@@ -676,6 +736,29 @@ dependencies = [
"tokio",
]
[[package]]
name = "iana-time-zone"
version = "0.1.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2fad5b825842d2b38bd206f3e81d6957625fd7f0a361e345c30e01a0ae2dd613"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
dependencies = [
"cc",
]
[[package]]
name = "idna"
version = "0.3.0"
@@ -778,6 +861,7 @@ dependencies = [
"epoll",
"futures",
"hyper",
"kata-sys-util",
"kata-types",
"libc",
"logging",
@@ -805,6 +889,30 @@ dependencies = [
"vmm-sys-util",
]
[[package]]
name = "kata-sys-util"
version = "0.1.0"
dependencies = [
"anyhow",
"byteorder",
"cgroups-rs",
"chrono",
"common-path",
"fail",
"kata-types",
"lazy_static",
"libc",
"nix 0.24.3",
"oci",
"once_cell",
"rand",
"serde_json",
"slog",
"slog-scope",
"subprocess",
"thiserror",
]
[[package]]
name = "kata-types"
version = "0.1.0"
@@ -923,7 +1031,7 @@ checksum = "e5d732bc30207a6423068df043e3d02e0735b155ad7ce1a6f76fe2baa5b158de"
dependencies = [
"libc",
"log",
"wasi",
"wasi 0.11.0+wasi-snapshot-preview1",
"windows-sys 0.42.0",
]
@@ -1004,6 +1112,15 @@ dependencies = [
"static_assertions",
]
[[package]]
name = "num-traits"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
dependencies = [
"autocfg",
]
[[package]]
name = "num_cpus"
version = "1.15.0"
@@ -1163,6 +1280,12 @@ version = "0.3.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
[[package]]
name = "ppv-lite86"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
[[package]]
name = "privdrop"
version = "0.5.3"
@@ -1319,6 +1442,36 @@ dependencies = [
"proc-macro2",
]
[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
"getrandom",
]
[[package]]
name = "redox_syscall"
version = "0.2.16"
@@ -1641,7 +1794,7 @@ dependencies = [
"serde",
"serde_json",
"slog",
"time",
"time 0.3.17",
]
[[package]]
@@ -1665,7 +1818,7 @@ dependencies = [
"slog",
"term",
"thread_local",
"time",
"time 0.3.17",
]
[[package]]
@@ -1721,6 +1874,16 @@ dependencies = [
"syn 1.0.107",
]
[[package]]
name = "subprocess"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c2e86926081dda636c546d8c5e641661049d7562a68f5488be4a1f7f66f6086"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "syn"
version = "1.0.107"
@@ -1821,6 +1984,17 @@ dependencies = [
"once_cell",
]
[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a"
dependencies = [
"libc",
"wasi 0.10.0+wasi-snapshot-preview1",
"winapi",
]
[[package]]
name = "time"
version = "0.3.17"
@@ -2114,6 +2288,12 @@ dependencies = [
"try-lock",
]
[[package]]
name = "wasi"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
@@ -2248,6 +2428,15 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows"
version = "0.48.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e686886bc078bc1b0b600cac0147aadb815089b6e4da64016cbd754b6342700f"
dependencies = [
"windows-targets 0.48.0",
]
[[package]]
name = "windows-sys"
version = "0.42.0"

1
src/tools/kata-ctl/Cargo.toml
View File

@@ -30,6 +30,7 @@ sys-info = "0.9.1"
shim-interface = { path = "../../libs/shim-interface"}
kata-types = { path = "../../libs/kata-types" }
kata-sys-util = { path = "../../../src/libs/kata-sys-util/" }
safe-path = { path = "../../libs/safe-path" }
agent = { path = "../../runtime-rs/crates/agent"}
serial_test = "0.5.1"

6
src/tools/kata-ctl/src/arch/aarch64/mod.rs
View File

@@ -84,10 +84,4 @@ mod arch_specific {
// TODO: Not implemented
Ok(true)
}
#[allow(dead_code)]
// Guest protection is not supported on ARM64.
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
Ok(check::GuestProtection::NoProtection)
}
}

