When force is true, ignore any guest related errors. This can
be used to stop a sandbox when hypervisor process is dead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When a container is paused and something goes terribly
wrong, we still need to be able to clean thing up. A paused
container should be able to transit to stopped state as well
so that we can delete it properly.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Add jailer support to configuration files.
Also enable jailer by default in Kata containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
ACRN hypervisor is a type-1 hypervisor and this patch
adds support to check and validate if the system is
capable of running kata containers with ACRN hypervisor.
Depends-on: github.com/kata-containers/tests#1793
v3->v4:
Implemented a generic way to identify hypervisor and
test VM creation.
v2->v3:
1. Removed cgo structs and defined go structs.
2. Suppressed lint warnings due to unused createVM struct.
v1->v2:
1. Created an issue #1784 to address TODO item.
2. Fixed formatting of the log message.
3. Currently ACRN is only supported on amd64. So
moved ACRN specific code to kata-check_amd64.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch covers the following aspects,
1. Add ACRN as a supported hypervisor for amd64 architecture.
2. Build and install configuration file for ACRN hypervisor.
v1->v2:
1. Deleted autogenerated configuration-acrn.toml.
2. Trimmed configuration options not used by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
Auger Eric's latest patches about "ARM virt: Initial RAM expansion
and extended memory map"(https://patchwork.kernel.org/cover/10835377/)
paves the way to device memory, which is the foundation for NVDIMM and
memory hotplug.
This new feature on qemu kinds of depends on host kernel's new feature
on dynamic IPA range(https://lwn.net/Articles/750176/).
The availability of this feature is advertised by a new kvm cap
KVM_CAP_ARM_VM_IPA_SIZE. When supported, this capability returns the
maximum IPA shift supported by the host. The supported IPA size on
a host could be different from the system's PARange indicated
by the CPUs (e.g, kernel limit on the PA size).
Fixes: #1796
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As virtio v1.1 spec states:
The guest_cid configuration field MUST be fetched to determine the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Existing connections MUST be shut down when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Listen connections MUST remain operational with the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
We should be able to use vm templating together with vsock easily, as
qemu already sends VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event to guest.
Fixes: #1773
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
proxy will never be use with the Firecracker VMM. Keeping this header
will result in runtime failures, since the configuration will be parsed
on the path searched for.
Since vsock will always be used, remove the proxy section.
Fixes: #1761
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
A file based memory backend mapped to the host, fot eg: '/dev/shm' will
be used by virtio-fs for performance reasons. This change is a generic
implementation of that for kata. This will be enabled default for
virtio-fs negating the need to enable hugepages in that scenario. This
option can be used without virtio-fs by setting 'file_mem_backend' to
the location in the configuration file. Default value is an empty
string.
Fixes: #1656
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
nemu needs to be configured with:
`machine_type = "virt"` by default.
In addition, this commit removes
`machine_accelerators="virt"` which was added instead
of `machine_type` in a previous commit.
Fixes: #1707.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
We should refine unit test which involves func SupportsVsocks and newly
reconstructed struct kernelModule.
Fixes: #1512
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Since we prefer vsock over virtio serial port, we add 'vhost_vsock'
in kernel mosules list.
But vhost_vsock.ko shouldn't be the definitely required kernel modules,
afterall, we could also use virtio serial port.
if kata-env shows SupportsVSocks as false, users could run kata-check
to manually load vhost_vsock.ko and get detailed info(errors)
Fixes: #1512
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
- For initial offering of virtiofsd, hugepages are required
- use the qemu hypervisor type for configuration template
- decrease virtiofs cache size from 8192 to 1024, to better support
running with virtio-fs on smaller machines while hugepages are required.
- For initial experimental release, utilize virtio-serial instead of
vsock
Fixes: #1662
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
NEMU requires a unique runtime configuration. Add support for utilizing
a configuration-nemu.toml
Fixes: #1647
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
It's useful to know whether virtio-9p or virtio-fs is being used. Add
the status to the kata-env output.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Several cache modes are supported by virtio-fs. They affect the
performance and consistency characteristics of the file system.
For the time being cache="none" is recommended, but the other modes can
be experimented with.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Add VirtioFSCacheSize aka virtio_fs_cache_size option
to set the size (in MiB) of the DAX cache.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Add a config option to select between virtio-9p and virtiofs. This
option currently has no effect and will be used in a later patch.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
kata-runtime list command should list all valid container, not fail
when some containers information uncorrent, like rootfs not found.
