Archana Shinde
7d52934ec1
Merge pull request #4798 from amshinde/use-iouring-qemu
Use iouring for qemu block devices
2022-08-26 04:00:24 +05:30
Fabiano Fidêncio
ddc94e00b0
Merge pull request #4982 from fidencio/topic/improve-cloud-hypervisor-plus-tdx-support
TDX: Get TDX working again with Cloud Hypervisor + a minor change on QEMU's code
2022-08-25 08:53:10 +02:00
Fabiano Fidêncio
dc90eae17b
qemu: Drop unnecessary tdx_guest kernel parameter
With the current TDX kernel used with Kata Containers, `tdx_guest` is
not needed, as TDX_GUEST is now a kernel configuration.
With this in mind, let's just drop the kernel parameter.
Fixes: #4981
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-08-24 20:02:43 +02:00
Fabiano Fidêncio
d4b67613f0
clh: Use HVC console with TDX
As right now the TDX guest kernel doesn't support "serial" console,
let's switch to using HVC in this case.
Fixes: #4980
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-08-24 20:02:40 +02:00
Fabiano Fidêncio
c0cb3cd4d8
clh: Avoid crashing when memory hotplug is not allowed
The runtime will crash when trying to resize memory when memory hotplug
is not allowed.
This happens because we cannot simply set the hotplug amount to zero,
leading us to not set memory hotplug at all, and later then trying to
access the value of a nil pointer.
Fixes: #4979
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-08-24 20:02:22 +02:00
Fabiano Fidêncio
9f0a57c0eb
clh: Increase API and SandboxStop timeouts for TDX
While doing tests using `ctr`, I've noticed that I've been hitting those
timeouts more frequently than expected.
Till we find the root cause of the issue (which is *not* in the Kata
Containers), let's increase the timeouts when dealing with a
Confidential Guest.
Fixes: #4978
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-08-24 20:02:12 +02:00
Fabiano Fidêncio
c142fa2541
clh: Lift the sharedFS restriction used with TDX
When booting the TDX kernel with `tdx_disable_filter`, as it's been done
for QEMU, VirtioFS can work without any issues.
Whether this will be part of the upstream kernel or not is a different
story, but it easily could make it there as Cloud Hypervisor relies on
the VIRTIO_F_IOMMU_PLATFORM feature, which forces the guest to use the
DMA API, making these devices compatible with TDX.
See Sebastien Boeuf's explanation of this in the
3c973fa7ce208e7113f69424b7574b83f584885d commit:
"""
By using DMA API, the guest triggers the TDX codepath to share some of
the guest memory, in particular the virtqueues and associated buffers so
that the VMM and vhost-user backends/processes can access this memory.
"""
Fixes: #4977
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-08-24 17:14:05 +02:00
Peng Tao
a06d819b24
runtime: cri-o annotations have been moved to podman
Let's switch to depending on podman which also simplifies indirect
dependency on kubernetes components. And it helps to avoid cri-o
security issues like CVE-2022-1708 as well.
Fixes: #4972
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2022-08-24 18:11:37 +08:00
Bin Liu
6551d4f25a
Merge pull request #4051 from bergwolf/github/vmx-vm-factory
enable vmx for vm factory
2022-08-24 16:22:37 +08:00
Fabiano Fidêncio
9806ce8615
Merge pull request #4937 from chenhengqi/fix-error-msg
network: Fix error message for setting hardware address on TAP interface
2022-08-19 17:54:58 +02:00
Fabiano Fidêncio
828383bc39
Merge pull request #4933 from likebreath/0816/prepare_clh_v26.0
Upgrade to Cloud Hypervisor v26.0
2022-08-18 18:36:53 +02:00
Peng Tao
f508c2909a
runtime: constify splitIrqChipMachineOptions
A simple cleanup.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2022-08-18 10:09:20 +08:00
Peng Tao
2b0587db95
runtime: VMX is migratible in vm factory case
We are not spinning up any L2 guests in vm factory, so the L1 guest
migration is expected to work even with VMX.
See https://www.linux-kvm.org/page/Nested_Guests
Fixes: #4050
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2022-08-18 10:08:43 +08:00
Peng Tao
fa09f0ec84
runtime: remove qemuPaths
It is broken in that it doesn't list the QemuVirt machine type. In fact we
don't need it at all. Just drop it.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2022-08-18 10:06:10 +08:00
Bo Chen
3a597c2742
runtime: clh: Use the new 'payload' interface
The new 'payload' interface now contains the 'kernel' and 'initramfs'
config.