18
src/tools/kata-ctl/src/arch/powerpc64le/mod.rs
View File

@@ -32,22 +32,4 @@ mod arch_specific {
// to get cpu details specific to powerpc architecture similar
// to the goloang implementation of function getCPUDetails()
}
pub fn host_is_vmcontainer_capable() -> Result<bool> {
// TODO: Not implemented
Ok(true)
}
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
if !Uid::effective().is_root() {
return Err(check::ProtectionError::NoPerms);
}
let metadata = fs::metadata(PEF_SYS_FIRMWARE_DIR);
if metadata.is_ok() && metadata.unwrap().is_dir() {
Ok(check::GuestProtection::Pef)
}
Ok(check::GuestProtection::NoProtection)
}
}

92
src/tools/kata-ctl/src/arch/s390x/mod.rs
View File

@@ -12,9 +12,7 @@ mod arch_specific {
use crate::types::*;
use crate::utils;
use anyhow::{anyhow, Result};
use nix::unistd::Uid;
use slog::{info, o, warn};
use std::collections::HashMap;
use std::io::BufRead;
use std::io::BufReader;
@@ -37,15 +35,17 @@ mod arch_specific {
fn check_cpu() -> Result<()> {
info!(sl!(), "check CPU: s390x");
let cpu_info = check::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_info =
kata_sys_util::cpu::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_features = check::get_cpu_flags(&cpu_info, CPUINFO_FEATURES_TAG).map_err(|e| {
anyhow!(
"Error parsing CPU features, file {:?}, {:?}",
check::PROC_CPUINFO,
e
)
})?;
let cpu_features = kata_sys_util::cpu::get_cpu_flags(&cpu_info, CPUINFO_FEATURES_TAG)
.map_err(|e| {
anyhow!(
"Error parsing CPU features, file {:?}, {:?}",
check::PROC_CPUINFO,
e
)
})?;
let missing_cpu_features = check::check_cpu_flags(&cpu_features, CPU_FEATURES_REQ)?;
if !missing_cpu_features.is_empty() {
@@ -93,41 +93,6 @@ mod arch_specific {
Err(anyhow!("System is not capable of running a VM"))
}
#[allow(dead_code)]
fn retrieve_cpu_facilities() -> Result<HashMap<i32, bool>> {
let f = std::fs::File::open(check::PROC_CPUINFO)?;
let mut reader = BufReader::new(f);
let mut contents = String::new();
let facilities_field = "facilities";
let mut facilities = HashMap::new();
while reader.read_line(&mut contents)? > 0 {
let fields: Vec<&str> = contents.split_whitespace().collect();
if fields.len() < 2 {
contents.clear();
continue;
}
if !fields[0].starts_with(facilities_field) {
contents.clear();
continue;
}
let mut start = 1;
if fields[1] == ":" {
start = 2;
}
for field in fields.iter().skip(start) {
let bit = field.parse::<i32>()?;
facilities.insert(bit, true);
}
return Ok(facilities);
}
Ok(facilities)
}
#[allow(dead_code)]
pub fn check_cmd_line(
kernel_cmdline_path: &str,
@@ -174,41 +139,4 @@ mod arch_specific {
// to get cpu details specific to s390x architecture similar
// to the goloang implementation of function getS390xCPUDetails()
}
#[allow(dead_code)]
// Guest protection is not supported on ARM64.
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
if !Uid::effective().is_root() {
return Err(check::ProtectionError::NoPerms)?;
}
let facilities = retrieve_cpu_facilities().map_err(|err| {
check::ProtectionError::CheckFailed(format!(
"Error retrieving cpu facilities file : {}",
err.to_string()
))
})?;
// Secure Execution
// https://www.kernel.org/doc/html/latest/virt/kvm/s390-pv.html
let se_cpu_facility_bit: i32 = 158;
if !facilities.contains_key(&se_cpu_facility_bit) {
return Ok(check::GuestProtection::NoProtection);
}
let cmd_line_values = vec!["1", "on", "y", "yes"];
let se_cmdline_param = "prot_virt";
let se_cmdline_present =
check_cmd_line("/proc/cmdline", se_cmdline_param, &cmd_line_values)
.map_err(|err| check::ProtectionError::CheckFailed(err.to_string()))?;
if !se_cmdline_present {
return Err(check::ProtectionError::InvalidValue(String::from(
"Protected Virtualization is not enabled on kernel command line!",
)));
}
Ok(check::GuestProtection::Se)
}
}

