Releases: kata-containers/kata-containers
Kata Containers 3.11.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-8d4e72f0d-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aff3d98dd-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-9c8b20b2b-x86_64
- tools: quay.io/kata-containers/builders:tools-c20731226-df5e6e65b-0ce3f5fc6-0adf7a66c-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- re-enable measured rootfs build & tests by @fidencio in #10466
- build: cache: Ensure shim-v2-root_hash.txt is in "${workdir}" by @fidencio in #10473
- runtime: log vm start error before cleanup by @koct9i in #10074
- Revert "tests: Add trap statement in kata doc script" by @stevenhorsman in #10475
- tests: Increase time to run stressng k8s tests by @GabyCT in #10462
- packaging: Remove kernel config repo variable as it is unused by @GabyCT in #10474
- gha: Switch KUBERNETES from k3s to kubeadm on s390x by @BbolroC in #10476
- runtime-rs: Add basic boilerplate for remote hypervisor by @Chasing1020 in #10225
- genpolicy: support darwin target by @burgerdev in #10425
- gha: Add missing steps in Kata stability workflow by @GabyCT in #10480
- ci: Use ubuntu for static building of kata tools. by @Sumynwa in #10442
- runtime: Add GPU annotations for remote hypervisor by @bpradipt in #10453
- docs: Update virtualization document by @GabyCT in #10482
- agent: perform attestation init w/o process launch by @mkulke in #10481
- gha: Fix source for gha stability run script by @GabyCT in #10485
- agent-ctl: Add support to test kata-agent's container creation APIs. by @Sumynwa in #10395
- tests: k8s: Update bats by @stevenhorsman in #10459
- builds: ovmf: Workaround Zeex repo becoming private by @fidencio in #10490
- image: Add suffix to image or initrd depending on the NVIDIA driver version by @zvonkok in #9480
- build: kernel: Teach our machinery to deal with -rc kernels by @fidencio in #10488
- agent: fix typo on getting EphemeralHandler size option by @fidencio in #10491
- ci: export CONTAINER_RUNTIME to the test scripts by @littlejawa in #10496
- ci: skip nginx connectivity test with qemu/crio by @littlejawa in #10495
- workflows: Use AUTO_GENERATE_POLICY for qemu-coco-dev by @fidencio in #10486
- gha: Add install kata tools as part of the stability workflow by @GabyCT in #10493
- runtime: Files are not synced between host and guest VMs by @squarti in #10500
- kata-agent: Add CDI support by @zvonkok in #9584
- metrics: Skip metrics on stratovirt by @stevenhorsman in #10505
- workflow: Remove/skip runk CI by @stevenhorsman in #10506
- tests: k8s: Update image pull timeout error by @stevenhorsman in #10498
- ci.ocp: Use the official python:3 container for sanity by @ldoktor in #10511
- tests: remove manifest v1 test by @Redent0r in #10517
- ci: tdx: kbs: Ensure https_proxy is taken in consideration by @fidencio in #10513
- gha: Hardcode ubuntu-22.04 instead of latest by @sprt in #10515
- gha: Get artifacts when installing kata tools in stability workflow by @GabyCT in #10508
- Reapply "runtime: confidential: Do not set the max_vcpu to cpu" by @fidencio in #10519
- ci: Temporarily skip SNP CI by @AdithyaKrishnan in #10539
- osbuilder: remove redundant env variable by @ncppd in #10521
- genpolicy: add state to policy by @Redent0r in #10431
- runtime: Set maxvcpus equal to vcpus for the static resources case by @alex-matei in #9195
- rootfs: Install missing clang in Ubuntu docker image by @mrIncompetent in #9407
- ci: tdx: Split jobs to run in 2 different machines by @fidencio in #10501
- kernel: add CONFIG_KEYS=y to enable kernel keyring by @Crypt0s in #10542
- agent: overwrite OCI process spec when overwriting pause image by @squarti in #10514
- runtime: fix comment to accurately reflect clh behavior by @Camelron in #10545
- release: Bump version to 3.11.0 by @stevenhorsman in #10552
- workflows: Remove skipping of artifact uploads by @stevenhorsman in #10562
New Contributors
- @koct9i made their first contribution in #10074
- @Chasing1020 made their first contribution in #10225
- @ncppd made their first contribution in #10521
- @mrIncompetent made their first contribution in #9407
- @Crypt0s made their first contribution in #10542
- @Camelron made their first contribution in #10545
Full Changelog: 3.10.1...3.11.0
Kata Containers 3.10.1
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-2b2d0f738-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-c06bf2e3b-fefcf7cfa-322846b36-bc195d758-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- tools: Change PACKAGES var for cbl-mariner by @ms-mahuber in #10439
- workflows: Ensure shim-v2 is built as the last asset by @fidencio in #10446
- runtime: Failed to clean up resources when QEMU is terminated by @wtootw in #10208
- Add a specific workflow for testing the CI, without messing up with the "nightly" weather by @fidencio in #10449
- docs: Fix misspelling in CI documentation by @GabyCT in #10438
- tests: Add trap statement in kata doc script by @GabyCT in #10452
- workflows: devel: Follow-up on the manually triggered jobs by @fidencio in #10461
- agent: Correct rustjail device filemode permission typo by @skaegi in #10463
