mirror of
https://github.com/aljazceru/kata-containers.git
synced 2026-01-18 13:54:29 +01:00
4510aeaa91
Note: only for online-kbs configuration Fixes #5782 Signed-off-by: Jim Cadden <jcadden@ibm.com>
346 lines
16 KiB
Go
346 lines
16 KiB
Go
// Copyright (c) 2017 Intel Corporation
|
|
//
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
//
|
|
|
|
package annotations
|
|
|
|
const (
|
|
kataAnnotationsPrefix = "io.katacontainers."
|
|
kataConfAnnotationsPrefix = kataAnnotationsPrefix + "config."
|
|
kataAnnotHypervisorPrefix = kataConfAnnotationsPrefix + "hypervisor."
|
|
kataAnnotPreAttestationPrefix = kataConfAnnotationsPrefix + "pre_attestation."
|
|
kataAnnotSevPrefix = kataConfAnnotationsPrefix + "sev."
|
|
kataAnnotContainerPrefix = kataAnnotationsPrefix + "container."
|
|
|
|
//
|
|
// OCI
|
|
//
|
|
|
|
// BundlePathKey is the annotation key to fetch the OCI configuration file path.
|
|
BundlePathKey = kataAnnotationsPrefix + "pkg.oci.bundle_path"
|
|
|
|
// ContainerTypeKey is the annotation key to fetch container type.
|
|
ContainerTypeKey = kataAnnotationsPrefix + "pkg.oci.container_type"
|
|
|
|
SandboxConfigPathKey = kataAnnotationsPrefix + "config_path"
|
|
)
|
|
|
|
// Annotations related to Confidential Containers (CoCo)
|
|
const (
|
|
//
|
|
// Assets
|
|
//
|
|
// GuestPreAttestation toggled pre_attestation functionality on/off
|
|
GuestPreAttestation = kataAnnotPreAttestationPrefix + "enabled"
|
|
|
|
// GuestPreAttestationURI set the remote URL for online-kbs
|
|
GuestPreAttestationURI = kataAnnotPreAttestationPrefix + "uri"
|
|
|
|
// SEVGuestPolicy set the AMD SEV guest policy
|
|
SEVGuestPolicy = kataAnnotSevPrefix + "policy"
|
|
)
|
|
|
|
// Annotations related to Hypervisor configuration
|
|
const (
|
|
//
|
|
// Assets
|
|
//
|
|
KataAnnotationHypervisorPrefix = kataAnnotHypervisorPrefix
|
|
|
|
// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
|
|
KernelPath = kataAnnotHypervisorPrefix + "kernel"
|
|
|
|
// ImagePath is a sandbox annotation for passing a per container path pointing at the guest image that will run in the container VM.
|
|
ImagePath = kataAnnotHypervisorPrefix + "image"
|
|
|
|
// InitrdPath is a sandbox annotation for passing a per container path pointing at the guest initrd image that will run in the container VM.
|
|
InitrdPath = kataAnnotHypervisorPrefix + "initrd"
|
|
|
|
// HypervisorPath is a sandbox annotation for passing a per container path pointing at the hypervisor that will run the container VM.
|
|
HypervisorPath = kataAnnotHypervisorPrefix + "path"
|
|
|
|
// HypervisorCtlPath is a sandbox annotation for passing a per container path pointing at the hypervisor control binary that will run the container VM.
|
|
HypervisorCtlPath = kataAnnotHypervisorPrefix + "ctlpath"
|
|
|
|
// JailerPath is a sandbox annotation for passing a per container path pointing at the jailer that will constrain the container VM.
|
|
JailerPath = kataAnnotHypervisorPrefix + "jailer_path"
|
|
|
|
// CtlPath is a sandbox annotation for passing a per container path pointing at the acrn ctl binary
|
|
CtlPath = kataAnnotHypervisorPrefix + "ctlpath"
|
|
|
|
// FirmwarePath is a sandbox annotation for passing a per container path pointing at the guest firmware that will run the container VM.
|
|
FirmwarePath = kataAnnotHypervisorPrefix + "firmware"
|
|
|
|
// FirmwareVolumePath is a sandbox annotation for passing a per container path pointing at the guest firmware volume
|
|
// that will be passed to the container VM.