Fixes: #1592
Signed-off-by: Ace-Tang <aceapril@126.com>
Add configuration options to support the various Kata agent tracing
modes and types. See the comments in the built configuration files for
details:
- `cli/config/configuration-fc.toml`
- `cli/config/configuration-qemu.toml`
Fixes#1369.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Previously, the agent behaviour was controlled entirely using the
`kernel_params=` config option. This mechanism suffers from a subtle
problem - the runtime is not aware of how the agent will behave.
From now on, all significant agent options will be controlled from the
agent section in the configuration file. This allows the runtime to be
more aware of -- and in control of -- such agent settings. It would also
allow the underlying kernel CLI options to be modified in the future if
required.
This PR adds the only useful agent option as an explicit option by
adding an `enable_debug=true` option to the Kata agent section in
`configuration.toml`. This allows controlling agent debug to be handled
in the same manner as the other debug options.
This change is somewhat foundational: it permits the agent to be handled
consistently with other config file sections which is useful, but
arguably not essential (the old way worked). However, the new way of
handling agent options will be essential when introducing agent tracing
control as the runtime must be aware of the agent trace mode to allow
the runtime to modify its behaviour accordingly.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Replace the two versions of `makeRuntimeConfigFileData()` with a single
`MakeRuntimeConfigFileData()` in a new `katatestutils` package and a new
`katautils.GetDefaultHypervisorConfig()` to query the default hypervisor
details.
This isn't ideal but a new package had to be created to avoid circular
dependencies. It was also required since test code cannot be exported
from a package.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
This reverts commit 196661bc0d.
Reverting because cri-o with devicemapper started
to fail after this commit was merged.
Fixes: #1574.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
We can use the same data structure to describe both of them.
So that we can handle them similarly.
Fixes: #1566
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Makefile had a template for cli/config-generated.go embedded inside it.
There is already a templating mechanism for .in files. Using a .in file
is cleaner since it avoids make's awkward interaction with shell
escaping and line splitting.
This patch moves the template into cli/config-generated.go.in and reuses
the existing .in file templating mechanism. Only the PKGRUNDIR variable
needs to be added.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Clear Containers proxy and shim are no longer supported. This
was mentioned in issue #1113. Their functionalities are thus
removed from the runtime.
Fixes#1419
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
This commit adds a new gRPC function Status to CacheService. VMCache
server will reply the status of VMCache server.
Factory destroy will call gRPC Status to get the status of VMCache
server and output it when VMCache is enabled.
Fixes: #1395
Signed-off-by: Hui Zhu <teawater@hyper.sh>
VMCache server just can be stopped by ctrl-c without current commit.
This commit adds a new gRPC function Quit to CacheService. VMCache
server will stop by itself after 1 second when Quit is called.
Factory destroy will call gRPC Quit when VMCache is enabled.
Fixes: #1395
Signed-off-by: Hui Zhu <teawater@hyper.sh>
We don't really require nested nor unrestricted_guest to run. And there
is no point validating host cpu properties in UT.
Fixes: #1508
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
There is an issue that more than one VMCache server can run with same
vm_cache_endpoint file together.
The cause is factory try to remove vm_cache_endpoint file before VMCache
server runs.
Change it to check if vm_cache_endpoint file exists before VMCache server
runs to handle the issue.
Fixes: #1385
Signed-off-by: Hui Zhu <teawater@hyper.sh>
container's rootfs is a string type, which cannot represent a
block storage backed rootfs which hasn't been mounted.
Change it to a mount alike struct as below:
RootFs struct {
// Source specify the BlockDevice path
Source string
// Target specify where the rootfs is mounted if it has been mounted
Target string
// Type specifies the type of filesystem to mount.
Type string
// Options specifies zero or more fstab style mount options.
Options []string
// Mounted specifies whether the rootfs has be mounted or not
Mounted bool
}
If the container's rootfs has been mounted as before, then this struct can be
initialized as: RootFs{Target: <rootfs>, Mounted: true} to be compatible with
previous case.
Fixes:#1158
Signed-off-by: lifupan <lifupan@gmail.com>
After we switched golang linter to golangci-lint, we has extra 'deadcode'
linter check, and we need to remove this linter check for all
generic items.
Fixes: #1432
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
gometalinter is deprecated and will be archived April '19. The
suggestion is to switch to golangci-lint which is apparently 5x faster
than gometalinter.
Partially Fixes: #1377
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