169
src/tools/kata-ctl/src/arch/x86_64/mod.rs
View File

@@ -10,14 +10,10 @@ pub use arch_specific::*;
mod arch_specific {
use crate::check;
use crate::check::{GuestProtection, ProtectionError};
use crate::types::*;
use crate::utils;
use anyhow::{anyhow, Context, Result};
use nix::unistd::Uid;
use slog::{info, o, warn};
use std::fs;
use std::path::Path;
const CPUINFO_DELIMITER: &str = "\nprocessor";
const CPUINFO_FLAGS_TAG: &str = "flags";
@@ -93,15 +89,17 @@ mod arch_specific {
fn check_cpu(_args: &str) -> Result<()> {
info!(sl!(), "check CPU: x86_64");
let cpu_info = check::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_info =
kata_sys_util::cpu::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_flags = check::get_cpu_flags(&cpu_info, CPUINFO_FLAGS_TAG).map_err(|e| {
anyhow!(
"Error parsing CPU flags, file {:?}, {:?}",
check::PROC_CPUINFO,
e
)
})?;
let cpu_flags =
kata_sys_util::cpu::get_cpu_flags(&cpu_info, CPUINFO_FLAGS_TAG).map_err(|e| {
anyhow!(
"Error parsing CPU flags, file {:?}, {:?}",
check::PROC_CPUINFO,
e
)
})?;
// perform checks
// TODO: Perform checks based on hypervisor type
@@ -118,20 +116,6 @@ mod arch_specific {
Ok(())
}
fn retrieve_cpu_flags() -> Result<String> {
let cpu_info = check::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER)?;
let cpu_flags = check::get_cpu_flags(&cpu_info, CPUINFO_FLAGS_TAG).map_err(|e| {
anyhow!(
"Error parsing CPU flags, file {:?}, {:?}",
check::PROC_CPUINFO,
e
)
})?;
Ok(cpu_flags)
}
pub fn get_cpu_details() -> Result<(String, String)> {
utils::get_generic_cpu_details(check::PROC_CPUINFO)
}
@@ -145,68 +129,8 @@ mod arch_specific {
result.context("KVM check failed")
}
pub const TDX_SYS_FIRMWARE_DIR: &str = "/sys/firmware/tdx_seam/";
pub const TDX_CPU_FLAG: &str = "tdx";
pub const SEV_KVM_PARAMETER_PATH: &str = "/sys/module/kvm_amd/parameters/sev";
pub const SNP_KVM_PARAMETER_PATH: &str = "/sys/module/kvm_amd/parameters/sev_snp";
pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> {
if !Uid::effective().is_root() {
return Err(ProtectionError::NoPerms);
}
arch_guest_protection(
TDX_SYS_FIRMWARE_DIR,
TDX_CPU_FLAG,
SEV_KVM_PARAMETER_PATH,
SNP_KVM_PARAMETER_PATH,
)
}
pub fn arch_guest_protection(
tdx_path: &str,
tdx_flag: &str,
sev_path: &str,
snp_path: &str,
) -> Result<GuestProtection, ProtectionError> {
let flags =
retrieve_cpu_flags().map_err(|err| ProtectionError::CheckFailed(err.to_string()))?;
let metadata = fs::metadata(tdx_path);
if metadata.is_ok() && metadata.unwrap().is_dir() && flags.contains(tdx_flag) {
return Ok(GuestProtection::Tdx);
}
let check_contents = |file_name: &str| -> Result<bool, ProtectionError> {
let file_path = Path::new(file_name);
if !file_path.exists() {
return Ok(false);
}
let contents = fs::read_to_string(file_name).map_err(|err| {
ProtectionError::CheckFailed(format!("Error reading file {} : {}", file_name, err))
})?;
if contents == "Y" {
return Ok(true);
}
Ok(false)
};
if check_contents(snp_path)? {
return Ok(GuestProtection::Snp);
}
if check_contents(sev_path)? {
return Ok(GuestProtection::Sev);
}
Ok(GuestProtection::NoProtection)
}
fn running_on_vmm() -> Result<bool> {
match check::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER) {
match kata_sys_util::cpu::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER) {
Ok(cpu_info) => {
// check if the 'hypervisor' flag exist in the cpu features
let missing_hypervisor_flag = check::check_cpu_attribs(&cpu_info, VMM_FLAGS)?;
@@ -357,74 +281,3 @@ mod arch_specific {
Err(anyhow!("System is not capable of running a VM"))
}
}
#[cfg(target_arch = "x86_64")]
#[cfg(test)]
mod tests {
use super::*;
use crate::check;
use nix::unistd::Uid;
use std::fs;
use std::io::Write;
use tempfile::tempdir;
#[test]
fn test_available_guest_protection_no_privileges() {
if !Uid::effective().is_root() {
let res = available_guest_protection();
assert!(res.is_err());
assert_eq!(
"No permission to check guest protection",
res.unwrap_err().to_string()
);
}
}
fn test_arch_guest_protection_snp() {
// Test snp
let dir = tempdir().unwrap();
let snp_file_path = dir.path().join("sev_snp");
let path = snp_file_path.clone();
let mut snp_file = fs::File::create(snp_file_path).unwrap();
writeln!(snp_file, "Y").unwrap();
let actual =
arch_guest_protection("/xyz/tmp", TDX_CPU_FLAG, "/xyz/tmp", path.to_str().unwrap());
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::Snp);
writeln!(snp_file, "N").unwrap();
let actual =
arch_guest_protection("/xyz/tmp", TDX_CPU_FLAG, "/xyz/tmp", path.to_str().unwrap());
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::NoProtection);
}
fn test_arch_guest_protection_sev() {
// Test sev
let dir = tempdir().unwrap();
let sev_file_path = dir.path().join("sev");
let sev_path = sev_file_path.clone();
let mut sev_file = fs::File::create(sev_file_path).unwrap();
writeln!(sev_file, "Y").unwrap();
let actual = arch_guest_protection(
"/xyz/tmp",
TDX_CPU_FLAG,
sev_path.to_str().unwrap(),
"/xyz/tmp",
);
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::Sev);
writeln!(sev_file, "N").unwrap();
let actual = arch_guest_protection(
"/xyz/tmp",
TDX_CPU_FLAG,
sev_path.to_str().unwrap(),
"/xyz/tmp",
);
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::NoProtection);
}
}

