Commit Graph

1086 Commits

Author SHA1 Message Date
Peng Tao
1f5b229bef runtime: remove FIXME in SandboxState about CgroupPath
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.

Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 13:17:14 +08:00
Peng Tao
fee0004ad4 runtime: remove TODO about hot add memory in qemu.go
Already addressed by https://github.com/kata-containers/runtime/pull/786

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 11:15:50 +08:00
Peng Tao
2e29ef9cab runtime: remove TODO comment from StatusContainer
It is no longer valid as containerd already doesn't treat container pid
as host process pid.

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2021-05-29 11:10:32 +08:00
Fabiano Fidêncio
c3f6c88668 Merge pull request #1915 from quanweiZhou/fix_start_container_failed_when_drop_all_caps
agent: fix start container failed when dropping all capabilities
2021-05-24 14:13:52 +02:00
Tim Zhang
005e5ddedc Merge pull request #1905 from ManaSugi/del_underscore_var
agent: Remove unnecessary underscore(_) variables
2021-05-24 17:39:48 +08:00
quanweiZhou
3e4ebe10ac agent: fix start container failed when dropping all capabilities
When starting a container and dropping all capabilities,
the init child process has no permission to read the exec.fifo
file because the parent set the file mode 0o622. So change the exec.fifo file mode to 0o644.

fixes #1913

Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
2021-05-22 17:33:49 +08:00
Eric Ernst
7f1030d303 sandbox-bindmount: persist mount information
Without this, if the shim dies, we will not have a reliable way to
identify what mounts should be cleaned up if `containerd-shim-kata-v2
cleanup` is called for the sandbox.

Before this, if you `ctr run` with a sandbox bindmount defined and SIGKILL the
containerd-shim-kata-v2, you'll notice the sandbox bindmount left on
host.

With this change, the shim is able to get the sandbox bindmount
information from disk and do the appropriate cleanup.

Fixes #1896

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-21 12:54:35 -07:00
Eric Ernst
089a7484e1 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
If for any reason there's an error when trying to setup the sandbox
bindmounts, make sure we roll back any mounts already created when
setting up the sandbox.

Without this, we'd leave shared directory mount and potentially
sandbox-bindmounts on the host.

Fixes: #1895

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-21 12:54:35 -07:00
Manabu Sugimoto
20a382c158 agent: Remove unnecessary underscore(_) variables
We should remove underscore(_) prefixed variables when ? operator is
used.

Fixes: #1903

Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2021-05-21 17:45:34 +09:00
Fabiano Fidêncio
f52468bea7 agent/agent-ctl: Replace prctl crate by the capctl one
While evaluating the possibility of having kata-agent statically linked
to the GNU libc, we've ended up facing some issues with prctl.

When debugging the issues, we figured out that the crate hasn't been
maintained since 2015 and that the capctl one is a good 1:1 replacement
for what we need.

Fixes: #1844

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-19 20:16:26 +02:00
Fabiano Fidêncio
8aefc79314 agent: Perform a cargo update
While in the beginning of the development cycle, let's perform a `cargo
update`.

Fixes: #1883

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-19 09:43:17 +02:00
Peng Tao
f6c5f7c0ef Merge pull request #1844 from lifupan/main
rustjail: separated the propagation flags from mount flags
2021-05-14 10:25:35 +08:00
Peng Tao
35151f1786 runtime: sandbox delete should succeed after verifying sandbox state
Otherwise we might block delete and create orphan containers.

Fixes: #1039

Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-13 14:05:49 -07:00
fupan.lfp
e5fe572f51 rustjail: separated the propagation flags from mount flags
Since the propagation flags couldn't be combinted with the
standard mount flags, and they should be used with the remount,
thus it's better to split them from the standard mount flags.

Fixes: #1699

Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
2021-05-13 23:53:52 +08:00
Bin Liu
cc4748fa64 Merge pull request #1829 from Tim-Zhang/fix-reap
agent: avoid reaping the exit signal of execute_hook in the reaper
2021-05-12 17:24:25 +08:00
Bin Liu
15778a17e5 Merge pull request #1828 from Tim-Zhang/move-dep
agent: move the dependency tempfile to the dev-dependencies section
2021-05-12 17:21:50 +08:00
Tim Zhang
a5bb383cf3 agent: avoid reaping the exit signal of execute_hook in the reaper
Fixes: #1826

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-05-12 14:40:20 +08:00
Tim Zhang
ce7a5ba22e agent: move the dependency tempfile to the dev-dependencies section
The tempfile is only used by tests.