- release: Bump version to 3.10.1 by @stevenhorsman in #10467
- workflows: Possibly fix the release workflow by @fidencio in #10471
New Contributors
Full Changelog: 3.10.0...3.10.1
Kata Containers 3.10.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-2b2d0f738-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-c06bf2e3b-fefcf7cfa-3dabe0f5f-bc195d758-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- gha: Increase timeout to run k8s tests on TDX by @GabyCT in #10336
- acrn: Drop support by @fidencio in #10239
- kata-deploy: clean up and fix docs for k0s by @sprt in #10335
- runtime-rs: fix the issue of using block_on by @lifupan in #10339
- tests: Fix loop device handling for exec_host() by @BbolroC in #10232
- doc: Update the release process by @stevenhorsman in #10337
- tools.kata-webhook: Specify runtime class using configMap by @Bickor in #10329
- Introduce cdi in runtime-rs by @Apokleos in #10146
- ci: don't require sudo for yq if already installed by @pawelpros in #10311
- runtime: add DAN support for VFIO network device in Go kata-runtime by @l8huang in #9977
- tests: Improve k8s negative tests by @BbolroC in #10328
- ci: Reorder webhook deployment by @ldoktor in #10345
- tests: Delete custom node debugger pod on EXIT by @BbolroC in #10348
- Some prepared work for sandbox api support by @lifupan in #10330
- runtime-rs: Notify containerd when process exits by @lsc2001 in #10293
- ci: Enable basic docker tests for runtime-rs by @lsc2001 in #10318
- tests: Minor improvement k8s tests by @BbolroC in #10346
- agent: fix the issue of setup sandbox pidns by @lifupan in #10351
- sandbox: refactor the sandbox init process by @lifupan in #10349
- runtime-rs: Port TAP implementation from dragonball by @sidneychang in #10219
- gha: Add ita_key as a github secret by @fidencio in #10357
- docs: Remove qemu information not longer valid by @GabyCT in #10342
- ci:tdx: Use an ITA key for TDX by @GabyCT in #10305
- runtime-rs: Add Configurable Compilation for Dragonball in Runtime-rs by @sidneychang in #10312
- tests: Add k8s-block-volume test to GHA CI by @sprt in #7165
- genpolicy: validate create sandbox storages by @Redent0r in #10340
- tests: Skip k8s-block-volume.bats for qemu-runtime-rs by @BbolroC in #10374
- metrics: Update fast footprint script to use grep by @GabyCT in #10369
- tests: k8s-policy-rc: remove default UID from YAML by @danmihai1 in #10370
- k8s: tests: Re-enable empty-dirs tests for TDX / coco-qemu-dev by @fidencio in #10371
- runtime-rs: add network device hotplugging to qemu-rs by @pmores in #10165
- k8s:kbs: Add trap statement to clean up tmp files by @GabyCT in #10375
- ci.ocp: Sort images according to git by @ldoktor in #10134
- osbuilder: Remove duplicated arch variable definition by @GabyCT in #10381
- CI: Select jobs by touched code by @ldoktor in #9637
- gha: enable AUTO_GENERATE_POLICY where needed by @danmihai1 in #10376
- tests: k8s: AUTO_GENERATE_POLICY=yes for local testing by @danmihai1 in #10384
- build: Fix RPM build fail due to AGENT_POLICY by @emanuellima1 in #10389
- image-builder: Remove unused variable by @GabyCT in #10383
- Support Confidential Sealed Secrets (as volume) by @ChengyuZhu6 in #10363
- local-build: add ability to build rootfs-image-mariner by @danmihai1 in #10390
- tools/osbuilder/tests: Add trap statement in test images script by @GabyCT in #10388
- Revert "agent:cdh: unittest for sealed secret as file" by @fidencio in #10404
- ci: mariner: Use the image instead of the initrd by @fidencio in #10396
- packaging: Remove unused variable in build kernel script by @GabyCT in #10407
- build: mariner: Remove the ability to build the marine initrd by @fidencio in #10397
- Kbs deploy overlays update by @stevenhorsman in #10401
- agent:cdh: fix unit tests about sealed secret by @ChengyuZhu6 in #10406
- kbs: ita: Ensure the proper image / image_tag is used for ITA by @fidencio in #10409
- tools/osbuilder/tests: Remove egrep in test images script by @GabyCT in #10415
- ci: Install build dependencies for building agent-ctl with image pull. by @Sumynwa in #10402
- genpolicy: read binaryData value as String by @3u13r in #10426
- ci: static_sandbox_resource_mgmt for cbl-mariner by @danmihai1 in #10416
- tests: k8s-inotify.bats improvements by @danmihai1 in #10417
- agent: config: Use rstest for unit tests by @stevenhorsman in #10412
- gha: Use a arch_to_golang variable to have uniformity by @GabyCT in #10428
- docs: Update CI documentation by @GabyCT in #10430
- runtime-rs: Use vCPU and memory values from config by @ananos in #10435
- ci: add provenance attestation for agent artifact by @mkulke in #10433
- ci: don't parse oci image for cached artifacts by @mkulke in #10437
- kata-agent: fixing bug of unable setting hostname correctly. by @Apokleos in #10421
- runtime-rs: support virtio-scsi device in qemu-rs by @pmores in #10420
- release: Bump VERSION to 3.10.0 by @gkurz in #10443
New Contributors
- @Bickor made their first contribution in #10329
- @pawelpros made their first contribution in #10311
- @lsc2001 made their first contribution in https:...
