3.1.0-alpha1
Release date: 2022-12-19 23:11:25
Latest kata-containers/kata-containers release: 3.8.0 (2024-08-22 00:44:43)
kata-containers Changes
Shortlog
b0896126c release: Kata Containers 3.1.0-alpha1
74fa10a23 docs: remove duplicate sentences
ebe5c5adf docs: Update virtiofsd build script in the developer guide
    Script to execute to build virtiofsd has been changed in #5426 but not in the doc. This commit update the developer guide.
d14c3af35 dragonball: refactor legacy device initialization
21ec766d2 docs: add documents for using bundle to start container
ca39a07a1 runtime-rs: enable start container from bundle
9f465a58a kernel: Add "unload" module to SEV config
ae0dcacd4 tools: Add some new gitignore items
99485d871 shim: return hypervisor's pid not shim's pid
a81ced0e3 upcall: add upcall into kernel build script
f5c34ed08 Dragonball: introduce upcall
fbf294da3 refactor(shim-mgmt): move client side to libs
b5cfd0958 kata-ctl: Fixed format for check release options
8dbfc3dc8 kata-ctl: Fixed format for check release options
f3091a9da kata-ctl: Add kata-ctl check release options
1f28ff683 runtime-rs: add binary to exercise shim proper w/o containerd dependencies
eb8c9d38f runtime-rs: add launch of a simple qemu process to start_vm()
2f6d0d408 runtime-rs: support qemu in VirtContainer
1413dfe91 runtime-rs: add basic empty boilerplate for qemu driver
a577df8b7 tools: Fix indentation on build kernel script
4661ea8d3 runtime-rs: fix standalone share fs
79cf38e6e runtime-rs: clear OCI spec namespace path
62f4603e8 runtime-rs: reset rdma cgroup
5b6596f54 runtime-rs: CreateContainerRequest has Default
e9e82ce28 runtime-rs: fix is_pid_namespace_enabled check
78532154d docs: Add description for guest SELinux support
c617bbe70 runtime: Pass SELinux policy for containers to the agent
935476928 agent: Add SELinux support for containers
a75f99d20 osbuilder: Create guest image for SELinux
a9c746f28 kernel: Add kernel configs for SELinux
8079a9732 kata-sys-util: fix issues where umount2 couldn't get the correct path
7fdbbcda8 agent: Drop the Option for LinuxContainer.cgroup_manager
c5abc5ed4 config: speed up rng init when kernel boot for arm64
b087667ac kata-deploy: Fix the pod of kata deploy starts to occur an error
3e6114b2e tools: Fix indentation for ovmf script
d04d45ea0 runtime: use pidfd to wait for processes on Linux
e9ba0c11d runtime: use exponential backoff for process wait
71491a69c runtime: move process wait logic to another function
92ebe61fe runtime: reap force killed processes
0019d653d runtime-rs: fix high cpu
748f22e7d agent: remove sysinfo dependency
fdf0a7bb1 runtime-rs: fix the issues mentioned in the code review
1d823c4f6 runtime-rs: umount and permission controls in sandbox level
527b87141 runtime-rs: bind mount volumes in sandbox level
46b38458a docs: Update the rust version in the installation documentation
9ccf2ebe8 agent: add signal value to log
fb2c142f1 runtime-rs: fix some variable names and typos
a5e4cad4b kata-ctl: add host check for aarch64
737420469 kata-ctl: fix dependency version conflict
f7fc436be workflow: fix cargo-deny-runner.yaml syntax error
d4321ab48 runtime: Add identification in version for runtime-rs
89574f03f workflow: call cargo in user's $PATH
67fe703ff runtime-rs: remove the version number from the commit display message
e12db92e4 runk: Re-implement start operation using the agent codes
f443b7853 build: update golang version to 1.19.3
86cb05883 snap: Fix snapcraft setup (unbreak snap releases)
1d93a9346 fix(agent): fix iptables binary path in guest
2edbe389d runtime-rs: moving only vCPU threads into sandbox controller
cd85a44a0 tools: Remove extra tab spaces from kata deploy binaries script
e723bad0a ci: let static checks don't depend on build
69aae0227 actions: use matrix to refactor static checks
d7bb4b551 agent: support systemd cgroup for kata agent
340e24f17 actions: skip some job using "paths-ignore" filter
1dfd845f5 runtime: go fix code for 1.19
2426ea9bd doc: update runtime-rs "Build and Install"
4b45e1386 runtime: don't fail mkdir if the folder is already created
cb199e0ec kernel: add CONFIG_X86_SGX into whitelist
b987bbc57 runtime-rs: block on the current thread when setup the network
6b2ef66f0 runtime-rs: add conditional compile for virt-sandbox persist
30a7ebf43 runtime: Log invalid devices in QEMU config
2539f3186 runtime: Use containerd v1.6.8
a4099dab8 tools: Fix indentation of build static firecracker script
abb9ebeec package: add nydus to release artifacts
b53171b60 agent: check command before do test_ip_tables
3bb145c63 runtime: Support virtiofs queue size for qemu and make it configurable
993d05a42 docs: change mount-info.json to mountInfo.json
6c1e153a6 docs: update doc "NVIDIA GPU passthrough"
d808adef9 runtime-rs: support vhost-vsock
e80a9f09f utils: Add utility function to fetch the kernel version.
