runtime: Empty string for initrd not allowed for IBM Z Secure Execution #8692

Closed
BbolroC opened this issue Dec 18, 2023 · 0 comments · Fixed by #8693
Labels
bug Incorrect behaviour needs-review Needs to be assessed by the team.

BbolroC commented Dec 18, 2023

Description of problem

While verifying a document for IBM Z Secure Execution (SE) in #7146, it was observed that a kata container failed due to the following reason:

  Type     Reason                  Age               From     Message
  ----     ------                  ----              ----     -------
  Warning  FailedCreatePodSandBox  3s (x4 over 38s)  kubelet  Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim task: one of image and initrd must be set: unknown

It appears that when handling the image/initrd asset (as per issue #7716), we overlooked a specific rule for IBM Z SE systems. This rule, established by issue #3923, states that no initrd should be configured. We need to make the rule valid again.

@BbolroC BbolroC added bug Incorrect behaviour needs-review Needs to be assessed by the team. labels Dec 18, 2023
BbolroC added a commit to BbolroC/kata-containers that referenced this issue Dec 18, 2023
This is to reintroduce a configuration rule for IBM Z Secure Execution,
where no initrd path should be configured. For the TEE of interest,
only a kernel image should be specified with `confidential_guest=true`.

Fixes: kata-containers#8692

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@katacontainersbot katacontainersbot moved this from To do to In progress in Issue backlog Dec 18, 2023
BbolroC added a commit to BbolroC/kata-containers that referenced this issue Dec 19, 2023
This is to reintroduce a configuration rule for IBM Z Secure Execution,
where no initrd path should be configured. For the TEE of interest,
only a kernel image should be specified with `confidential_guest=true`.

Fixes: kata-containers#8692

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
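
The rule this issue restores, as an added Go sketch that is not the Kata Containers runtime code: the generic "one of image and initrd must be set" check is skipped for IBM Z SE, where a configured initrd is rejected instead. `BootAssets`, `ValidateBootAssets`, `isSecureExecution`, the s390x condition, the sample paths and every error string except the one quoted in the issue are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// BootAssets is a hypothetical stand-in for the hypervisor settings the
// issue discusses; it is not the Kata Containers configuration type.
type BootAssets struct {
	Arch                  string // e.g. "s390x" or "amd64"
	ConfidentialGuest     bool   // confidential_guest=true in the configuration
	Kernel, Image, Initrd string // asset paths; "" means not configured
}

// isSecureExecution reports whether the IBM Z SE rule applies (assumption:
// SE is selected by confidential_guest=true on an s390x host).
func isSecureExecution(a BootAssets) bool {
	return a.Arch == "s390x" && a.ConfidentialGuest
}

// ValidateBootAssets evaluates the SE rule before the generic image/initrd
// check, so the generic check cannot reject a valid SE configuration.
func ValidateBootAssets(a BootAssets) error {
	if a.Kernel == "" {
		return errors.New("kernel must be set")
	}
	if isSecureExecution(a) {
		// The page states only the initrd rule, so Image is not constrained here.
		if a.Initrd != "" {
			return errors.New("initrd must not be set for IBM Z Secure Execution")
		}
		return nil
	}
	switch {
	case a.Image == "" && a.Initrd == "":
		return errors.New("one of image and initrd must be set")
	case a.Image != "" && a.Initrd != "":
		return errors.New("image and initrd must not both be set")
	}
	return nil
}

func main() {
	// Constructed sample configurations with placeholder paths.
	se := BootAssets{Arch: "s390x", ConfidentialGuest: true, Kernel: "/path/to/se-image"}
	plain := BootAssets{Arch: "s390x", Kernel: "/path/to/kernel"}
	fmt.Println("SE, kernel only:    ", ValidateBootAssets(se))
	fmt.Println("non-SE, kernel only:", ValidateBootAssets(plain))
}
```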