Kata Containers 3.9.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-2b2d0f738-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-593cbb871-eb1227f47-1597f8ba0-69535e545-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- genpolicy: deny UpdateEphemeralMountsRequest by @Redent0r in #9911
- metrics: Remove unused variable in openvino script by @GabyCT in #10198
- kata-deploy: Rework the logic a little bit by @fidencio in #10194
- ci: commit-message-check: Take re-revert into consideration by @fidencio in #10196
- agent: kill child process when console socket closed by @soulfy in #10141
- Revert "tests: add image check before running coco tests" by @amshinde in #10207
- tests: Fix k8s test issues on s390x by @BbolroC in #10202
- agent/config: Make CDH_API_TIMEOUT configurable by @BbolroC in #10199
- kata-manager: Avoid docker rate-limit by @fidencio in #10209
- Upgrade to Cloud Hypervisor v41.0 by @likebreath in #10205
- metrics: Add OpenVINO general information into README by @GabyCT in #10201
- stability: Add kubernetes parallel test by @GabyCT in #10193
- runtime: Allow machine_type in kata config for remote hypervisors by @squarti in #10212
- runtime: check if cold_plug_vfio is enabled before create PhysicalEndpoint by @l8huang in #10210
- ci: reinstate Mariner host and guest kernel by @sprt in #10037
- gha: Add GHA workflow to run Kata CoCo stability tests by @GabyCT in #10214
- docs: Add oneDNN benchmark information to metrics README by @GabyCT in #10221
- genpolicy: add priorityClassName as a field in PodSpec interface by @Redent0r in #10160
- agent: image-rs: check xattrs for image unpacking by @amshinde in #10224
- metrics: Remove unused variable in oneDNN benchmark by @GabyCT in #10228
- agent: avoid policy.txt log without debug enabled by @danmihai1 in #10222
- ci: Transition GARM tests to free runners, pt. III by @sprt in #10038
- agent: Update image-rs to 02af65abc by @fidencio in #10236
- kata-deploy: helm: Add INSTALLATION_PREFIX by @fidencio in #10204
- ci: Remove stdio tests by @fidencio in #10238
- metrics: Remove metrics report for Kata Containers by @GabyCT in #10247
- agent:cdh: Refactor CDHClient usage and initialization by @ChengyuZhu6 in #10233
- helm: Several fixes, including some reasonable re-work on kata-deploy.sh script by @fidencio in #10192
- runtime: fix bad default machine_type for remote hypervisor by @squarti in #10250
- runtime: Don't error out about SNP cert path on non SNP platforms by @fidencio in #10254
- gha: Turn on KBS for qemu-coco-dev on s390x by @BbolroC in #10244
- versions: Update firecracker version to 1.8.0 by @GabyCT in #10229
- tests: Enable k8s soak stability test for Kata CoCo CI by @GabyCT in #10237
- genpolicy: support readonly hostpath by @Redent0r in #10251
- ci: Add workflow to run kata-agent api tests using kata-agent-ctl by @Sumynwa in #10263
- ci: send SIGKILL to kill kata components by @Sumynwa in #10255
- ci: Enable kata agent API tests by @Sumynwa in #10270
- genpolicy: add support for PodDisruptionBudget yaml by @Redent0r in #10268
- metrics: Update openVINO and oneDNN tests references by @GabyCT in #10267
- agent: Refactor storage handler registration by @ChengyuZhu6 in #10245
- Refine device management for kata-agent by @ChengyuZhu6 in #10213
- kata-deploy: Remove kata-cleanup unneeded vars by @fidencio in #10257
- runtime: qemu: tdx: Add support for setting mrconfigid / mrowner / mrownerconfig by @fidencio in #10272
- Add support of dragonball virtio-balloon free page reporting by @teawater in #10253
- tests: Increase timeout to wait for soak stability test deployment by @GabyCT in #10277
- runtime-rs: configuration-dragonball.toml.in: Remove duplication by @teawater in #10282
- runtime: Fix runtime/cdi panic with assignment to entry in nil map by @Apokleos in #10276
- ci: tdx: Adapt how we get the host IP by @fidencio in #10292
- agent-ctl: Refactor CopyFile Handler by @Sumynwa in #10271
- Bump guest-components / trustee to a version that supports ITA by @fidencio in #10294
- tests: Enable stressng k8s stability test for Kata CoCo CI by @GabyCT in #10289
- metrics: Remove unused remove img var in common script by @GabyCT in #10295
- genpolicy: fix and re-enable create container UID verification by @danmihai1 in #10291
- tests: Introduce retry mechanism for helm install by @BbolroC in #10309
- tests: Fix indentation in the cri containerd tests by @GabyCT in #10304
- tests: k8s-inotify: pod termination polling by @danmihai1 in #10316
- CoCo: Bump Coco components to 0.10 releases by @stevenhorsman in #10313
- Merge to main: supporting pull cosign signed images by @Xynnn007 in #10009
- doc: Update how-to-run-kata-containers-with-SE-VMs.md by @BbolroC in #10315
- local-build: Fix unbound variable issue for lib_se.sh by @BbolroC in #10321
- agent: add support to provide default agent policy via env by @Sumynwa in #10303
- kata-deploy: Switch Kubernetes URL by @stevenhorsman in #10323
- ci: Fix indentation of install libseccomp script by @GabyCT in #10324
*...