91
src/tools/kata-ctl/src/check.rs
View File

@@ -16,8 +16,6 @@ use nix::{ioctl_write_int_bad, request_code_none};
use reqwest::header::{CONTENT_TYPE, USER_AGENT};
use serde::{Deserialize, Serialize};
use slog::{info, o};
use std::fmt;
use thiserror::Error;
#[cfg(any(target_arch = "x86_64"))]
use std::process::{Command, Stdio};
@@ -61,57 +59,6 @@ macro_rules! sl {
};
}
fn read_file_contents(file_path: &str) -> Result<String> {
let contents = std::fs::read_to_string(file_path)?;
Ok(contents)
}
// get_single_cpu_info returns the contents of the first cpu from
// the specified cpuinfo file by parsing based on a specified delimiter
pub fn get_single_cpu_info(cpu_info_file: &str, substring: &str) -> Result<String> {
let contents = read_file_contents(cpu_info_file)?;
if contents.is_empty() {
return Err(anyhow!(ERR_NO_CPUINFO));
}
let subcontents: Vec<&str> = contents.split(substring).collect();
let result = subcontents
.first()
.ok_or("error splitting contents of cpuinfo")
.map_err(|e| anyhow!(e))?
.to_string();
Ok(result)
}
// get_cpu_flags returns a string of cpu flags from cpuinfo, passed in
// as a string
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
pub fn get_cpu_flags(cpu_info: &str, cpu_flags_tag: &str) -> Result<String> {
if cpu_info.is_empty() {
return Err(anyhow!(ERR_NO_CPUINFO));
}
if cpu_flags_tag.is_empty() {
return Err(anyhow!("cpu flags delimiter string is empty"))?;
}
let subcontents: Vec<&str> = cpu_info.split('\n').collect();
for line in subcontents {
if line.starts_with(cpu_flags_tag) {
let line_data: Vec<&str> = line.split(':').collect();
let flags = line_data
.last()
.ok_or("error splitting flags in cpuinfo")
.map_err(|e| anyhow!(e))?
.to_string();
return Ok(flags);
}
}
Ok("".to_string())
}
// get_missing_strings searches for required (strings) in data and returns
// a vector containing the missing strings
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))]
@@ -149,43 +96,6 @@ pub fn check_cpu_attribs(
Ok(missing_attribs)
}
#[allow(dead_code)]
#[derive(Debug, PartialEq)]
pub enum GuestProtection {
NoProtection,
Tdx,
Sev,
Snp,
Pef,
Se,
}
impl fmt::Display for GuestProtection {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
GuestProtection::Tdx => write!(f, "tdx"),
GuestProtection::Sev => write!(f, "sev"),
GuestProtection::Snp => write!(f, "snp"),
GuestProtection::Pef => write!(f, "pef"),
GuestProtection::Se => write!(f, "se"),
GuestProtection::NoProtection => write!(f, "none"),
}
}
}
#[allow(dead_code)]
#[derive(Error, Debug)]
pub enum ProtectionError {
#[error("No permission to check guest protection")]
NoPerms,
#[error("Failed to check guest protection: {0}")]
CheckFailed(String),
#[error("Invalid guest protection value: {0}")]
InvalidValue(String),
}
pub fn run_network_checks() -> Result<()> {
Ok(())
}
@@ -397,6 +307,7 @@ mod tests {
use super::*;
#[cfg(any(target_arch = "x86_64"))]
use crate::types::{KernelModule, KernelParam, KernelParamType};
use kata_sys_util::cpu::{get_cpu_flags, get_single_cpu_info};
use semver::Version;
use slog::warn;
use std::fs;

