To keep runtime-rs up to date, we will merge main into runtime-rs every
week.
Fixes: #4790
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Fixes#4764
versions: update rust version to fix ccv0 attestation-agent build error
static-checks: kata tools, libs, and agent fixes
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
when the default_vcpus is greater than the default_maxvcpus, the default
vcpu number should be set equal to the default_maxvcpus.
Fixes: #4712
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
New nix is supporting UMOUNT_NOFOLLOW, upgrade nix
version to use this flag instead of the self-defined flag.
Fixes: #4670
Signed-off-by: liubin <liubin0329@gmail.com>
1. support annotation for runtime.name, hypervisor_name, agent_name.
2. fix parse memory from annotation
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
1. service: Responsible for processing services, such as task service, image service
2. Responsible for implementing different runtimes, such as Virt-container,
Linux-container, Wasm-container
Fixes: #3785
Signed-off-by: Quanwei Zhou <quanweiZhou@linux.alibaba.com>
1. support async.
2. update ttrpc and protobuf
update ttrpc to 0.6.0
update protobuf to 2.23.0
3. support trans from oci
Fixes: #3746
Signed-off-by: Quanwei Zhou <quanweiZhou@linux.alibaba.com>
Implement reflink_copy() to copy file by reflink, and fallback to normal
file copy.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
The kata-sys-util crate is a collection of modules that provides helpers
and utilities used by multiple Kata Containers components.
Fixes: #3305
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
1. modify default values for hypervisor
2. change the variable name
3. check the min memory limit
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
1. Some Nit problems are fixed
2. Make the code more readable
3. Modify some implementation details
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
If there is a parse error when we are trying to get the annotations, we
will return Result<Option<type>> to handle that.
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
loading from empty string is only used to identity that the config is
not initialized yet, so Option<TomlConfig> is a better option
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Some annotations are used to override hypervisor configurations, and you
know it's dangerous. We must be careful when overriding hypervisor configuration
by annotations, to avoid security flaws.
There are two existing mechanisms to prevent attacks by annotations:
1) config.hypervisor.enable_annotations defines the allowed annotation
keys for config.hypervisor.
2) config.hyperisor.xxxx_paths defines allowd values for specific keys.
The access methods for config.hypervisor.xxx enforces the permisstion
checks for above rules.
To update conifg, traverse the annotation hashmap,check if the key is enabled in hypervisor or not.
If it is enabled. For path related annotation, check whether it is valid or not
before updating conifg. For cpu and memory related annotation, check whether it
is more than or less than the limitation for DB and qemu beforing updating config.
If it is not enabled, there will be three possibilities, agent related
annotation, runtime related annotation and hypervisor related annotation
but not enabled. The function will handle agent and runtime annotation
first, then the option left will be the invlaid hypervisor, err message
will be returned.
add more edge cases tests for updating config
clean up unused functions, delete unused files and fix warnings
Fixes: #3523
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
The TomlConfig structure is a parsed form of Kata configuration file,
but it's a little inconveneient to access those configuration
information directly. So introduce a wrapper KataConfig to easily
access those configuration information.
Two singletons of KataConfig is provided:
- KATA_DEFAULT_CONFIG: the original version directly loaded from Kata
configuration file.
- KATA_ACTIVE_CONFIG: the active version is the KATA_DEFAULT_CONFIG
patched by annotations.
So the recommended to way to use these two singletons:
- Load TomlConfig from configuration file and set it as the default one.
- Clone the default one and patch it with values from annotations.
- Use the default one for permission checks, such as to check for
allowed annotation keys/values.
- The patched version may be set as the active one or passed to clients.
- The clients directly accesses information from the active/passed one,
and do not need to check annotation for override.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Add structures to load Kata agent configuration from configuration files.
Also define a mechanism for vendor to extend the Kata configuration
structure.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Add structures to load Kata hypevisor configuration from configuration
files. Also define a mechanisms to:
1) for hypervisors to handle the configuration info.
2) for vendor to extend the Kata configuration structure.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
