Runtime-rs merge main #4614
Merged
liubin merged 60 commits into kata-containers:runtime-rs from Tim-0731-Hzt:runtime-rs-merge-main on Jul 12, 2022
Conversation
This commit updates the "Run Kata Containers with Kubernetes" to include cgroupDriver configuration via "KubeletConfiguration". Without this setting kubeadm defaults to systemd cgroupDriver. Containerd with Kata cannot spawn containers with systemd cgroup driver. Fixes: kata-containers#4262 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Policy for what's valid/invalid within the config varies by VMM, host, and by silicon architecture. Let's keep katautils simple for just translating a toml to the hypervisor config structure, and leave validation to virtcontainers. Without this change, we're doing duplicate validation. Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Depending on the user of it, the hypervisor from hypervisor interface could have differing view on what is valid or not. To help decouple, let's instead check the hypervisor config validity as part of the sandbox creation, rather than as part of the CreateVM call within the hypervisor interface implementation. Fixes: kata-containers#4251 Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Let's add a `default_maxmemory` configuration, which allows the admins to set the maximum amount of memory to be used by a VM, considering the initial amount + whatever ends up being hotplugged via the pod limits. By default this value is 0 (zero), and it means that the whole physical RAM is the limit. Fixes: kata-containers#4516 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR removes an unused kata configure docker script which was used in packaging for kata 1.x but not longer being used in kata 2.x Fixes kata-containers#4546 Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
…er-info kata-with-k8s: Add cgroupDriver for containerd
…ddocker packaging: Remove unused kata docker configure script
Let's adapt Cloud Hypervisor's and QEMU's code to properly behave to the newly added `default_maxmemory` config. While implementing this, a change of behaviour (or a bug fix, depending on how you see it) has been introduced: if a pod requests more memory than the amount available in the host, instead of failing to start the pod, we simply hotplug the maximum amount of memory available, mimicking better the runc behaviour. Fixes: kata-containers#4516 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Expose the newly added `default_maxmemory` to the project's Makefile and to the configuration files. Fixes: kata-containers#4516 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
While working on the previous commits, some of the functions became unused. Let's simply remove them. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Ideally this config validation would be in a separate package (katautils?), but that would introduce a circular dependency since we'd call it from vc, and it depends on vc types (which shouldn't be vc, but probably a hypervisor package instead). Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Prior device config move didn't update the comments. Let's address this, and make sure comments match the new path... Signed-off-by: Eric Ernst <eric_ernst@apple.com>
Return code is an int32 type, so if an error occurred, the default value may be zero, and this value will be created as a normal exit code. Setting the return code to 255 will let the caller (for example Kubernetes) know that there are some problems with the pod/container. Fixes: kata-containers#4419 Signed-off-by: liubin <liubin0329@gmail.com>
For 'tomlConfig' substructures stored in Golang maps - 'hypervisor' and 'agent' - BurntSushi doesn't preserve their previous contents as it does for substructures stored directly (e.g. 'runtime'). We use reflection to work around this. This commit adds three primitive operations to work with struct fields identified by their `toml:"..."` tags - one to get a field value, one to set a field value and one to assign a source struct field value to the corresponding field of a target. Signed-off-by: Pavel Mores <pmores@redhat.com>
These functions take a TOML key - an array of individual components, e.g. ["agent" "kata" "enable_tracing"], as returned by BurntSushi - and two 'tomlConfig' instances. They copy the value of the struct field identified by the key from the source instance to the target one if necessary. This is only done if the TOML key points to structures stored in maps by 'tomlConfig', i.e. 'hypervisor' and 'agent'. Nothing needs to be done in other cases. Signed-off-by: Pavel Mores <pmores@redhat.com>
updateFromDropIn() uses the infrastructure built by previous commits to ensure no contents of 'tomlConfig' are lost during decoding. To do this, we preserve the current contents of our tomlConfig in a clone and decode a drop-in into the original. At this point, the original instance is updated but its Agent and/or Hypervisor fields are potentially damaged. To merge, we update the clone's Agent/Hypervisor from the original instance. Now the clone has the desired Agent/Hypervisor and the original instance has the rest, so to finish, we just need to move the clone's Agent/Hypervisor to the original. Signed-off-by: Pavel Mores <pmores@redhat.com>
Fixes kata-containers#4108 Signed-off-by: Pavel Mores <pmores@redhat.com>
The tests ensure that interactions between drop-ins and the base configuration.toml and among drop-ins themselves work as intended, basically that files are evaluated in the correct order (base file first, then drop-ins in alphabetical order) and the last one to set a specific key wins. Signed-off-by: Pavel Mores <pmores@redhat.com>
Added user manual for the drop-in config file fragments feature. Signed-off-by: Pavel Mores <pmores@redhat.com>
There is much code related to this property, but it is not used anymore. Fixes: kata-containers#4553 Signed-off-by: liubin <liubin0329@gmail.com>
…n-refactor Refactor how hypervisor config validation is handled
…us-if-wait-process-failed shim: set a non-zero return code if the wait process call failed.
Recently added check-commit-message to the tests repository. Minor changes were also made to action. For consistency's sake, copied changes over to here as well. tests - kata-containers/tests#4878 Minor Changes: 1. Body length check is now 75 and consistent with guidelines 2. Lines without spaces are not counted in body length check Fixes kata-containers#4559 Signed-off-by: Derek Lee <derlee@redhat.com>
For runC, send the signal to the init process directly. For kata, we try to send `SIGKILL` instead of `SIGTERM` when the process has not installed the handler for `SIGTERM`. The `is_signal_handled` function determines which signals the container process handles. But currently `is_signal_handled` is only catching (SigCgt). Signals the container process is ignoring (SigIgn) or blocking (SigBlk) also should not be converted from `SIGTERM` to `SIGKILL`. For example, when using terminationGracePeriodSeconds the k8s will send SIGTERM first and then send `SIGKILL`; in this case, the container ignores the `SIGTERM`, so we should send the `SIGTERM` not the `SIGKILL` to the container. Fixes: kata-containers#4478 Signed-off-by: quanweiZhou <quanweiZhou@linux.alibaba.com>
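The commit above describes the decision the agent makes from the `SigCgt`, `SigIgn` and `SigBlk` masks of the container process. The following is an added example, not the kata agent's own `is_signal_handled`, that parses a constructed `/proc/<pid>/status` body and applies that rule: SIGTERM is kept as SIGTERM when the process catches, ignores or blocks it, and is escalated to SIGKILL only when none of the three masks has the bit set. The `signal_to_send` helper name and the sample status text are assumptions made for the example.

```rust
// Added example (not kata code): decide whether a container process "handles"
// a signal by reading the Sig* masks from a /proc/<pid>/status body.
use std::collections::HashMap;

const SIGTERM: u32 = 15;
const SIGKILL: u32 = 9;

/// Parse the `SigBlk:`, `SigIgn:`, `SigCgt:` (and any other `Sig*`) lines of a
/// /proc/<pid>/status body into name -> 64-bit mask. Other lines are ignored.
pub fn parse_signal_masks(status: &str) -> HashMap<String, u64> {
    let mut masks = HashMap::new();
    for line in status.lines() {
        let mut parts = line.splitn(2, ':');
        let key = parts.next().unwrap_or("").trim();
        let val = parts.next().unwrap_or("").trim();
        if key.starts_with("Sig") {
            // The kernel prints the mask as 16 hex digits.
            if let Ok(mask) = u64::from_str_radix(val, 16) {
                masks.insert(key.to_string(), mask);
            }
        }
    }
    masks
}

/// True if `signum` (Linux numbering, 1-based) has its bit set in `mask`.
fn mask_has(mask: u64, signum: u32) -> bool {
    (1..=64).contains(&signum) && (mask >> (signum - 1)) & 1 == 1
}

/// A signal counts as handled if the process catches (SigCgt), ignores (SigIgn)
/// or blocks (SigBlk) it; the commit's point is that all three must be checked.
pub fn is_signal_handled(status: &str, signum: u32) -> bool {
    let masks = parse_signal_masks(status);
    ["SigCgt", "SigIgn", "SigBlk"]
        .iter()
        .any(|k| masks.get(*k).map_or(false, |m| mask_has(*m, signum)))
}

/// Choose the signal to deliver: escalate SIGTERM to SIGKILL only when the
/// process neither catches, ignores nor blocks SIGTERM. Other signals pass through.
pub fn signal_to_send(status: &str, requested: u32) -> u32 {
    if requested == SIGTERM && !is_signal_handled(status, requested) {
        SIGKILL
    } else {
        requested
    }
}

// Constructed /proc/<pid>/status fragments for the example (not captured from a
// real system). Bit 14 (0x4000) is SIGTERM, bit 1 (0x2) is SIGINT.
pub const STATUS_CATCHES_TERM: &str =
    "Name:\tapp\nSigBlk:\t0000000000000000\nSigIgn:\t0000000000000000\nSigCgt:\t0000000180004002\n";
pub const STATUS_IGNORES_TERM: &str =
    "Name:\tapp\nSigBlk:\t0000000000000000\nSigIgn:\t0000000000004000\nSigCgt:\t0000000000000000\n";
pub const STATUS_NO_HANDLER: &str =
    "Name:\tapp\nSigBlk:\t0000000000000000\nSigIgn:\t0000000000000000\nSigCgt:\t0000000000000002\n";

fn main() {
    for (label, status) in [
        ("catches SIGTERM", STATUS_CATCHES_TERM),
        ("ignores SIGTERM", STATUS_IGNORES_TERM),
        ("no SIGTERM handler", STATUS_NO_HANDLER),
    ] {
        println!("{label}: deliver signal {}", signal_to_send(status, SIGTERM));
    }
}
```

In the ignoring case the process gets SIGTERM and survives it, which is exactly what the terminationGracePeriodSeconds flow in the commit relies on: kubelet sends SIGTERM, waits, and only then sends SIGKILL itself.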
Set `safe.directory` against `kata-containers/tests` repository before checkout because the user in the docker container is root, but the `tests` repository on the host machine is usually owned by the normal user. This works when we already have the `tests` repository which is not owned by root on the host machine and try to create a rootfs using Docker (`USE_DOCKER=true`). Fixes: kata-containers#4561 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
…axmemory Add `default_maxmemory` config option
…ed-console-from-container-config runtime: delete Console from Cmd type
Set safe.directory against tests repository
While doing a docker build for shim-v2, we see this:
```
fatal: unsafe repository ('/home/${user}/go/src/github.com/kata-containers/kata-containers' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /home/${user}/go/src/github.com/kata-containers/kata-containers
```
This is because the docker container build is run as root while the runtime repo is checked out as normal user. Unlike this error causing the rootfs build to error out, the error here does not really cause `make shim-v2-tarball` to fail. However it's good to get rid of this error message showing during the make process. Fixes: kata-containers#4572 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Some clients like nerdctl may pass mount type of none for volumes/bind mounts, which causes container start to fail. Referring to runc, it overwrites the mount type to bind and ignores the input value. Fixes: kata-containers#4548 Signed-off-by: liubin <liubin0329@gmail.com>
As 2.5.0-rc0 has been released, let's switch the kata-deploy / kata-cleanup tags back to "latest", and re-add the kata-deploy-stable and the kata-cleanup-stable files. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
So that we can add more info there, and few people use such small terminals nowadays. Fixes: kata-containers#4596 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
…h-bump # Kata Containers 2.5.0-rc0
Enable Kata runtime to handle `disable_selinux` flag properly in order to be able to change the status by the runtime configuration whether the runtime applies the SELinux label to VMM process. Fixes: kata-containers#4599 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
action: revert commit message limit to 150 bytes
Replaces calls of nproc with nproc ${CI:+--ignore 1} to run nproc with one less processing unit than the maximum to prevent DOS-ing the local machine. If the process is being run in a container (determined via whether $CI is null), all processing units available will be used. Fixes kata-containers#3967 Signed-off-by: Derek Lee <derlee@redhat.com>
While running make as non-privileged user, the make errors out with the following message: "INFO: Build cloud-hypervisor enabling the following features: tdx Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=cloudhypervisor%2Fdev&tag=20220524-0": dial unix /var/run/docker.sock: connect: permission denied" Even though the user may be part of docker group, the clh build from source does a docker in docker build. It is necessary for the user of the nested container to be part of docker build for the build to succeed. Fixes kata-containers#4594 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
tools/snap: simplify nproc
There is no independent CRI containerd plugin for new containerd; the related documentation should be updated too. Fixes: kata-containers#4605 Signed-off-by: liubin <liubin0329@gmail.com>
…loy-changes-after-2.5.0-rc0-release release: Revert kata-deploy changes after 2.5.0-rc0 release
katacontainersbot added the size/huge label (Largest and most complex task (probably needs breaking into small pieces)) on Jul 7, 2022
Tim-0731-Hzt force-pushed the runtime-rs-merge-main branch from 6e583a8 to fb922af on July 7, 2022 11:25
…ri-containerd-plugin docs: delete CRI containerd plugin statement
This is not an issue when the build is run as non-privileged user. Marking these as safe in case where the build may be run as root or some other user. Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This PR updates some url links related with containerd documentation. Fixes kata-containers#4615 Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
…inerddoc docs: Update URL links for containerd documentation
…ervisor-config runtime: Fix DisableSelinux config
jodh-intel approved these changes on Jul 8, 2022
Thanks @Tim-0731-Hzt.
lgtm
bergwolf approved these changes on Jul 8, 2022
…-build Fix clh tarball build
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Tim-0731-Hzt force-pushed the runtime-rs-merge-main branch from fb922af to 0826a21 on July 11, 2022 01:49
Seems there are errors with this?
To keep runtime-rs up to date, we will merge main into runtime-rs every week.
Fixes: #4613
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>