Fixes: #4952
Signed-off-by: Bo Chen <chen.bo@intel.com>
2022-08-17 12:23:43 -07:00
Bo Chen
16baecc5b1
runtime: clh: Re-generate the client code
This patch re-generates the client code for Cloud Hypervisor v26.0.
Note: The client code of cloud-hypervisor's (CLH) OpenAPI is
automatically generated by openapi-generator [1-2].
[1] https://github.com/OpenAPITools/openapi-generator
[2] https://github.com/kata-containers/kata-containers/blob/main/src/runtime/virtcontainers/pkg/cloud-hypervisor/README.md
Fixes: #4952
Signed-off-by: Bo Chen <chen.bo@intel.com>
2022-08-17 12:23:12 -07:00
Hengqi Chen
8ff5c10ac4
network: Fix error message for setting hardware address on TAP interface
Error out with the correct interface name and hardware address instead.
Fixes: #4944
Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
2022-08-17 16:42:07 +08:00
Chelsea Mafrica
fcc1e0c617
runtime: tracing: End root span at end of trace
The root span should exist for the duration of the trace. Defer ending the span
until the end of the trace instead of the end of the function. Add the span to
the service struct to do so.
Fixes #4902
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2022-08-12 13:15:39 -07:00
Bin Liu
cb7f9524be
Merge pull request #4804 from openanolis/anolis/merge_runtime_rs_to_main
runtime-rs: merge runtime rs to main
2022-08-11 08:40:41 +08:00
Tim Zhang
4813a3cef9
Merge pull request #4711 from liubin/fix/4710-wait-nydusd-api-server-ready
nydus: wait nydusd API server ready before mounting share fs
2022-08-10 17:20:17 +08:00
liubin
2ae807fd29
nydus: wait nydusd API server ready before mounting share fs
If the API server is not ready, the mount call will fail, so before
mounting share fs, we should wait until nydusd is started and
the API server is ready.
Fixes: #4710
Signed-off-by: liubin <liubin0329@gmail.com>
Signed-off-by: Bin Liu <bin@hyper.sh>
2022-08-08 16:18:38 +08:00
Tim Zhang
8d4d98587f
Merge pull request #4746 from liubin/fix/4745-add-log-field
runtime: explicitly mark the source of the log is from qemu.log
2022-08-08 15:21:01 +08:00
Archana Shinde
c1e3b8f40f
govmm: Refactor qmp functions for adding block device
Instead of passing a bunch of arguments to qmp functions for
adding block devices, use govmm BlockDevice structure to reduce these.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-05 13:16:34 -07:00
Archana Shinde
598884f374
govmm: Refactor code to get rid of redundant code
Get rid of redundant return values from function.
args and blockdevArgs used to return different values to maintain
compatibility between qemu versions. These are exactly the same now.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-05 13:16:34 -07:00
Archana Shinde
00860a7e43
qmp: Pass aio backend while adding block device
Allow govmm to pass aio backend while adding block device.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-05 13:16:34 -07:00
Archana Shinde
e1b49d7586
config: Add block aio as a supported annotation
Allow Block AIO to be passed as a per pod annotation.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-05 13:16:34 -07:00
Archana Shinde
ed0f1d0b32
config: Add "block_device_aio" as a config option for qemu
This configuration will allow users to choose between different
I/O backends for qemu, with the default being io_uring.
This will allow users to fallback to a different I/O mechanism while
running on kernels older than 5.1.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-05 13:16:34 -07:00
chmod100
d8ad16a34e
runtime: add unlock before return in sendReq
Unlock is required before return, so we need to add the unlock there.
Fixes: #4827
Signed-off-by: chmod100 <letfu@outlook.com>
2022-08-05 13:30:12 +00:00
Archana Shinde
b6cd2348f5
govmm: Add io_uring as AIO type
io_uring was introduced as a new kernel IO interface in kernel 5.1.
It is designed for higher performance than the older Linux AIO API.
This feature was added in qemu 5.0.
Fixes #4645
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-03 10:43:12 -07:00
Archana Shinde
81cdaf0771
govmm: Correct documentation for Linux aio.
The comments for "native" aio are incorrect. Correct these.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-08-03 10:41:50 -07:00
Zhongtao Hu
adfad44efe
Merge remote-tracking branch 'origin/main' into runtime-rs-merge-tmp
To keep runtime-rs up to date, we will merge main into runtime-rs every
week.
Fixes: #4776
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
2022-08-01 11:12:48 +08:00
yaoyinnan
5c3155f7e2
runtime: Support for host cgroup v2
Support cgroup v2 on the host. Update vendor containerd/cgroups to add cgroup v2.