Fixes: #1827

Signed-off-by: Tim Zhang <tim@hyper.sh>
2021-05-12 14:39:58 +08:00
Fabiano Fidêncio
ac61e60492 Merge pull request #1790 from snir911/configure_timeout
runtime: make dialing timeout configurable
2021-05-11 16:52:05 +02:00
Bin Liu
bffb099d99 Merge pull request #1816 from egernst/get-sandbox-metrics-cli
Get sandbox metrics cli
2021-05-11 13:10:30 +08:00
Samuel Ortiz
2c4e4ca1ac Merge pull request #1590 from devimc/2021-02-02/ConfidentialComputing
Support TDx
2021-05-10 22:19:40 +02:00
Eric Ernst
8068a4692f kata-runtime: add metrics command
For easier debug, let's add subcommand to kata-runtime for gathering
metrics associated with a given sandbox.

kata-runtime metrics --sandbox-id foobar

Fixes: #1815

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-10 10:45:10 -07:00
Eric Ernst
3787306107 kata-monitor: export get stats for sandbox
Gathering stats for a given sandbox is pretty useful; let's export a
function from katamonitor pkg to do this.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-10 08:53:56 -07:00
Snir Sheriber
01b56d6cbf runtime: make dialing timeout configurable
allow to set dialing timeout in configuration.toml
default is 30s

Fixes: #1789
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-05-10 16:39:37 +03:00
Eric Ernst
3caed6f88d runtime: shim: dedup client, socket addr code
(1) Add an accessor function, SocketAddress, to the shim-v2 code for
determining the shim's abstract domain socket address, given the sandbox
ID.

(2) In kata monitor, create a function, BuildShimClient, for obtaining the appropriate
http.Client for communicating with the shim's monitoring endpoint.

(3) Update the kata CLI and kata-monitor code to make use of these.

(4) Migrate some kata monitor methods to be functions, in order to ease
future reuse.

(5) drop unused namespace from functions where it is no longer needed.

Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2021-05-07 15:20:37 -07:00
Fabiano Fidêncio
4bc006c8a4 runtime: Short the shim-monitor path
Instead of having something like
"/containerd-shim/$namespace/$sandboxID/shim-monitor.sock", let's change
the approach to:
* create the file in a more neutral location "/run/vc", instead of
  "/containerd-shim";
* drop the namespace, as the sandboxID should be unique;
* remove ".sock" from the socket name.

This will result on a name that looks like:
"/run/vc/$sandboxID/shim-monitor"

Fixes: #497

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-05-07 14:20:35 -07:00
Tim Zhang
1bfc426a2b Merge pull request #1784 from liubin/fix/1783-delete-un-used-fn
agent: delete code which is no longer used
2021-05-07 14:25:26 +08:00
Fabiano Fidêncio
2436839fa7 Merge pull request #1749 from liubin/fix/1748-delete-tracing-in-cli
cli: delete tracing code for kata-runtime binary
2021-05-07 08:17:16 +02:00
Tim Zhang
75648b0770 Merge pull request #1745 from liubin/fix/1744-add-doc-for-enable_pprof
docs: add per-Pod Kata configurations for `enable_pprof`
2021-05-07 13:45:34 +08:00
Fupan Li
70e1d44262 Merge pull request #1800 from teawater/fix_vm
Fix issue of virtio-mem
2021-05-07 13:08:12 +08:00
Fupan Li
487e165093 Merge pull request #1778 from snir911/patch_nofile
Set fixed NOFILE limit value for kata-agent
2021-05-07 13:06:10 +08:00
Chelsea Mafrica
3e8137399c Merge pull request #1805 from liubin/fix/1804-select-sandbox-ctx
runtime: use s.ctx instead ctx for checking cancellation
2021-05-06 09:51:47 -07:00
Chelsea Mafrica
917665ab6d Merge pull request #1751 from liubin/fix/1750-fix-comments
runtime: fix some comments
2021-05-06 08:42:15 -07:00
Julio Montes
4f61f4b490 virtcontainers: Support TDX
Add support for Intel TDX confidential guests

fixes #1332

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
Julio Montes
0affe8860d virtcontainers: define confidential guest framework
Define the structure and functions needed to support confidential
guests, this commit doesn't add support for any specific technology,
support for TDX, SEV, PEF and others will be added in following
commits.

