kata-containers Changes

Major highlights of this release include:

• Support for io_uring as I/O mechanism for qemu
• Upgrade to Cloud Hypervisor v26.0
• Kernel upgrade to 5.19.2
• Several improvements in cloud-hypervisor support for Intel TDX
• Support for static resource management functionality in rust runtime
• Support for hugetlb cgroups in the guest
• Addition of cargo-deny to scan for vulnerabilities and license issues wrt rust crates.

Shortlog

d23779ec9 Revert "agent: fix unittests for arp neighbors" d340564d6 Revert "agent: use rtnetlink's neighbours API to add neighbors" 188d37bad kata-deploy: Add debug statement e879270a0 runtime-rs: add default agent/runtime/hypervisor for configuration 5f4f5f240 docs: fix unix socket address in agent-ctl doc 41ec71169 runtime-rs: split amend_spec function ff7c78e0e runtime-rs: static resource mgmt default to false 00f3a6de1 runtime-rs: make static resource mgmt idiomatic 4a54876dd runtime-rs: support static resource management functionality 52bbc3a4b cargo.lock: update crates to comply with checks aa581f4b2 cargo.toml: Add oci to src/libs workplace 7914da72c cargo.tomls: Added Apache 2.0 to cargo.tomls bed4aab7e github-actions: Add cargo-deny 373dac2db qemu: Keep passing BUILD_SUFFIX 59e3850bf qemu: create no_patches.txt file for SPR-BKC-QEMU-v2.5 54d6d0175 qemu: fix tdx qemu tarball directories 9997ab064 sandbox_test: Add test to verify memory hotplug behavior f390c122f sandbox: don't hotplug too much memory at once e0142db24 hypervisor: Add GetTotalMemoryMB to interface e83b82131 docs: Update url in the Developer Guide 0ab49b233 release: Kata Containers 3.0.0-alpha1 b1a8acad5 versions: Update cni plugins version 749a6a248 docs: Specify language in markdown for syntax highlight a1fdc0827 kernel: Re-work get_tee_kernel() a6581734c kernel: Whitelist cleanup cce99c5c7 runtime-rs: delete socket from shim command-line options c75970b81 dragonball: add more unit test for config manager dc32c4622 osbuilder: fix ubuntu initrd /dev/ttyS0 hang cc5f91dac osbuilder: add systemd symlinks for kata-agent 731d39df4 kernel: Add CONFIG_CGROUP_HUGETLB=y as part of the cgroup fragments f7d41e98c kata-deploy: export CI in the build container 4f90e3c87 kata-deploy: add dockerbuild/install_yq.sh to gitignore 96d903734 github-actions: Auto-backporting a355812e0 runtime-rs: fixed bug on core-sched error handling 591dfa4fe runtime-rs: add support for core scheduling 92f7d6bf8 ci: Use versions.yaml for the libseccomp b535bac9c runk: Add cli message for init command c08a8631e agent: add some logs for mount operation c1e3b8f40 govmm: Refactor qmp functions for adding block device 598884f37 govmm: Refactor code to get rid of redundant code 00860a7e4 qmp: Pass aio backend while adding block device e1b49d758 config: Add block aio as a supported annotation ed0f1d0b3 config: Add "block_device_aio" as a config option for qemu b6cd2348f govmm: Add io_uring as AIO type 81cdaf077 govmm: Correct documentation for Linux aio. 763ceeb7b logging: Replace nix::Error::EINVAL with more descriptive msgs 4ee2b99e1 kata-deploy: fix threading conflicts 0a6f0174f kernel: Ignore CONFIG_SPECULATION_MITIGATIONS for older kernels 6cf16c4f7 agent-ctl: fix clippy error 4b57c04c3 runtime-rs: support loading kernel modules in guest vm dc90eae17 qemu: Drop unnecessary tdx_guest kernel parameter d4b67613f clh: Use HVC console with TDX c0cb3cd4d clh: Avoid crashing when memory hotplug is not allowed 9f0a57c0e clh: Increase API and SandboxStop timeouts for TDX c142fa254 clh: Lift the sharedFS restriction used with TDX bdf8a57bd runk: Move delete logic to libcontainer a06d819b2 runtime: cri-o annotations have been moved to podman ffd1c1ff4 agent-ctl/trace-forwarder: udpate thread_local dependency 69080d76d agent/runk: update regex dependency e0ec09039 runtime-rs: update async-std dependency 326f1cc77 agent: enrich some error code path 4f53e010b agent: skip test_load_kernel_module if non-root f508c2909 runtime: constify splitIrqChipMachineOptions 2b0587db9 runtime: VMX is migratible in vm factory case fa09f0ec8 runtime: remove qemuPaths a6fbaac1b runk: add pause/resume commands 8e201501e kernel: fix for set_kmem_limit error 00aadfe20 kernel: SEV guest kernel upgrade to 5.19.2 0d9d8d63e kernel: upgrade guest kernel support to 5.19.2 57bd3f42d runtime-rs: plug drop-in decoding into config-loading code 87b97b699 runtime-rs: add filesystem-related part of drop-in handling cf785a1a2 runtime-rs: add core toml::Value tree merging 09672eb2d agent: do some rollback works if case of do_create_container failed 8ff5c10ac network: Fix error message for setting hardware address on TAP interface 3a597c274 runtime: clh: Use the new 'payload' interface 16baecc5b runtime: clh: Re-generate the client code 50ea07183 versions: Upgrade to Cloud Hypervisor v26.0 fcc1e0c61 runtime: tracing: End root span at end of trace 78231a36e ci: Update libseccomp version 338c28295 dep: update nix dependency 3829ab809 docs: Update CRI-O target link 34746496b libs/test-utils: share test code by create a new crate

Compatibility with CRI-O

Kata Containers 3.0.0-alpha1 is compatible with CRI-O

Compatibility with containerd

Kata Containers 3.0.0-alpha1 is compatible with contaienrd v1.5.2

OCI Runtime Specification

Kata Containers 3.0.0-alpha1 support the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 3.0.0-alpha1 is compatible with Kubernetes 1.23.1-00

Libseccomp Notices

The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.

• libseccomp

The kata-agent uses the libseccomp v2.5.4 which is not modified from the upstream version. However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.

If you want to use the kata-agent which is not statically linked with the library, you can build a custom kata-agent that does not use the library from sources. For the details, please check the developer guide.

Kata Linux Containers image

Agent version: 3.0.0-alpha1

Default Image Guest OS:

description: | Root filesystem disk image used to boot the guest virtual machine. url: "https://github.com/kata-containers/kata-containers/tools/osbuilder" architecture: aarch64: name: "ubuntu" version: "latest" ppc64le: name: "ubuntu" version: "latest" s390x: name: "ubuntu" version: "latest" x86_64: name: "clearlinux" version: "latest" meta: image-type: "clearlinux"

Default Initrd Guest OS:

description: | Root filesystem initrd used to boot the guest virtual machine. url: "https://github.com/kata-containers/kata-containers/tools/osbuilder" architecture: aarch64: name: "alpine" version: "3.15" ppc64le: name: "ubuntu" version: "20.04" s390x: name: "ubuntu" version: "20.04" x86_64: name: "alpine" version: "3.15"

Kata Linux Containers Kernel

Kata Containers 3.0.0-alpha1 suggest to use the Linux kernel v5.19.2 See the kernel suggested Guest Kernel patches See the kernel suggested Guest Kernel config

Installation

Follow the Kata installation instructions.

Issues & limitations

More information Limitations