|
|
FirmwareVolumePath = kataAnnotHypervisorPrefix + "firmware_volume"
|
|
|
|
// KernelHash is a sandbox annotation for passing a container kernel image SHA-512 hash value.
|
|
KernelHash = kataAnnotHypervisorPrefix + "kernel_hash"
|
|
|
|
// ImageHash is an sandbox annotation for passing a container guest image SHA-512 hash value.
|
|
ImageHash = kataAnnotHypervisorPrefix + "image_hash"
|
|
|
|
// InitrdHash is an sandbox annotation for passing a container guest initrd SHA-512 hash value.
|
|
InitrdHash = kataAnnotHypervisorPrefix + "initrd_hash"
|
|
|
|
// HypervisorHash is an sandbox annotation for passing a container hypervisor binary SHA-512 hash value.
|
|
HypervisorHash = kataAnnotHypervisorPrefix + "hypervisor_hash"
|
|
|
|
// HypervisorCtlHash is a sandbox annotation for passing a container hypervisor control binary SHA-512 hash value.
|
|
HypervisorCtlHash = kataAnnotHypervisorPrefix + "hypervisorctl_hash"
|
|
|
|
// JailerHash is an sandbox annotation for passing a jailer binary SHA-512 hash value.
|
|
JailerHash = kataAnnotHypervisorPrefix + "jailer_hash"
|
|
|
|
// FirmwareHash is an sandbox annotation for passing a container guest firmware SHA-512 hash value.
|
|
FirmwareHash = kataAnnotHypervisorPrefix + "firmware_hash"
|
|
|
|
// FirmwareVolumeHash is an sandbox annotation for passing a container guest firmware volume SHA-512 hash value.
|
|
FirmwareVolumeHash = kataAnnotHypervisorPrefix + "firmware_volume_hash"
|
|
|
|
// AssetHashType is the hash type used for assets verification
|
|
AssetHashType = kataAnnotationsPrefix + "asset_hash_type"
|
|
|
|
//
|
|
// Generic annotations
|
|
//
|
|
|
|
// KernelParams is a sandbox annotation for passing additional guest kernel parameters.
|
|
KernelParams = kataAnnotHypervisorPrefix + "kernel_params"
|
|
|
|
// MachineType is a sandbox annotation to specify the type of machine being emulated by the hypervisor.
|
|
MachineType = kataAnnotHypervisorPrefix + "machine_type"
|
|
|
|
// MachineAccelerators is a sandbox annotation to specify machine specific accelerators for the hypervisor.
|
|
MachineAccelerators = kataAnnotHypervisorPrefix + "machine_accelerators"
|
|
|
|
// CPUFeatures is a sandbox annotation to specify cpu specific features.
|
|
CPUFeatures = kataAnnotHypervisorPrefix + "cpu_features"
|
|
|
|
// DisableVhostNet is a sandbox annotation to specify if vhost-net is not available on the host.
|
|
DisableVhostNet = kataAnnotHypervisorPrefix + "disable_vhost_net"
|
|
|
|
// EnableVhostUserStore is a sandbox annotation to specify if vhost-user-blk/scsi is abailable on the host
|
|
EnableVhostUserStore = kataAnnotHypervisorPrefix + "enable_vhost_user_store"
|
|
|
|
// VhostUserStorePath is a sandbox annotation to specify the directory path where vhost-user devices
|
|
// related folders, sockets and device nodes should be.
|
|
VhostUserStorePath = kataAnnotHypervisorPrefix + "vhost_user_store_path"
|
|
|
|
// VhostUserDeviceReconnect is a sandbox annotation to specify the timeout for reconnecting on
|
|
// non-server sockets when the remote end goes away.
|
|
VhostUserDeviceReconnect = kataAnnotHypervisorPrefix + "vhost_user_reconnect_timeout_sec"
|
|
|
|
// GuestHookPath is a sandbox annotation to specify the path within the VM that will be used for 'drop-in' hooks.
|
|
GuestHookPath = kataAnnotHypervisorPrefix + "guest_hook_path"
|
|
|
|
// DisableImageNvdimm is a sandbox annotation to specify use of nvdimm device for guest rootfs image.
|
|
DisableImageNvdimm = kataAnnotHypervisorPrefix + "disable_image_nvdimm"
|
|
|
|
// HotplugVFIOOnRootBus is a sandbox annotation used to indicate if devices need to be hotplugged on the
|
|
// root bus instead of a bridge.
|
|
HotplugVFIOOnRootBus = kataAnnotHypervisorPrefix + "hotplug_vfio_on_root_bus"
|
|
|
|
// PCIeRootPort is used to indicate the number of PCIe Root Port devices
|
|
// The PCIe Root Port device is used to hot-plug the PCIe device
|
|
PCIeRootPort = kataAnnotHypervisorPrefix + "pcie_root_port"
|
|
|
|
// EntropySource is a sandbox annotation to specify the path to a host source of
|
|
// entropy (/dev/random, /dev/urandom or real hardware RNG device)
|
|
EntropySource = kataAnnotHypervisorPrefix + "entropy_source"
|
|
|
|
// UseLegacySerial sets legacy serial device for guest console if available and implemented for architecture
|
|
UseLegacySerial = kataAnnotHypervisorPrefix + "use_legacy_serial"
|
|
|
|
//
|
|
// CPU Annotations
|
|
//
|
|
|
|
// DefaultVCPUs is a sandbox annotation for passing the default vcpus assigned for a VM by the hypervisor.
|
|
DefaultVCPUs = kataAnnotHypervisorPrefix + "default_vcpus"
|
|
|
|
// DefaultVCPUs is a sandbox annotation that specifies the maximum number of vCPUs allocated for the VM by the hypervisor.
|
|
DefaultMaxVCPUs = kataAnnotHypervisorPrefix + "default_max_vcpus"
|
|
|
|
//
|
|
// Memory related annotations
|
|
//
|
|
|
|
// DefaultMemory is a sandbox annotation for the memory assigned for a VM by the hypervisor.
|
|
DefaultMemory = kataAnnotHypervisorPrefix + "default_memory"
|
|
|
|
// MemSlots is a sandbox annotation to specify the memory slots assigned to the VM by the hypervisor.
|
|
MemSlots = kataAnnotHypervisorPrefix + "memory_slots"
|
|
|
|
// MemOffset is a sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor.
|
|
MemOffset = kataAnnotHypervisorPrefix + "memory_offset"
|
|
|
|
// VirtioMem is a sandbox annotation that is used to enable/disable virtio-mem.
|
|
VirtioMem = kataAnnotHypervisorPrefix + "enable_virtio_mem"
|
|
|
|
// MemPrealloc is a sandbox annotation that specifies the memory space used for nvdimm device by the hypervisor.
|
|
MemPrealloc = kataAnnotHypervisorPrefix + "enable_mem_prealloc"
|
|
|
|
// HugePages is a sandbox annotation to specify if the memory should be pre-allocated from huge pages
|
|
HugePages = kataAnnotHypervisorPrefix + "enable_hugepages"
|
|
|
|
// Iommu is a sandbox annotation to specify if the VM should have a vIOMMU device
|
|
IOMMU = kataAnnotHypervisorPrefix + "enable_iommu"
|
|
|
|
// Enable Hypervisor Devices IOMMU_PLATFORM
|
|
IOMMUPlatform = kataAnnotHypervisorPrefix + "enable_iommu_platform"
|
|
|
|
// FileBackedMemRootDir is a sandbox annotation to soecify file based memory backend root directory
|
|
FileBackedMemRootDir = kataAnnotHypervisorPrefix + "file_mem_backend"
|
|
|
|
//
|
|
// Shared File System related annotations
|
|
//
|
|
|
|
// Msize9p is a sandbox annotation to specify as the msize for 9p shares
|
|
Msize9p = kataAnnotHypervisorPrefix + "msize_9p"
|
|
|
|
// SharedFs is a sandbox annotation to specify the shared file system type, either virtio-9p or virtio-fs.
|
|
SharedFS = kataAnnotHypervisorPrefix + "shared_fs"
|
|
|
|
// VirtioFSDaemon is a sandbox annotations to specify virtio-fs vhost-user daemon path
|
|
VirtioFSDaemon = kataAnnotHypervisorPrefix + "virtio_fs_daemon"
|
|
|
|
// VirtioFSCache is a sandbox annotation to specify the cache mode for fs version cache
|
|
VirtioFSCache = kataAnnotHypervisorPrefix + "virtio_fs_cache"
|
|
|
|
// VirtioFSCacheSize is a sandbox annotation to specify the DAX cache size in MiB
|
|
VirtioFSCacheSize = kataAnnotHypervisorPrefix + "virtio_fs_cache_size"
|
|
|
|
// VirtioFSExtraArgs is a sandbox annotation to pass options to virtiofsd daemon
|
|
VirtioFSExtraArgs = kataAnnotHypervisorPrefix + "virtio_fs_extra_args"
|
|
|
|
//
|
|
// Block Device related annotations
|
|
//
|
|
|
|
// BlockDeviceDriver specifies the driver to be used for block device either VirtioSCSI or VirtioBlock
|
|
BlockDeviceDriver = kataAnnotHypervisorPrefix + "block_device_driver"
|
|
|
|
// BlockDeviceAIO specifies I/O mechanism to be used with VirtioBlock for qemu
|
|
BlockDeviceAIO = kataAnnotHypervisorPrefix + "block_device_aio"
|
|
|
|
// DisableBlockDeviceUse is a sandbox annotation that disallows a block device from being used.
|
|
DisableBlockDeviceUse = kataAnnotHypervisorPrefix + "disable_block_device_use"
|
|
|
|
// EnableIOThreads is a sandbox annotation to enable IO to be processed in a separate thread.
|
|
// Supported currently for virtio-scsi driver.
|
|
EnableIOThreads = kataAnnotHypervisorPrefix + "enable_iothreads"
|
|
|
|
// BlockDeviceCacheSet is a sandbox annotation that specifies cache-related options will be set to block devices or not.
|
|
BlockDeviceCacheSet = kataAnnotHypervisorPrefix + "block_device_cache_set"
|
|
|
|
// BlockDeviceCacheDirect is a sandbox annotation that specifies cache-related options for block devices.
|
|
// Denotes whether use of O_DIRECT (bypass the host page cache) is enabled.
|
|
BlockDeviceCacheDirect = kataAnnotHypervisorPrefix + "block_device_cache_direct"
|
|
|
|
// BlockDeviceCacheNoflush is a sandbox annotation that specifies cache-related options for block devices.
|
|
// Denotes whether flush requests for the device are ignored.
|
|
BlockDeviceCacheNoflush = kataAnnotHypervisorPrefix + "block_device_cache_noflush"
|
|
|
|
// RxRateLimiterMaxRate is a sandbox annotation that specifies max rate on network I/O inbound bandwidth.
|
|
RxRateLimiterMaxRate = kataAnnotHypervisorPrefix + "rx_rate_limiter_max_rate"
|
|
|
|
// TxRateLimiter is a sandbox annotation that specifies max rate on network I/O outbound bandwidth
|
|
TxRateLimiterMaxRate = kataAnnotHypervisorPrefix + "tx_rate_limiter_max_rate"
|
|
|
|
// EnableGuestSwap is a sandbox annotation to enable swap in the guest.
|
|
EnableGuestSwap = kataAnnotHypervisorPrefix + "enable_guest_swap"
|
|
|
|
// EnableRootlessHypervisor is a sandbox annotation to enable rootless hypervisor (only supported in QEMU currently).
|
|
EnableRootlessHypervisor = kataAnnotHypervisorPrefix + "rootless"
|
|
)
|
|
|
|
// Runtime related annotations
|
|
const (
|
|
kataAnnotRuntimePrefix = kataConfAnnotationsPrefix + "runtime."
|
|
|
|
// DisableGuestSeccomp is a sandbox annotation that determines if seccomp should be applied inside guest.
|
|
DisableGuestSeccomp = kataAnnotRuntimePrefix + "disable_guest_seccomp"
|
|
|
|
// GuestSeLinuxLabel is a SELinux security policy that is applied to a container process inside guest.
|
|
GuestSeLinuxLabel = kataAnnotRuntimePrefix + "guest_selinux_label"
|
|
|
|
// SandboxCgroupOnly is a sandbox annotation that determines if kata processes are managed only in sandbox cgroup.
|
|
SandboxCgroupOnly = kataAnnotRuntimePrefix + "sandbox_cgroup_only"
|
|
|
|
// EnableVCPUsPinning is a sandbox annotation that controls bundling between vCPU threads and CPUs
|
|
EnableVCPUsPinning = kataAnnotationsPrefix + "enable_vcpus_pinning"
|
|
|
|
// EnablePprof is a sandbox annotation that determines if pprof enabled.
|
|
EnablePprof = kataAnnotRuntimePrefix + "enable_pprof"
|
|
|
|
// Experimental is a sandbox annotation that determines if experimental features enabled.
|
|
Experimental = kataAnnotRuntimePrefix + "experimental"
|
|
|
|
// InterNetworkModel is a sandbox annotaion that determines how the VM should be connected to the
|
|
//the container network interface.
|
|
InterNetworkModel = kataAnnotRuntimePrefix + "internetworking_model"
|
|
|
|
// DisableNewNetNs is a sandbox annotation that determines if create a netns for hypervisor process.
|
|
DisableNewNetNs = kataAnnotRuntimePrefix + "disable_new_netns"
|
|
|
|
// VfioMode is a sandbox annotation to specify how attached VFIO devices should be treated
|
|
// Overrides the runtime.vfio_mode parameter in the global configuration.toml
|
|
VfioMode = kataAnnotRuntimePrefix + "vfio_mode"
|
|
)
|
|
|
|
// Agent related annotations
|
|
const (
|
|
kataAnnotAgentPrefix = kataConfAnnotationsPrefix + "agent."
|
|
|
|
// KernelModules is the annotation key for passing the list of kernel
|
|
// modules and their parameters that will be loaded in the guest kernel.
|
|
// Semicolon separated list of kernel modules and their parameters.
|
|
// These modules will be loaded in the guest kernel using modprobe(8).
|
|
// The following example can be used to load two kernel modules with parameters
|
|
///
|
|
// annotations:
|
|
// io.katacontainers.config.agent.kernel_modules: "e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0"
|
|
//
|
|
// The first word is considered as the module name and the rest as its parameters.
|
|
//
|
|
KernelModules = kataAnnotAgentPrefix + "kernel_modules"
|
|
|
|
// AgentTrace is a sandbox annotation to enable tracing for the agent.
|
|
AgentTrace = kataAnnotAgentPrefix + "enable_tracing"
|
|
|
|
// AgentContainerPipeSize is an annotation to specify the size of the pipes created for containers
|
|
AgentContainerPipeSize = kataAnnotAgentPrefix + ContainerPipeSizeOption
|
|
ContainerPipeSizeOption = "container_pipe_size"
|
|
ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption
|
|
)
|
|
|
|
// Container resource related annotations
|
|
const (
|
|
kataAnnotContainerResourcePrefix = kataAnnotContainerPrefix + "resource."
|
|
|
|
// ContainerResourcesSwappiness is a container annotation to specify the Resources.Memory.Swappiness
|
|
ContainerResourcesSwappiness = kataAnnotContainerResourcePrefix + "swappiness"
|
|
|
|
// ContainerResourcesSwapInBytes is a container annotation to specify the Resources.Memory.Swap
|
|
ContainerResourcesSwapInBytes = kataAnnotContainerResourcePrefix + "swap_in_bytes"
|
|
)
|
|
|
|
const (
|
|
// SHA512 is the SHA-512 (64) hash algorithm
|
|
SHA512 string = "sha512"
|
|
)
|
|
|
|
// Third-party annotations - annotations defined by other projects or k8s plugins
|
|
// but that can change Kata Containers behaviour.
|
|
|
|
const (
|
|
// This annotation enables SGX. Hardware-based isolation and memory encryption.
|
|
// Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi
|
|
// For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html
|
|
SGXEPC = "sgx.intel.com/epc"
|
|
)
|