A `BlockDrive` can be used as a pmem device, since both are similar and
can be mounted in the same way in the guest. The `Pmem` attribute helps kata
to identify a pmem device and how it has to be hotplugged in the guest.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Implement a function to get the pmem `DeviceInfo` from a volume.
`PmemDeviceInfo` returns a new `DeviceInfo` object if a volume has a loop device
as backend and the backing file for such a loop device contains the PFN signature
needed to enable DAX in the guest.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Implement a function to get the backing file from a loop device.
The backing file can be used as the backend file for an NVDIMM device in the guest.
Signed-off-by: Julio Montes <julio.montes@intel.com>
`GetDevicePathAndFsType` is a function to get the path and filesystem type
of a mount point from `/proc/mounts`.
Move `GetDevicePathAndFsType` to utils_linux since it's Linux specific,
and that way it can be used in other subpackages.
Signed-off-by: Julio Montes <julio.montes@intel.com>
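As an added illustration of what `GetDevicePathAndFsType` does (example code, not the kata-containers implementation): the function below takes the text of `/proc/mounts` as a string instead of reading the file, so it runs against a constructed sample, and it also decodes the kernel's octal escapes so that mount points containing spaces are matched correctly. The names `devicePathAndFsType`, `unescapeMountField` and `procMountsSample` are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// procMountsSample is constructed input in /proc/mounts format, not from a
// real host; the last mount point contains an octal-escaped space (\040).
const procMountsSample = `/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /run/vc tmpfs rw,nosuid,nodev,noexec,relatime,size=4096k 0 0
/dev/loop3 /var/lib/kata/pmem\040vol ext4 rw,relatime,dax 0 0
`

// unescapeMountField decodes the \ooo octal escapes the kernel uses in
// /proc/mounts for space, tab, newline and backslash.
func unescapeMountField(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// devicePathAndFsType returns the backing device and filesystem type of
// mountPoint from /proc/mounts-formatted text. If the same mount point
// appears more than once, the last (topmost) entry wins, as with mount(8).
func devicePathAndFsType(mounts, mountPoint string) (dev, fsType string, err error) {
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && unescapeMountField(f[1]) == mountPoint {
			dev, fsType = unescapeMountField(f[0]), f[2]
		}
	}
	if dev == "" {
		return "", "", fmt.Errorf("mount point %q not found", mountPoint)
	}
	return dev, fsType, nil
}
```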
The default chrootBaseDir "/run/vc" in many distributions is mounted
with the `noexec` flag, which brings a 'permission denied' error
when running kata-containers with jailer.
Therefore, we decided to remount the jailerRoot dir with exec when setting
up a new firecracker sandbox and umount it when cleaning up.
Fixes: #2511
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Originally, we forcefully set any bind-mount with the `private` propagation
type, and that is not applicable to all scenarios, e.g. we need to provide
the `slave` or `shared` propagation type for bind-mounts when setting up the jail
house.
Here, we add another parameter `pgtype` in func bindMount for providing
customized propagation parameters.
Fixes: #2511
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Our CLH driver in kata defines its own constant variable 'maxClhVcpus',
which can conflict with the maximum number of vCPUs specified in the
kata configuration file 'clh.config.DefaultMaxVCPUs'. As the value from the
kata configuration file is preferred anyway and the code on 'maxClhVcpus'
is not being used, we'd better remove it for better readability and
to avoid further confusion.
Fixes: #2528
Signed-off-by: Bo Chen <chen.bo@intel.com>
Kata-runtime can append a vhost-user-blk device to the
device list of a container, and handle volumes that are
block devices of VhostUserBlk type.
The vhost-user-blk device will be identified by its
PCI address by Kata-agent inside the VM.
Fixes: #2380
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Reserved Linux device numbers 241 and 242
are used to identify vhost-user-blk and vhost-user-scsi
devices.
For example, after the command:
```
mknod <Vhost-User-Dir>/block/devices/vhost-dev0 b 241 0
```
this node will be recognized as a vhost-user-blk device.
Fixes: #2380
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Two parameters are set in the toml file:
1. Set "enable_vhost_user_store = true" to indicate
that the vhost-user storage device feature is enabled.
2. Set "vhost_user_store_path = <Vhost-User-Dir>".
vhost-user socket files will be under
"<Vhost-User-Dir>/block/sockets/", and device nodes
for vhost-user devices will be under
"<Vhost-User-Dir>/block/devices/".
The default value of "vhost_user_store_path" is
"/var/run/kata-containers/vhost-user/".
Fixes: #2380
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Set rootfstype=ext4 so that the kernel does not print errors like:
```
Mount option "data=ordered" incompatible with ext2
```
Depends-on: github.com/kata-containers/tests#2377
Fixes: #2524
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
This adds the `agent.container_pipe_size` annotation which allows
configuration of the size of the pipes for stdout/stderr for containers
inside the guest.
Fixes: #2467
Signed-off-by: Alex Price <aprice@atlassian.com>
Remove the rootfs bind dest and finally remove the created share
directory when stopping the container.
Fixes: #2516
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
With the HTTP API 'vm.resize()', CPU hotplug with CLH is much simpler
compared with QEMU. This is because we don't need to distinguish adding from
removing CPUs.
Fixes: #2495
Depends-on: github.com/kata-containers/packaging#968
Depends-on: github.com/kata-containers/tests#2364
Signed-off-by: Bo Chen <chen.bo@intel.com>
The 'apiSocket' member in the CloudHypervisorState struct needs to be kept
across different executions of kata-runtime with persisted HypervisorState, so
that kata-runtime can talk with the same running cloud-hypervisor through
HTTP/REST API calls.
Fixes: #2506
Signed-off-by: Bo Chen <chen.bo@intel.com>
This allows reusing detached block indexes and ensures that the
index will not reach the device limit (such as `maxSCSIDevices`)
after restarting containers many times in one pod.
Fixes: #2007
Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>
For one thing, we should not make kata's internal device type
exactly match govmm's string by string.
For another, the latest govmm changes the device driver strings
and it breaks kata in such a way, but the fault is on kata's side IMHO.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The cgroup manager is in charge of creating and setting up cgroups for
virtual containers; for example, it adds /dev/kvm and
/dev/vhost-net to the list of cgroup devices in order to have
virtual containers working.
Fixes: #2438
Fixes: #2419
Signed-off-by: Julio Montes <julio.montes@intel.com>
virtcontainers/pkg/cgroups contains the functions and structures needed to deal
with cgroups and virtual containers.
Signed-off-by: Julio Montes <julio.montes@intel.com>
We leverage the new openAPI knobs from CLH to set the disk image read-only,
and we also pass a kernel cmdline option to set the guest root filesystem read-only.
Signed-off-by: Bo Chen <chen.bo@intel.com>
Use CLH branch stable/v0.5.x, and also re-generate the openAPI client
code with the new 'cloud-hypervisor.yaml'.
Fixes: #2488
Signed-off-by: Bo Chen <chen.bo@intel.com>
A malicious user can trick us with a crafted container
rootfs symlink and make the runtime umount other mountpoints.
Make sure we do not walk through symlinks when umounting.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
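An added example, not the runtime's own code, of the check the commit above describes: every path component of the unmount target below the share base directory is inspected with `Lstat`, which does not follow links, so a symlink anywhere in the path is rejected before any unmount is attempted. The names `rejectSymlinks` and `safeUnmount`, and the callback standing in for the real unmount, are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlinkInPath marks a target rejected because a path component is a symlink.
var ErrSymlinkInPath = errors.New("path contains a symlink")

// rejectSymlinks checks every component of target below base with Lstat
// (which does not follow links) and fails on the first symlink, or if
// target is not below base at all. base itself is trusted and not checked.
func rejectSymlinks(base, target string) error {
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return fmt.Errorf("%s is not below %s", target, base)
	}
	cur := base
	for _, comp := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur)
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlinkInPath, cur)
		}
	}
	return nil
}

// safeUnmount gates an unmount on rejectSymlinks. The unmount itself is a
// callback so the example runs without root; a runtime would pass a thin
// wrapper around unmount(2) here.
func safeUnmount(base, target string, unmount func(string) error) error {
	if err := rejectSymlinks(base, target); err != nil {
		return err
	}
	return unmount(target)
}
```

The lstat walk and the unmount are not one atomic step, so the check narrows the window rather than closing it; it only holds if the directories being walked cannot be modified concurrently by the container user.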
cloud-hypervisor uses `hybrid vsocks`, so there is no need to find a
context ID.
Fixes: #2481
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
By default virtcontainer auto-detects whether the current process is running
rootless or not, but this behavior can be changed from the command line with the
--rootless option.
Fixes: #2417
Signed-off-by: Julio Montes <julio.montes@intel.com>
GetDriver returns a new PersistDriver according to current needs: a mock fs
driver is returned when mockTesting is enabled, a rootless fs driver is returned when
rootless is detected, and otherwise a fs driver is used.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Mock FS driver can be used in unit testing to allow
Mock fs driver inherits from FS and may overwrite its methods. All files
and directories created by this driver are under a path accessible to all
users; this path is created under the system temporary directory.
Signed-off-by: Julio Montes <julio.montes@intel.com>