rustjail: mount misc cgroup failed on Linux 5.13 #4610

Open
cyyzero opened this issue Jul 7, 2022 · 2 comments
Labels
feature (New functionality), needs-review (Needs to be assessed by the team)

Comments

@cyyzero
Contributor

cyyzero commented Jul 7, 2022

When I use runk to create a container on Ubuntu 20.04 with the 5.13.0-52-generic kernel, it fails at mounting /sys/fs/cgroup/misc/{container_id} into the container. I found there is no /sys/fs/cgroup/misc/{container_id} on the host. The misc cgroup patch was just merged into Linux 5.13. Does cgroup-rs not support misc cgroup yet?

The spec file is config.json.
The log file is test.log (I added some extra output logs).

cyyzero added the labels bug (Incorrect behaviour) and needs-review (Needs to be assessed by the team) on Jul 7, 2022
@ManaSugi
Member

ManaSugi commented Jul 7, 2022

@cyyzero
Thank you for developing runk.
Yes, cgroup-rs does not support the misc controller yet, so if you want to run runk on Linux >= 5.13, you need to unmount the misc controller.
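A pre-flight check in the spirit of the workaround above, written here as an added example (it is not code from runk, rustjail or cgroup-rs): it parses /proc/self/mountinfo text, lists the mounted cgroup v1 hierarchies and flags controllers that the caller's cgroup library does not handle, so a runtime can refuse with a clear message before it tries to mount /sys/fs/cgroup/misc/{container_id}. The mountinfo sample and the supported set are constructed for illustration; the page only states that cgroup-rs lacked `misc` at the time.

```rust
use std::collections::BTreeSet;

/// Constructed sample of /proc/self/mountinfo lines from a cgroup v1 host that also
/// mounts the `misc` controller added in Linux 5.13 (sample data, not the reporter's).
const SAMPLE_MOUNTINFO: &str = "\
24 29 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
35 24 0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
36 35 0:31 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:10 - cgroup2 cgroup2 rw,nsdelegate
37 35 0:32 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,xattr,name=systemd
38 35 0:33 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpu,cpuacct
39 35 0:34 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
40 35 0:35 / /sys/fs/cgroup/misc rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,misc
";

/// A mounted cgroup v1 hierarchy: where it is mounted and which controllers it binds.
#[derive(Debug, PartialEq)]
pub struct CgroupV1Mount {
    pub mount_point: String,
    pub controllers: Vec<String>,
}

/// Parse mountinfo text and return every cgroup v1 hierarchy it lists.
/// Line layout: `id parent maj:min root mount_point mount_opts [optional...] - fstype source super_opts`.
pub fn cgroup_v1_mounts(mountinfo: &str) -> Vec<CgroupV1Mount> {
    let mut mounts = Vec::new();
    for line in mountinfo.lines() {
        // " - " separates the variable-length optional fields from fstype/source/super_opts.
        let (pre, post) = match line.split_once(" - ") {
            Some(parts) => parts,
            None => continue,
        };
        let pre: Vec<&str> = pre.split_whitespace().collect();
        let post: Vec<&str> = post.split_whitespace().collect();
        // cgroup2 reports fstype "cgroup2", so only legacy hierarchies pass this check.
        if pre.len() < 6 || post.len() < 3 || post[0] != "cgroup" {
            continue;
        }
        // super_opts holds the bound controllers next to generic flags (rw, xattr, ...);
        // a named hierarchy (name=systemd) binds no kernel controller and yields none.
        let controllers = post[2]
            .split(',')
            .filter(|opt| !matches!(*opt, "rw" | "ro" | "xattr"))
            .filter(|opt| !opt.starts_with("name=") && !opt.starts_with("release_agent="))
            .map(str::to_string)
            .collect();
        mounts.push(CgroupV1Mount { mount_point: pre[4].to_string(), controllers });
    }
    mounts
}

/// Controllers that are mounted but absent from `supported`. A runtime that walks every
/// mounted hierarchy (the failure mode in this issue) can refuse early with a clear
/// message instead of failing mid-mount. `supported` is whatever the caller's cgroup
/// library handles; it is an assumed list here, not cgroup-rs's real feature set.
pub fn unsupported_controllers(mounts: &[CgroupV1Mount], supported: &[&str]) -> Vec<String> {
    let mut unsupported = BTreeSet::new();
    for m in mounts {
        for c in &m.controllers {
            if !supported.contains(&c.as_str()) {
                unsupported.insert(c.clone());
            }
        }
    }
    unsupported.into_iter().collect()
}

fn main() {
    let mounts = cgroup_v1_mounts(SAMPLE_MOUNTINFO);
    // Assumed supported set for illustration only; take the real list from the library in use.
    let supported = ["cpu", "cpuacct", "memory"];
    for m in &mounts {
        println!("{} -> {:?}", m.mount_point, m.controllers);
    }
    match unsupported_controllers(&mounts, &supported).as_slice() {
        [] => println!("all mounted cgroup v1 controllers are supported"),
        missing => println!(
            "unsupported cgroup v1 controllers mounted: {:?}; unmount their hierarchies before creating containers",
            missing
        ),
    }
}
```

On a real host, read /proc/self/mountinfo into a string and pass it to cgroup_v1_mounts in place of the constructed sample.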

@cyyzero
Contributor Author

cyyzero commented Jul 7, 2022

@ManaSugi Got it. I will use an older kernel.

liubin added the feature (New functionality) label and removed the bug (Incorrect behaviour) label on Jul 8, 2022
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Dec 6, 2022
Ref issue:
kata-containers/kata-containers#4610

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
knrt10 pushed a commit to confidential-containers/cloud-api-adaptor that referenced this issue Dec 6, 2022
Ref issue:
kata-containers/kata-containers#4610

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
whitebrandy added a commit to whitebrandy/cloud-api-adaptor that referenced this issue Dec 17, 2022
Now that we are using legacy cgroups...
kata-containers/kata-containers#4610

Fixes: confidential-containers#431
Signed-off-by: Bandan Das <bsd@redhat.com>
snir911 pushed a commit to confidential-containers/cloud-api-adaptor that referenced this issue Dec 19, 2022
Now that we are using legacy cgroups...
kata-containers/kata-containers#4610

Fixes: #431
Signed-off-by: Bandan Das <bsd@redhat.com>
mattarnoatibm added a commit to mattarnoatibm/cloud-api-adaptor that referenced this issue Jan 3, 2023
* proto: Add TTRPC proto for VM info

This patch adds the TTRPC proto definition for querying the VM ID
of a pod VM. Each cloud provider may implement this service
to provide VM information.

Fixes #112

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* aws: Add support for AWS AMI generation using packer tool
Fixes: #6

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: remove internal sandbox data at the end of StopVM method

Fixes: #123

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>

* deploy: Add artifacts to create pre-install container image

Fixes: #121

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* deploy: Add artifacts to create runtime payload container image

Fixes: #121

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* deploy: Add deployment manifests

Fixes: #121

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* deploy: Add README for operator install and payload image creation

Fixes: #121

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* deploy: Ignore built binaries

Fixes: #121

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: create kubelet dir for CSI node plugin

Fixes: #128

Signed-off-by: Lei Li <cdlleili@cn.ibm.com>

* libvirt: remove mac address generation

libvirt can generate a unique mac address if the network
section of the XML does not mention it. To simplify the code,
remove the mac generation logic from the libvirt provider.

Fixes: #117

Signed-off-by: Bandan Das <bsd@redhat.com>

* proxy: fetch imageName from digest via cri grpc

Fixes: #126
Signed-off-by: huoqifeng <huoqif@cn.ibm.com>

* aws: Use caller's context
Fixes: #131

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud|aws: Mask cloud configuration sensitive fields

- Created tests to check approach works as designed
- Added utility function to redact provided fields
- Add redacting implementation for IBM cloud and AWS config type

Partial Fixes: #83 (Doesn't solve `ps -ef | grep cloud-api-adaptor` exposure)

Signed-Off-By: James Tumber <james.tumber@ibm.com>

* go: Update go.sum

Reflect updates in the kata-containers CCv0-peerpod branch.

Fixes #141

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: add cri_runtime_endpoint variable

Fixes: #139
Signed-off-by: huoqifeng <huoqif@cn.ibm.com>

* ibmcloud: Add --workdir option

Add an option to change working directory to store
temporary QCOW2 images.  We can speed up image
builds by storing temporary images on tmpfs.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Add SUDO variable

We can build a pod VM image with a non-root user as follows.

  make SUDO=sudo build

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Run update-grub

Fixes #143

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* libvirt: Fix context handling
Fixes: #131

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Fix context handling
Fixes: #131

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: switch to golang 1.18 for containerd
Fixes: #146

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* golang: bump up golang version
Fixes: #146

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ci: bump up golang version
Fixes: #146

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* pkg/util: Implement agent protocol redirector

Implement a common library for redirecting agent
protocol RPC calls.

Fixes: #150

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg/adaptor: Refactor proxy service with agentproto.Redirector

Use the agent proto redirector library in the agent proxy
of cloud-api-adaptor.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg/forwarder: Rename packages for refactoring

The packages in agent-protocol-forwarder have confusing names.
This change refactors such package names.

pkg/forwarder/daemon.go daemon.Daemon
  -> pkg/forwarder/forwarder.go forwarder.Daemon
pkg/forwarder/agent/agent.go agent.Forwarder
  -> pkg/forwarder/interceptor/interceptor.go interceptor.Interceptor

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg/forwarder: Refactor to use redirector package

This change adds an agent proxy service in
agent-protocol-forwarder.

Fixes #152

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg/forwarder: Add agent proto logging

Add logging for the following methods.
* CreateContainer
* StartContainer
* RemoveContainer
* CreateSandbox

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg: Move DNS workaround to forwarder

This patch moves the workaround for the DNS issue
from cloud-api-adaptor to agent-protocol-forwarder.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg/forwarder: Specify netns in container spec

This patch inserts a network namespace path into the container
spec, so that kata-agent creates containers in the specified
network namespace.

Fixes #109

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* image: Remove unused option

The -host-interface option is not used in the VXLAN
mode, so this patch removes it from systemd service
definitions.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* image: Stop using nsenter

This patch changes VM image build files to stop
using the nsenter command to specify a network
namespace for pod networking.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* build: Build cleanups

A few steps were missing from the docs, which resulted in failed
builds for anyone starting with building the different components.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: add build tags

aws build tag was missing from the code files

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: add build tags

ibmcloud build tag was missing from the code files

Fixes #156

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: add skip_verify_console variable

Allows skipping of console output during verify

Fixes: #89
Signed-off-by: Georgina Kinge <georgina.kinge@ibm.com>

* aws: redact additional config fields

The access key id also needs to be redacted during logging.
Further, one of the logging statements was not redacting the fields.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Redact sensitive fields from service log

One of the logger statements was not redacting the sensitive fields.

Fixes: #160

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: Make EC2 launch template name configurable

Fixes: #158

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: create image using packer

Fixes: #148
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: Update README to include image build instructions

Fixes: #148
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: Update images based on latest changes

Fixes: #162
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: run cloud-api-adaptor from within a pod

Supports only libvirt and aws cloud providers

- build the container image by running:
  $ podman build --build-arg CLOUD_PROVIDER=<aws|libvirt> .

- deploy:
  1. kubectl apply -f install/yamls/deploy.yaml
  2. kustomize the cloud provided specific settings under install/overlays/<aws|libvirt>/kustomization.yaml
  3. kubectl apply -k install/overlays/<aws|libvirt>

- delete:
  $ kubectl delete -k install/overlays/<aws|libvirt>

* from kustomize POV install/yamls/ is the base and overlays are under install/overlays/*

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Fixes: #5

* Makefile: add image deploy and delete targets

make image - build image using $engine and push it to $registry
make deploy - deploy peer-pods to a configured cluster according to
  the pre-configured install/overlays/$(CLOUD_PROVIDER)/kustomization.yaml
make delete - deletes peer-pods

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* docs: cloud-api-adaptor in a pod installation

and building instructions.
While here, fix previous formatting.

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* ci: fix test issue due to sudo usage

Fixes: #165

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: set skip_verify_console in terraform configs

Fixes: #168

Set the skip_verify_console variable in the IBM Cloud
Terraform configurations.

Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>

* docs: update aws doc

mention installation of packer's Amazon plugin

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* install: fix caa pod deployment

add missing kustomization.yaml file
update runtime-payload tag
modify Dockerfile to avoid shipping unnecessary files

Fixes: #170
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* gitignore: Add binaries to ignore

- Ignore cloud-api-adaptor and agent-protocol-forwarder binaries.
- Ignore .vscode directory.

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

* azure: Add initial skeleton

- Add skaffold code.
- Add placeholder functions.
- Add azure config structs.
- Register azure driver.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: Provide command line options

Add azure specific command line options.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* go: Update dependencies for azure

- Add azure SDK dependencies.
- Upgrade go version to 1.18

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: Add network interface to the machine

Add code to create a network interface for the machine.

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

* azure: Add a flag for public SSH key

Take the path to the public SSH key from the user.

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

* azure: Create pod VM image using packer

- Add packer configs for Azure VM image creation.
- Add docs on building the image and using CAA.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: Add VM creation code

Add code to create VM instance with all the necessary parameters.

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

* azure: Add VM deletion code

- Delete instance.
- Delete disk.
- Delete NIC.

Fixes: #120

Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>

* install: disable suffix generation for configmap and secrets

Fixes: #173

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* go: Remove unnecessary replace directive in go.mod

go.mod has a replace directive for google.golang.org/genproto. This
is a workaround for a problem related to the TTRPC package. The problem
has been fixed, and we no longer need the workaround.

Fixes #175

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* go: Reintroduce workaround for TTRPC issue

This change reverts 540890f

Fixes #180

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Enable cross-region cos endpoints

- Allow the user to create and use a cross-region cos bucket
- Made uploads on slower networks more reliable by doing multipart uploads

Fixes #169

Signed-Off-By: James Tumber <james.tumber@ibm.com>

* doc: COS region selection documentation

Updated the README.md for the ibmcloud terraform end to end configuration.

Fixes #169

Signed-Off-By: James Tumber <james.tumber@ibm.com>

* aws: fix usage of aws-region command line param

Fixes: #178

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* Dockerfile: use same image for building and executing

as it's easy to miss dependencies during development
(such as ca certificates or protobuf)

Fixes: #182
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* install: enable installation when crio is used

set its configuration files etc.

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Fixes: #184

* install: update runtime-payload image

to include latest commits and a shim patch to return actual
pid in GetPid

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* docs: remove installation caa as service instructions

as we use the caa in pod installation as default

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* install: allow libvirt ssh key authorization

by passing the ssh private key to the container

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Fixes: #186

* webhook: update sdk and deps

Fixes: #190

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* webhook: Update install and dev instructions

Fixes: #190

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: add resource management webhook deployment instructions

Fixes: #190

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* build: bump go deps to fix build issues

Fixes: #194

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: add missing ssh_mount.yaml file

which is needed in order to mount the ssh key with libvirt

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Fixes: #192

* ibmcloud: Embed pause container image

Fixes #196

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* doc: update readme

1. fix incorrect link to webhook doc
2. Add link to install guide in the main readme
3. Fix minor formatting issues

Fixes: #200

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Use normal Unix domain socket

Fixes #198

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* pkg: Improve error handling at dialing socket

This patch fixes incorrect error handling in the redirector,
and also introduces retry logic at dialing kata-agent.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Build static libseccomp for kata-agent

Fixes #206

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Define GOPATH for Ansible build

Fixes #208

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>

* ibmcloud: Use variables for source code repos

This patch removes hard-coded source code repository
URLs and branch names, and introduces variables to
specify them. The default values are the original
hard-coded ones.

Fixes #211

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: refactor the way that GOPATH is set

Fixes #213

Signed-off-by: Dave Hay <david_hay@uk.ibm.com>

* go: Update go.sum to use the upstream CCv0 branch

The PR of remote hypervisor support has been merged.

We can switch from the CCv0-peerpod branch at
https://github.com/yoheiueda/kata-containers
to the CCv0 branch at
https://github.com/kata-containers/kata-containers

Fixes #215

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Update Terraform to use upstream CCv0

Update the Terraform variables to specify the
upstream CCv0 branch.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ci: Update workflows not to clone Kata repo

Kata containers repo is no longer necessary
to build cloud-api-adaptor.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* docker: Update Dockerfile to use the upstream CCv0

Checkout the upstream Kata Containers CCv0 branch
to build container image for cloud-api-adaptor.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* doc: Update documentation to use upstream CCv0

Update the repository URL for the CCv0 branch to the
upstream one.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* azure: add provider to documentation

Fixes #220

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>

* azure: remove SubnetName and VnetName flags

Fixes: #221

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>

* vsphere: Initial CAA implementation

Fixes #135

Signed-off-by: Cathy Avery <cavery@redhat.com>

* pkg/forwarder: create non-existing mount source dir

Fixes #128

Signed-off-by: Lei Li <cdlleili@cn.ibm.com>

* libvirt: embed pause container image in the pod VM image

Fixes: #202

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: embed pause container image in the pod VM image

Fixes: #201

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: embed pause container image in the pod VM image

Fixes: #203

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: Update runtime payload image with latest kata runtime changes

Fixes: #231

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: fix copy-files.sh script to copy pause image

Fixes: #233

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: fix copy-files.sh script to copy pause image

Fixes: #233

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: fix copy-files.sh script to copy pause image

Fixes: #233

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* git: update top-level gitignore

Don't track different binaries used in the POD VM image

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: Build static libseccomp for kata-agent for aws

Fixes: #234

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: Build static libseccomp for kata-agent

Fixes: #234

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: Build static libseccomp for kata-agent

Fixes: #234

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* vsphere: Add container image support for deployment

Fixes: #224

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: allow pod VM creation without using a launch template

Fixes: #122

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* git: Update gitignore file to include only built binaries

The existing entries were resulting in ignoring changes to
a few code files as well.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: Disable EC2 launchtemplate usage by default

Fixes: #122

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: Update kustomization file

Fixes: #122

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* aws: remove templating from kustomization.yaml

as it's not used anymore

Fixes: #239
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* docs: update development prerequisites

with g++

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* build.sh: clean manifest cache after push

in all image build scripts
see: https://github.com/docker/cli/issues/954

Fixes: #242
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* aws: fix aws provider cloud image

Fixes: #245

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* cmd: remove logging of all parameters without redaction

Fixes: #247

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* vsphere: redact sensitive parameters from logging

redact username and password

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podnetwork: Parameterize VXLAN port and ID

Fixes #244

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: deploy ibmcloud provider as a pod

Fixes: #255

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* image: quote all the shell variables

Quote all the shell variables to prevent globbing and word splitting

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: Fix the volume spec in cri_runtime_endpoint.yaml file

The 'Socket' type needs to be part of hostPath instead of volumes.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* vsphere: Set data center before looking for template

Fixes #249

Signed-off-by: Cathy Avery <cavery@redhat.com>

* caa-pod: run in fedora container

to avoid security risks from old pkgs

Fixes: #254
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* vsphere: Add option command line settings as defined by kustomization.yaml

Fixes #250

Signed-off-by: Cathy Avery <cavery@redhat.com>

* forwarder: log when processing pull image requests

Add logging at processing pull image requests.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* adaptor: do not send CID in a pull image request

Fixes #259

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* adaptor: Correct pod names reported by cri-o

cri-o reports sandbox names in a different
format than containerd.

This patch corrects pod names reported by cri-o so that
they are consistent with containerd.

Fixes #261

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* install: fix optionals var expansion in entrypoint.sh

Fixes: #266

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Use image.rs instead of skopeo

This patch removes the skopeo and umoci commands
from the pod VM image.

We can still install skopeo and umoci commands
by setting the optional variable USE_SKOPEO.

Fixes #256

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* aws: Use image.rs instead of skopeo

This patch removes the skopeo and umoci commands
from the pod VM image.

We can still install skopeo and umoci commands
by setting the optional variable USE_SKOPEO.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* libvirt: Use image.rs instead of skopeo

This patch removes the skopeo and umoci commands
from the pod VM image.

We can still install skopeo and umoci commands
by setting the optional variable USE_SKOPEO.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* azure: Use image.rs instead of skopeo

This patch removes the skopeo and umoci commands
from the pod VM image.

We can still install skopeo and umoci commands
by setting the optional variable USE_SKOPEO.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* proxy: parameterise pause image

Fixes: #268
This change parameterizes the pause image with the default set to the existing
one.
This change makes it possible to provide a different pause image as
required by the K8s distribution, for example OpenShift.
Also rearranged the hypervisor options for better readability.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: Add pause image option

Fixes: #268
Include pause image option for the configmap and the entrypoint script

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* Azure: update readme

Some information about routing table and adding routing table to VNET
subnet was missing.

Fixes: #270

Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* util: Add CreateInstanceName function

This function generates a VM instance name from
sanitized values of node name, pod namespace, pod
name, and sandbox ID.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Sanitize strings when generating VM name

hvutil.CreateInstanceName sanitizes input string values,
and then generates a VM name.

Fixes #265

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* libvirt: Sanitize strings when generating VM name

hvutil.CreateInstanceName sanitizes input string values,
and then generates a VM name.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* aws: Sanitize strings when generating VM name

hvutil.CreateInstanceName sanitizes input string values,
and then generates a VM name.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* azure: Sanitize strings when generating VM name

hvutil.CreateInstanceName sanitizes input string values,
and then generates a VM name.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* vsphere: Sanitize strings when generating VM name

hvutil.CreateInstanceName sanitizes input string values,
and then generates a VM name.

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* webhook: allow configuration options via env variables

Fixes: #272

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: cri-endpoint as optional

Align ibmcloud cri-endpoint handling with other providers to avoid duplication in optionals.

Fixes: #279

Signed-off-by: James Tumber <james.tumber@ibm.com>

* azure: populate sandbox vm name earlier

Fixes: #275

There might be a state in which the creation of a VM has been triggered
but the respective api call hasn't returned yet. If a create-vm call is
then cancelled at the call site due to a timeout, the VM resources will
not be garbage collected, because the sandbox's vm name has not been
populated yet.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>

* webhook: Add env variables to deployment manifest

Fixes: #278

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: mask sensitive fields in cloud config

- Use redacted config in log output

Partially Fixes #83

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>

* webhook: Remove duplicate golang imports

Fixes: #282

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* cmd: Take sensitive defaults from environment variables

Adds `os.Getenv` option to each sensitive field.

Fixes: #83

Signed-off-by: James Tumber <james.tumber@ibm.com>

* Azure: Create caa image

This adds the CAA image for the azure provider

Fixes: #226
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* Makefile: Add help target

This enables listing all the make targets and their descriptions using
the `make help` command.

Fixes: #288
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* image: Fix dependency for skopeo and umoci

Fixes #295

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* azure: Rename resource_group_name

resource_group is the azure standard, so it was changed.

Fixes: #298
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* vsphere: Use session manager to issue keep alive pings to vcenter

Fixes #253

Signed-off-by: Cathy Avery <cavery@redhat.com>

* caa-peer-pods: Run as Daemonset

Fixes: #293
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* azure: use IMAGE_NAME for images

The final image that is built should have a generic name instead of
something random like a uuid.

Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* aws: use IMAGE_NAME for images

The final image that is built should have a generic name instead of
something random like a uuid.

Fixes: #300
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* docs: Update README and architecture diagram

Fixes: #303

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* webhook: update webhook manifest to avoid deadlock

Fixes: #305

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* operator: Update kustomize to use DaemonSet

Update the cri_runtime_endpoint kustomize patch to apply to
a DaemonSet called cloud-api-adaptor-daemonset rather than the
Deployment called cloud-api-adaptor-deployment to match the change in
#297

Fixes: #308
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* Actions: Add jobs for building caa images

When the code is pushed to the staging branch, we need container images
for different cloud providers to be built automatically.

Fixes: #205
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* entrypoint: exec cloud-api-adaptor process

also use exec form in Dockerfile

Fixes: #289
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* install: fix optionals parameter handling in the entrypoint script

Fixes: #316

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* all: remove secrets from entrypoint.sh

These secrets can be passed in as environment variables.

Fixes: #313

Signed-off-by: James Tumber <james.tumber@ibm.com>

* libvirt: adapt ssh_mount to DaemonSet

Fixes: #293
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* hvutil: Truncate too long instance name

Fixes #323

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>

* ibmcloud: Increase remote hypervisor timeout

Increase the timeout to 10 mins from the default 1 min to avoid errors when
pulling bigger images

Fixes: #334
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* ibmcloud: Remove sig verification

Add agent image section to stop signature verification
being enabled

Fixes: #331
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* aws: Remove sig verification

Add agent image section to stop signature verification
being enabled

Fixes: #331
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* azure: Remove sig verification

Add agent image section to stop signature verification
being enabled

Fixes: #331
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* libvirt: Remove sig verification

Add agent image section to stop signature verification
being enabled

Fixes: #331
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* agent-config: Workaround for bug

Temp workaround for bug kata-containers/kata-containers#5590 to
allow endpoints to work in agent-config.toml

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* vsphere: Reauthorize session when session is invalidated due to error

Fixes #330

Signed-off-by: Cathy Avery <cavery@redhat.com>

* azure: rename AZURE_SECRET to AZURE_CLIENT_SECRET

Fixes: #340

The latter is the proper env name and it's also used in code.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>

* all: remove redundant cri runtime endpoint configuration

Setting CRI_RUNTIME_ENDPOINT defines only the in-container side socket
path, the pre-defined default fixed address should work for both
containerd and crio.

Fixes: #333
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* CI: enhance with go check and escapes detect
Fixes: #320

Signed-off-by: Sam Yuan <yy19902439@126.com>

* aws: retrieve instance metadata from IMDS

if not explicitly set, retrieve subnet-id, region and key-name from
AWS Instance Metadata Service

Fixes: #315
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* aws: remove automatically retrieved variables

and fix entrypoint.sh

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* aws: retrieve security groups from IMDS

if it was not set.
NOTE: it is allowed to retrieve multiple SGs

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* webhook: add kind-delete target

Running `make kind-delete` will delete the created kind cluster.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

* webhook: give Kind some time to fully start

Passing the --wait=120s argument to Kind so that it will be given some
time to be ready.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

* webhook: add automated tests and runner script

This adds three Bats tests for the webhook:
 - test it can mutate a pod
 - test it should not mutate non-peerpods
 - test default parameters can be changed

The last one is skipped because it is not passing.

A runner script (run-local.sh) is also introduced which will
bootstrap the test environment with Kind and afterwards run those tests.
At the end of the execution the cluster and created resources are
deleted, however, you can retain them by running the script in debug
mode:

 $ ./tests/e2e/run-local.sh -d

However, the recommended way to run the e2e is with `make`:

$ make test-e2e

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

* github: add CI workflow for the webhook component

Added a GitHub workflow that will run the end-to-end tests in case a
pull request changes the webhook.

Fixes #291
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

* webhook: pin the k8s version created on kind-cluster

Ensure the k8s installed with kind is a known version rather than
the latest. The same version is used on the other non-e2e tests.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

* entrypoint: make optionals oneliner

for shorter functions

Fixes: #326
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* doc: add tips for network debugging
Fixes: #347

Signed-off-by: huoqifeng <huoqif@cn.ibm.com>

* docs: Update install instructions

Instead of using the binary and manually updating command line flags
when running CAA, users can make use of daemonset to run CAA now.

Fixes: #294
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* doc: add collaborations information
Fixes: #352

Signed-off-by: huoqifeng <huoqif@cn.ibm.com>

* doc: format collaboration info
Fixes: #352

Signed-off-by: huoqifeng <huoqif@cn.ibm.com>

* vsphere: use packer to create the podvm template

Mostly, derived from its libvirt counterpart, this script creates
an esx guest from a standard ubuntu iso and then converts it into a template.

Standard settings are in settings.auto.pkrvars.hcl. vsphere config is
expected in vsphere.auto.pkrvals.hcl which will be created by the Makefile
if not present; user-data.pkrtpl.hcl contains the autoinstall template.

The automated input of characters at boot to start autoinstall is kind of
flaky, the currently working sequence is defined in boot_command of the main
script.

Fixes: #337
Signed-off-by: Bandan Das <bsd@redhat.com>

* podnetwork: Handle network interface with multiple addresses

Fixes: #357

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: remove manual route creation

When using Calico CNI, it was unexpectedly dropping VXLAN packets
unrelated to calico. To avoid manual route creation one has to configure
VXLAN encapsulation on calico and a new VXLAN UDP port is used rather
than the default one.

Fixes: #359
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>

* aws: enable overriding of default vxlan port via configmap

Fixes: #361
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* azure: enable overriding of default vxlan port via configmap

Fixes: #361
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: enable overriding of default vxlan port via configmap

Fixes: #361
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: enable overriding of default vxlan port via configmap

Fixes: #361
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* vsphere: enable overriding of default vxlan port via configmap

Fixes: #361
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* install: enable overriding of default vxlan port via configmap

Fixes: #361

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Update image mount points

Update the mount points of the directories that images
are unpacked into, to avoid the tmpfs size restrictions

Fixes: #338
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* aws: Update image mount points

Update the mount points of the directories that images
are unpacked into, to avoid the tmpfs size restrictions

Fixes: #338
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* azure: Update image mount points

Update the mount points of the directories that images
are unpacked into, to avoid the tmpfs size restrictions

Fixes: #338
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* libvirt: Update image mount points

Update the mount points of the directories that images
are unpacked into, to avoid the tmpfs size restrictions

Fixes: #338
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* vsphere: Update image mount points

Update the mount points of the directories that images
are unpacked into, to avoid the tmpfs size restrictions

Fixes: confidential-containers#338
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* libvirt: update installation instructions

and volume creation required sizes

Fixes: #365
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* ibmcloud: Make keygen.sh work on MacOS

Use ssh-copy-id -f if the OS is MacOS (Darwin)

Fixes: #34
Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>

* aws: allow authentication against container image registries

from within the podvm
also, while here, update instructions

Fixes: #367
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* libvirt: allow authentication against container image registries

from within the podvm

Fixes: #367
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* azure: allow authentication against container image registries

from within the podvm

Fixes: #367
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* vsphere: allow authentication against container image registries

from within the podvm

Fixes: #367
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* all: introduce common image directory

- Adds Makefile which has the common code between providers
- Common files, copy-files.sh, services, etc

Each provider can implement their own targets as there is variation (build, push, etc)

Fixes #314
Signed-off-by: James Tumber <james.tumber@ibm.com>

* docs: Add network topology diagrams when using vxlan

Fixes: #373
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podnetwork: Fix networking when using OVS

When using OVS (OpenvSwitch) based CNIs like openshift-sdn or
ovn-kubernetes, POD IPs are unreachable from the cluster nodes (worker
or controller).
There are two issues at play here
- OVS based CNIs use flow rules specific to the mac address of the pod. And
the pod mac address is used from the CNI created namespace on the worker
node. However, the container process which runs in the Pod VM uses a
different mac address and unless the flow rules are updated with the mac
address from the Pod VM, the Pod IP is not reachable from the cluster nodes
- Certain CNIs (eg ovn-kubernetes) disable ARP broadcast and use the pod
mac address assigned by the CNI. However, it doesn't match the mac
address used in the Pod VM and hence packets are received by the Pod VM with
an incorrect dst address over the vxlan tunnel

To fix the issues, this PR uses the CNI assigned MAC address for the POD
VM vxlan0 interface.

Fixes: #369
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podnetwork: update test cases to use pod mac address

Fixes: #369

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* vsphere: Add redaction of private config info

Fixes #377

Signed-off-by: Cathy Avery <cavery@redhat.com>

* libvirt: Ensure pod VMs get unique DHCP ip

Remove machine-id when creating base qcow2 image for
Pod VM. This ensures that pod VMs created from the same image
get unique DHCP IPs

Fixes: #363

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Use common Makefile for image build

- Include podvm Makefile
- Remove duplicate code

Fixes: #382
Signed-off-by: James Tumber <james.tumber@ibm.com>

* ibmcloud: remove image files, replaced by podvm/files

Fixes: #382
Signed-off-by: James Tumber <james.tumber@ibm.com>

* vsphere: Ensure pod VMs get unique DHCP ip

Remove machine-id when creating base qcow2 image for
Pod VM. This ensures that pod VMs created from the same image
get unique DHCP IPs.

Backported from the libvirt version for #376

Fixes: #363

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: Bandan Das <bsd@redhat.com>

* libvirt: separate out the ubuntu packer template into a separate dir

Move ubuntu target to its own separate folder so that
we can keep the same call to packer build when we introduce
rhel. The IMAGE_FILE target in Makefile is also slightly changed so that it
can be reused when we introduce the rhel image build.

Packer limitations: Another reason for doing it this way is that packer
does not give an easy way to have two separate build scripts in the same
dir. We can either add all builders to the same script file or as we do here,
separate out the builds into their own dirs. It does add some code duplication,
specifically the variable definitions.

No functional change.

Fixes: #384
Signed-off-by: Bandan Das <bsd@redhat.com>

* libvirt: add option to build a rhel podvm image

Create a new qemu builder for handling rhel builds.
The provisioners also need slight modifications, mainly to
take care of selinux relabeling.

Fixes: #384
Signed-off-by: Bandan Das <bsd@redhat.com>

* ibmcloud: fix some strings for ibmcloud document
Fixes: #392

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>

* podvm: restart agent-protocol-forwarder on failure

RHEL 9 is encountering an issue where cloudconfig init hasn't
completed before agent-protocol-forwarder starts and it fails because it
can't find /peerpods/daemon.json. Restart the service on failure.

Fixes: #388

Suggested-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: Bandan Das <bsd@redhat.com>

* aws: use common makefile for generating the AMI image

Fixes: #399
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podvm: unmount misc cgroup as it's not handled by kata

Ref issue:
https://github.com/kata-containers/kata-containers/issues/4610

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: remove ssh_mount.yaml

it's not needed as the ssh key mount configuration is defined globally

Fixes: #401
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* vsphere: template: add a force flag option

Makes it convenient to overwrite the existing template without having
to manually delete it.

Fixes: #397
Signed-off-by: Bandan Das <bsd@redhat.com>

* vsphere: template: separate out ubuntu into its own dir

A couple of renames and the introduction of PODVM_DISTRO as we
have for libvirt. This makes sure that we can add other distros
to be run by packer.

Fixes: #397
Signed-off-by: Bandan Das <bsd@redhat.com>

* vsphere: template: add rhel podvm image

Creates a RHEL podvm packer template for vsphere from an installable iso.

Fixes: #397
Signed-off-by: Bandan Das <bsd@redhat.com>

* vsphere: Add error log statement to NewServer

Fixes #409

Signed-off-by: Cathy Avery <cavery@redhat.com>

* controller: add peer-pod-controller

This adds a controller to handle the peer-pod components lifecycle as
described in issue #328.

It is a minimal implementation and needs further improvement in the
future but it is enough to get started.

I propose that we include this in a subdirectory of peer-pod-controller

Fixes #328

Signed-off-by: Jens Freimann <jfreimann@redhat.com>

* podvm: Add support for creating podvm qcow2 image within container

Sample execution to build for libvirt provider:

cd podvm
docker build -t podvm_builder -f Dockerfile.podvm_builder .
docker build -t podvm_libvirt --build-arg BUILDER_IMG=localhost/podvm_builder:latest \
       --build-arg CLOUD_PROVIDER=libvirt -f Dockerfile.podvm .

Sample execution to build for aws provider:

cd podvm
docker build -t podvm_builder -f Dockerfile.podvm_builder .
docker build -t podvm_aws --build-arg BUILDER_IMG=localhost/podvm_builder:latest \
       --build-arg CLOUD_PROVIDER=aws -f Dockerfile.podvm .

Fixes: #391

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* libvirt: Build pod vm image from within the 'podvm' dir

Use the generic qcow2 generation method for libvirt

Sample execution

For non-container builds,
cd podvm
CLOUD_PROVIDER=libvirt make image

For container builds,
cd podvm
docker build -t podvm_builder -f Dockerfile.podvm_builder  .
docker build -t podvm_libvirt --build-arg CLOUD_PROVIDER=libvirt \
        --build-arg BUILDER_IMG=localhost/podvm_builder:latest -f Dockerfile.podvm .

Fixes: #391

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* git: Ignore binary files

Remove binary files from git tracking

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podvm: Force code download to specific directory

Ensure the source code is explicitly downloaded to specific directories
kata-containers: source code for kata containers
cloud-api-adaptor: source code for remote hypervisor implementation

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podvm: Allow overriding ubuntu image url via build arg

Allow overriding ubuntu image url and checksum via build
arguments

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podvm: Add Attestation agent to make file
- Add attestation agent if AA_KBC has been set
- Add LIBC to the makefile
- Add steps to update the agent-config.toml
- Add default aa_kbc_params & update config automatically

Fixes: #390
Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>

* docs: Add steps for setting up the attestation agent in ibmcloud
- Update the readme to include the steps for setting up and running the agent
- including the steps for setting up authenticated registry support

Fixes: #390
Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>

* docs: Update AWS readme to use attestation agent
- Update readme to include how to set up the Attestation agent for authenticated registry

Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>

* install: avoid ccruntime configuration duplication

by using kustomize

Fixes: #410
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* vsphere: Make more inputs mandatory

vcenter url, datastore, and datacenter are now mandatory

Fixes #415

Signed-off-by: Cathy Avery <cavery@redhat.com>

* podvm: Fix incorrect download folder for kata containers

Fixes: #418

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* podvm: Add cleanup helper

- Delete the ttrpc server socket when it stops

This helps handle podvm restarts, including during podvm image creation.

Fixes: #420

Signed-off-by: James Tumber <james.tumber@ibm.com>

* controller: fix wrong go module import

This should have been changed before I sent the pull request. Change it
now to use code from this repo instead of my private github repo.

Fixes #423

Signed-off-by: Jens Freimann <jfreimann@redhat.com>

* ibmcloud: generate an IBM Secure Execution image
- add document for IBM Secure Execution support
- update build.sh script to generate an IBM Secure Execution image
- support multiple different host keys
- using luks encrypted root partition

Fixes: #406

Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
Co-authored-by: leilibj <cdlleili@cn.ibm.com>

* vsphere: template: workaround ks user bug

RHEL8 kickstarts do not seem to recognize the isencrypted flag to the
user command. Use plaintext instead, which works universally.
While at it, also make username/password configurable.

Fixes: #429

Signed-off-by: Bandan Das <bsd@redhat.com>

* controller: fix typo in environment variable for peerpods namespace

Fix a simple typo that led to the cloud-api-adaptor daemon set not being
created.

Fixes #424

error message:
"Failed setting ControllerReference for cloud-api-adaptor DS"

Signed-off-by: Jens Freimann <jfreimann@redhat.com>

* vsphere: template: unmount misc cgroup as it's not handled by kata

Now that we are using legacy cgroups...
https://github.com/kata-containers/kata-containers/issues/4610

Fixes: #431
Signed-off-by: Bandan Das <bsd@redhat.com>

* ibmcloud: build: fix missing nbd devices
Fix missing nbd devices the first time the cleanup
subroutine in the build.sh script is called due
to the nbd module not being loaded.

Fixes: #433

Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>

* all: inject passed auth.json credentials file to podvm

to authenticate with image registries, requires skopeo support
in the podvm

Fixes: #380
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* all: support image-rs registries authentication

by converting the auth.json file to a resources file and passing it to
the offline kbc expected file path

requires AA_KBC="offline_fs_kbc" at image build

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* image: support aa-offline_fs_kbc-resources.json placing

so that it will be copied if provided at image build

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* all: update authenticated registries instructions

and merged common instructions

Signed-off-by: Snir Sheriber <ssheribe@redhat.com>

* podvm: Add support for building CentOS based podvm image

Following are key changes to support both CentOS and Ubuntu based podvm images
- Uses common cloud-init user specified via userdata
- Makes it configurable to specify LIBC for kata-agent/rust builds
- Separate distro specific Dockerfiles
- Disables login for the ssh user (peerpod)

Fixes: #434

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

* ibmcloud: Bump version of go

Install version 1.19.3 of go in the Ansible playbook to match the
kata-containers minimum version

Fixes: #440
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

* ibmcloud: install: Add disable selinux to kata config
Add disable_guest_selinux = true to the kata
configuration on the k8s worker.

Fixes: #437

Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>

Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
Signed-off-by: Lei Li <cdlleili@cn.ibm.com>
Signed-off-by: Bandan Das <bsd@redhat.com>
Signed-off-by: huoqifeng <huoqif@cn.ibm.com>
Signed-off-by: James Tumber <james.tumber@ibm.com>
Signed-off-by: Georgina Kinge <georgina.kinge@ibm.com>
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Signed-off-by: Dave Hay <david_hay@uk.ibm.com>
Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Signed-off-by: Cathy Avery <cavery@redhat.com>
Signed-off-by: Kautilya Tripathi <ktripathi@microsoft.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Signed-off-by: Sam Yuan <yy19902439@126.com>
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Jens Freimann <jfreimann@redhat.com>
Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>
Co-authored-by: Yohei Ueda <yohei@jp.ibm.com>
Co-authored-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Co-authored-by: Da Li Liu <liudali@cn.ibm.com>
Co-authored-by: Lei Li <cdlleili@cn.ibm.com>
Co-authored-by: Bandan Das <bsd@redhat.com>
Co-authored-by: huoqifeng <huoqif@cn.ibm.com>
Co-authored-by: James Tumber <james.tumber@ibm.com>
Co-authored-by: Georgina Kinge <georgina.kinge@ibm.com>
Co-authored-by: Snir Sheriber <ssheribe@redhat.com>
Co-authored-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Co-authored-by: Dave Hay <david_hay@uk.ibm.com>
Co-authored-by: Magnus Kulke <magnuskulke@microsoft.com>
Co-authored-by: Cathy Avery <cavery@redhat.com>
Co-authored-by: Kautilya Tripathi <tripathi.kautilya@gmail.com>
Co-authored-by: Kautilya Tripathi <ktripathi@microsoft.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Sam Yuan <yy19902439@126.com>
Co-authored-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Co-authored-by: snir911 <snir911@gmail.com>
Co-authored-by: Pradipta Banerjee <bpradipt@users.noreply.github.com>
Co-authored-by: Jens Freimann <jfreimann@redhat.com>
Co-authored-by: Jordan Jackson <jordan.jackson@ibm.com>
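The two "unmount misc cgroup" commits above (podvm and vsphere template) work around this issue by removing the cgroup v1 misc hierarchy from the pod VM before kata-agent runs. The script below is an added example, not the cloud-api-adaptor or kata-containers project's own code: it parses mountinfo(5) to find every cgroup v1 mount whose super options carry the `misc` controller, so only that hierarchy is touched and a cgroup2 unified mount is left alone. The function names and the sample mountinfo lines are constructed for the example; `unmount_misc_cgroups` is the only part that changes the host and needs root.

```shell
# Added example (not the cloud-api-adaptor or kata-containers project's own code).
# Finds cgroup v1 mounts that carry the "misc" controller, the controller this
# issue says cgroup-rs/rustjail cannot handle, so they can be unmounted in the
# pod VM before kata-agent starts. Only legacy (v1) "cgroup" filesystems match;
# a cgroup2 unified mount never does, which is the intended behaviour.

# Parse mountinfo(5) lines from stdin and print the mount point of every
# "cgroup" (v1) filesystem whose super options include "misc".
# mountinfo fields: id parent major:minor root mount_point mount_opts
#   [optional fields ...] - fstype source super_opts
find_misc_cgroup_mounts() {
    awk '{
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        fstype = $(sep + 1)
        super_opts = $(sep + 3)
        if (fstype != "cgroup") next
        n = split(super_opts, opt, ",")
        for (j = 1; j <= n; j++) if (opt[j] == "misc") { print $5; break }
    }'
}

# Unmount every misc cgroup v1 mount on the running system (needs root).
# Each path is unmounted individually so a failure is reported per mount.
unmount_misc_cgroups() {
    find_misc_cgroup_mounts < /proc/self/mountinfo | while read -r mp; do
        umount "$mp" || echo "failed to unmount $mp" >&2
    done
}

# Constructed mountinfo sample (not captured from a real host): a v1 cpu
# hierarchy, the v1 misc hierarchy, and a cgroup2 unified mount.
SAMPLE_MOUNTINFO='30 25 0:26 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,cpu,cpuacct
31 25 0:27 / /sys/fs/cgroup/misc rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,misc
32 25 0:28 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:11 - cgroup2 cgroup2 rw,nsdelegate'

# Run the parser over the sample and return the mount points it would unmount.
demo_misc_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | find_misc_cgroup_mounts
}

# On a pod VM, apply the workaround for real with:
#   unmount_misc_cgroups
```

Running `demo_misc_mounts` prints only `/sys/fs/cgroup/misc`; the cpu,cpuacct hierarchy and the cgroup2 mount are skipped because the match is on the super options of `cgroup`-type filesystems, not on the path name, so a misc hierarchy mounted somewhere other than /sys/fs/cgroup/misc is still found.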
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Aug 12, 2023
Ref issue:
kata-containers/kata-containers#4610

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
bpradipt pushed a commit to bpradipt/cloud-api-adaptor that referenced this issue Aug 12, 2023
Now that we are using legacy cgroups...
kata-containers/kata-containers#4610

Fixes: confidential-containers#431
Signed-off-by: Bandan Das <bsd@redhat.com>
wainersm pushed a commit to wainersm/cc-cloud-api-adaptor that referenced this issue Sep 5, 2023
Ref issue:
kata-containers/kata-containers#4610

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
wainersm pushed a commit to wainersm/cc-cloud-api-adaptor that referenced this issue Sep 5, 2023
Now that we are using legacy cgroups...
kata-containers/kata-containers#4610

Fixes: confidential-containers#431
Signed-off-by: Bandan Das <bsd@redhat.com>