Drop the bits for bridged networking in ACRN and change the default
to macvtap. We should eventually change this to tcfilter with additional
testing.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Routes with proto "kernel" are routes that are automatically added
by the kernel.
It is a route added automatically when you assign an address to an
interface which is not /32.
With this commit, these routes are ignored. The guest kernel
would add these routes on the guest side. A corresponding commit on the
agent side would no longer delete these routes while updating them.
Without this commit, netlink gives an error complaining that a route
already exists when you try to add a route with the same dest subnet.
Something like:
dest: 192.168.1.0/24 device:net1 source:192.168.1.217 scope:253
dest: 192.168.1.0/24 device:net2 source:192.168.1.218 scope:253
Depends-on: github.com/kata-containers/agent#624
Fixes: #1811
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The list of kernel modules can be passed to the runtime through the
configuration file or using OCI annotations. In both cases, a list paramentes
can be specified for each module.
fixes#1925
Signed-off-by: Julio Montes <julio.montes@intel.com>
We start virtiofsd in foreground (-f option), so we should wait for it
to reclaim its resources to avoid zombie process when qemu or virtiofsd
got killed unexpectedly.
Fixes: #1934
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
When virtio_fs_cache is set to none, the mount options for the folder
inside the guest should not contain the dax option else it leads to
invalid address errors and a crash of the daemon on the host.
Fixes: #1907
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
in create sandbox, if process error, should remove network without judge
NetNsCreated is true, since network is created by kata and should be
removed by kata, and network.Remove has judged if need to delete netns
depend on NetNsCreated
Fixes: #1920
Signed-off-by: Ace-Tang <aceapril@126.com>
CPU topology has changed in QEMU 4.1: socket > die > core > thread.
die option must be specified in order to hotplug CPUs on x86_64
Depends-on: github.com/kata-containers/packaging#657
fixes#1913
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fixes#803
Merge "hypervisor.json" into "persist.json", so the new store can take
care of hypervisor data now.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
For one thing, it is container specific resource so it should not
be cleaned up by the agent. For another thing, we can make container
stop to force cleanup these host mountpoints regardless of hypervisor
and agent liveness.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Then we can check hypervisor liveness in those cases to avoid long
timeout when connecting to the agent when hypervisor is dead.
For kata-agent, we still use the kata-proxy pid for the same purpose.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Once we have found the container, we should never fail SIGKILL.
It is possible to fail to send SIGKILL because hypervisor might
be gone already. If we fail SIGKILL, upper layer cannot really
proceed to clean things up.
Also there is no need to save sandbox here as we did not change
any state.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When force is true, ignore any guest related errors. This can
be used to stop a sandbox when hypervisor process is dead.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Whenever we fail to connect, do not make any more attempts.
More attempts are possible during cleanup phase but we should
not try to connect any more there.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When a container is paused and something goes terribly
wrong, we still need to be able to clean thing up. A paused
container should be able to transit to stopped state as well
so that we can delete it properly.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
It requires root to manipulate netns and otherwise fails
like below:
=== RUN TestStartNetworkMonitor
--- FAIL: TestStartNetworkMonitor (0.00s)
Error Trace: sandbox_test.go:1481
Error: Expected nil, but got: &errors.errorString{s:"Error switching to ns /proc/6648/task/6651/ns/net: operation not permitted"}
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Convert virtcontainers tests to testify/assert to make the virtcontainers
tests more readable.
fixes#156
Signed-off-by: Julio Montes <julio.montes@intel.com>
since some vendor id like 1ded can not be identified by virtio-pci
driver, so need to pass a specified vendor id to qemu.
Fixes: #1894
Signed-off-by: Ace-Tang <aceapril@126.com>
qemu upstream has x-ignore-shared that works similar
to our private bypass-shared-memory. We can use it to
implement the vm template feature.
Fixes: #1798
Depends-on: github.com/kata-containers/packaging#641
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Kata with virtio-fs fails to do memory hotplugging. This is caused by
the fact that hot plugged memory is always backed by
'memory-backend-ram' while virtio-fs expects it to be backed by file and
shared for it to be able to use the system the way it is intended. This
chnage allows using file based memory backend for virtio-fs, hugepages
or when the user prefers to use a file backed memory
Fixes: #1745
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
History: the previous version of kvm (unknown) and qemu-lite had an
issue using virtio 1.0 version when it came to device hotplug, which led
to the team to disable 1.0 version of virtio for hotplug (set
disable-modern=on). Please check
e99f6b2931
for further info.
We have since moved to QEMU4.0 and probably a later version of kvm as
default across all distros. This change is to move to virtio 1.0 for
hotplugging devices.
Fixes: #1870
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location setup by jailer in order for firecracker to access
these resouces. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not setup in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to lauch the VMM process, vs
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Thist patch adds the following,
1. ACRN only supports virtio-blk and so the rootfs for the VM
sits at /dev/vda. So to get the container rootfs increment the
globalIndex by 1.
2. ACRN doesn't hot-plug container rootfs (but uses blkrescan) to
update the container rootfs. So the agent can be provided the virtpath
rather than the PCIaddr avoiding unneccessary rescaning to find the
virthpath.
v1->v2:
Removed the workaround of incrementing index for
virtio-blk device and addressed it acrn.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch adds the following,
1. Implement Sandbox management APIs for ACRN.
2. Implement Sandbox operation APIs for ACRN.
3. Add support for hot-plugging virtio-blk based
(using blk rescan feature) container rootfs to ACRN.
4. Prime devices, image and kernel parameters for
launching VM using ACRN.
v2->v3:
Incrementing index to keep track of virtio-blk devices
created. This change removes the workaround introduced
in block.go.
v1->v2:
1. Created issue #1785 to address the UUID TODO item.
2. Removed dead code.
3. Fixed formatting of log messages.
4. Fixed year in copyright message.
5. Removed acrn_amd64.go file as there are no amd64 specific
changes. Moved the code to acrn_arch_base.go.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
This patch adds support for,
1. Extracting and configuring ACRN hypervisor from toml.
2. Add ACRN hypervisor ctl for controlling ACRN hypervisor.
This will be used for updating virtio-blk based
container rootfs using blk rescan feature.
v2->v3:
Fixed acrnctl path.
v1->v2:
Trimmed hypervisor config options as needed by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
Fixed `TestSandboxCreationFromConfigRollbackFromCreateSandbox` which
requires that the hypervisor does not exist. Unfortunately, it does
exist (as a fake test binary), but isn't executable meaning although the
test failed (since an error is expected), rather than the expected
`ENOENT` error, the test was logging a message similar to the following
since the fake hypervisor exists with non-executable permissions:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update the `TestQemuAddDeviceKataVSOCK` test so that it:
- Doesn't hard-code the file descriptor number.
- Cleans up after itself.
The latter issue was causing an odd error similar to the following in
the test output:
```
Unable to launch /tmp/vc-tmp-526112270/hypervisor: fork/exec /tmp/vc-tmp-526112270/hypervisor: permission denied
```
Partially fixes: #1835.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Kubernetes moved CRI document within the sig-node directory. Updating
README.md accordingly.
Fixes: #1837
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
With #1485, we moved the default medium empty-dir creation to the
sandbox rootfs. This worked for devicemapper, but in case of overlay
the "local" directory was being created outside the sandbox rootfs.
As a result we were seeing the behaviour seen in #1818.
Fixes#1818
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Update virtcontainer to use latest swagger definition.
Most changes are around mandatory parameters which need to be
passed in via pointers so that the absence of the same can be
detected (vs using default values).
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
