This commit checks the size of "/dev/shm" for the sandbox container
which is then used to create the shared memory inside the guest.
kata agent then uses this size to set up a sandbox level ephemeral
storage for shm. The containers then simply bind mount this sandbox level
shm.
With this, we will now be able to support docker --shm-size option
as well have a shared shm within containers in a pod, since they are
supposed to be in the same IPC namespace.
Fixes#356
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Pause and resume container functions allow us to just pause/resume a
specific container not all the sanbox, in that way different containers
can be paused or running in the same sanbox.
Signed-off-by: Julio Montes <julio.montes@intel.com>
k8s provides a configuration for sharing PID namespace
among containers. In case of crio and cri plugin, an infra
container is started first. All following containers are
supposed to share the pid namespace of this container.
In case a non-empty pid namespace path is provided for a container,
we check for the above condition while creating a container
and pass this out to the kata agent in the CreatContainer
request as SandboxPidNs flag. We clear out the PID namespaces
in the configuration passed to the kata agent.
Fixes#343
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Events cli display container events such as cpu,
memory, and IO usage statistics.
By now OOM notifications and intel RDT are not fully supproted.
Fixes: #186
Signed-off-by: Haomin <caihaomin@huawei.com>
A Unix domain socket is limited to 107 usable bytes on Linux. However,
not all code creating socket paths was checking for this limits.
Created a new `utils.BuildSocketPath()` function (with tests) to
encapsulate the logic and updated all code creating sockets to use it.
Fixes#268.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
Update command is used to update container's resources at run time.
All constraints are applied inside the VM to each container cgroup.
By now only CPU constraints are fully supported, vCPU are hot added
or removed depending of the new constraint.
fixes#189
Signed-off-by: Julio Montes <julio.montes@intel.com>
Fixes#50
This is done for decoupling device management part from other parts.
It seperate device.go to several dirs and files:
```
virtcontainers/device
├── api
│ └── interface.go
├── config
│ └── config.go
├── drivers
│ ├── block.go
│ ├── generic.go
│ ├── utils.go
│ ├── vfio.go
│ ├── vhost_user_blk.go
│ ├── vhost_user.go
│ ├── vhost_user_net.go
│ └── vhost_user_scsi.go
└── manager
├── manager.go
└── utils.go
```
* `api` contains interface definition of device management, so upper level caller
should import and use the interface, and lower level should implement the interface.
it's bridge to device drivers and callers.
* `config` contains structed exported data.
* `drivers` contains specific device drivers including block, vfio and vhost user
devices.
* `manager` exposes an external management package with a `DeviceManager`.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Store the PCI address of rootfs in case the rootfs is block
based and passed using virtio-block.
This helps up get rid of prdicting the device name inside the
container for the block device. The agent will determine the device
node name using the PCI address.
Fixes#266
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Store PCI address for a block device on hotplugging it via
virtio-blk. This address will be passed by kata agent in the
device "Id" field. The agent within the guest can then use this
to identify the PCI slot in the guest and create the device node
based on it.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
CI complains about cyclomatic complexity in sendReq.
warning: cyclomatic complexity 16 of function (*kataAgent).sendReq() is
high (> 15) (gocyclo)
Refactor it a bit to avoid such error. I'm not a big fan of the new code
but it is done so because golang does not support generics.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Currently we sometimes pass it as a pointer and other times not. As
a result, the view of sandbox across virtcontainers may not be the same
and it costs extra memory copy each time we pass it by value. Fix it
by ensuring sandbox is always passed by pointers.
Fixes: #262
Signed-off-by: Peng Tao <bergwolf@gmail.com>
It disconnects the agent connection and removes the sandbox
from global sandbox list.
A new option `LongLiveConn` is also added to kata
agent's configuration. When set, the API caller is expected
to call sandbox.Release() to drop the agent connection explicitly.
`proxyBuiltIn` is moved out of agent state because we can always
retrieve it from sandbox config instead.