Kata Containers 3.8.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-d0b0004ce-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-c22ac4f72-a9b436f78-a78d82f4f-69535e545-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- tests: Rebuild secure boot image for guest-pull-image-authenticated for IBM SE by @BbolroC in #10032
- metric: Upgrade blogbench to 1.2 by @amshinde in #10028
- ci: cleanup: Ignore nonexisting resources by @sprt in #9959
- genpolicy: container.exec_commands args validation by @danmihai1 in #10022
- tests: Call repack_secure_image() in set_metadata_annotation() by @BbolroC in #10034
- Implement hotplug support for physical endpoints by @amshinde in #8597
- runtime-rs: container: fix the issue of missing cleanup container by @lifupan in #10045
- gha: enable autogenerated policy testing on SEV and SEV-SNP by @Redent0r in #9835
- metrics: update avg reference values for blogbench. by @dborquez in #10040
- tests: k8s-credentials-secrets: policy for second pod by @danmihai1 in #10035
- Add kernel config for NVIDIA DPU/ConnectX adapter by @l8huang in #9620
- tests: Fix missing log on TDX by @ChengyuZhu6 in #10031
- dragonball: kernel gpu dragonball 6.1.x by @zvonkok in #9968
- gpu: rootfs/initrd build init by @zvonkok in #9920
- tools: Allow setting policy rego file via by @Redent0r in #9910
- ci: cache: Pass through RELEASE env by @stevenhorsman in #10053
- metrics: Update launch times to use grep -F by @GabyCT in #10060
- gpu: rootfs ubuntu build expansion by @zvonkok in #9919
- runtime-rs: add memory hotplugging support to qemu-rs by @pmores in #9965
- gha: Increase timeout to run CoCo tests by @ChengyuZhu6 in #10063
- docs: Update url links in kata nydus document by @GabyCT in #10054
- genpolicy: Add support for envFrom by @Redent0r in #9576
- tests: k8s: reuse policy exec variable by @danmihai1 in #10051
- runtime-rs: enhance debug info for agent connect. by @Apokleos in #10058
- Align kata oci spec with oci-spec-rs by @Apokleos in #9944
- Fix issue while adding multiple networks with nerdctl by @amshinde in #9899
- initdata: add initdata annotation in hypervisor config by @huoqifeng in #9988
- tee: osbuilder: Set /run to use 50% of the image with systemd by @fidencio in #10078
- genpolicy: validate each exec command line arg by @danmihai1 in #10069
- tests: k8s: minor policy tests clean-up by @danmihai1 in #10083
- runtime-rs : fix the issue of stop sandbox by @lifupan in #10043
- runtime-rs: enable dragonball hypervisor support initrd by @lifupan in #10024
- runtime-rs: Fix QEMU backend for runtime-rs by @ananos in #10052
- gha: Eradicate {pre,post}-action steps for s390x runners by @BbolroC in #10096
- ci: Fix rate limit error by migrating busybox_image by @AdithyaKrishnan in #10101
- gha: Restore cleanup-zvsi for s390x by @BbolroC in #10104
- tests: add image check before running coco tests by @ChengyuZhu6 in #10080
- GHA: Run k8s e2e tests for qemu-runtime-rs on s390x by @BbolroC in #10070
- version: bump trustee version by @ChengyuZhu6 in #10110
- ci: Temporarily remove arm64 builds by @fidencio in #10111
- metrics: Update memory tests to use grep -F by @GabyCT in #10099
- ci: Temporarily remove arm64 builds -- part II by @fidencio in #10117
- kata-manager: Ensure distro specific TDX config is set by @fidencio in #10114
- tests: k8s: Rotate & cleanup journal for every run by @fidencio in #10107
- tests: kbs: Add missing dependencies to install kbs cli by @GabyCT in #10116
- tests: Fix error with kubectl debug by @ChengyuZhu6 in #10102
- agent: fix the AllowRequestsFailingPolicy functionality by @danmihai1 in #10098
- ci: re-enable arm CI by @fidencio in #10123
- Fix metrics json results file by @dborquez in #10120
- genpolicy: reject create custom hook settings by @Redent0r in #10075
- ci: Remove jobs that are not running by @fidencio in #10125
- ci: Enable encrypted image tests for TEEs by @fidencio in #10124
- genpolicy: add --version flag by @Redent0r in #10121
- kata-deploy: Add Helm Chart by @zvonkok in #9880
- runtime: image-pull: Make it work with nerdctl by @fidencio in #10132
- genpolicy: add crate-scoped integration test by @burgerdev in #10068
- ci: Enable nerdctl tests for clh by @amshinde in #10089
- tools: Support for building qemu with linux aio by @hex2dec in #10129
- tests:k8s: Update image in kubectl debug for the exec host function by @GabyCT in #10127
- qemu: don't emit scsi parameter by @Freax13 in #10113
- ci: cache: Include kata version in artefact versions by @stevenhorsman in #10140
- tests: Update ubuntu image for stress Dockerfile by @GabyCT in #10142
- ci: Transition GARM tests to free runners, pt. II by @wainersm in #10007
- kata-manager: Only check files when tarball is not passed by @fidencio in #10149
- tests: Add kubernetes stress-ng tests by @GabyCT in #10154
- tests: Disable k8s file volume test by @GabyCT in https://github.com/kata-containers/kata-cont...
Kata Containers 3.7.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-d0b0004ce-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-259ec408b-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-f31c1b121-6c1a2f01f-eb07f5ef5-c99ba42d6-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- tests: Use selector rather than pod name for kubectl logs/describe by @BbolroC in #9862
- Tokio vulnerability bump by @stevenhorsman in #9860
- sandbox: fix the issue of failed to get the vmm master tid by @lifupan in #9834
- runtime-rs: add base qmp framework by @pmores in #9772
- kata-deploy: always copy ci/install_yq.sh by @wainersm in #9863
- ci: tdx: Disable TDX CI by @fidencio in #9869
- ci: gha no sudo ppc64 by @zvonkok in #9877
- runtime-rs: adjust qemu vm shutdown behaviour by @pmores in #9870
- ci: tdx: Use vanilla k8s instead of k3s by @fidencio in #9882
- qemu: upgrade to 8.2.4 by @ryansavino in #9149
- tests: nerdctl: Fix variables names and remove network by @GabyCT in #9874
- ci: tdx: Re-enable TDX CI by @fidencio in #9884
- runtime: Support policy in remote hypervisor by @stevenhorsman in #9881
