This repository has been archived by the owner on May 12, 2021. It is now read-only.

clh: Complete the 'seccomp' filter list based on the workload from Kata's CI #2901

Closed
likebreath opened this issue Aug 25, 2020 · 6 comments
Labels
enhancement Improvement to an existing feature port-to-2.0 PRs that need to be ported to kata 2.0-dev branch

Comments

@likebreath
Contributor

Which feature do you think can be improved?

As discussed in issue #2899, the incomplete seccomp filter list from cloud-hypervisor can introduce (random) failures in our CI jobs. As a workaround, the seccomp option of clh is temporarily disabled in kata.

How can it be improved?

We should collect the missing syscalls triggered by Kata's CI workload, and add them to clh's seccomp filter list. Once we have a complete list (for kata's CI workload), we should bring the seccomp option of clh back to kata, so that we can leverage this security feature from clh.

@likebreath likebreath added enhancement Improvement to an existing feature needs-review Needs to be assessed by the team. labels Aug 25, 2020
@likebreath
Contributor Author

As a first run of my local VM on the failing tests reported by the CI (e.g. CPU update constraints), I see the following missing syscall: `brk`. This syscall also contributed to the instability of cloud-hypervisor's CI. It was added to all worker threads of clh (after release v0.9.0).
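
One way to collect the missing syscalls discussed in this issue, as an added example that is not part of the original thread or of the project's code: when a seccomp filter kills or traps a thread, the Linux kernel typically emits a `type=SECCOMP` audit record carrying the syscall number, and this script groups those records per thread of the hypervisor binary. The sample records, thread names and binary path are constructed, and the x86_64 syscall table is deliberately partial.

```python
import re
from collections import defaultdict

AUDIT_ARCH_X86_64 = 0xC000003E
# Partial x86_64 syscall table; extend it for the workload under test.
X86_64_SYSCALLS = {0: "read", 1: "write", 9: "mmap", 11: "munmap", 12: "brk",
                   16: "ioctl", 28: "madvise", 202: "futex"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return (comm, exe, syscall_name) for a type=SECCOMP record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "SECCOMP":
        return None
    try:
        arch, nr = int(fields["arch"], 16), int(fields["syscall"])
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
    return fields.get("comm", "?"), fields.get("exe", "?"), name or f"unknown({nr})"

def missing_syscalls(lines, exe_name="cloud-hypervisor"):
    """Map each thread name (comm) of exe_name to the syscalls its filter rejected."""
    per_thread = defaultdict(set)
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec and rec[1].rsplit("/", 1)[-1] == exe_name:
            per_thread[rec[0]].add(rec[2])
    return {comm: sorted(names) for comm, names in per_thread.items()}

# Constructed sample records (not taken from Kata's CI); sig=31 is SIGSYS.
CLH = 'exe="/usr/bin/cloud-hypervisor" sig=31 arch=c000003e'
SAMPLE_LOG = [
    f'type=SECCOMP msg=audit(1598400000.100:101): pid=4242 comm="vcpu0" {CLH} syscall=12 compat=0 ip=0x7f00 code=0x0',
    f'type=SECCOMP msg=audit(1598400000.200:102): pid=4242 comm="vcpu0" {CLH} syscall=12 compat=0 ip=0x7f00 code=0x0',
    f'type=SECCOMP msg=audit(1598400001.000:103): pid=4242 comm="vmm" {CLH} syscall=28 compat=0 ip=0x7f10 code=0x80000000',
    f'type=SECCOMP msg=audit(1598400002.000:104): pid=4242 comm="vmm" {CLH} syscall=999 compat=0 ip=0x7f20 code=0x80000000',
    # Records that must be ignored: a non-seccomp event and another binary.
    'type=SYSCALL msg=audit(1598400003.000:105): arch=c000003e syscall=12 comm="vcpu0" exe="/usr/bin/cloud-hypervisor"',
    'type=SECCOMP msg=audit(1598400004.000:106): pid=99 comm="worker" exe="/usr/bin/other" sig=31 arch=c000003e syscall=1 compat=0 ip=0x1 code=0x0',
]

if __name__ == "__main__":
    for comm, names in sorted(missing_syscalls(SAMPLE_LOG).items()):
        print(f"{comm}: {', '.join(names)}")
```

Grouping by `comm` matters here because the comment above refers to per-thread filters: a syscall allowed for one thread can still be missing from another thread's list.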

@likebreath
Contributor Author

/cc @jcvenegas @amshinde

@likebreath likebreath added the port-to-2.0 PRs that need to be ported to kata 2.0-dev branch label Aug 26, 2020
likebreath added a commit to likebreath/kata-containers that referenced this issue Aug 26, 2020
We kept observing instabilities from CLH CI jobs periodically (kata
1.x). To separate the random failures caused by `seccomp` from other
failures, this patch disables the 'seccomp' option from clh in kata for
now. We will bring this option back after completing the 'seccomp'
filter lists based on Kata's CI workload. Details are tracked in the
following two issues:
kata-containers/runtime#2899 and
kata-containers/runtime#2901

We are facing a similar challenge to stabilize CI jobs related to
cloud-hypervisor in Kata 2.0. We are disabling the `seccomp` option here
for the same reason. Related issue:
kata-containers/tests#2813

Fixes: kata-containers#614

Signed-off-by: Bo Chen <chen.bo@intel.com>
@jodh-intel jodh-intel added this to To do in Issue backlog Sep 18, 2020
@jodh-intel jodh-intel moved this from To do to In progress in Issue backlog Sep 18, 2020
@jodh-intel
Contributor

@likebreath - I think we can close this issue now?

@likebreath
Contributor Author

@jodh-intel Let's keep this one until I do more experiments on whether the seccomp filter is now sufficient to run all the workloads from kata's CI jobs. Also, as @amshinde advises, we will provide an option for users to enable and disable the seccomp filter.

@jodh-intel
Contributor

Hi @likebreath - can we close now?

@jodh-intel jodh-intel removed the needs-review Needs to be assessed by the team. label Dec 15, 2020
@fidencio
Member


This issue is being automatically closed as Kata Containers 1.x has now reached EOL (End of Life). This means it is no longer being maintained.

Important:

All users should switch to the latest Kata Containers 2.x release to ensure they are using a maintained release that contains the latest security fixes, performance improvements and new features.

This decision was discussed by the @kata-containers/architecture-committee and has been announced via the Kata Containers mailing list:

If you believe this issue still applies to Kata Containers 2.x, please open an issue against the Kata Containers 2.x repository, pointing to this one, providing details to allow us to migrate it.


Cloud hypervisor integration automation moved this from Feature and Improvements to Done May 12, 2021
Issue backlog automation moved this from In progress to Done May 12, 2021
3 participants