Firecracker provides a jailer to constrain the VMM. Use this jailer to launch the firecracker VMM instead of launching it directly from the kata-runtime. The jailer will ensure that the firecracker VMM will run in its own network and mount namespace. All assets required by the VMM have to be present within these namespaces. The assets need to be copied or bind mounted into the chroot location set up by the jailer in order for firecracker to access these resources. This includes files, device nodes and all other assets. Jailer automatically sets up the jail to have access to kvm and vhost-vsock. If a jailer is not available (i.e. not set up in the toml) for a given hypervisor the runtime will act as the jailer. Also enhance the hypervisor interface and unit tests to include the network namespace. This allows the hypervisor to choose how and where to launch the VMM process, vs virtcontainers directly launching the VMM process. Fixes: #1129 Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>
// Copyright (c) 2017 Intel Corporation
//
// SPDX-License-Identifier: Apache-2.0
//
package annotations
// vcAnnotationsPrefix is the common prefix shared by every annotation key
// defined in this package.
const vcAnnotationsPrefix = "com.github.containers.virtcontainers."

// Per-container asset paths. Each annotation carries a path to one of the
// files the runtime needs in order to boot (or constrain) the container VM.
const (
	// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
	KernelPath = vcAnnotationsPrefix + "KernelPath"

	// ImagePath is a sandbox annotation for passing a per container path pointing at the guest image that will run in the container VM.
	ImagePath = vcAnnotationsPrefix + "ImagePath"

	// InitrdPath is a sandbox annotation for passing a per container path pointing at the guest initrd image that will run in the container VM.
	InitrdPath = vcAnnotationsPrefix + "InitrdPath"

	// HypervisorPath is a sandbox annotation for passing a per container path pointing at the hypervisor that will run the container VM.
	HypervisorPath = vcAnnotationsPrefix + "HypervisorPath"

	// JailerPath is a sandbox annotation for passing a per container path pointing at the jailer that will constrain the container VM.
	JailerPath = vcAnnotationsPrefix + "JailerPath"

	// FirmwarePath is a sandbox annotation for passing a per container path pointing at the guest firmware that will run the container VM.
	FirmwarePath = vcAnnotationsPrefix + "FirmwarePath"
)

// Per-container asset digests. Each one pairs with the path annotation of the
// same name above and carries the SHA-512 hash of that asset; AssetHashType
// names the algorithm the digests were computed with.
//
// NOTE(review): a digest carried in an annotation is only as trustworthy as
// whoever set the annotation — confirm where these values are checked against
// the asset before it is used, since this package only defines the keys.
const (
	// KernelHash is a sandbox annotation for passing a container kernel image SHA-512 hash value.
	KernelHash = vcAnnotationsPrefix + "KernelHash"

	// ImageHash is a sandbox annotation for passing a container guest image SHA-512 hash value.
	ImageHash = vcAnnotationsPrefix + "ImageHash"

	// InitrdHash is a sandbox annotation for passing a container guest initrd SHA-512 hash value.
	InitrdHash = vcAnnotationsPrefix + "InitrdHash"

	// HypervisorHash is a sandbox annotation for passing a container hypervisor binary SHA-512 hash value.
	HypervisorHash = vcAnnotationsPrefix + "HypervisorHash"

	// JailerHash is a sandbox annotation for passing a jailer binary SHA-512 hash value.
	JailerHash = vcAnnotationsPrefix + "JailerHash"

	// FirmwareHash is a sandbox annotation for passing a container guest firmware SHA-512 hash value.
	FirmwareHash = vcAnnotationsPrefix + "FirmwareHash"

	// AssetHashType is the hash type used for assets verification.
	AssetHashType = vcAnnotationsPrefix + "AssetHashType"
)

// OCI bookkeeping keys used to carry the bundle's configuration through the
// annotation map.
const (
	// ConfigJSONKey is the annotation key to fetch the OCI configuration.
	ConfigJSONKey = vcAnnotationsPrefix + "pkg.oci.config"

	// BundlePathKey is the annotation key to fetch the OCI configuration file path.
	BundlePathKey = vcAnnotationsPrefix + "pkg.oci.bundle_path"

	// ContainerTypeKey is the annotation key to fetch container type.
	ContainerTypeKey = vcAnnotationsPrefix + "pkg.oci.container_type"
)
// SHA512 is the SHA-512 (64) hash algorithm. It is the only value this
// package defines for the AssetHashType annotation; it is declared with an
// explicit string type so it can be passed where a typed string is required.
const SHA512 string = "sha512"