This reverts commit 800ee5cd88.
As the Jenkins TDX CI is running on a system with a TDX stack called
"2022ww44", we should keep the QEMU / kernel / OVMF versions matching
what's provided in that stack.
The reason we were able to update this on `main` is because the GHA TDX
CI is running on a TDX stack called "2023ww01", but we have decided to
NOT take the bullet, NOT updating the Jenkins CI in order to avoid
unexepected breakages.
This regression was introduced as part of the last CCv0 merge to main,
and would've been caught by the CI, and should've been caught by the
reviewer (myself :-)), but CI was having a hard time to even build the
compoenents and I wrote in the PR and I'm quoting it here: "I rather
deal with possible breakages on this later on, than block this PR to get
in." ... and here we are. :-)
Fixes: #6884
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit 3018c9ad51.
As the Jenkins TDX CI is running on a system with a TDX stack called
"2022ww44", we should keep the QEMU / kernel / OVMF versions matching
what's provided in that stack.
The reason we were able to update this on `main` is because the GHA TDX
CI is running on a TDX stack called "2023ww01", but we have decided to
NOT take the bullet, NOT updating the Jenkins CI in order to avoid
unexepected breakages.
This regression was introduced as part of the last CCv0 merge to main,
and would've been caught by the CI, and should've been caught by the
reviewer (myself :-)), but CI was having a hard time to even build the
compoenents and I wrote in the PR and I'm quoting it here: "I rather
deal with possible breakages on this later on, than block this PR to get
in." ... and here we are. :-)
Fixes: #6884
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit 20ab2c2420.
As the Jenkins TDX CI is running on a system with a TDX stack called
"2022ww44", we should keep the QEMU / kernel / OVMF versions matching
what's provided in that stack.
The reason we were able to update this on `main` is because the GHA TDX
CI is running on a TDX stack called "2023ww01", but we have decided to
NOT take the bullet, NOT updating the Jenkins CI in order to avoid
unexepected breakages.
This regression was introduced as part of the last CCv0 merge to main,
and would've been caught by the CI, and should've been caught by the
reviewer (myself :-)), but CI was having a hard time to even build the
compoenents and I wrote in the PR and I'm quoting it here: "I rather
deal with possible breakages on this later on, than block this PR to get
in." ... and here we are. :-)
Fixes: #6884
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit f33345c311.
As the Jenkins TDX CI is running on a system with a TDX stack called
"2022ww44", we should keep the QEMU / kernel / OVMF versions matching
what's provided in that stack.
The reason we were able to update this on `main` is because the GHA TDX
CI is running on a TDX stack called "2023ww01", but we have decided to
NOT take the bullet, NOT updating the Jenkins CI in order to avoid
unexepected breakages.
This regression was introduced as part of the last CCv0 merge to main,
and would've been caught by the CI, and should've been caught by the
reviewer (myself :-)), but CI was having a hard time to even build the
compoenents and I wrote in the PR and I'm quoting it here: "I rather
deal with possible breakages on this later on, than block this PR to get
in." ... and here we are. :-)
Fixes: #6884
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This partially reverts commit 054174d3e6
As the Jenkins TDX CI is running on a system with a TDX stack called
"2022ww44", we should keep the QEMU / kernel / OVMF versions matching
what's provided in that stack.
The reason we were able to update this on `main` is because the GHA TDX
CI is running on a TDX stack called "2023ww01", but we have decided to
NOT take the bullet, NOT updating the Jenkins CI in order to avoid
unexepected breakages.
This regression was introduced as part of the last CCv0 merge to main,
and would've been caught by the CI, and should've been caught by the
reviewer (myself :-)), but CI was having a hard time to even build the
compoenents and I wrote in the PR and I'm quoting it here: "I rather
deal with possible breakages on this later on, than block this PR to get
in." ... and here we are. :-)
Fixes: #6884
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
In preparation for CoCo 0.5 release, updated td-shim to
commit 10568bab569bc40034cc973f26fbb0a768dcc3e3
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
In preparation for CoCo 0.5 release, updated attestation-agent to
commit c939d211fe5ac497715008e36161aff20cabb6e6
Fixes#6650
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Let's update the OVMF for TDX version to what's the latest tested
release of the Intel TDX tools with Kata Containers.
This change requires a newer version of `nasm` than the one provided by
the container used to build the project. This change will also be
needed for SEV-SNP and was originally done by Alex Carter (thanks!).