- kernel: Add CONFIG_S390_UV_UAPI for s390x by @BbolroC in #9886
- gha: Do not fail when collecting artifacts by @GabyCT in #9845
- genpolicy: reject untested CreateContainer field values by @danmihai1 in #9856
- ci: remove sudo from s390x build by @zvonkok in #9876
- runtime: updates to qemu-coco-dev configuration by @wainersm in #9865
- ci: gha no sudo arm64 by @zvonkok in #9875
- CI: disable jobs that failed >= 50% on nightly CI recently - part 2 by @wainersm in #9857
- genpolicy: ignore SeccompProfile in PodSpec by @Redent0r in #9579
- metrics: Improve variable definition in memory inside containers script by @GabyCT in #9872
- runtime-rs: fix the bug of func count_files by @gaohuatao-1 in #9830
- workflow: coco: Add auth registry secret by @stevenhorsman in #9903
- genpolicy: allow specifying layer cache file by @3u13r in #9864
- ci: Add scheduled job to cleanup resources, pt. I by @sprt in #9898
- tests: attestation: Restrict sample policy use by @stevenhorsman in #9906
- ci.ocp: Ensure we smoke-test with the right runtime class by @ldoktor in #9887
- tests: Increase timeout to crictl calls on kata monitor tests by @GabyCT in #9897
- runtime-rs: remove attempt to access sandbox bundle from container bu… by @pmores in #9879
- kata-ctl: Update Cargo.lock by @gkurz in #9913
- gpu: Missing separator by @zvonkok in #9916
- tests: Increase interval and max_tries for kubectl_retry by @BbolroC in #9923
- versions: bump coco guest components and trustee by @fitzthum in #9896
- runtime: fix missing of VhostUserDeviceReconnect parameter assignment by @markyangcc in #9849
- rootfs: Fix spurious error by @zvonkok in #9918
- CI: Use multi-arch image for alpine-bash-curl by @BbolroC in #9936
- CI: Eliminate dependency on tests repo by @BbolroC in #9932
- gha: ci: Remove incorrect secrets line by @stevenhorsman in #9947
- Upgrade to Cloud Hypervisor v40.0 by @likebreath in #9930
- tests: Update help section in openvino test by @cmaf in #9949
- kata-deploy: fix qemu static build on ppc64le by @Amulyam24 in #9914
- ci: Temporarily disable kata-deploy and GARM tests by @sprt in #9941
- genpolicy: add topologySpreadConstraints support by @Redent0r in #9577
- ci: Add scheduled job to cleanup resources, pt. II by @sprt in #9909
- osbuilder: allow rootfs builds w/o git or version file deps by @ms-mahuber in #9825
- docs: Remove jenkins reference from unit testing presentation by @GabyCT in #9952
- metrics: Remove variable in sysbench that is not being used by @GabyCT in #9954
- genpolicy: allow some empty env vars by @Redent0r in #9907
- runtime-rs: firecracker hypervisor backend by @Pyrromanis in #8070
- tests: Fixes TEE timeout issue by @AdithyaKrishnan in #9943
- ci: Transition GARM tests to free runners, pt. I by @sprt in #9960
- Fix issues on CI about guest-pull by @ChengyuZhu6 in #9695
- gha: Fix pip installation for nerdctl GHA by @GabyCT in #9971
- Image rs bump to latest main by @stevenhorsman in #9828
- tests: Use variable already defined in metrics common script for stability tests by @GabyCT in #9966
- Support Confidential Sealed Secrets (as env vars) by @fitzthum in #9719
- tests: Extend vfio-ap hotplug test to use a zcrypttest tool by @BbolroC in #9859
- tests: cri-containerd: Ensure Docker isn't present by @sprt in #9976
- Add memory and vcpus info to metrics results by @dborquez in #9973
- metrics: Remove duplicate check of processes from memory test. by @dborquez in #9987
- cri-containerd: Remove use_devmapper variable for cri-containerd tests by @GabyCT in #9985
- gha: make run-k8s-tests-on-zvsi inherit secrets by @stevenhorsman in #9981
- runtime: pass certificates to get extended attestation report for SNP coco by @niteeshkd in #9806
- scripts: Eliminate CI variable as it is not longer used by @GabyCT in #9962
- runtime-rs: bugfix for root bus slot allocation by @Apokleos in https:/...
Kata Containers 3.6.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-d0b0004ce-c99ba42d6-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-c99ba42d6-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-b6a28bd93-27685c91e-3a0247ed4-c99ba42d6-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- gpu: Add build targets for GPU rootfs initrd/image by @zvonkok in #9618
- tests: Add k8s negative policy test by @GabyCT in #9438
- CI: Use --abbrev=9 explicitly for abbreviated commit hash by @BbolroC in #9638
- gha: Fix indentation in gha run k8s common by @GabyCT in #9627
- metrics: Fix random write value for FIO by @GabyCT in #9610
- version: Bump nydus snapshotter to v0.13.13 by @ChengyuZhu6 in #9636
- deploy: Add artefact repository by @zvonkok in #9617
- Tag component caches by @stevenhorsman in #9550
- workflow: Remove if from env conditional by @stevenhorsman in #9644
- ci: cache: Fix unbound variable by @stevenhorsman in #9647
- metrics: Update launch times script by @GabyCT in #9615
- Caching tagging update part iii by @stevenhorsman in #9650
- tests: pull-image: Only skip tests for TEEs by @fidencio in #9613
- CI: Append arch type to initramfs-cryptsetup image by @BbolroC in #9655
- ci: cache: Filter out non-printable characters from tag by @stevenhorsman in #9659
- Fix launch times timestamp generation. by @dborquez in #9662
- Revert "ci: azure: Workaround azure cli installation script" by @fidencio in #9673
- TEEs: Use shared_fs=none for TDX by @fidencio in #9315
- fix: kata-deploy.sh VERSION_ID unbound-variable by @networkhermit in #9671
- gha: release: Set inherit secrets on tarball builds by @stevenhorsman in #9675
- genpolicy: detect empty string in ns as default by @malt3 in #9660
- gha: Add support to install KBS to k8s TDX GHA workflow by @GabyCT in #9452
- CI: Migrate vfio-ap test files from tests repo by @BbolroC in #9658
- runtime: Disable number of cpu comparison on remote hypervisor scenario by @ajaypvictor in #9657
- build(deps): bump github.com/containerd/containerd from 1.7.11 to 1.7.16 in /src/runtime in the go_modules group across 1 directory by @dependabot in #9635
- runtime: fix duplicated devices requested to the agent by @cncal in #9624
