The old ones are carrying CVEs, do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Since the old ones are carrying CVEs. Do not use them.
PS: In order to update the modules, we're running `make handle_vendor`
target from the runtime's Makefile. This is now part of the CI and
ensures that the vendored code is up-to-date. It's important to note
that older versions of golang may generate different results for those,
but those versions are not supported anymore, so we're good to go with
what we have in the CI (1.15 and 1.16).
Fixes: #2338
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This PR updates the experimental documentation with the proper reference
to kata 2.x
Fixes#2317
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Pior our bump to runc 1.0.1 the manager's Set() would take a Config as
its parameter. Now it takes the Resources directly.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Previously part of the "system" namespace, the RunningInUserNS() has
been moved to the "userns" namespace.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Dependabot brought to us attention that we were still vendoring the runc
code which was affected by CVE-2021-30465.
Although the vulnerability doesn't seem to affect kata-containers, we
better keep our dependencies up-to-date anyways. With this in mind,
let's bump our runc dependency to the latest release.
Fixes: #2309
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Improve security by making rootfs image read-only, nobody
will be able to modify it from the guest.
fixes#1916
Signed-off-by: Julio Montes <julio.montes@intel.com>
Bring read-only nvdimm support
Shortlog:
335fa81 qemu: fix golangci-lint errors
61b6378 .github/workflows: reimplement github actions CI
9d6e797 go: support go modules
0d21263 qemu: support read-only nvdimm
ff34d28 qemu: Consistent parameter building
Signed-off-by: Julio Montes <julio.montes@intel.com>
Since the monitor socket used the unix socket path file,
which needed to be cleaned after the pod terminated,
thus put it into the sandbox data directory, and it
would be cleaned up once the sandbox termianted.
Fixes: #2269
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
This commit add option "enable_guest_swap" to config hypervisor.qemu.
It will enable swap in the guest. Default false.
When enable_guest_swap is enabled, insert a raw file to the guest as the
swap device if the swappiness of a container (set by annotation
"io.katacontainers.container.resource.swappiness") is bigger than 0.
The size of the swap device should be
swap_in_bytes (set by annotation
"io.katacontainers.container.resource.swap_in_bytes") - memory_limit_in_bytes.
If swap_in_bytes is not set, the size should be memory_limit_in_bytes.
If swap_in_bytes and memory_limit_in_bytes is not set, the size should be
default_memory.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
This commit add code to handle the annotations
"io.katacontainers.container.resource.swappiness" and
"io.katacontainers.container.resource.swap_in_bytes".
It will set the value of "io.katacontainers.resource.swappiness" to
c.config.Resources.Memory.Swappiness and set the value of
"io.katacontainers.resource.swap_in_bytes" to
c.config.Resources.Memory.Swap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
ocispec.Annotations is dropped in ContainerConfig.
This commit let it to be set to containerConfig.Annotations in
ContainerConfig.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
addSwap will create a swap file, hotplug it to hypervisor as a special
block device and let agent to setup it in the guest kernel.
removeSwap will remove the swap file.
Just QEMU support addSwap.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
Add new fuction AddSwap. When agent get AddSwap, it will get the device
name from PCIPath and set the device as the swap device.
Fixes: #2201
Signed-off-by: Hui Zhu <teawater@antfin.com>
'FLAGS' hash map has bool to indicate if the flag should be cleared or
not. But in parse_mount_flags_and_options() we set the flag even 'clear'
is true. This results in a 'rw' mount being mounted as 'MS_RDONLY'.
Fixes: #2262
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
Seems that at least some versions of container, when using ConifgPath,
still rely on the runtime options and its APIs from the not in use
anymore github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1.
The fact backward compat breaks when moving from the old to the new
runtime options, which happened as part of f60641a6e6d, strongly feels
like a containerd bug. Regardless, we can easily work this around on
our side without much hassle.
Just by importing old runtime options the unmarshalling doesn't break
anymore and we can easily check whether getting the options fails or not
and fallback to the old way if it does.
Fixes: #2258
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Commit 32c9ae1388 upgrade the
containerd vendor, which used the socket path to replace
the abstract socket address for socket listen and dial, and
there's an bug in containerd's abstract socket dialing.
Thus we should replace our monitor and exec socket server
with the socket path to fix this issue.
Fixes: #2238
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
It's better to check whether the destination file exists
before creating them, if it had been existed, then return
directly.
Fixes: #2247
Signed-off-by: fupan.lfp <fupan.lfp@antgroup.com>
Update to latest tokio to address RUSTSEC-2021-0072:
Task dropped in wrong thread when aborting `LocalSet` task
Update the toml to specify just 1.x for the tokio version.
Fixes: #2165
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Make the vsock-exporter async totally using tokio runtime.
And delay the timing of the connection to trace-forwarder so that
it is easy to reconnect when the connection was broken.
Fixes: #2234
Signed-off-by: Tim Zhang <tim@hyper.sh>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This has a similar intent as the go code, but not totally equal. For
the go code we want to ensure that the vendored code is up-to-date,
while here we want to ensure that `cargo vendor` actually works.
We happened to release a few tarballs where `cargo vendor` didn't work
and it causes some pain for downstream maintainers.
Related: #2159
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