Fixes: #3073
Signed-off-by: yaoyinnan <yaoyinnan@foxmail.com>
2022-07-28 10:30:45 +08:00
Bin Liu
85f4e7caf6
runtime: explicitly mark the source of the log is from qemu.log
In qemu.StopVM(), if debug is enabled, the shim will dump logs
from qemu.log, but users don't know which logs are from qemu.log
and shim itself. Adding some additional messages will
help users to distinguish these logs.
Fixes: #4745
Signed-off-by: Bin Liu <bin@hyper.sh>
2022-07-26 16:08:59 +08:00
gntouts
56d49b5073
versions: Update Firecracker version to v1.1.0
This patch upgrades Firecracker version from v0.23.4 to v1.1.0
* Generate swagger models for v1.1.0 (from firecracker.yaml)
* Replace ht_enabled param with smt (API change)
* Remove NUMA-related jailer param --node 0
Fixes: #4673
Depends-on: github.com/kata-containers/tests#4968
Signed-off-by: George Ntoutsos <gntouts@nubificus.co.uk>
Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
2022-07-26 07:01:26 +00:00
Ji-Xinyou
62182db645
runtime-rs: add unit test for ipvlan endpoint
Add unit test to check the integrity of IPVlanEndpoint::new(...)
Fixes: #4655
Signed-off-by: Ji-Xinyou <jerryji0414@outlook.com>
2022-07-18 15:56:06 +08:00
wllenyj
274598ae56
kata-runtime: add dragonball config check support.
add dragonball config check support.
Signed-off-by: wllenyj <wllenyj@linux.alibaba.com>
2022-07-14 10:43:50 +08:00
Fabiano Fidêncio
be31207f6e
clh: Don't crash if no network device is set by the upper layer
`ctr` doesn't set a network device when creating the sandbox, which
leads to Cloud Hypervisor's driver crashing, see the log below:
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x55641c23b248]
goroutine 32 [running]:
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.glob..func1(0xc000397900)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/clh.go:163 +0x128
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*cloudHypervisor).vmAddNetPut(...)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/clh.go:1348
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*cloudHypervisor).bootVM(0xc000397900, {0x55641c76dfc0, 0xc000454ae0})
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/clh.go:1378 +0x5a2
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*cloudHypervisor).StartVM(0xc000397900, {0x55641c76dff8, 0xc00044c240},
0x55641b8016fd)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/clh.go:659 +0x7ee
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*Sandbox).startVM.func2()
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/sandbox.go:1219 +0x190
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*LinuxNetwork).Run.func1({0xc0004a8910, 0x3b})
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/network_linux.go:319 +0x1b
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.doNetNS({0xc000048440, 0xc00044c240}, 0xc0005d5b38)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/network_linux.go:1045 +0x163
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*LinuxNetwork).Run(0xc000150c80, {0x55641c76dff8, 0xc00044c240}, 0xc00014e4e0)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/network_linux.go:318 +0x105
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*Sandbox).startVM(0xc000107d40, {0x55641c76dff8, 0xc0005529f0})
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/sandbox.go:1205 +0x65f
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.createSandboxFromConfig({_, _}, {{0x0, 0x0, 0x0}, {0xc000385a00, 0x1, 0x1},
{0x55641d033260, 0x0, ...}, ...}, ...)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/api.go:91 +0x346
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.CreateSandbox({_, _}, {{0x0, 0x0, 0x0}, {0xc000385a00, 0x1, 0x1},
{0x55641d033260, 0x0, ...}, ...}, ...)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/api.go:51 +0x150
github.com/kata-containers/kata-containers/src/runtime/virtcontainers.(*VCImpl).CreateSandbox(_, {_, _}, {{0x0, 0x0, 0x0}, {0xc000385a00, 0x1, 0x1},
{0x55641d033260, ...}, ...})
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/virtcontainers/implementation.go:35 +0x74
github.com/kata-containers/kata-containers/src/runtime/pkg/katautils.CreateSandbox({_, _}, {_, _}, {{0xc0004806c0, 0x9}, 0xc000140110, 0xc00000f7a0,
{0x0, 0x0}, ...}, ...)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/create.go:175 +0x8b6
github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2.create({0x55641c76dff8, 0xc0004129f0}, 0xc00034a000, 0xc00036a000)
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2/create.go:147 +0xdea
github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2.(*service).Create.func2()
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2/service.go:401 +0x32
created by github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2.(*service).Create
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/src/runtime/pkg/containerd-shim-v2/service.go:400 +0x534
```
This bug has been introduced as part of the
https://github.com/kata-containers/kata-containers/pull/4312 PR, which
changed how we add the network device.