- runtime: Add missing check in ResizeMemory for CH by @cmaf in #9641
- runtime-rs: Drop some useless QEMU arguments by @gkurz in #9642
- runtime: tdx: Allow default_{cpu,memory} annotations by @fidencio in #9682
- runtime: Enable connection to Quote Generation Service (QGS) by @JakubLedworowski in #9653
- ci: cache: Add arch suffix to all cache tags by @stevenhorsman in #9684
- tests: Fix indentation in confidential common script by @GabyCT in #9685
- gha: Enable install kbs and coco components for TDX, but still skip the CDH test by @GabyCT in #9681
- metrics: Fix minvalue for boot time by @GabyCT in #9686
- tests/k8s: skip custom DNS tests on confidential jobs by @wainersm in #9696
- build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 in /src/runtime in the go_modules group across 1 directory by @dependabot in #9680
- tests/k8s: disable "fail-fast" behavior by default by @wainersm in #9698
- kata-agent: update env PCIDEVICE___INFO by @l8huang in #9605
- runtime-rs: Remove obsoleted dial_timeout config by @justxuewei in #9690
- runtime: make kata-runtime check error more understandable when /dev/kvm doesn't exist by @cncal in #9583
- agent: collect PCI address mapping for both vfio-pci-gk and vfio-pci device by @l8huang in #9687
- runtime-rs: add QMP support for Qemu(part I) by @Apokleos in #9604
- Adjust indentation in ifneq statements within Makefile in runtime-rs by @sidneychang in #9693
- runtime-rs: document architecture & implementation conventions in qem… by @pmores in #9656
- kata-agent: CreateContainer Hook by @zvonkok in #9268
- kata-deploy / kata-cleanup / ci: Fixes and improvements to kata-deploy / kata-cleanup and its usage in the CI by @fidencio in #9721
- gpu: reintroduce pcie_root_port and add pcie_switch_port by @zvonkok in #8861
- ci: ovmf without sudo by @zvonkok in #9727
- ci.ocp: Document openshift pipeline and manual bisection by @ldoktor in #9414
- vfio: Fix hot-unplug by @zvonkok in #9723
- ci: guest-components without sudo by @zvonkok in #9728
- metrics: Improve variable definition in memory usage script by @GabyCT in #9677
- ci: qemu no sudo by @zvonkok in #9736
- ci: tools no sudo by @zvonkok in #9733
- kata-manager: Copy cni files under /opt/cni by @amshinde in #9679
- ci: kernel no sudo by @zvonkok in #9730
- ci: build agent without sudo by @zvonkok in #9729
- ci: initramfs no sudo by @zvonkok in #9739
- ci: virtiofsd no sudo by @zvonkok in #9734
- ci: pause-image no sudo by @zvonkok in #9731
- ci: shim-v2 no sudo by @zvonkok in #9732
- ci: Fix tools builder images by @zvonkok in #9743
- runtime-rs: Add RNG to QEMU cmdline by @emanuellima1 in #9639
- ci: pin the nydus-snapshotter image version by @wainersm in #9746
- tests: enable guest-pull on all k8s tests for the qemu-coco-dev configuration by @wainersm in https:/...
Kata Containers 3.5.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-65c32735e-8724d7dee-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-4fc34323a-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-4292c4c3b-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-fe5adae5d-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.72.0-04d021bd1-x86_64
- tools: quay.io/kata-containers/builders:tools-ddf6b367c-cc6b67110-b4360e7e3-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-2205fb9d0-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- gha: move attestation tests to run-k8s-tests-coco-nontee by @wainersm in #9490
- agent: update cargo.lock by @danmihai1 in #9518
- runtime-rs: Update storage source for pci block devices by @amshinde in #9517
- passfd-io: fix FIFO opening and vsock handling by @Tim-Zhang in #9335
- runtime: Call CreateRuntime hooks at container creation time by @littlejawa in #9524
- CC: Enable guest-pull tests on non-TEE for s390x by @BbolroC in #9494
- clh: isClhRunning waits for full timeout when clh exits by @alex-matei in #9432
- kata-deploy: Stop append log_level = "debug" for CRI-O by @fidencio in #9535
- genpolicy: implement default methods for K8sResource trait by @arc9693 in #9428
- agent: use regorus instead of opa by @danmihai1 in #9510
- gha: Enable k8s tests for cloud hypervisor with devicemapper by @jodh-intel in #9525
- build: Fix tarball not building correctly in docker by @JakubLedworowski in #9549
- genpolicy: changing caching so the tool can run concurrently with itself by @Redent0r in #9530
- runtime-rs: Add RTC to QEMU cmdline by @emanuellima1 in #9519
- doc: fix missing document link by @cncal in #9528
- build: Update golang version to 1.22.2 by @BbolroC in #9562
- rootfs: Stop building and shipping OPA by @fidencio in #9559
- runtime-rs: support IOMMU in qemu VMs by @pmores in #9551
- workflow: static-checks: Skip commit checks for dependabot by @stevenhorsman in #9570
- runtime: new qemu-coco-dev configuration by @wainersm in #9552
- kata-deploy: configure debugging for crio by @littlejawa in #9573
- build: Build the shipped agent with policy enabled by @fidencio in #9563
- config: Add NVIDIA GPU SNP, TDX configuration files by @zvonkok in #9476
- tests: adapt Mariner CI to unblock CH v39 upgrade by @sprt in #9592
- build(deps): bump the go_modules group across 5 directories with 8 updates by @dependabot in #9568
- versions: Remove oci information from versions file by @GabyCT in #9600
- build: fix the confusing build message if yq doesn't exist in GOPATH/bin by @cncal in #9582
- runtime-rs: fix the issue of the leak of dead shim by @lifupan in #9598
- qemu: the error is logged only when it occurs by @cncal in #9601
- ci: Stop building TDX specific QEMU and OVMF by @fidencio in #9607
- db: fix the issue of failed to init pci root bus by @lifupan in #9596
- tests: pull-image: Don't run on TEEs by @fidencio in #9609
- kernel: Add caching of kernel-headers by @zvonkok in #9482
- tdx: Adapt kata-deploy to use QEMU / OVMF from the distros by @fidencio in #9608
- deploy: Add runtimeClasses relating to the NVIDIA GPU by @zvonkok in #9484
- deploy: Fix wrong pushing of artifacts by @zvonkok in #9616
- build: nvidia-gpu: Fix cache usage of the headers tarball by @fidencio in #9622
