rootless is used in katautils, cli and virtcontainers. It makes more sense
if it's part of virtcontainer, this way virtcontainers won't depend on other
runtime subpackages
Signed-off-by: Julio Montes <julio.montes@intel.com>
- add pcie-root-port device to qemu command line for q35
- hotplug a PCIe device into a PCIe Root Port
Fixes: #2432
Signed-off-by: Jimmy Xu <junming.xjm@antfin.com>
Recently, ARM CI frequently failed on the following golint error:
Error: pkg/rootless/rootless.go:57:2: comment on exported var
`IsRootless` should be of the form `IsRootless ...` (golint)
Fixes: #2434
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
libcontainer already has an API to detect if the runtime is running rootless.
Use libcontainer API instead of reinventing the wheel.
fixes#2415
Signed-off-by: Julio Montes <julio.montes@intel.com>
This commit adds qemu virtio-mem support.
Then qemu can use virtio-mem support memory resize.
To enable this function, need the Linux and the qemu that support
virtio-mem.
Use command "echo 1 > /proc/sys/vm/overcommit_memory" to enable memory
overcommitment of the Linux kernel. Because qemu virtio-mem device need
to allocate a lot of memory.
Set "enable_virtio_mem" of kata configuration to true.
Fixes: #2406
Signed-off-by: Hui Zhu <teawater@antfin.com>
To control whether an image rootfs is used as nvdimm device or just
plain virtio-block device.
Fixes: #2372
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
When kata-runtime was invoked as rootless by podman with
net=none, an empty net namespace path is provided.
kata-runtime was then trying to create a new network namespace
and bind-mounting it under /var/run/netns, resulting in a permission error.
Instead, with this commit, the runtime checks if it is
running rootless and instead creates network namespace bind mount
under rootless directory instead.
Fixes#2319
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
If no virtioFsCache type set in configuration file, virtiofsd will
not starts, which makes kata-container start fail if virtio-fs
as its shared file system.
Fixes: #2279
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
vhost-net backend is not supported by the Firecracker VMM. It doesn't
make sense to have this in the configuration, and we should explicitly
disable it.
Fixes: #2192
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
FIPS are a set of security standards for encryption algorithms
in user and kernel space among others.
Have Kata support this by starting the VM for a container
in FIPS mode on detecting that the host is running in FIPS mode.
Depends-on: github.com/kata-containers/packaging#788
Fixes#2170
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Introduce a constant for minimum memory requirement
in virtcontainers package, that can be used in config.
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Before using the default ctrsMapTrePath, check whether the runtime
is being ran rootlessly, and if so set the ctrsMapTreePath to the
rootlessRuntimeDir configured by the libpod rootless library.
Fixes: #1827
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Add the ability to check whether kata is running rootlessly or
not. Add the setup of the rootless directory located in the dir
/run/user/<UID> directory.
Fixes: #1874
Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
Co-developed-by: Marco Vedovati <mvedovati@suse.com>
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Fixes: #2023
We can get OCI spec config from bundle instead of annotations, so this
field isn't necessary.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
Fixes: #2023
CompatOCISpec is used to gurantee backward compatbility for old runtime
specs, after we convert CompatOCISpec to standard specs.Spec, we should
use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be
useless from then.
Spread usage of CompatOCISpec can make code structure confusing and making
the runtime spec usage non-standard. Besides, this can be the very first
step of removing CompatOCISpec from config's Annotations field.
Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>
add option to eneable only pod cgroup (SandboxCgroupOnly)
Depends-on: github.com/kata-containers/tests#1824
Fixes: #1879
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
Refactor unit test so that podman can be used to run tests when docker
is not available.
Fixes: #2006
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Since virtio-fs is under active development, more
options will be added increasingly. To avaoid frequent
change on runtime side to handle option changes, use
one mingled arg to ease testing new option/feature of
virtiofsd.
See `virtiofsd -h` for more option details.
Fixes: #1999
Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>
The list of kernel modules can be passed to the runtime through the
configuration file or using OCI annotations. In both cases, a list paramentes
can be specified for each module.
fixes#1925
Signed-off-by: Julio Montes <julio.montes@intel.com>
Currently kata sets the init process to systemd even when it isn't installed,
the criteria to determinate whether systemd is used as init or not
is very odd, since kata only checks whether the `image` option is set in the
configuration file, unfortunately not all images have systemd installed.
Instead kata should rely on the guest kernel and `osbuilder` to use the right
init process. `osbuilder` creates a symbolic link to `systemd` or `kata-agent`
depending on the `AGENT_INIT` environment variable.
fixes#1937
Signed-off-by: Julio Montes <julio.montes@intel.com>
It is not really recommended to have nested vendor directories.
dep does not work well with nested directories:
https://github.com/golang/dep/issues/985
Recommendation is to use flatten the vendor directories.
Hence remove any nested vendor directories.
Fixes#1909
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Add jailer support to configuration files.
Also enable jailer by default in Kata containers.
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
Firecracker provides a jailer to constrain the VMM. Use this
jailer to launch the firecracker VMM instead of launching it
directly from the kata-runtime.
The jailer will ensure that the firecracker VMM will run
in its own network and mount namespace. All assets required
by the VMM have to be present within these namespaces.
The assets need to be copied or bind mounted into the chroot
location setup by jailer in order for firecracker to access
these resouces. This includes files, device nodes and all
other assets.
Jailer automatically sets up the jail to have access to
kvm and vhost-vsock.
If a jailer is not available (i.e. not setup in the toml)
for a given hypervisor the runtime will act as the jailer.
Also enhance the hypervisor interface and unit tests to
include the network namespace. This allows the hypervisor
to choose how and where to lauch the VMM process, vs
virtcontainers directly launching the VMM process.
Fixes: #1129
Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
This patch adds support for,
1. Extracting and configuring ACRN hypervisor from toml.
2. Add ACRN hypervisor ctl for controlling ACRN hypervisor.
This will be used for updating virtio-blk based
container rootfs using blk rescan feature.
v2->v3:
Fixed acrnctl path.
v1->v2:
Trimmed hypervisor config options as needed by ACRN.
Fixes: #1778
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
Add a log message for every trace span created, required by the tracing
tests to validate tracing is working.
Fixes: #1814.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
detail how kata work with libnetwork
1. kata create a new netns
2. with EnterNS, kata change netns to the created one.
3. in pre-start hook, kata will re-exec libnetwork process
libnetwork-setkey, and send self pid to it. libnetwork use
/proc/pid/ns/net to find the netns kata use, and set veth into the netns.
v1/v2 shim use the same way to create network, v1 can successful
because EnterNS changed both current thread and main thread's netns.
But use v2 shim, only changed current thread netns, main thread still
use host netns, so it fails. Looks like v1 just lucky to be successful.
In kata, `state.Pid` should be tid.
Fixes: #1788
Signed-off-by: Ace-Tang <aceapril@126.com>
As virtio v1.1 spec states:
The guest_cid configuration field MUST be fetched to determine the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Existing connections MUST be shut down when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Listen connections MUST remain operational with the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
We should be able to use vm templating together with vsock easily, as
qemu already sends VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event to guest.
Fixes: #1773
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
A file based memory backend mapped to the host, fot eg: '/dev/shm' will
be used by virtio-fs for performance reasons. This change is a generic
implementation of that for kata. This will be enabled default for
virtio-fs negating the need to enable hugepages in that scenario. This
option can be used without virtio-fs by setting 'file_mem_backend' to
the location in the configuration file. Default value is an empty
string.
Fixes: #1656
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
