The cgroup_parent path is expected to be absolute path,
add an '/' prefix to the passed cgroup_parent path to make
sure it's an absolute path.
Fixes: #336
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
Sometimes runtime will fail in onlining CPU process,
because when the runtime calls to QMP
`device_add`, QEMU doesn't allocate all vCPUs inmediatelly.
Fixes: #665
Signed-off-by: bin liu <bin@hyper.sh>
The linux kernel feature RANDOMIZE_BASE improved the security and at
the same time increased the memory footprint of a kata container,
this feature was enabled in kata-containers/packaging#1006.
In order to mitigate this increase in memory consumption, we can
boot container using the uncompressed kernel.
Reduce boot time by ~5%
Reduce KSM memory footprint by ~14%
Reduce noKSM memory footprint by ~27%
fixes#669
Signed-off-by: Julio Montes <julio.montes@intel.com>
`rustjail::erros` was removed in a previous commit, hence some external crates
like `error_chain` are no longger required, update Cargo.toml and Cargo.lock
to reflect these changes.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Don't use `rustjail::errors` for error handling, since it's not
thread safe and there are better alternatives like `anyhow`.
`anyhow` attaches context to help the person troubleshooting
the error understand where things went wrong, for example:
Current error messages:
```
No such file or directory (os error 2)
```
With `anyhow`:
```
Error: Failed to read config.json
Caused by:
No such file or directory (os error 2)
```
fixes#641
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications
Signed-off-by: Julio Montes <julio.montes@intel.com>
Use `.to_string` to wrap up `caps::errors::Error`s since they are not
thread safe, otherwise `cargo build` will fail with the following error:
```
doesn't satisfy `caps::errors::Error: std::marker::Sync`
```
Signed-off-by: Julio Montes <julio.montes@intel.com>
Return `anyhow::Result` from all the functions in this directory.
Add function `io_error_kind_eq` to compare an `anyhow::Error` with an
`io::Error`, this function downcast the `anyhow::Error`.
Signed-off-by: Julio Montes <julio.montes@intel.com>
anyhow provides `anyhow::Error`, a trait object based error type for
easy idiomatic error handling in Rust applications.
Signed-off-by: Julio Montes <julio.montes@intel.com>
I noticed the spelling mistake while reviewing another change and
doing a "grep" for "privilege" that turned up nothing.
Fixes: #671
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Currently, isPCIeDevice() attempts to determine if a (host) device is
PCI-Express capable by looking up its link speed via the PCI slots
information in sysfs. This is a) complicated and b) wrong. PCI-e
devices don't have to have slots information, so this frequently fails.
Instead determine if devices are PCI-e by checking for the presence of
PCIe extended configuration space by looking at the size of the "config"
file in sysfs.
Forward ported from 6bf93b23 in the Kata 1.x runtime repository.
Fixes: #611
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Add guide on how to pass a VFIO-AP device, such as Crypto Express cards
on IBM Z mainframes, to a Kata container. Like the documentation for
VFIO-PCI, this was put in the virtcontainers README.
Fixes: #658
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Recognise when a device to be hot-plugged is an IBM Adjunct Processor
(AP) device and execute VFIO AP hot-plug accordingly. Includes unittest
for recognising and uses CCW for addDeviceToBridge in hotplugVFIODevice
if appropriate.
Fixes: #491
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
Co-authored-by: Julio Montes <julio.montes@intel.com>
Reviewed-by: Alice Frosi <afrosi@redhat.com>
Since we always build musl kata-agent, there is no need to build
it inside a musl container. We can just build on the host and then
copy the binary to the target rootfs.
There are still a lot to clean up and it should be made so for ALL
target distros instead of just alpine. But this is at least working
for alpine first.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Anyone can collaborate in the Kata Containers project, so instead of
adding her/his name and email to the Cargo.toml files, use
`The Kata Containers community` as name and
`kata-dev@lists.katacontainers.io` as email.
fixes#643
Signed-off-by: Julio Montes <julio.montes@intel.com>
For ephemeral storage handler, it should return an
empty string instead of the mount destination.
Fixes: #635
Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
for s390x virtio devices
Add iommu_platform annotations for qemu for ccw,
other supported devices can also make use of that.
Fixes#603
Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
We kept observing instabilities from CLH CI jobs periodically (kata
1.x). To separate the random failures caused by `seccomp` from other
failures, this patch disables the 'seccomp' option from clh in kata for
now. We will bring this option back after completing the 'seccomp'
filter lists based on Kata's CI workload. Details are tracked in the
following two issues:
https://github.com/kata-containers/runtime/issues/2899 and
https://github.com/kata-containers/runtime/issues/2901
We are facing the similar challenge to stabilize CI jobs related to
cloud-hypervisor in Kata 2.0. We are disabling the `seccomp` option here
for the same reason. Related issue:
https://github.com/kata-containers/tests/issues/2813Fixes: #614
Signed-off-by: Bo Chen <chen.bo@intel.com>
Allow the default (VSOCK) ttRPC server address to be changed using a new
`KATA_AGENT_SERVER_ADDR` environment variable (for testing and
debugging).
Fixes: #552.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Scan guest hooks upon creating new sandbox and append
them to guest OCI spec before running containers.
Fixes: #485
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
This is a re-vendor of intel/govmm, with support for hot-plugging IBM
Adjunct Processor (AP) devices over VFIO. This is necessary for
enabling AP device pass-through in Kata (see #491).
39c372a Add support for hot-plugging IBM VFIO-AP devices
f5bdd53 travis: disable amd64 jobs
1af1c0d github: enable github actions
4831c6e travis: Run coveralls after success
cf0f05d qemu: add iommu_platform knob for qemuParams
175ac49 typo fix
Fixes: #565
Signed-off-by: Jakob-Naucke <jakob.naucke@ibm.com>
When a one-shot pod dies in CRI-O, the shimv2 process isn't killed until
the pod is actually deleted, even though the VM is shut down. In this
case, the shim appears to busyloop when attempting to talk to the (now
dead) agent via VSOCK. To address this, we disconnect from the agent
after the VM is shut down.
This is especially catastrophic for one-shot pods that may persist for
hours or days, but it also applies to any shimv2 pod where Kata is
configured to use VSOCK for communication.
See github.com/kata-containers/runtime#2719 for details.
Fixes#2719
Signed-off-by: Evan Foster <efoster@adobe.com>
