`rustjail::erros` was removed in a previous commit, hence some external crates
like `error_chain` are no longger required, update Cargo.toml and Cargo.lock
to reflect these changes.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't use `rustjail::errors` for error handling, since it's not
thread safe and there are better alternatives like `anyhow`.
`anyhow` attaches context to help the person troubleshooting
the error understand where things went wrong, for example:
Current error messages:
```
No such file or directory (os error 2)
```
With `anyhow`:
```
Error: Failed to read config.json
Caused by:
No such file or directory (os error 2)
```
fixes#641
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use `.to_string` to wrap up `caps::errors::Error`s since they are not
thread safe, otherwise `cargo build` will fail with the following error:
```
doesn't satisfy `caps::errors::Error: std::marker::Sync`
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
Return `anyhow::Result` from all the functions in this directory.
Add function `io_error_kind_eq` to compare an `anyhow::Error` with an
`io::Error`, this function downcast the `anyhow::Error`.
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications.
Signed-off-by: Julio Montes <julio.montes@intel.com>
I noticed the spelling mistake while reviewing another change and
doing a "grep" for "privilege" that turned up nothing.
Fixes: #671
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Anyone can collaborate in the Kata Containers project, so instead of
adding her/his name and email to the Cargo.toml files, use
`The Kata Containers community` as name and
`kata-dev@lists.katacontainers.io` as email.
fixes#643
Signed-off-by: Julio Montes <julio.montes@intel.com>
For ephemeral storage handler, it should return an
empty string instead of the mount destination.
Fixes: #635
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Allow the default (VSOCK) ttRPC server address to be changed using a new
`KATA_AGENT_SERVER_ADDR` environment variable (for testing and
debugging).
Fixes: #552.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Scan guest hooks upon creating new sandbox and append
them to guest OCI spec before running containers.
Fixes: #485
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The logic for the debug console meant that if the debug console was
_disabled_, the agent was guaranteed to crash on function exit due to
the unsafe code block. Fixed by simplifying the code to use the standard
`Option` idiom for optional values.
Fixes: #554.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Don't create a thread to wait for the ttRPC server to end - it isn't
required as the operation should be blocked on.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Print a simple version string rather than delaying the output
to display a structured version string. The structured output
is potentially more useful but:
- This output is not consistent with other components.
- Delaying the output makes `--version` unusable in some
environments (since a lot of setup is called before the
version string can be output).
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
When creating a container process/exec process, it should set the
"HOME" env for this process by getting from /etc/passwd.
Fixes: #498
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
When do bind mount for container's volumes, the propagation
flags should be mount/set after bind mount.
Fixes: #530
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
For docker in docker scenario, the nested container created
has entry "b *:* m" in the list of devices it is allowed to access
under /sys/fs/cgroup/devices/docker/{ctrid}/devices.list.
This entry was causing issues while starting a nested container
as we were denying "m" access to the rootfs block devices.
With this change we add back "m" access, the container would be
allowed to create a device node for the rootfs device but will
not have read-write access to the created device node.
This fixes the docker in docker use case while still making sure
the container is not allowed read/write access to the rootfs.
Note, this could also be fixed by simply skipping {"Type : "b"}
while creating the device cgroup with libcontainer.
But this seems to be undocumented behaviour at this point,
hence refrained from taking this approach.
Fixes#426
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add support shareProcessNamespace.
BTW, this commit only support shared pid namespace by
sharing the infrastructure pause container's pid namespace
with other containers, instead of creating a new pid
namespace different from pause container.
Fixes: #342
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
