Enable io.katacontainers.config.hypervisor.enable_iommu annotation by default #4330
Assignees
Labels
Projects
Comments
dgibson
added
bug
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 28, 2022
…default Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 28, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 28, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 28, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 30, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
May 31, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
dgibson
added a commit
to dgibson/kata-containers
that referenced
this issue
Jun 4, 2022
Since kata-containers#902 the `io.katacontainers.config.hypervisor` pod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe. However, this is inconvenient for the `io.katacontainers.config.hypervisor.enable_iommu` annotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices with `vfio_mode = vfio`, so enabling that mode of operation currently requires a global configuration change, and can't just be enabled per-pod. Unlike some of the other hypervisor annotations, the `enable_iommu` annotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either. Therefore, allow the io.katacontainers.config.hypervisor.enable_iommu annotation to work in the default configurations. fixes kata-containers#4330 Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of problem
Since #902 the
io.katacontainers.config.hypervisorpod annotations have only been permitted if explicitly allowed in the global configuration. The default global configuration allows no such annotations. That's important because several of those annotations would cause Kata to execute arbitrary binaries, and so were wildly unsafe.However, this is inconvenient for the
io.katacontainers.config.hypervisor.enable_iommuannotation specifically, which controls whether the sandbox VM includes a vIOMMU. A guest side vIOMMU is necessary to implement VFIO passthrough devices withvfio_mode = vfio, so enabling that mode of operation requires a global configuration change.Unlike some of the other hypervisor annotations, the
enable_iommuannotation is quite safe. By default the vIOMMU is not present, so allowing a user to override it for a pod only improves their facilities for isolation. Even if the global default were changed to enable the vIOMMU, that doesn't compel the guest kernel to use it, so allowing a user to disable the vIOMMU doesn't materially affect isolation either.The text was updated successfully, but these errors were encountered: