Changes
- agent watchers: ensure uid/gid is preserved on copy/mkdir
- clh: Rely on Cloud Hypervisor for generating the device ID
- agent: add tests for create_logger_task function
- runk: set BinaryName for runk for containerd
- tools: Add a Rust-based standard OCI container runtime based on Kata agent
- rustjail: add tests for parse_mount_table
- Virtcontainers: Enable hot plugging vhost-user-blk device on ARM
- docs: repropose direct-assigned volume
- versions: change qemu tdx url and tag
- doc: Update for NVIDIA GPUs
- agent-ctl: Fix abstract socket connections
- Implement network and disk rate limiter for Cloud Hypervisor
- kata-deploy: Add support to RKE2
- docs: Update containerd link to installation guide
- docs: remove pc machine type supports
- Agent: Unit tests for random.rs
- rustjail: Add tests for mount_grpc_to_oci
- packaging: Fix broken path in `build-static-clh.sh`
- Fix Go unit tests to clean up /tmp after themselves
- rustjail: add tests for mount_from function
- rustjail: Add tests for hooks_grpc_to_oci
- agent: modify the type of swappiness to u64
- libs/safe-path: add crate to safely resolve fs paths
- agent: move assert_result macro to test_utils file
- rustjail: Add tests for root_grpc_to_oci
- agent: add tests for mount_to_rootfs function
- agent: add tests for update_container_namespaces
- agent: add tests for is_signal_handled function
- Upgrade to Cloud Hypervisor v23.0
- agent: best-effort removing mount point
- test: Fix golangci-lint error for s390x
- fsGroup support for direct-assigned volume
- kata-monitor: add the README file
- kata-monitor: update the hrefs in the debug/pprof index page
- runtime: Base64 encode the direct volume mountInfo path
- runtime: no need to write virtiofsd error to log
- kata-monitor: add some links when generating pages for browsers
- agent: Avoid agent panic when reading empty stats
- docs: Update link to contributions guide
- agent: add tests for mount_storage
- agent: add test coverage for parse_mount_flags_and_options function
- agent: add tests for do_write_stream function
- runtime: delete debug option in virtiofsd
- rustjail: add test coverage for process_grpc_to_oci function
- agent: Allow the agent to be rebuilt with the change of Cargo features
- protocols: add src/csi.rs to .gitignore
- kata-runtime enable hugepage support
- docs: Add a firecracker installation guide
- runtime: Allow and require no initrd for SE
- test: use `T.TempDir` to create temporary test directory
- clh: Expose service offload configuration

Commits
- 33a8b705 clh: Rely on Cloud Hypervisor for generating the device ID
- 70eda2fa agent: watchers: ensure uid/gid is preserved on copy/mkdir
- 7772f7dd runk: set BinaryName for runk for containerd
- 7ffe5a16 docs: Direct-assigned volume design
- 081f6de8 versions: change qemu tdx url and tag
- 666aee54 docs: Add VSOCK localhost example for agent-ctl
- 86d348e0 docs: Use VM term in agent-ctl doc
- 4b9b62bb agent-ctl: Fix abstract socket connections
- b6467ddd clh: Expose disk rate limiter config
- 7580bb5a clh: Expose net rate limiter config
- a88adaba clh: Cloud Hypervisor has a built-in Rate Limiter
- 63c4da03 clh: Implement the Disk RateLimiter logic
- 511f7f82 config: Add DiskRateLimiter* to Cloud Hypervisor
- 5b18575d hypervisor: Add disk bandwidth and operations rate limiters
- 1cf94692 clh: Implement the Network RateLimiter logic
- 00a5b1bd utils: Define DefaultRateLimiterRefillTimeMilliSecs
- be1bb7e3 utils: Move FC's function to revert bytes to utils
- c9f6496d config: Add NetRateLimiter* to Cloud Hypervisor
- 2d35e606 hypervisor: Add network bandwidth and operations rate limiters
- b0e439cb rustjail: add tests for parse_mount_table
- ccb01839 kata-deploy: Add support to RKE2
- 9d39362e kata-deploy: Restructure the installing section
- 18d27f79 kata-deploy: Add a missing `$` prefix in the README
- 6948b4b3 docs: Update containerd link to installation guide
- b221a259 tools: Add runk
- 2c218a07 agent: Modify Kata agent for runk
- dd4bd7f4 doc: Added initial doc update for NV GPUs
- 832c33d5 docs: remove pc machine type supports
- b658dccc tools: fix typo in clh directory name
- afbd60da packaging: Fix clh build from source fall-back
- 4b9e78b8 rustjail: Add tests for mount_grpc_to_oci
- 81f6b486 agent: add tests for create_logger_task function
- 96bc3ec2 rustjail: Add tests for hooks_grpc_to_oci
- 02395027 agent: modify the type of swappiness to u64
- 1b931f42 runtime: Allow mockfs storage to be placed in any directory
- ef6d54a7 runtime: Let MockFSInit create a mock fs driver at any path
- 5d8438e9 runtime: Move mockfs control global into mockfs.go
- 963d03ea runtime: Export StoragePathSuffix
- 1719a8b4 runtime: Don't abuse MockStorageRootPath() for factory tests
- bec59f9e runtime: Make bind mount tests better clean up after themselves
- f7ba21c8 runtime: Clean up mock hook logs in tests
- 90b2f5b7 runtime: Make SetupOCIConfigFile clean up after itself
- 2eeb5dc2 runtime: Don't use fixed /tmp/mountPoint path
- 0ad89ebd safe-path: add more unit test cases
- b63774ec libs/safe-path: add crate to safely resolve fs paths
- f385b21b rustjail: add tests for mount_from function
- 0e7f1a5e agent: move assert_result macro to test_utils file
- 2256bcb6 rustjail: Add tests for root_grpc_to_oci
- 7b2ff026 kata-monitor: add a README file
- 29e569aa virtcontainers: clh: Re-generate the client code
- 6012c197 versions: Upgrade to Cloud Hypervisor v23.0
- aabcebbf agent: best-effort removing mount point
- d136c9c2 test: Fix golangci-lint error for s390x
- 86977ff7 kata-monitor: update the hrefs in the debug/pprof index page
- 78f30c33 agent: Avoid agent panic when reading empty stats
- 6e79042a runtime: no need to write virtiofsd error to log
- 9b6f24b2 agent: add tests for mount_to_rootfs function
- c3776b17 agent: add tests for is_signal_handled function
- 9c22d955 agent: add tests for update_container_namespaces
- 92c00c7e agent: fsGroup support for direct-assigned volume
- 6e9e4e8c docs: Update link to contributions guide
- 532d5397 runtime: fsGroup support for direct-assigned volume
- 6a47b82c proto: fsGroup support for direct-assigned volume
- 9d5e7ee0 agent: add tests for mount_storage
- f8cc5d1a kata-monitor: add some links when generating pages for browsers
- c31cd0e8 rustjail: add test coverage for process_grpc_to_oci function
- 1118a3d2 agent: add test coverage for parse_mount_flags_and_options function
- 9d5b03a1 runtime: delete debug option in virtiofsd
- eff7c7e0 agent: Allow the agent to be rebuilt with the change of Cargo features
- b975f2e8 Virtcontainers: Enable hot plugging vhost-user-blk device on ARM
- 962d05ec protocols: add src/csi.rs to .gitignore
- 354cd3b9 runtime: Base64 encode the direct volume mountInfo path
- 485aeabb agent: add tests for do_write_stream function
- 4405b188 docs: Add a firecracker installation guide
- 98750d79 clh: Expose service offload configuration
- 59c7165e test: use `T.TempDir` to create temporary test directory
- ff17c756 runtime: Allow and require no initrd for SE
- 1cad3a46 agent/random: Ensure data.len > 0
- 33c953ac agent: Add test_ressed_rng_not_root
- 39a35b69 agent: Add test to random::reseed_rng()
- d8f39fb2 agent/random: Rename RNDRESEEDRNG to RNDRESEEDCRNG
- a2f5c176 runtime/virtcontainers: Pass the hugepages resources to agent

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Kata Containers
Welcome to Kata Containers!
This repository is the home of the Kata Containers code for the 2.0 and newer releases.
If you want to learn about Kata Containers, visit the main Kata Containers website.
Introduction
Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
License
The code is licensed under the Apache 2.0 license. See the license file for further details.
Platform support
Kata Containers currently runs on 64-bit systems supporting the following technologies:
| Architecture | Virtualization technology |
|---|---|
| x86_64, amd64 | Intel VT-x, AMD SVM |
| aarch64 ("arm64") | ARM Hyp |
| ppc64le | IBM Power |
| s390x | IBM Z & LinuxONE SIE |
Hardware requirements
The Kata Containers runtime provides a command to determine if your host system is capable of running and creating a Kata Container:
$ kata-runtime check
Notes:
- This command runs a number of checks, including connecting to the network to determine if a newer release of Kata Containers is available on GitHub. If you do not wish this check to run, add the `--no-network-checks` option.
- By default, only a brief success / failure message is printed. If more details are needed, the `--verbose` flag can be used to display the list of all the checks performed.
- If the command is run as the `root` user, additional checks are run (including checking if another incompatible hypervisor is running). When running as `root`, network checks are automatically disabled.
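The following is an added example, not part of the Kata Containers README or the runtime's own code: a minimal offline pre-flight script in the spirit of `kata-runtime check`. It looks for the x86 hardware-virtualization CPU flag (`vmx` for Intel VT-x, `svm` for AMD SVM) in a cpuinfo file and for the KVM character device, and only then runs the real `kata-runtime check` with network checks disabled so that nothing is fetched from GitHub. The function names, the `virt_tech`/`kvm_present`/`host_capable` split and the file-path parameters are this example's own choices, added so the logic can be exercised against constructed input; the ARM, Power and s390x technologies listed in the table above are not detected by this CPU-flag check.

```shell
#!/bin/sh
# Added example (not part of the Kata Containers project): offline host
# pre-flight checks followed by the real `kata-runtime check`, run without
# network checks. Only the x86 CPU flags are inspected here.

# Print the virtualization technology implied by the CPU flags in the given
# cpuinfo file (default /proc/cpuinfo): "vt-x" for the vmx flag, "svm" for the
# svm flag, or "none" when neither is present or the file is unreadable.
virt_tech() {
    cpuinfo="${1:-/proc/cpuinfo}"
    if grep -qw vmx "$cpuinfo" 2>/dev/null; then
        echo vt-x
    elif grep -qw svm "$cpuinfo" 2>/dev/null; then
        echo svm
    else
        echo none
    fi
}

# Succeed (exit 0) when the KVM device node (default /dev/kvm) exists and is
# a character device; a missing or non-device path fails the check.
kvm_present() {
    [ -c "${1:-/dev/kvm}" ]
}

# Combine both host checks; succeeds only when a virtualization flag is
# present AND the KVM device node exists. Arguments: cpuinfo path, kvm path.
host_capable() {
    [ "$(virt_tech "$1")" != none ] && kvm_present "$2"
}

# Run the real check verbosely and offline if kata-runtime is installed;
# return 127 (command not found) otherwise so callers can tell the cases apart.
run_kata_check() {
    if command -v kata-runtime >/dev/null 2>&1; then
        kata-runtime check --no-network-checks --verbose
    else
        echo "kata-runtime not installed; skipping" >&2
        return 127
    fi
}
```

Usage: source the file and chain the checks, for example `. ./preflight.sh && host_capable && run_kata_check`; the exit status of the chain is non-zero as soon as the host fails a prerequisite, which makes it usable as a gate in provisioning scripts. Passing `--no-network-checks` explicitly keeps the behaviour the same whether the script runs as `root` (where the README notes network checks are already disabled) or as an unprivileged user.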
Getting started
See the installation documentation.
Documentation
See the official documentation including:
Configuration
Kata Containers uses a single configuration file which contains a number of sections for various parts of the Kata Containers system including the runtime, the agent and the hypervisor.
Hypervisors
See the hypervisors document and the Hypervisor specific configuration details.
Community
To learn more about the project, its community and governance, see the community repository. This is the first place to go if you wish to contribute to the project.
Getting help
See the community section for ways to contact us.
Raising issues
Please raise an issue in this repository.
Note: If you are reporting a security issue, please follow the vulnerability reporting process.
Developers
See the developer guide.
Components
Main components
The table below lists the core parts of the project:
| Component | Type | Description |
|---|---|---|
| runtime | core | Main component run by a container manager and providing a containerd shimv2 runtime implementation. |
| agent | core | Management process running inside the virtual machine / POD that sets up the container environment. |
| documentation | documentation | Documentation common to all components (such as design and install documentation). |
| libraries | core | Library crates shared by multiple Kata Container components or published to crates.io |
| tests | tests | Excludes unit tests which live with the main code. |
Additional components
The table below lists the remaining parts of the project:
| Component | Type | Description |
|---|---|---|
| packaging | infrastructure | Scripts and metadata for producing packaged binaries (components, hypervisors, kernel and rootfs). |
| kernel | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored here. |
| osbuilder | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
| agent-ctl | utility | Tool that provides low-level access for testing the agent. |
| trace-forwarder | utility | Agent tracing helper. |
| runk | utility | Standard OCI container runtime based on the agent. |
| ci | CI | Continuous Integration configuration files and scripts. |
| katacontainers.io | | Source for the katacontainers.io site. |
Packaging and releases
Kata Containers is now available natively for most distributions. However, packaging scripts and metadata are still used to generate snap and GitHub releases. See the components section for further details.
Glossary of Terms
See the glossary of terms related to Kata Containers.