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
Julio Montes
539afba03d runtime: define config options to enable confidential computing
Define config options to enable or disable confidential computing and
its features, for example:
* Image service offloading
* Image decryption keys

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-06 10:09:05 -05:00
bin
79831fafaf runtime: use s.ctx instead ctx for checking cancellation
s.ctx should be used for checking cancellation, and the
local ctx is used for tracing.

Fixes: #1804

Signed-off-by: bin <bin@hyper.sh>
2021-05-06 17:22:53 +08:00
bin
f6d5fbf9ba runtime: fix some comments
This commint include two types of fixes for comments
in src/runtime/containerd-shim-v2/start.go.

- Update comment for calling of watchOOMEvents.
- Comments without heading spaces.

Fixes: #1750

Signed-off-by: bin <bin@hyper.sh>
2021-05-06 17:12:52 +08:00
Hui Zhu
7f7c3fc8ec qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
This commit change sizeByte from uint32 to uint64 to fix overflow issue.

Fixes: #1796

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-05-06 14:13:50 +08:00
Hui Zhu
c9053ea3fb qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
Got:
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: Add 189759MB virtio-mem-pci fail QMP command
failed: backend memory size must be multiple of 0x200000: unknown

This commit let sizeMB be multiple of 2Mib to fix the issue.

Fixes: #1796

Signed-off-by: Hui Zhu <teawater@antfin.com>
2021-05-06 14:13:48 +08:00
Snir Sheriber
a188577ebf agent: Set fixed NOFILE limit value for kata-agent
Some applications may fail if NOFILE limit is set to unlimited.
Although in some environments this value is explicitly overridden,
lets set it to a more sane value in case it doesn't.

Fixes #1715
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
2021-05-04 15:06:11 +03:00
Julio Montes
88cf3db601 runtime: implement CPUFlags function
`CPUFlags` returns a map with all the CPU flags, these CPU flags
may help us to identiry whether a system support confidential computing
or not.

Signed-off-by: Julio Montes <julio.montes@intel.com>
2021-05-03 09:33:13 -05:00
Eric Ernst
1c0d3afd55 Merge pull request #1754 from Jakob-Naucke/fix-virtiofs-s390x
virtcontainers: Fix virtio-fs on s390x
2021-04-30 09:28:12 -07:00
Fabiano Fidêncio
2e0221125a Merge pull request #1780 from likebreath/0429/clh_v15.0
versions: Upgrade to cloud-hypervisor v15.0
2021-04-30 18:20:36 +02:00
Fabiano Fidêncio
29fdfcfebc Merge pull request #1725 from liubin/liubin/1724-not-return-if-get-api-socket-failed
clh: return error if apiSocketPath failed
2021-04-30 18:16:45 +02:00
Fabiano Fidêncio
dc23adcd50 Merge pull request #1743 from alrs/fix-runtime-err
runtime: fix dropped error
2021-04-30 18:15:22 +02:00
bin
d601ae3446 agent: delete not used comments
Delete comments meanless or make people confusion.

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:37:55 +08:00
bin
6038da1903 agent: delete rustjail/src/configs directory
This directory is not used anymore.

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:18:03 +08:00
bin
84ee8aa8b2 agent: delete not used functions
In file src/agent/rustjail/src/validator.rs,
these two functions are not used:
- get_namespace_path
- check_host_ns

Fixes: #1783

Signed-off-by: bin <bin@hyper.sh>
2021-04-30 19:17:41 +08:00
Fabiano Fidêncio
bd486f7bf3 Merge pull request #1720 from ManaSugi/update-seccomp-spec
agent: Update seccomp configuration for errnoRet and flags
2021-04-30 10:52:42 +02:00