a636d426d versions: update nydusd version
c46814b26 runtime-rs:support nydus v5 and v6
36545aa81 runtime: clh: Re-generate the client code
f4b02c224 versions: Upgrade to Cloud Hypervisor v28.0
e4a6fbadf docs: update doc "Setup swap device in guest kernel"
2f5f575a4 log-parser: Simplify check
d94718fb3 runtime: Fix gofmt issues
16b837509 golang: Stop using io/ioutils
66aa330d0 versions: Update golangci-lint
b3a4a1629 versions: bump containerd version
eab8d6be1 build: update golang version to 1.19.2
e80dbc15d runtime-rs: workaround Dragonball compilation problem
c3f1922df fix(fmt): fix cargo fmt to pass static check
a04afab74 qemu: early exit from Check if the process was stopped
7e481f217 qemu: set stopped only if StopVM is successful
0e3ac66e7 clh: return faster with dead clh process from isClhRunning
9ef68e0c7 clh: fast exit from isClhRunning if the process was stopped
2631b08ff clh: don't try to stop clh multiple times
8be081730 tools: Fix indentation of build static virtiofsd script
3e9c3f12c docs: Fix configuration path
936fe35ac runtime-rs : fix shim source is ambiguous
f45fe4f90 versions: update vmm-sys-util and related crates to v0.11.0
29c75cf12 runtime-rs: delete all cargo patches
f8f97c1e2 feat(shim-mgmt): iptables handler
9f70a6949 tools: Remove empty spaces from build kernel script
57336835d dragonball: add more unit test for device manager
233370023 dragonball: add test utils.
2adb1c182 Dragonball: enable mem_file_path config into hugetlbfs process
fef8e92af runtime-rs:add hypervisor interface capabilities
daeee26a1 cloud-hypervisor: Fix GetThreadIDs function
40d514aa2 github: Parallelise static checks
27b191358 runtime-rs: blanks filled & fixes made to virtiofsd launch
2508d39b7 runtime: added vcpus pinning logics
    Core VCPU threads pinning logics for issue 4476. Also provided docs.
b74c18024 runtime-rs: fix shared volume permission issue
16dca4ecd runk: Ignore an error when calling kill cmd with --all option
df092185e runk: Upgrade libseccomp crate to v0.3.0 in Cargo.lock
990e6359b snap: Unbreak docker install
ca69a9ad6 snap: Use metadata for dependencies
39363ffbf runtime: remove same function
0ed7da30d tools: Fix indentation of build static clh script
43fcb8fd0 virtiofsd: Not use "link-self-contained=yes" on s390x
    The compile option link-self-contained=yes asks rustc to use C library startup object files that come with the compiler, which are not available on the target s390x-unknown-linux-gnu. A build does not contain any startup files leading to a broken executable entry point (causing segmentation fault).
c0f5bc81b cargo: Add Cargo.lock to version control
474927ec9 gitignore: Add gitignore file
699f821e1 utils: Add function to drop priveleges
a6fb4e2a6 versions: bump golangci-lint version
b015f34af runtime-rs: generate config files with the default target
219919e9f docs: Fix volumeMounts in SGX usage example
9d286af7b versions: Update Cloud Hypervisor to b4e39427080
144efd1a7 docs: update rust runtime installation guide
cbd84c3f5 rustjail: Upgrade libseccomp crate to v0.3.0
748be0fe3 makefile: remove sudo when create symbolic link
44d8de892 agent: remove redundant checks
89e62d4ed shim: Ensure pagesize is set when reporting hugetbl stats
e95089b71 kata-ctl: add basic cpu check for s390x
871d2cf2c kata-ctl: Limit running tests to x86 and use native-tls on s390x
9f2c7e47c Revert "kata-ctl: Disable network check on s390x"
081ee4871 agent: use NLM_F_REPLACE replace NLM_F_EXCL in rtnetlink
abf4f9b29 docs: kata 3.0 Architecture fix readme content error
72738dc11 agent: validate hugepage size is supported
f74e328ff Makefile: fix an typo in runtime-rs makefile
227e717d2 qemu: Re-work static-build Dockerfile
9c1ac3d45 runtime-rs: return port on agent-url req
f205472b0 Makefile: regulate the comment style for the runtime-rs comments
ac403cfa5 doc: Update how-to-run-kata-containers-with-SNP-VMs.md
00981b3c0 kata-ctl: Disable network check on s390x
c322d1d12 kata-ctl: arch: Improve check call
0bc5baafb snap: Build virtiofsd using the kata-deploy scripts
cb4ef4734 snap: Create a task for installing docker
7e5941c57 virtiofsd: Build inside a container
9717dc3f7 Dragonball: remove redundant comments in event manager
35d52d30f versions: Update TDX QEMU
4d9dd8790 runtime-rs: fix typo get_contaier_type to get_container_type
70676d4a9 kata-ctl: improve command descriptions for consistency
86ad832e3 runtime-rs: force shutdown shim process in it can't exit
9eb73d543 versions: Update TDX kernel
1f1901e05 dragonball: fix clippy warning for aarch64
a343c570e dragonball: enhance dragonball ci
6a64fb0eb ci: skip s390x for dragonball.
