We want to launch the KVM launcher tool (qemu?) with an SELinux label, similar
to what we do with libvirt.
Currently when I use kata with Podman, it complains if we specify a label that
kata does not support SELinux labels. What I would like to do is have kata just
use this label to apply to the KVM launcher. Then I will work to generate a new
policy type (container_kvm_t) that will allow the KVM Launcher tool to do its
thing, but prevent breakout.
Fixes: #2501
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
All the other caps are inverted (not supported by default).
Make fs sharing not supported by default and let hypervisors
expose if it supports it.
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Some changes in Firecracker v0.21.1 is incompatible with the old versions.
So we need to update the minimum supported FC version to v0.21.1
Fixes: #2504
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
When sandbox id is too long, it will incur error of overlong firecracker
API unix socket.
In Linux, sun_path could maximumly contains 108 bytes in size.
http://man7.org/linux/man-pages/man7/unix.7.html
So here we try to truncate FC id to only keep the size of UUID(128bit).
Fixes: #2504
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Firecracker has changed default API socket path to `/run/firecracker.socket`.
This path also applies when running with the jailer.
Related PR: https://github.com/firecracker-microvm/firecracker/pull/1500
kata is letting jailer automatically create API socket, so we need to
change api socket path from `/api.socket` to `/run/firecracker.socket` accordingly.
Fixes: #2504
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Firecracker has removed redundant `--seccomp-level` jailer parameter
since it can be simply forwarded to the Firecracker executable using
"end of command options" convention.
Related PR: https://github.com/firecracker-microvm/firecracker/pull/1491
Since kata is just using default seccomp level for firecracker, here
then we just removed the setting for jailer.
Fixes: #2504
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
The default chrootBaseDir "/run/vc" in many distributions is mounted
with `noexec` flag, which will bring 'permission denied' error
when running kata-containers with jailer.
Therefore, we decided to remount the jailerRoot dir with exec when setting
up a new firecracker sandbox and umount it when cleaning up.
Fixes: #2511
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
originally, we forcefully set any bind-mount with `private` propagation
type, and it's not applied for all scenarios. e.g. we need to provide
`slave` or `shared` propagation type for bind-mounts in setting up jail
house.
Here, we add another parameter `pgtype` in func bindMount for providing
customized propagation parameters.
Fixes: #2511
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
When we used jailer to launch firecracker, kata container failed due
to the following causes:
1. new flag `--config-file` belongs to the jailed firecracker,
so, adhering to the `end of command options` convention, we need to
give `--config-file` a prefix `--`.
2. The path of the config file(`fcConfig.json`) should be also
relative to the jailed firecracker.
3. Since we do the configuration before func `fcInit` now, we also need
to bring `jailer check` ahead.
4. The config file should be umounted and cleaned up.
Fixes: #2362
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
New command-line parameter for firecracker v0.19.0, named `--config-file`,
which represents the path to a file that contains a JSON which can be
used for configuring and starting a microVM without sending any API
requests.
Fixes: #2199
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
func checkVersion could be called anywhere, not always after
DescribeInstance `\` API request, so it should be more independent.
We could also get version number from `firecracker --version` command.
Fixes: #2199
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Since we decide to adopt config file to configure, we could bypass
API Ready state.
Here, we also create a new config ready state: `cfReady`, to represent
configuration part is done.
Fixes: #2199
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
For shimv2 case, when hypervisor's debug option set, log out
the firecracker's console output which contains the kernel boot
logs; thus it would be easy for system panic debugging.
When agent debug was enabled by passing "agent.log=debug" to
kernel parameter, it will also log out the agent logs from
the console output.
Fixes: #2201
Signed-off-by: lifupan <lifupan@gmail.com>
Firecracker have its own logging scheme, providing two fifo files with log
and metrics info.
We should extract error info for better debugging.
Fixes: #2072
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
firecracker 0.19.0 API is not backward compatible, hence we need
to bump the firecracker minimum supported version to 0.19.0
Signed-off-by: Julio Montes <julio.montes@intel.com>
In firecracker, there is no socket connected to /dev/console, so let's
use a vsock port to get agent's logs
Depends-on: github.com/kata-containers/shim#210
fixes#2103
Signed-off-by: Julio Montes <julio.montes@intel.com>
For security reasons, let's make sure 'others' don't have access to the
firecracker hybrid vsock
fixes#2101
Signed-off-by: Julio Montes <julio.montes@intel.com>
Unmount and unassign block device when it's required, that way the disk
can be unmounted and destroyed in the host.
fixes#1966
Signed-off-by: Julio Montes <julio.montes@intel.com>
Create a raw file and bind mount it to use it as disk is not needed,
instead a the raw file can be created at the jail path and use it directly
as disk, if a new container is added the real disk/device can be bind mounted
in the raw file.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Kata support several hypervisor and not all hypervisor support the
same type of sockets, for example QEMU support vsock and unix sockets, while
firecracker only support hybrid vsocks, hence sockets generations should be
hypervisor specific
fixes#2027
Signed-off-by: Julio Montes <julio.montes@intel.com>
Currently only firecracker supports hybrid vsocks, change the implementation
to use hybrid vsocks in firecracker.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add logger to the http transport to log the requests that the runtime writes
in the firecracker's socket. Enable debug it's enabled.
Signed-off-by: Julio Montes <julio.montes@intel.com>
so that for qemu, we can save and export virtiofsd pid,
and put it to the same cgroup as the qemu process.
Fixes: #1972
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When guest panics or stops with unexpected internal
error, qemu process might still be running but we can
find out such situation with qmp. Then monitor can still
report such failures to watchers.
Fixes: #1963
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Fixes#803
Merge "hypervisor.json" into "persist.json", so the new store can take
care of hypervisor data now.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location setup by jailer in order for firecracker to access
these resouces. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not setup in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to lauch the VMM process, vs
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Update virtcontainer to use latest swagger definition.
Most changes are around mandatory parameters which need to be
passed in via pointers so that the absence of the same can be
detected (vs using default values).
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Let's define agnostic commonkernelRootParams for all hypervisors,
including qemu, firecracker, etc. for now, it has two scenarios,
one for NVDIMM, one for virtio-blk.
Fixes: #1642
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Make sure the hypervisor is stopped if startSandbox does not succeed, by
calling stopSandbox.
Fixes: #1636
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Setup rootfs to be RO both from the VMM point of view and the
VM point of view.
Fixes: #1632
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Firecracker does not support pci. It also uses kbd to implement reboot/reset.
Fix the kernel boot params to address this.
It also does not have good entropy at startup. Use the hardware random
number generator to support entropy.
Fixes: #1620
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Kata support specifing the default VM configuration via
configuration.toml. This allows the system or cluster admin
to choose the default (i.e minimum) size of the VM.
Add support in kata to respect the VM configuration for firecracker.
Also refactor some code to make error handling uniform.
Fixes: #1594
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Add support for v0.15.x. Change the drive naming scheme to match
the requirement of v0.15.x
Fixes: #1598
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