- release: Bump VERSIONS file to 3.5.0 by @fidencio in #9626
- runtime-rs: Fix constructing the RTC struct by @emanuellima1 in #9571
- debugging: adding a script and instructions for debugging the GO shim by @littlejawa in #9585
- kata-deploy: Fix tdx_not_supported call by @ldoktor in #9629
- local-build: Ensure the default rootfs is built with AGENT_POLICY=yes by @BbolroC in #9632
New Contributors
- @arc9693 made their first contribution in #9428
- @JakubLedworowski made their first contribution in #9549
- @emanuellima1 made their first contribution in #9519
- @cncal made their first contribution in #9528
Full Changelog: 3.4.0...3.5.0
Kata Containers 3.4.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-65c32735e-8724d7dee-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-4fc34323a-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-2ee03b5dc-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-fe5adae5d-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.19.3-rust-1.72.0-04d021bd1-x86_64
- tools: quay.io/kata-containers/builders:tools-77540503f-d915a79e2-9e01732f7-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-2205fb9d0-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- docs: Update links in the Documentation Requirements document by @GabyCT in #9307
- gha: Update journal log names for kubernetes artifacts by @GabyCT in #9309
- gha: Fix nydus namespace clean up by @GabyCT in #9265
- Dragonball: introduce MTRR regs support by @studychao in #9311
- tests: static checker: Add announce message by @jodh-intel in #9259
- agent: Add guest-pull to the list of agent features in announce() by @ChengyuZhu6 in #9312
- docs: Update libseccomp instructions in Developers Guide by @GabyCT in #9324
- Revert "release: Skip --generate-notes for this release" by @fidencio in #9321
- runtime-rs: ch: Implement full thread/tid/pid handling by @dborquez in #9255
- versions: Update nydus-snapshotter to v0.13.11 by @fidencio in #9337
- runtime-rs: Enable qemu on s390x by @BbolroC in #9280
- agent: Refactor unit tests to leverage rstest for parameterization by @ChengyuZhu6 in #9313
- runtime-rs/dragonball: add support building kernel with upcall and GPU hotplug by @Apokleos in #9244
- agent:image: Refactor code to improve memory efficiency of image service by @ChengyuZhu6 in #9325
- scripts: Fix unbound variables in k8s setup script by @GabyCT in #9329
- workflows: Build agent-opa for more archs by @stevenhorsman in #9356
- Remove additional links to tests directory by @cmaf in #9346
- docs: Add documents for kata guest image management by @ChengyuZhu6 in #9341
- Only tag and publish the release when it is fully ready by @gkurz in #9326
- Support to set timeout to pull large image in guest by @ChengyuZhu6 in #9332
- k8s: confidential: Update cpuid to its latest release by @fidencio in #9349
- runtime: remove unimplemented CoCo configurations by @fitzthum in #8046
- genpolicy: reduce policy debug prints by @danmihai1 in #9347
- runtime: remove stream copy infinite loop by @danmihai1 in #9367
- agent: Fix errors in make check by @c3d in #9345
- gha: Update journal log names for nerdctl artifacts by @GabyCT in #9358
- kata-agent: Change order of guest hook and bind mount processing by @Apokleos in #9275
- kata-agent: enabling cgroups-v2 by systemd.unified_cgroup_hierarchy by @Apokleos in #9383
- versions: Remove runc version information by @GabyCT in #9365
- gha: add GENPOLICY_PULL_METHOD by @Redent0r in #9385
- docs: Remove stale kernel information by @GabyCT in #9344
- versions: Remove conmon information from versions.yaml by @GabyCT in #9397
- gha: Define GH_PR_NUMBER variable in gha run k8s common script by @GabyCT in #9409
- tests: k8s-job: wait for job successful create by @danmihai1 in #9411
- gha: ensure unique resource group name by @Redent0r in #9413
- bugfix and refactor device increate count by @Apokleos in #8782
- tdx: Update TDX artefacts to be used with the Ubuntu 23.10 / CentOS 9 stream OSVs. by @fidencio in #8840
- tests: Support for kbs setup on kcli by @ldoktor in #9273
- metrics: Improve latency test cleanup by @GabyCT in #9419
- GHA: Implement secondary GITHUB_WORKSPACE cleanup on 1st failure by @BbolroC in #9415
- qemu: show the thread name when enable the hypervisor.debug option by @deagon in #9402
- docs: kata-manager: Update with latest details by @jodh-intel in #9372
- port attestation agent from CCv0 branch to main branch by @LindaYu17 in #8870
- agent:image: Support different pause image in the guest for guest pull by @ChengyuZhu6 in #9369
- gha: Bump various actions to use Node.js 20 by @gkurz in #9421
- katautils: check number of cores on the system instead of go runtime by @egernst in #9331
- tests: k8s: improve the Agent Policy tests by @danmihai1 in #9398
- docs: adding an initial CI documentation by @beraldoleal in #8988
- genpolicy: Add optional toggle to pull images using containerd by @Redent0r in #9185
- add onednn and openvino ml-benchmarks by @dborquez in #9391
- gha: Fix indentation in gha run script by @GabyCT in #9450
- tests: Improve the kbs_k8s_delete function by @GabyCT in #9423
- tests: k8s: inject agent policy failures by @danmihai1 in #9439
- agent: Fix the issue with the "test_new_fs_manager" test by @justxuewei in #9457
- CC: run guest-pull tests on non-TEE jobs by @wainersm in #9424
- gha: Define unbound PULL TYPE variable by @GabyCT in #9454
- agent: shutdown vm on exit when agent is used as init process by @alex-matei in #9430
- CI: Enable GHA cri-containerd workflow for runtime-rs with QEMU by @BbolroC in #9403
- kernel: Adjust s390x config for confidential containers by @BbolroC in #9469
- ci.ocp: Increase the MCP update time by @ldoktor in #9404
- version: Add coco name and version for {image,initrd} for s390x by @BbolroC in #9471
- gha: make run-kata-coco-tests inherit secrets by @wainersm in #9479
- runtime-rs: refactor qemu driver by @pmores in #9353
- tests: k8s: inject agent policy failures (part2) by @danmihai1 in https://github.com/kata-co...