In order to avoid the crash, let's simply check whether we have a device
to be added before iterating the list of network devices.
Fixes: #4618
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-07-13 10:40:21 +02:00
Fabiano Fidêncio
dc3b6f6592
versions: Update Cloud Hypervisor to v25.0
Cloud Hypervisor v25.0 has been released on July 7th, 2022, and brings
the following changes:
**ch-remote Improvements**
The ch-remote command has gained support for creating the VM from a JSON
config and support for booting and deleting the VM from the VMM.
**VM "Coredump" Support**
Under the guest_debug feature flag it is now possible to extract the memory
of the guest for use in debugging with e.g. the crash utility.
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4012)
**Notable Bug Fixes**
* Always restore console mode on exit
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4249,
https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4248)
* Restore vCPUs in numerical order which fixes aarch64 snapshot/restore
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4244)
* Don't try and configure IFF_RUNNING on TAP devices
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4279)
* Propagate configured queue size through to vhost-user backend
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4286)
* Always Program vCPU CPUID before running the vCPU to fix running on Linux
5.16
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/4156)
* Enable ACPI MADT "Online Capable" flag for hotpluggable vCPUs to fix newer
Linux guest
**Removals**
The following functionality has been removed:
* The mergeable option from the virtio-pmem support has been removed
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/3968)
* The dax option from the virtio-fs support has been removed
(https://github.com/cloud-hypervisor/cloud-hypervisor/issues/3889)
Fixes: #4641
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-07-12 14:47:58 +00:00
Manabu Sugimoto
4d89476c91
runtime: Fix DisableSelinux config
Enable Kata runtime to handle `disable_selinux` flag properly in order
to be able to change the status by the runtime configuration whether the
runtime applies the SELinux label to VMM process.
Fixes: #4599
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2022-07-06 15:50:28 +09:00
Fabiano Fidêncio
071dd4c790
Merge pull request #4109 from pmores/drop-in-cfg-files-support
Drop in cfg files support
2022-07-05 22:21:24 +02:00
Peng Tao
a1de394e51
Merge pull request #4550 from liubin/fix/4548-overwrite-mount-type-for-bind-mount
runtime: overwrite mount type to bind for bind mounts
2022-07-04 19:56:26 +08:00
liubin
1f363a386c
runtime: overwrite mount type to bind for bind mounts
Some clients like nerdctl may pass mount type of none for volumes/bind mounts,
this will lead to container start failures.
Referring to runc, it overwrites the mount type to bind and ignores the input value.
Fixes: #4548
Signed-off-by: liubin <liubin0329@gmail.com>
2022-07-01 12:13:01 +08:00
GabyCT
02a51e75a7
Merge pull request #4554 from liubin/fix/delete-not-used-console-from-container-config
runtime: delete Console from Cmd type
2022-06-30 11:40:07 -05:00
Fabiano Fidêncio
aa561b49f5
Merge pull request #4540 from fidencio/topic/default_maxmemory
Add `default_maxmemory` config option
2022-06-30 12:08:15 +02:00
GabyCT
2a94261df5
Merge pull request #4549 from liubin/fix/4419-set-status-if-wait-process-failed
shim: set a non-zero return code if the wait process call failed.
2022-06-29 17:04:53 -05:00
Fabiano Fidêncio
1e12d56512
Merge pull request #4469 from egernst/config-validation-refactor
Refactor how hypervisor config validation is handled
2022-06-29 14:42:11 +02:00
liubin
a5a25ed13d
runtime: delete Console from Cmd type
There is much code related to this property, but it is not used anymore.
Fixes: #4553
Signed-off-by: liubin <liubin0329@gmail.com>
2022-06-29 17:36:32 +08:00
Pavel Mores
96553e8bd2
runtime: Add documentation of drop-in config file fragments
Added user manual for the drop-in config file fragments feature.
Signed-off-by: Pavel Mores <pmores@redhat.com>
2022-06-29 10:56:53 +02:00
Pavel Mores
c656457e90
runtime: Add tests of drop-in config file decoding
The tests ensure that interactions between drop-ins and the base
configuration.toml and among drop-ins themselves work as intended,
basically that files are evaluated in the correct order (base file
first, then drop-ins in alphabetical order) and the last one to set
a specific key wins.
Signed-off-by: Pavel Mores <pmores@redhat.com>
2022-06-29 09:54:39 +02:00
Pavel Mores
99f5ca80fc
runtime: Plug drop-in decoding into decodeConfig()
Fixes #4108
Signed-off-by: Pavel Mores <pmores@redhat.com>
2022-06-29 09:54:38 +02:00