3
src/tools/kata-ctl/src/ops/env_ops.rs
View File

@@ -9,6 +9,7 @@ use crate::arch::arch_specific;
use crate::args::EnvArgument;
use crate::ops::version;
use crate::utils;
use kata_sys_util::protection;
use kata_types::config::TomlConfig;
use anyhow::{anyhow, Context, Result};
@@ -251,7 +252,7 @@ fn get_host_info() -> Result<HostInfo> {
let memory_info = get_memory_info()?;
let guest_protection =
arch_specific::available_guest_protection().map_err(|e| anyhow!(e.to_string()))?;
protection::available_guest_protection().map_err(|e| anyhow!(e.to_string()))?;
let guest_protection = guest_protection.to_string();

3
src/tools/kata-ctl/src/utils.rs
View File

@@ -6,7 +6,6 @@
#![allow(dead_code)]
use crate::arch::arch_specific;
use crate::check::get_single_cpu_info;
use anyhow::{anyhow, Context, Result};
use std::fs;
@@ -106,7 +105,7 @@ pub fn get_distro_details(os_release: &str, os_release_clr: &str) -> Result<(Str
#[cfg(any(target_arch = "s390x", target_arch = "x86_64", target_arch = "aarch64"))]
pub fn get_generic_cpu_details(cpu_info_file: &str) -> Result<(String, String)> {
let cpu_info = get_single_cpu_info(cpu_info_file, "\n\n")?;
let cpu_info = kata_sys_util::cpu::get_single_cpu_info(cpu_info_file, "\n\n")?;
let lines = cpu_info.lines();
let mut vendor = String::new();
let mut model = String::new();

28
src/tools/runk/README.md
View File

@@ -175,6 +175,32 @@ $ sudo runk state test
$ sudo runk delete test
```
## Using `runk` from `Docker`
`runk` can run containers using [`Docker`](https://github.com/docker).
First, install `Docker` from package by following the
[`Docker` installation instructions](https://docs.docker.com/engine/install/).
### Running a container with `Docker` command line
Start the docker daemon:
```bash
$ sudo dockerd --experimental --add-runtime="runk=/usr/local/bin/runk"
```
> **Note:**
> Before starting the `dockerd`, you need to stop the normal docker daemon
> running on your environment (i.e., `systemctl stop docker`).
Launch a container in a different terminal:
```bash
$ sudo docker run -it --rm --runtime runk busybox sh
/ #
```
## Using `runk` from `Podman`
`runk` can run containers using [`Podman`](https://github.com/containers/podman).
@@ -192,7 +218,7 @@ $ sudo podman --runtime /usr/local/bin/runk run -it --rm busybox sh
> **Note:**
> `runk` does not support some commands except
> [OCI standard operations](https://github.com/opencontainers/runtime-spec/blob/main/runtime.md#operations)
> yet, so those commands do not work in `Podman`. Regarding commands currently
> yet, so those commands do not work in `Docker/Podman`. Regarding commands currently
> implemented in `runk`, see the [Status of `runk`](#status-of-runk) section.
## Using `runk` from `containerd`