Fixes: #217
Signed-off-by: Peng Tao <bergwolf@gmail.com>
processListContainer is called by the ps command implementation to
list the processes running inside a containers, this patch implements
this function in the kata agent
fixes#129
Signed-off-by: Julio Montes <julio.montes@intel.com>
When imported, the vc files carried in the 'full style' apache
license text, but the standard for kata is to use SPDX style.
Update the relevant files to SPDX.
Fixes: #227
Signed-off-by: Graham whaley <graham.whaley@intel.com>
Disable cpuset and cpumem constraints as this is not properly
supported yet.
If we add "cpuset_cpus" and "cpuset_mems" to the container.json,
kata-runtime failed to start, so we need to disable them.
Fixes: #221.
Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Communicate to the agent the number of vCPUs that were hot added,
allowing to the agent wait for the creation of all vCPUs.
fixes#90
Signed-off-by: Julio Montes <julio.montes@intel.com>
As agreed in [the kata containers API
design](https://github.com/kata-containers/documentation/blob/master/design/kata-api-design.md),
we need to rename pod notion to sandbox. The patch is a bit big but the
actual change is done through the script:
```
sed -i -e 's/pod/sandbox/g' -e 's/Pod/Sandbox/g' -e 's/POD/SB/g'
```
The only expections are `pod_sandbox` and `pod_container` annotations,
since we already pushed them to cri shims, we have to use them unchanged.
Fixes: #199
Signed-off-by: Peng Tao <bergwolf@gmail.com>
The runtime already hot added the number of vCPUs needed by each container,
in order to have a better control over those resources, CPU constraints
must be applied.
fixes#203
Signed-off-by: Julio Montes <julio.montes@intel.com>
Check if a volume passed to the container with -v is a block device
file, and if so pass the block device by hotplugging it to the VM
instead of passing this as a 9pfs volume. This would give us
better performance.
Add block device associated with a volume to the list of
container devices, so that it is detached with all other devices
when the container is stopped with detachDevices()
Fixes#137
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
When specified, it does not spawn a new process to proxy kata grpc
connections. Instead, the yamux multiplexing functionality is builtin
in the kata agent dialer.
Signed-off-by: Peng Tao <bergwolf@gmail.com>
The rollback does not work as expected because the error has to be
checked from the defer itself.
Fixes#178
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
In case the container creation fails, we need a proper rollback
regarding the mounts previously performed.
Fixes#135
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
The kata_agent.go code breaks after the first /dev/shm. But in case
several are defined, the agent will crash since other /dev/shm will
be wrongly configured in the OCI spec mounts.
Fixes#127
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
After hot adding vCPUs in the POD, agent's funtion `onlineCPUMem`
must be called to request the agent to online the vCPUs
fixes#67
Signed-off-by: Julio Montes <julio.montes@intel.com>
We ignore routes that have an ipv6 destination, since kata agent
does not have support for ipv6 currently. We should do the same
for default route that has an ipv6 gateway address. We need to
revisit this once we start adding support for ipv6.
Fixes#58
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This commit enables the support of virtio-scsi for block devices
used as root filesystem or as devices passed through the VM to be
used directly from the container.
Fixes#56
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
There is a shared directory shared through virtio-9p between the
host and guest OS. The version of the driver used matters as it
may improve a few things. In this case, using the specific version
9p2000.L does not result in any regression, and it fixes failures
related to symlinks being passed through 9p.
Fixes#56
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit factorizes the code appending devices to the device list
provided to the Kata agent, in order to reduce the complexity of the
function createContainer().
Fixes#56
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
The Kata agent has been reworked regarding Storage and Device
structures recently. It now expect that Storage is going to be
used for both volumes/mounts and rootfs, while Device will be
exclusive to devices passed through the VM that should appear
inside the container.
This commit implements this new way of handling volumes and
devices.
Fixes#56
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Some virtcontainers pieces of code are importing virtcontainers
packages. We need to change those paths to point at
kata-containers/runtime/virtcontainers
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
