Fixes: #2023
CompatOCISpec is used to gurantee backward compatbility for old runtime
specs, after we convert CompatOCISpec to standard specs.Spec, we should
use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be
useless from then.
Spread usage of CompatOCISpec can make code structure confusing and making
the runtime spec usage non-standard. Besides, this can be the very first
step of removing CompatOCISpec from config's Annotations field.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
add option to eneable only pod cgroup (SandboxCgroupOnly)
Depends-on: github.com/kata-containers/tests#1824
Fixes: #1879
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Refactor unit test so that podman can be used to run tests when docker
is not available.
Fixes: #2006
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Since virtio-fs is under active development, more
options will be added increasingly. To avaoid frequent
change on runtime side to handle option changes, use
one mingled arg to ease testing new option/feature of
virtiofsd.
See `virtiofsd -h` for more option details.
Fixes: #1999
Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
The list of kernel modules can be passed to the runtime through the
configuration file or using OCI annotations. In both cases, a list paramentes
can be specified for each module.
fixes#1925
Signed-off-by: Julio Montes <julio.montes@intel.com>
Currently kata sets the init process to systemd even when it isn't installed,
the criteria to determinate whether systemd is used as init or not
is very odd, since kata only checks whether the `image` option is set in the
configuration file, unfortunately not all images have systemd installed.
Instead kata should rely on the guest kernel and `osbuilder` to use the right
init process. `osbuilder` creates a symbolic link to `systemd` or `kata-agent`
depending on the `AGENT_INIT` environment variable.
fixes#1937
Signed-off-by: Julio Montes <julio.montes@intel.com>
It is not really recommended to have nested vendor directories.
dep does not work well with nested directories:
https://github.com/golang/dep/issues/985
Recommendation is to use flatten the vendor directories.
Hence remove any nested vendor directories.
Fixes#1909
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add jailer support to configuration files.
Also enable jailer by default in Kata containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location setup by jailer in order for firecracker to access
these resouces. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not setup in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to lauch the VMM process, vs
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
This patch adds support for,
1. Extracting and configuring ACRN hypervisor from toml.
2. Add ACRN hypervisor ctl for controlling ACRN hypervisor.
This will be used for updating virtio-blk based
container rootfs using blk rescan feature.
v2->v3:
Fixed acrnctl path.
v1->v2:
Trimmed hypervisor config options as needed by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
Add a log message for every trace span created, required by the tracing
tests to validate tracing is working.
Fixes: #1814.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
detail how kata work with libnetwork
1. kata create a new netns
2. with EnterNS, kata change netns to the created one.
3. in pre-start hook, kata will re-exec libnetwork process
libnetwork-setkey, and send self pid to it. libnetwork use
/proc/pid/ns/net to find the netns kata use, and set veth into the netns.
v1/v2 shim use the same way to create network, v1 can successful
because EnterNS changed both current thread and main thread's netns.
But use v2 shim, only changed current thread netns, main thread still
use host netns, so it fails. Looks like v1 just lucky to be successful.
In kata, `state.Pid` should be tid.
Fixes: #1788
Signed-off-by: Ace-Tang <aceapril@126.com>
As virtio v1.1 spec states:
The guest_cid configuration field MUST be fetched to determine the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Existing connections MUST be shut down when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Listen connections MUST remain operational with the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
We should be able to use vm templating together with vsock easily, as
qemu already sends VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event to guest.
Fixes: #1773
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
A file based memory backend mapped to the host, fot eg: '/dev/shm' will
be used by virtio-fs for performance reasons. This change is a generic
implementation of that for kata. This will be enabled default for
virtio-fs negating the need to enable hugepages in that scenario. This
option can be used without virtio-fs by setting 'file_mem_backend' to
the location in the configuration file. Default value is an empty
string.
Fixes: #1656
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
The systemd units and files that are not needed in Kata Containers,
are removed when the image is created, therefore we don't need to mask
them.
fixes#1704
Signed-off-by: Julio Montes <julio.montes@intel.com>
There are still some systemd units that fail to start for different
reasons. Disable these systemd units to improve boot time.
fixes#1686
Signed-off-by: Julio Montes <julio.montes@intel.com>
Add a few minimal documents to allow all the documentation in this
repository to be navigated from the top-level README.
Fixes#1681.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
We should refine unit test which involves func SupportsVsocks and newly
reconstructed struct kernelModule.
Fixes: #1512
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Added the following distro version constraints for parity with the
kernel version constraints:
- `NeedDistroVersionGE()`
- `NeedDistroVersionLE()`
- `NeedDistroVersionNotEquals()`
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Fix version comparison bug whereby the specified operator was being
applied to the wrong version number.
The version handling for distro and kernel versions was incorrect. This
was not clear as the internal logic was rather difficult to understand.
Renaming `constraintInvalid()` to `constraintValid()` and updating
`NotValid()` correspondingly makes the logic clearer and exposed the
bug, allowing it to be fixed.
Added two new tests to ensure correct behaviour:
- `TestConstraintNotValidKernelVersion()`
- `TestConstraintNotValidDistroVersion()`
Fixes#1653.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Previously, the comment on `NeedDistroVersionEquals()` erroneously
referred to `NeedDistroVersionLT()`.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
`TestConstraint.NotValid()` is really designed to be called once per
test. However, there is no reason it should not be possible to call
multiple times. But to allow for that secenario, any settings
from a previous `NotValid()` call need to be cleared.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Skip TestHostNetworkingRequested test as nsfs is not supported on
older kernel versions. Currently, CentOS has issues with this test a
is using a kernel version of 3.10 and to run this test we need a
kernel version greater than 3.19.
Fixes#1629
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
It's useful to know whether virtio-9p or virtio-fs is being used. Add
the status to the kata-env output.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Several cache modes are supported by virtio-fs. They affect the
performance and consistency characteristics of the file system.
For the time being cache="none" is recommended, but the other modes can
be experimented with.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Add VirtioFSCacheSize aka virtio_fs_cache_size option
to set the size (in MiB) of the DAX cache.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Enhance the `katatestutils` package to provide the ability to skip
tests based on either user or distro the tests are running on.
Fixes#1586.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Add a config option to select between virtio-9p and virtiofs. This
option currently has no effect and will be used in a later patch.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