a743e37da Dragonball: delete redundant comments in blk_dev_mgr
00a42f69c kata-ctl: cargo: 2021 -> 2018
fb6327474 kata-ctl: rustfmt + clippy fixes
2b345ba29 build: Add kata-ctl to tools list
f7010b806 kata-ctl: docs: Write basic documentation
781e604c3 docs: Reference kata-ctl README
15c343cbf kata-ctl: Don't rely on system ssl libs
c23584994 kata-ctl: clippy: Resolve warnings and reformat
133690434 kata-ctl: implement CLI argument --check-version-only
eb5423cb7 kata-ctl: switch to use clap derive for CLI handling
018aa899c kata-ctl: Add cpu check
7c9f9a5a1 kata-ctl: Make arch test run at compile time
b63ba66dc kata-ctl: Formatting tweaks
cca7e32b5 kata-ctl: Lint fixes to allow the branch to be built
8e7bb8521 kata-ctl: add code for framework for arch
303fc8b11 kata-ctl: Add unit tests cases
d0b33e9a3 versions: Add kata-ctl version entry
002b18054 kata-ctl: Add initial rust code for kata-ctl
8d4ced3c8 runtime-rs: support ephemeral storage for emptydir
862eaef86 docs: fix a typo in rust-runtime-installation-guide
26c043dee ci: Add dragonball test
b62b18bf1 dragonball: fix clippy warning
2ddc948d3 Makefile: add dragonball components.
3fe81fe4a dragonball-ut: use skip_if_not_root to skip root case
72259f101 dragonball: add more unit test for vmm actions
046ddc646 readme: remove libraries mentioning
Compatibility with CRI-O
Kata Containers 3.1.0-alpha1 is compatible with CRI-O
Compatibility with containerd
Kata Containers 3.1.0-alpha1 is compatible with containerd v1.6.8
OCI Runtime Specification
Kata Containers 3.1.0-alpha1 supports the OCI Runtime Specification v1.0.2
Compatibility with Kubernetes
Kata Containers 3.1.0-alpha1 is compatible with Kubernetes 1.23.1-00
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.4 which is not modified from the upstream version. However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
If you want to use the kata-agent which is not statically linked with the library, you can build a custom kata-agent that does not use the library from sources. For the details, please check the developer guide.
Kata Linux Containers image
Agent version: 3.1.0-alpha1
Default Image Guest OS:
description: |
  Root filesystem disk image used to boot the guest virtual machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "ubuntu"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"
Default Initrd Guest OS:
description: |
  Root filesystem initrd used to boot the guest virtual machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.15"
  # Do not use Alpine on ppc64le & s390x, the agent cannot use musl because
  # there is no such Rust target
  ppc64le:
    name: "ubuntu"
    version: "20.04"
  s390x:
    name: "ubuntu"
    version: "20.04"
  x86_64:
    name: "alpine"
    version: "3.15"
Kata Linux Containers Kernel
Kata Containers 3.1.0-alpha1 suggests using the Linux kernel v5.19.2.
See the suggested Guest Kernel patches.
See the suggested Guest Kernel config.
Installation
Follow the Kata installation instructions.
Issues & limitations
More information: Limitations
1. kata-containers-3.1.0-alpha1-vendor.tar.gz 260.06MB
2. kata-static-3.1.0-alpha1-x86_64.tar.xz 121.95MB
3. libseccomp-2.5.4.tar.gz 622.29KB
4. libseccomp-2.5.4.tar.gz.asc 833B