Kata Containers 3.3.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-65c32735e-8724d7dee-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-4fc34323a-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-6bb2ea819-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-0538bbfc4-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.19.3-rust-1.72.0-a13eecf7f-x86_64
- tools: quay.io/kata-containers/builders:tools-b3b00e00a-9ef59488d-5bad18f9c-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-2205fb9d0-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- metrics: Add parallel udp iperf3 benchmark by @GabyCT in #8278
- runtime-rs: fix a typo in device manager by @ZizhengBian in #8294
- AArch64: runtime: use pcie root port to do pci/pcie device hotplug by @jongwu in #7647
- dragonball: add metrics support for balloon device by @lisongqian in #7697
- kata-manager: Add clh config to containerd config file by @amshinde in #8281
- gha: add dependencies for spell checker by @cmaf in #8317
- runtime-rs: Add default configuration file for cloud-hypervisor by @amshinde in #8250
- tests/git-helper: cancel any previous rebase left halfway by @wainersm in #8322
- agent: use open_tree()/move_mount() to set up bind mounts between containers directly. by @h56983577 in #8033
- dragonball: add metrics support for legacy device by @lisongqian in #7695
- kata-runtime/kata-ctl: Add security details to output by @jodh-intel in #8314
- dragonball: add tracing feature for dragonball by @lisongqian in #7831
- utils: kata manager: Fix version checks by @jodh-intel in #8323
- Enable fio checkmetrics by @dborquez in #8202
- network: Fix network attach for ipvlan and macvlan by @amshinde in #8334
- agent: Skip flaky create_tmpfs on s390x by @BbolroC in #8289
- runtime-rs: Log system enhancement by @TimePrinciple in #8311
- docs: Fix broken links by @cmaf in #8255
- cargo: Agent cargo.lock updated by @amshinde in #8351
- release: Fully migrate from hub to gh by @gkurz in #8308
- gha: Add workflow to close stale PRs by @fidencio in #8348
- kata-manager: Fix deployment of containerd on architectures other than amd64. by @brianwang12 in #7057
- Docs: Fix Dragonball link by @sazzy4o in #8285
- gha: stale: Fix typo and allow manually triggering it by @fidencio in #8368
- kata-manager: Accept only "lts" or "active" as containerd versions by @fidencio in #8365
- runtime-rs: update device pci info for vfio and virtio-blk devices by @amshinde in #8284
- Updating containerd to a GogoProtobuf free version by @beraldoleal in #8061
- tests: fixes permission denied when running test by @beraldoleal in #8217
- runtime-rs: ch: Simplify VSOCK error handling by @jodh-intel in #8386
- agent: Restrict device access at upper node of container's cgroup by @justxuewei in #7531
- runtime-rs: Update status for pause and resume by @cmaf in #8023
- network: Fix network hotplug for ipvlan and macvlan endpoints for qemu and add tests by @amshinde in #8367
- runtime: Fix TestCheckHostIsVMContainerCapable instability issue by @justxuewei in #8389
- Upgrade to Cloud Hypervisor v36.0 by @likebreath in #8379
- gha: Fix regex used to get kubectl version from the k3s version by @fidencio in #8411
- kata-deploy: Allow users to set hypervisor annotations by @fidencio in #8404
- agent: update AGENT_THREADS metrics value by @gaohuatao-1 in #8370
- runtime-rs: fix a typo in shm by @studychao in #8169
- kata-manager: Add support for Docker CLI installation by @fidencio in #8376
- Update release process documentation by @gkurz in #8309
- utils: kata-manager: Ensure only one download URL by @jodh-intel in #8374
- docs: add agent policy documentation by @danmihai1 in #8406
- dragonball: Introduce vhost-net device by @justxuewei in #7675
- runtime-rs: ch: Fix TDX by @jodh-intel in #8419
- metrics: Fix function that completely stops kata containers before running a test by @dborquez in #8338
- utils: kata-manager: Add option to list versions by @jodh-intel in #8383
- ci: Re-add tracing tests and move docker/nerdctl to the basic-ci-amd64.yaml file by @fidencio in #8174
- gha: Remove docker and nerdctl tests from ci.yaml by @justxuewei in #8432
- runtime: Improve vCPU allocation for the VMMs by @fidencio in #7623
- kernel: Fix vsock packets drop when the driver initializes by @alex-matei in #8431
- dragonball: Remove vhost-net dependency on virtio-net by @justxuewei in #8426
- tests|gha: add nightly tests for s390x by @BbolroC in #7987
- gha: Keep kata tarballs for 15 days by @ldoktor in #8460
- tests: Enable stressng scalability test by @GabyCT in #8421
- metrics: Add iperf udp information to README by @GabyCT in #8453
- tests|gha: add containerd and k8s tests for s390x by @BbolroC in #7931
- StratoVirt: add support for a lightweight VMM StratoVirt in Kata by @WenyuanLau in #7796
- Fixes make check errors by @beraldoleal in #8345
- runtime-rs/bugfix: kata pod with multi-containers sharing one direct volume by @Apokleos in #8332
- kata-deploy: Set a default value for ALLOWED_HYPERVISOR_ANNOTATIONS by @BbolroC in #8478
- dragonball: Uniform the spelling of Virtio by @justxuewei in #8465
- Dragonball: add PCI bus and PCI interrupt support in mptable Spec by @studychao in #8451
- CC: Remote hypervisor merge to main by @stevenhorsman in #7046
*...