-
Notifications
You must be signed in to change notification settings - Fork 376
clh: Complete the 'seccomp' filter list based on the workload from Kata's CI #2901
Comments
As a first run of my local VM on the failing tests reported by the CI (e.g. |
/cc @jcvenegas @amshinde |
We kept observing instabilities from CLH CI jobs periodically (kata 1.x). To separate the random failures caused by `seccomp` from other failures, this patch disables the 'seccomp' option from clh in kata for now. We will bring this option back after completing the 'seccomp' filter lists based on Kata's CI workload. Details are tracked in the following two issues: kata-containers/runtime#2899 and kata-containers/runtime#2901 We are facing the similar challenge to stabilize CI jobs related to cloud-hypervisor in Kata 2.0. We are disabling the `seccomp` option here for the same reason. Related issue: kata-containers/tests#2813 Fixes: kata-containers#614 Signed-off-by: Bo Chen <chen.bo@intel.com>
@likebreath - I think we can close this issue now? |
@jodh-intel Let's keep this one before I do more experiments on whether the |
Hi @likebreath - can we close now? |
This issue is being automatically closed as Kata Containers 1.x has now reached EOL (End of Life). This means it is no longer being maintained.
This decision was discussed by the @kata-containers/architecture-committee and has been announced via the Kata Containers mailing list:
If you believe this issue still applies to Kata Containers 2.x, please open an issue against the Kata Containers 2.x repository, pointing to this one, providing details to allow us to migrate it. |
Which feature do you think can be improved?
As discussed in the issue #2899, the incomplete list of
seccomp
filter from cloud-hypervisor can introduce (random) failures in our CI jobs. As a workaround, theseccomp
option of clh is temporarily disabled in kata.How can it be improved?
We should collect the missing
syscall
triggered by Kata's CI workload, and added them to clh'sseccomp
filter list. Once we have a complete list (for kata's CI workload), we should bring theseccomp
option of clh back to kata, so that we can leverage this security feature from clh.The text was updated successfully, but these errors were encountered: