The uuid file shouldn't be created at `/var` if running rootless.
Modify `VMUUIDStoragePath` to get a path accessible for non-root users
if running rootless.
Fixes: #2133
Signed-off-by: Julio Montes <julio.montes@intel.com>
Mount points, like `resolv.conf` and `hostname`, are left in the
host when the cgroup creation fails.
Use `unmountHostMounts()` and `bindUnmountContainerRootfs()` in the rollback
function that is called when container's creation fails.
Fixes: #2108
Signed-off-by: Julio Montes <julio.montes@intel.com>
The domain name should be used as prefix for the annotations, for
kata containers the domain name is katacontainers.io, not kata-containers.io
Fixes: #2123
Signed-off-by: Julio Montes <julio.montes@intel.com>
Refactor so that all code to load state, devices, network
takes place in one place. This is in line with the experimental api
for new storage that also loads all the necessary items here all at once.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
The hypervisor.createSandbox may need to access the state.
For example, ACRN today needs to access the block index to assign
it to the root image of the VM. Hence load this early on.
Fixes#2026
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
We have some issues trying to run `apt upgrade` on
a container that uses virtiofsd with `-o posix_lock`.
Add virtiofsd `-o no_posix_lock` argument to not use the
posix lock.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
In firecracker, there is no socket connected to /dev/console, so let's
use a vsock port to get agent's logs
Depends-on: github.com/kata-containers/shim#210
Fixes: #2103
Signed-off-by: Julio Montes <julio.montes@intel.com>
Log to syslog instead of stderr. This way all Kata and virtiofsd logs
are captured in syslog (or the systemd journal). This makes debugging
much easier.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The new --fd=FDNUM file descriptor passing option eliminates the need to
wait for virtiofsd to create the vhost-user UNIX domain socket. This is
a nice simplification because we can remove the timeouts and stderr
parsing. There is no longer a race between launching virtiofsd and
launching QEMU, so we don't need to wait anymore.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
virtio-fs changed the mount command-line. Previously "mount none -o
tag=kataShared ..." was used. Now "mount kataShared ..." is used
instead.
Since the "kataShared" tag is used for both 9P and virtio-fs, rename the
variable so that it is not 9P-specific.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: #1993
For security reasons, let's make sure 'others' don't have access to the
firecracker hybrid vsock
Fixes: #2101
Signed-off-by: Julio Montes <julio.montes@intel.com>
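
The commit above restricts the permissions of the firecracker hybrid vsock. As an added example that is not kata-containers code, the Go program below shows the pattern it describes: create the host-side UNIX domain socket inside a 0700 directory, tighten the socket itself to 0600, and verify afterwards that no group or "others" bits remain. The directory and socket name are constructed for the example; kata's real socket layout is not used.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// listenPrivateUnixSocket creates a UNIX domain socket that only its owner
// can reach. The parent directory is created 0700 first, so even during the
// short window between Listen and Chmod nothing outside the owner can
// traverse to the socket.
func listenPrivateUnixSocket(dir, name string) (net.Listener, string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, "", err
	}
	// MkdirAll leaves the mode of a pre-existing directory alone, so
	// enforce it explicitly (Chmod is not subject to the umask).
	if err := os.Chmod(dir, 0o700); err != nil {
		return nil, "", err
	}
	path := filepath.Join(dir, name)
	// A stale socket file from an earlier run would make Listen fail.
	_ = os.Remove(path)
	l, err := net.Listen("unix", path)
	if err != nil {
		return nil, "", err
	}
	// The socket inherits 0777 & ^umask; drop everything but owner rw.
	if err := os.Chmod(path, 0o600); err != nil {
		l.Close()
		return nil, "", err
	}
	return l, path, nil
}

// checkNoOtherAccess returns an error if group or others hold any
// permission bit on path (works for sockets, files and directories).
func checkNoOtherAccess(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s is accessible to group/others: mode %04o", path, perm)
	}
	return nil
}

// socketIsPrivate creates the socket and reports whether both the socket
// and its directory pass checkNoOtherAccess.
func socketIsPrivate(dir, name string) (bool, error) {
	l, path, err := listenPrivateUnixSocket(dir, name)
	if err != nil {
		return false, err
	}
	defer l.Close()
	if err := checkNoOtherAccess(path); err != nil {
		return false, nil
	}
	if err := checkNoOtherAccess(dir); err != nil {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed location: a throwaway temp directory, not kata's path.
	dir, err := os.MkdirTemp("", "hvsock-example")
	if err != nil {
		fmt.Println("mkdtemp:", err)
		return
	}
	defer os.RemoveAll(dir)
	ok, err := socketIsPrivate(dir, "example.hvsock") // constructed name
	fmt.Printf("socket private: %v, err: %v\n", ok, err)
}
```

Checking the directory as well as the socket matters: a 0600 socket inside a world-traversable directory is still discoverable, and a reconnecting client only needs write permission on the socket node, so both levels are verified.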
Introduce a constant for minimum memory requirement
in virtcontainers package, that can be used in config.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add support for annotations that allow us to customise a subset
of the configurations provided in kata conf toml file.
This initial commit adds support for customising vcpus, default max
vcpus, memory and the kernel command line passed as Hypervisor
config.
Replaces: #1695
Fixes: #1655
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
These annotations were missing from the list of what are
considered as assets. Add these to existing list.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Change the naming schema for existing annotations from
"com.github.containers.virtcontainers" to "io.kata-containers"
The hypervisor related annotations are changed to reflect this.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Unmount and unassign block device when it's required, that way the disk
can be unmounted and destroyed in the host.
Fixes: #1966
Signed-off-by: Julio Montes <julio.montes@intel.com>
Creating a raw file and bind mounting it to use it as a disk is not needed;
instead the raw file can be created at the jail path and used directly
as a disk. If a new container is added, the real disk/device can be bind mounted
on the raw file.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Move device operations to a more generic place where they can be used
in any hypervisor implementation.
Signed-off-by: Julio Montes <julio.montes@intel.com>
The tuntap network device is for tuntap interfaces to connect
to the container. A specific use case is the slirp4netns tap
interface for rootless kata-runtime.
Fixes: #1878
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
rootless execution does not yet support cgroups, so if running
rootlessly skip the cgroup creation and deletion.
Fixes: #1877
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Modify some path variables to be functions that return the path
with the rootless directory prefix if running rootlessly.
Fixes: #1827
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
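
Two commits on this page deal with the same problem: the `VMUUIDStoragePath` change that keeps the uuid file out of `/var` when rootless, and the commit above that turns path variables into functions returning a rootless-prefixed path. As an added example, not kata-containers code, the Go program below shows that pattern in one place: a resolver that keeps the system-wide state directory for root and relocates the same layout under the user's runtime directory (`XDG_RUNTIME_DIR`, falling back to `/run/user/<uid>`) when rootless, plus a probe that checks the chosen directory is actually writable before any state is persisted. The base directory `/run/vc` and the file name `uuid.json` are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// defaultStateDir is an assumed system-wide state directory, only writable
// by root. Kata's real layout is not reproduced here.
const defaultStateDir = "/run/vc"

// rootlessRuntimeDir returns the per-user runtime directory: XDG_RUNTIME_DIR
// when set, otherwise /run/user/<uid>, which systemd-logind creates for
// logged-in users. env is passed in rather than read from os.Environ so the
// function is deterministic and testable.
func rootlessRuntimeDir(env map[string]string, uid int) string {
	if d := env["XDG_RUNTIME_DIR"]; d != "" {
		return d
	}
	return filepath.Join("/run/user", strconv.Itoa(uid))
}

// statePath resolves a state file for the current execution mode. Root keeps
// the system-wide location; a rootless runtime gets the identical relative
// layout placed under runtimeDir, where the unprivileged user can write.
func statePath(rootless bool, runtimeDir, rel string) string {
	if !rootless {
		return filepath.Join(defaultStateDir, rel)
	}
	return filepath.Join(runtimeDir, defaultStateDir, rel)
}

// ensureWritable creates the parent directory (0700: per-user state should
// not be readable by other users) and proves a file can be created in it,
// so a permission problem surfaces here instead of deep inside VM setup.
func ensureWritable(path string) error {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return fmt.Errorf("cannot create %s: %w", dir, err)
	}
	f, err := os.CreateTemp(dir, ".probe-*")
	if err != nil {
		return fmt.Errorf("%s is not writable: %w", dir, err)
	}
	name := f.Name()
	f.Close()
	return os.Remove(name)
}

func main() {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := splitEnv(kv); ok {
			env[k] = v
		}
	}
	rootless := os.Geteuid() != 0
	runtimeDir := rootlessRuntimeDir(env, os.Geteuid())
	// Constructed file name used only for this example.
	p := statePath(rootless, runtimeDir, "uuid.json")
	fmt.Printf("rootless=%v state file: %s\n", rootless, p)
	if err := ensureWritable(p); err != nil {
		fmt.Println("storage location unusable:", err)
	}
}

// splitEnv splits "KEY=VALUE" at the first '='.
func splitEnv(kv string) (string, string, bool) {
	for i := 0; i < len(kv); i++ {
		if kv[i] == '=' {
			return kv[:i], kv[i+1:], true
		}
	}
	return "", "", false
}
```

Keeping the relative layout identical in both modes means every other path in the runtime can be derived by the same function, which is what turning the variables into functions buys: one decision point for rootless versus root, rather than a scattered set of hard-coded prefixes.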
Do not add the "nvdimm" machine option to QEMU when the config specifies
an initrd file.
For arm64, this allows using a vanilla QEMU, where "virt" machine does
not support the "nvdimm" option.
Fixes: #2088
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
This patch adds support for getting the kata UUID from
acrn hypervisor and using this UUID to create a VM.
Fixes: #1785
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
When 'debug' is enabled, qemu's debug info is output
into qemu's log file. When launching qemu fails, it's
better to log this debug info and return it directly
for debugging.
Fixes: #2042
Signed-off-by: lifupan <lifupan@gmail.com>
Kata supports several hypervisors and not all hypervisors support the
same type of sockets; for example QEMU supports vsock and unix sockets, while
firecracker only supports hybrid vsocks, hence socket generation should be
hypervisor specific.
Fixes: #2027
Signed-off-by: Julio Montes <julio.montes@intel.com>