It disconnects the agent connection and removes the sandbox
from the global sandbox list.
A new option `LongLiveConn` is also added to kata
agent's configuration. When set, the API caller is expected
to call sandbox.Release() to drop the agent connection explicitly.
`proxyBuiltIn` is moved out of agent state because we can always
retrieve it from sandbox config instead.
Fixes: #217
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Don't attempt to create a file below `/dev` when running as non-`root`.
Move the logic into a new `TestIsHostDeviceCreateFile` test and skip
unless `root`.
Fixes #242.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
The k8s test creates a log file in /dev under
/dev/termination-log, which is not the right place to create
logs, but we need to handle this. With this commit, we handle
regular files under /dev by passing them as 9p shares. All other
special files including device files and directories
are not passed as 9p shares as these are specific to the host.
Any operations on these in the guest would fail anyway.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Since we want to handle certain files in /dev for the k8s case,
remove /dev from the mounts list that we ignore.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This reverts commit 08909b2213.
We should not be passing any bind-mounts from /dev, /sys and /proc.
Mounting these from the host inside the container does not make
sense as these files are relevant to the host OS.
Fixes #219
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Pass the slot address while attaching bridges. This is needed
to determine the pci/e address of devices that are attached
to the bridge.
Fixes #210
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
processListContainer is called by the ps command implementation to
list the processes running inside a container; this patch implements
this function in the kata agent.
Fixes #129
Signed-off-by: Julio Montes <julio.montes@intel.com>
When imported, the vc files carried in the 'full style' Apache
license text, but the standard for kata is to use SPDX style.
Update the relevant files to SPDX.
Fixes: #227
Signed-off-by: Graham whaley <graham.whaley@intel.com>
After we rename pod to sandbox, there is still some code left which
will cause some misunderstanding, such as `p`, short for `pod`, left in
`sandbox.go`. So we need to change it into `s`, short for `sandbox`.
Fixes: #230
Related: #200
Signed-off-by: Haomin Tsai <caihaomin@huawei.com>
Disable cpuset and cpumem constraints as this is not properly
supported yet.
If we add "cpuset_cpus" and "cpuset_mems" to the container.json,
kata-runtime failed to start, so we need to disable them.
Fixes: #221.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Those different files were all calling into a go routine that was
eventually reporting some result through a go channel. The problem
was the way those routines were implemented, as they were hanging
around forever. Indeed, nothing was actually listening to the channel
in some cases, and those routines never ended.
This was one of the problems detected by the fact that our unit tests
needed more time to pass because when they were all run in parallel,
the resources consumed by those routines were increasing the time
for other tests to complete.
Fixes #208
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Because of the bad design of the cc_proxy_mock go routine, we were
leaving an infinite loop running behind in this go routine. This
was consuming a lot of resources and it was obviously slowing down
the tests being run in parallel. That's one of the reasons we were
hitting the 10 seconds timeout when running go tests.
Fixes #208
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
When using noopShim type from the unit tests, we were ending up
getting a PID 1000, and when checking if the shim was around, we
were always expecting the shim to be "not running", based on the
fact that the process was not there anymore. Unfortunately, this
was a very wrong assumption because we cannot control which PIDs
are running or not on the system. The way to simplify this is to
return a PID 0 in case of noopShim, processed as a special case
by the function waitForShim().
Fixes #208
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Communicate to the agent the number of vCPUs that were hot added,
allowing the agent to wait for the creation of all vCPUs.
Fixes #90
Signed-off-by: Julio Montes <julio.montes@intel.com>
As agreed in [the kata containers API
design](https://github.com/kata-containers/documentation/blob/master/design/kata-api-design.md),
we need to rename pod notion to sandbox. The patch is a bit big but the
actual change is done through the script:
```
sed -i -e 's/pod/sandbox/g' -e 's/Pod/Sandbox/g' -e 's/POD/SB/g'
```
The only exceptions are `pod_sandbox` and `pod_container` annotations,
since we already pushed them to cri shims, we have to use them unchanged.
Fixes: #199
Signed-off-by: Peng Tao <bergwolf@gmail.com>
The runtime already hot added the number of vCPUs needed by each container;
in order to have better control over those resources, CPU constraints
must be applied.
Fixes #203
Signed-off-by: Julio Montes <julio.montes@intel.com>
Check if a volume passed to the container with -v is a block device
file, and if so pass the block device by hotplugging it to the VM
instead of passing this as a 9pfs volume. This would give us
better performance.
Add the block device associated with a volume to the list of
container devices, so that it is detached with all other devices
when the container is stopped with detachDevices().
Fixes #137
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
All bind mounts are now passed to the guest with 9p.
We need to exclude /dev/shm, as this is passed as a bind mount
in the spec. We handle /dev/shm in the guest by allocating
memory for it on the guest side. Passing /dev/shm as a 9p mount
was causing it to be mounted twice.
Fixes #190
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
It tracks all existing pods in the current runtime. If the runtime
calls multiple APIs, it can reuse the existing pod data structure instead
of re-constructing it in every API call.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
When specified, it does not spawn a new process to proxy kata grpc
connections. Instead, the yamux multiplexing functionality is built into
the kata agent dialer.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
In order to make log-parser happy, mockcontainer must always return
a valid process with a fake PID, since log-parser checks
that PID value in the logs and it must be different from zero.
Depends-on: github.com/kata-containers/tests#226
Signed-off-by: Julio Montes <julio.montes@intel.com>
Factorize configuration and hardware support for hotplugging block
devices into a single function and use that.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Use noopAgent in unit tests to add online fake resources.
Fix unit tests according to the new changes introduced recently.
Fixes #192
Signed-off-by: Julio Montes <julio.montes@intel.com>
The rollback does not work as expected because the error has to be
checked from the defer itself.
Fixes #178
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In case the container creation fails, we need a proper rollback
regarding the mounts previously performed.
Fixes #135
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In case the container creation fails, we need a proper rollback
regarding the mounts and hotplugs previously performed.
This patch also reworks the hotplugDrive() function in order to
prevent the createContainer() function complexity from exceeding 15.
Fixes #135
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
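The rollback commits above hinge on one Go detail: a deferred closure only sees the error if it reads the named return value at the time it runs. The following is an added illustration, not kata-containers code, using a constructed fake mount table and constructed share paths to contrast the broken and the working pattern:

```go
package main

import (
	"errors"
	"fmt"
)

// mountTable is a constructed stand-in for the host bind-mounts set up
// before a container is created; it is not part of the kata runtime.
type mountTable struct{ active []string }

func (m *mountTable) mount(p string) { m.active = append(m.active, p) }
func (m *mountTable) unmountAll()    { m.active = nil }

// errHotplug is a constructed failure injected after the mounts succeed.
var errHotplug = errors.New("hotplug failed")

// brokenCreate hands err to the deferred func as an argument. Arguments
// are evaluated when the defer statement executes, so e is always nil
// and the mounts leak after the failure.
func brokenCreate(m *mountTable, mounts []string) (err error) {
	defer func(e error) {
		if e != nil {
			m.unmountAll()
		}
	}(err)
	for _, p := range mounts {
		m.mount(p)
	}
	return errHotplug
}

// fixedCreate reads the named return value inside the closure, so the
// check happens after the return statement has assigned the error.
func fixedCreate(m *mountTable, mounts []string) (err error) {
	defer func() {
		if err != nil {
			m.unmountAll()
		}
	}()
	for _, p := range mounts {
		m.mount(p)
	}
	return errHotplug
}

func main() {
	mounts := []string{"/run/share/a", "/run/share/b"} // constructed paths
	var b, f mountTable
	_ = brokenCreate(&b, mounts)
	_ = fixedCreate(&f, mounts)
	fmt.Printf("broken left %d mounts, fixed left %d\n", len(b.active), len(f.active))
}
```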
Fixes #140
`virtcontainers` had been moved from `github.com/containers/virtcontainers` to
`github.com/kata-containers/runtime/virtcontainers`, so we should remove legacy dependencies
of `github.com/containers/virtcontainers` from go imports and vendors.
Also some documents need to be modified.
Note: vendor is updated with the `dep` tool with the following command:
`$ dep ensure -update github.com/containers/virtcontainers`
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Add a hypervisor configuration to specify if IO should
be handled in a separate thread. Add support for iothreads for
virtio-scsi for now. Since we attach all scsi drives to the
same scsi controller, all the drives will be handled in a separate
IO thread which would still give better performance.
Going forward we need to assess if adding more controllers and
attaching iothreads to each of them with distributing drives
among the scsi controllers should be done, based on more performance
analysis.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
If a container is not running, but created/ready instead, this means
a container process exists and that we can actually exec another
process inside this container. The container does not have to be
in running state.
Fixes #120
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In case a consumer of virtcontainers tries to start/stop a container,
or stop a pod, and for some reason this fails, virtcontainers always
tries to delete everything related to the container or the pod before
it returns the error.
The caller of the runtime is the one responsible for cleaning things
up if something goes wrong, that's why this cleanup call is never
needed.
A real example of that is the case of cc-runtime and CRI-O, where this
cleanup prevented CRI-O from retrieving proper state of the container
after the failure, leading to the inability to stop and remove the
container and the VM afterwards.
Fixes #87
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>