From de8fe25dd5d1c1c715ad1ab200a99b9565e2b5f2 Mon Sep 17 00:00:00 2001 From: Bo Chen Date: Thu, 20 Feb 2020 07:40:40 -0800 Subject: [PATCH 1/2] clh: Update CLH to stable/v0.5.x Use CLH branch stable/v0.5.x, and also re-generate the openAPI client code with the new 'cloud-hypervisor.yaml'. Fixes: #2488 Signed-off-by: Bo Chen --- versions.yaml | 2 +- .../client/.openapi-generator/VERSION | 2 +- .../cloud-hypervisor/client/api/openapi.yaml | 31 +++++++++++++++++++ .../client/docs/DiskConfig.md | 4 +++ .../client/model_disk_config.go | 4 +++ .../cloud-hypervisor/cloud-hypervisor.yaml | 11 +++++++ 6 files changed, 52 insertions(+), 2 deletions(-) diff --git a/versions.yaml b/versions.yaml index caf17f4661..8e5084f89c 100644 --- a/versions.yaml +++ b/versions.yaml @@ -75,7 +75,7 @@ assets: url: "https://github.com/cloud-hypervisor/cloud-hypervisor" uscan-url: >- https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz - version: "v0.5.0" + version: "stable/v0.5.x" firecracker: description: "Firecracker micro-VMM" diff --git a/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/VERSION b/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/VERSION index 58592f031f..bfbf77eb7f 100644 --- a/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/VERSION +++ b/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/VERSION @@ -1 +1 @@ -4.2.3-SNAPSHOT \ No newline at end of file +4.3.0-SNAPSHOT \ No newline at end of file diff --git a/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml b/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml index ff93543b6e..edb23b1f3d 100644 --- a/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml +++ b/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml 
@@ -156,12 +156,20 @@ components: disks: - path: path num_queues: 5 + readonly: false iommu: false queue_size: 5 + vhost_socket: vhost_socket + vhost_user: false + wce: true - path: path num_queues: 5 + readonly: false iommu: false queue_size: 5 + vhost_socket: vhost_socket + vhost_user: false + wce: true cpus: boot_vcpus: 1 max_vcpus: 1 @@ -275,12 +283,20 @@ components: disks: - path: path num_queues: 5 + readonly: false iommu: false queue_size: 5 + vhost_socket: vhost_socket + vhost_user: false + wce: true - path: path num_queues: 5 + readonly: false iommu: false queue_size: 5 + vhost_socket: vhost_socket + vhost_user: false + wce: true cpus: boot_vcpus: 1 max_vcpus: 1 @@ -477,11 +493,18 @@ components: example: path: path num_queues: 5 + readonly: false iommu: false queue_size: 5 + vhost_socket: vhost_socket + vhost_user: false + wce: true properties: path: type: string + readonly: + default: false + type: boolean iommu: default: false type: boolean @@ -491,6 +514,14 @@ components: queue_size: default: 128 type: integer + vhost_user: + default: false + type: boolean + vhost_socket: + type: string + wce: + default: true + type: boolean required: - path type: object diff --git a/virtcontainers/pkg/cloud-hypervisor/client/docs/DiskConfig.md b/virtcontainers/pkg/cloud-hypervisor/client/docs/DiskConfig.md index 25930b1299..9345f0bfc8 100644 --- a/virtcontainers/pkg/cloud-hypervisor/client/docs/DiskConfig.md +++ b/virtcontainers/pkg/cloud-hypervisor/client/docs/DiskConfig.md 
@@ -5,9 +5,13 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- **Path** | **string** | | +**Readonly** | **bool** | | [optional] [default to false] **Iommu** | **bool** | | [optional] [default to false] **NumQueues** | **int32** | | [optional] [default to 1] **QueueSize** | **int32** | | [optional] [default to 128] +**VhostUser** | **bool** | | [optional] [default to false] +**VhostSocket** | **string** | | [optional] +**Wce** | **bool** | | [optional] [default to true] [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md) diff --git a/virtcontainers/pkg/cloud-hypervisor/client/model_disk_config.go b/virtcontainers/pkg/cloud-hypervisor/client/model_disk_config.go index 7a34362203..79e56828a1 100644 --- a/virtcontainers/pkg/cloud-hypervisor/client/model_disk_config.go +++ b/virtcontainers/pkg/cloud-hypervisor/client/model_disk_config.go @@ -11,7 +11,11 @@ package openapi // DiskConfig struct for DiskConfig type DiskConfig struct { Path string `json:"path"` + Readonly bool `json:"readonly,omitempty"` Iommu bool `json:"iommu,omitempty"` NumQueues int32 `json:"num_queues,omitempty"` QueueSize int32 `json:"queue_size,omitempty"` + VhostUser bool `json:"vhost_user,omitempty"` + VhostSocket string `json:"vhost_socket,omitempty"` + Wce bool `json:"wce,omitempty"` } diff --git a/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml b/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml index c9a1192a0e..926e710a2c 100644 --- a/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml +++ b/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml @@ -274,6 +274,9 @@ components: properties: path: type: string + readonly: + type: boolean + default: false iommu: type: boolean default: false 
@@ -283,6 +286,14 @@ components: queue_size: type: integer default: 128 + vhost_user: + type: boolean + default: false + vhost_socket: + type: string + wce: + type: boolean + default: true NetConfig: type: object From 12d10eb2dc341ceb2c946890812bb6e194f5d330 Mon Sep 17 00:00:00 2001 From: Bo Chen Date: Thu, 20 Feb 2020 07:42:53 -0800 Subject: [PATCH 2/2] clh: Update clh driver to use the latest openAPI knobs We leverage the new openAPI knobs from CLH to set readonly for disk image and we also pass kernel cmd to set guest root filesystem readonly. Signed-off-by: Bo Chen --- virtcontainers/clh.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/virtcontainers/clh.go b/virtcontainers/clh.go index 67ac089c1d..dd5691d1a6 100644 --- a/virtcontainers/clh.go +++ b/virtcontainers/clh.go @@ -120,6 +120,7 @@ var clhKernelParams = []Param{ {"no_timer_check", ""}, // do not check broken timer IRQ resources {"noreplace-smp", ""}, // do not replace SMP instructions {"agent.log_vport", fmt.Sprintf("%d", vSockLogsPort)}, // tell the agent where to send the logs + {"rootflags", "data=ordered,errors=remount-ro ro"}, // mount the root filesystem as readonly } var clhDebugKernelParams = []Param{ @@ -248,7 +249,8 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ } disk := chclient.DiskConfig{ - Path: imagePath, + Path: imagePath, + Readonly: true, } clh.vmconfig.Disks = append(clh.vmconfig.Disks, disk)
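Review bot: In the entry added to `clhKernelParams`, the read-only mount is requested by a bare `ro` token placed after a space inside the value of `rootflags`. It therefore only takes effect if the parameter list is joined into the kernel command line without quoting or escaping the value, and that serialization is not visible in this hunk. The list already carries flag-style entries with an empty value (`{"no_timer_check", ""}`), so `ro` can be its own entry: `{"rootflags", "data=ordered,errors=remount-ro"},` followed by `{"ro", ""}, // mount the root filesystem read-only`. That also keeps the trailing comment accurate, since `errors=remount-ro` only governs behaviour after a filesystem error. The `clhKernelParams` literal starts above the hunk.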
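Review bot: The `Readonly: true` added to the `chclient.DiskConfig` literal in `createSandbox` has no comment saying why the image disk is attached read-only. It is the host-side half of a control whose guest-side half is the `ro` kernel parameter added to `clhKernelParams` in the same commit. A comment such as `// Attach the guest image read-only on the host side; the guest also mounts it ro via clhKernelParams.` would keep one from being removed without the other. The generated field is tagged `json:"readonly,omitempty"`, so a `false` would be dropped from the request and the API default (`false` in the spec added by this series) would apply. `createSandbox` begins and ends outside the hunk.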