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Alex Carter <Alex.Carter@ibm.com>
Let's update the Kernel TDX version to what's the latest tested release
of the Intel TDX tools with Kata Containers.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Although we've been providing users a way to build kernel with TDX
support, this must be moved to its own experimental entry instead of how
it currently is.
The reason for that is because the patches are not yet merged into
kernel, and this is still an experimental build of the project.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's update the QEMU TDX version to what's the latest tested release of
the Intel TDX tools with Kata Containers.
In order to do such update, we had to relax the checks on the QEMU
version for some of the configuration options, as those were removed
right after the window was open for the 7.1.0 development (thus the
7.0.50 check).
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Although we've been providing users a way to build QEMU with TDX
support, this must be moved to its own experimental entry instead of how
it currently is.
The reason for that is because the patches are not yet merged into QEMU,
and this is still an experimental build of the project.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's adjust the kernel names in versions.yaml so those can match the
names used as part of the kata-deploy local build scripts.
Right now this doesn't bring any benefit nor drawback, but it'll make
our life easier later on in this same series.
Depends-on: github.com/kata-containers/tests#5534
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR updates the firecracker version being used in kata containers
versions.yaml
The changes in version 1.3.1 are
Added
Introduced T2CL (Intel) and T2A (AMD) CPU templates to provide
instruction set feature parity between Intel and AMD CPUs when using
these templates.
Added Graviton3 support (c7g instance type).
Changed
Improved error message when invalid network backend provided.
Improved TCP throughput by between 5% and 15% (depending on CPU) by using
scatter-gather I/O in the net device's TX path.
Upgraded Rust toolchain from 1.64.0 to 1.66.0.
Made seccompiler output bit-reproducible.
Fixed
Fixed feature flags in T2 CPU template on Intel Ice Lake.
Fixes#6482
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
This is the latest td-shim commit and the latest known working
attestation-agent commit.
Fixes: #6366
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Let's ensure we're building virtiofsd with a specific toolchain that's
known to not cause any issues, instead of always using the latest one.
On each bump of the virtiofsd, we'll make sure to adjust this according
to what's been used by the virtiofsd community.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Currently ubuntu is already the default distro for all the architectures
but x86_64, which uses clearlinux. However, our CI does *not* test the
clearlinux image we ship.
Taking a look at our CI code [0], we've been using ubuntu as base for
the tests for a few years already, if not forever.
The minimum we can do is to switch to distributing ubuntu, as the tested
rootfs-image, and then decide later on whether we should switch back to
clearlinux (once we switch our CI to using that, and make sure all tests
will be green), or if we move to slimmer distro, such as alpine.
[0]: 0a39dd1a01/.ci/install_kata_image.sh (L44)Fixes: #6303
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR updates the runc version. This new version include
changes in:
- Fix mounting via wrong proc fd. When the user and mount namespaces are
used, and the bind mount is followed by the cgroup mount in the spec,
the cgroup was mounted using the bind mount's mount fd.
- Switch kill() in libcontainer/nsenter to sane_kill().
- Fix "permission denied" error from runc run on noexec fs.
- Fix failed exec after systemctl daemon-reload. Due to a regression
in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
Fixes#6251
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
A known bug in qemu 7.2.0 causes a problem handling the kernel hashes argument and causes SEV container launching to fail.
Fixes: #6189
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
- Remove umoci entry from versions
- Update the usage of skopeo to control the tooling we use to build
the pause image
Fixes: #
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
As QEMU released its v7.2.0 version in December last year, last do the
bump on our side.
A few configuration options have been removed between the v6.2.0 (the
version we currently use) and v7.2.0, so those have also been dropped
from our configure-hypervison.sh script (for this specific version).
Also, we're explicitly setting --disable-virtiofsd for the platforms
that we're testing using the rust version.
See: a8d6abe129/docs/about/deprecated.rst (virtiofsd)Fixes: #6102
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The attestation-agent had its v0.3.0 release earlier Today, following
the Confidential Containers v0.3.0 release process.
Let's bump it on our side, as we've already tested the version that
became this release.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
TD-Shim has released its v0.3.0 release earlier Today, following the
Confidential Containers v0.3.0 release.
Let's update it here. We need to also bump the toolchain to using the
nightly-2022-11-15
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
