Pass span context through ttRPC metadata, that
agent can get parent from the context to create
new sub-spans.
Fixes: #1968
Signed-off-by: bin <bin@hyper.sh>
Use common functions wrapping logic of getting values
from annotations, parsing bool/uint32/uint64 and setting
to struct fields.
Fixes: #2082
Signed-off-by: bin <bin@hyper.sh>
Since the rpc spec used an interface to represen the ErrnoRet,
thus the transform function of OCItoGRPC should take care of
this case.
Depends-on: github.com/kata-containers/tests#3629
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Fix the mismatch bring by the upgrading of vendor of containerd,
cgroup and runtime spec.
Fixes: #1441
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
To workaround virtiofs' lack of inotify support, we'll special case
particular mounts which are typically watched, and pass on information
to the agent so it can ensure that the mount presented to the container
is indeed watchable (see applicable agent commit).
This commit will:
- identify watchable mounts based on file count and mount source
- create a watchable-bind storage object for these mounts to
communicate intent to the agent
- update the OCI spec to take the updated watchable mount source into account
Unit tests added and updated for the newly introduced
functionality/functions.
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
There's no reason to pass the paths; they can be
determined when they are actually used.
Let's make the return values more comparable to the other mount handling
functions (we'll add storage object in future commit), and pass the mount maps as
function parameters.
...No functional changes here...
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Architectures that do not support memory hotplugging will fail when
memory limits are set because that amount is hotplugged. Issue a warning
instead. The long-term solution is virtio-mem.
Fixes: #1412
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Currently the virtio-mem device is hotplugged on the root bus.
This doesn't work for PCIe machines like q35.
Hotplug the virtio-mem device into the pci bridge instead.
Fixes#1953
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Keeping around two different x86 machines has no added value
and require more tests and maintenance. Prefer the q35 machine
since it has more features and drop the pc machine.
Fixes#1953
Depends-on: github.com/kata-containers/tests#3586
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
We should update golang proto files.
These changes are updated using libprotoc v3.6.1.
Fixes: #2064
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
To print the correct value of kernel parameters, the log field
value should not be a function name. And for that qemuArchBase
doesn't contain debug flag, so the log contains debug/non-debug
parameters.
Fixes: #2048
Signed-off-by: bin <bin@hyper.sh>
`memory_offset` is used to increase the maximum amount of memory
supported in a VM, this offset is equal to the NVDIMM/PMEM device that
is hot added, in real use case workloads such devices are bigger than
4G, which is the current limit (uint32).
fixes#2006
Signed-off-by: Julio Montes <julio.montes@intel.com>
Since SEV support has been added, an implementation mistake was also
added to TestQemuAmd64AppendProtectionDevice.
appendProtectionDevice() will, as it name says, append the protection
device to whatever was there previously. So, when SEV was added, we
broke the comparison done for TDX as we didn't append the expected
output for TDX with what we already had for SEV.
This should be enough to get the tests passing.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Remove storeSandbox() at the end of createSandboxFromConfig(),
because this callchain createSandboxFromConfig -> createContainers
has already calls storeSandbox().
This can improve the startup speed of the container,
even just for a little.
Fixes: #1980
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
Secure Execution is a confidential computing technology on s390x (IBM Z
& LinuxONE). Enable the correspondent virtualization technology in QEMU
(where it is referred to as "Protected Virtualization").
- Introduce enableProtection and appendProtectionDevice functions for
QEMU s390x.
- Introduce CheckCmdline to check for "prot_virt=1" being present on the
kernel command line.
- Introduce CPUFacilities and avilableGuestProtection for hypervisor
s390x to check for CPU support.
Fixes: #1771
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Previously, all consts were in single lines in
virtcontainers/qemu_s390x.go. Put them into a const block.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Trace spans erroneously set the network model to default in all cases.
Add function to return network model string and use it to set attribute
in spans.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Add sandbox, container, and hypervisor IDs to trace spans. Note that
some spans in sandbox.go are created with a trace() call from api.go.
These spans have additional attributes set after span creation to
overwrite the api attributes.
Fixes#1878
Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
Export proc stats for virtiofsd.
This commit only adds for hypervisors that have support for it.
- qemu
- cloud-hypervisor
Fixes: #1926
Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
It is in real life usage as we put non constrained sandbox processes
(like shim) in a separate cgroup path.
Fixes: #1944
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
CloudHypervisor is using virtiofsd.go to manage virtiofsd process,
but qemu has its code in qemu.go. This commit let qemu to re-use
code in virtiofsd.go to reduce code and improve maintenanceability.
Fixes: #1933
Signed-off-by: bin <bin@hyper.sh>
