This repository has been archived by the owner. It is now read-only.
1.13.0-alpha0
cd63aac

Initial alpha release for 1.13.0.

agent Changes

Shortlog

d7a57c6 release: Kata Containers 1.13.0-alpha0
09af1d8 github: Add github actions
d66fcb8 rootBusPath: create rootBusPath dynamically.
23bd1c7 ci: install docker 19.03 for arm64 to let build image go

proxy Changes

Shortlog

cc28a02 release: Kata Containers 1.13.0-alpha0
969eafa actions: Use actions/checkout@v2 with depth 0
82bedcc actions: Define TRAVIS_BRANCH
b8adeef github: Enable github actions

runtime Changes

Shortlog

f8e1406 snap: add GH actions jobs to release the snap package
a303554 release: Kata Containers 1.13.0-alpha0
b2956f3 blk-dev: hotplug read only if applicable
8b74066 volumes: cleanup, minimal refactoring
cf32518 govmm: revendor to get latest changes
188424a vendor: update govmm from intel to kata-containers
a91deab virtcontainers: Append max_ports to virtio-serial device
7b1d678 qemu: no state to save if QEMU isn't running
664f1b2 ACPI: enable acpi for arm64 on qemu
cafd967 Gopkg: update govmm to involve pflash in
0fb409d github: Add github actions
11c8c19 versions: Update firecracker to 0.21.3
bcf29ba build: Remove default hypervisor message from build
0279c81 shimv2: Add tracing to shimv2
c963777 cli: check modules and permissions before loading a module
f2ff670 cli: don't fail if rate limit is exceeded
ba5ca59 versions: Bump the newest-version of OpenShift
27c558e version: add new docker version entry for agent test on arm
c56af73 virtcontainers: Don't set Ctty
559ba41 runtime: sleep 1 second after GetOOMEvent failed
e4a68a7 runtime: clh: update cloud-hypervisor
02af5c9 runtime: clh: disable virtiofs DAX when FS cache size is 0
fc6beea release: Fix release candidate to major version upgrade check
8fbf9aa tests: Ensure semver build metadata is ignored
df99deb release: Make error format string consistent
38fc74c tests: Update assets test to adapt to recent changes
fc412ad makefile: Enable hypervisor annotations by default
f89fac9 config: Rename 'runtime' to 'runtimeConfig'
cf3a7eb config: Improve comments in configuration file templates
31f0ed5 config: Make configuration file comments consistent
1a7eeb6 annotations: Correct unit tests to validate new protections
2235d5d annotations: Split addHypervisorOverrides to reduce complexity
151e6fc annotations: Add unit test for checkPathIsInGlobs
ad9ce3f annotations: Add unit test for regexpContains function
90ff89e runtime: Fix firecracker config
612fb2c makefile: Add missing generated vars to USER_VARS
979e630 makefile: Improve names of config entries for annotation checks
d412a7f annotations: Give better names to local variabes in search functions
58de2c5 annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
849f17c config: Add better comments in the template files
bce2528 config: Whitelist hypervisor annotations by name
2417d0b config: Use glob instead of regexp to match paths in annotations
1e036c8 annotations: Fix typo in comment
5ee9b20 config: Add makefile variables for path lists
ed56c9d config: Protect file_mem_backend against annotation attacks
2f0360b config: Protect vhost_user_store_path against annotation attacks
fba4619 config: Add security warning on configuration examples
92065d8 config: Protect ctlpath from annotation attack
0d5273a config: Protect jailer_path annotation
b588faf config: Add examples for path_list configuration
b2d64b6 annotations: Simplify negative logic
d823b3d config: Add hypervisor path override through annotations
e2a4015 config: Fix typo in function name
22e89f6 config: Protect virtio_fs_daemon annotation
11e737d config: Add 'List' alternates for hypervisor configuration paths
b44b1ba runtime: Add s.newStore.Destroy before defer
fac58a7 clh: let clh config build for arm64
7739905 runtime: mount shared mountpoint readonly
509eb6f runtime: readonly mounts should be readonly bindmount on the host
4ce09fb hypervisor: Remove unused methods
6a5eb0d annotations: Improve asset annotation handling
7d9860d annotations: Add missing hypervisor control annotation
f53406f asset: Formatting, grammar and whitespace
2696323 runtime: mount shared mountpoint readonly
750419c runtime: readonly mounts should be readonly bindmount on the host
bc1d883 versions: Update cloud-hypervisor to release v0.11.0
120e616 runtime: Ignore ENOENT in kill/delete
ec26e48 clh: Consolidate the code path for device unplug
0ffaeeb network: Fix error reporting in listRoutes()
b86e904 network: Correct error reporting in listInterfaces()
5069ea4 gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
3596058 vhost-user-blk: Use PciPath type for vhost user devices
64751f3 block: Use PciPath type through block code
3e58971 network: Use PciPath type through network handling
bfbfab3 network: Allow convertToInterface to fail
185b3ab device: Introduce PciSlot and PciPath types
1c0dccb vendor: Update vendored agent code
141de5c arm64: correct bridge type for QEMUVIRT machine

shim Changes

Shortlog

c80f776 release: Kata Containers 1.13.0-alpha0
59eebf3 github: Enable github actions

Compatibility with Docker

Kata Containers 1.13.0-alpha0 is compatible with Docker v18.06-ce

Compatibility with CRI-O

Kata Containers 1.13.0-alpha0 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082

Compatibility with cri-containerd

Kata Containers 1.13.0-alpha0 is compatible with cri-containerd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7

OCI Runtime Specification

Kata Containers 1.13.0-alpha0 supports the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 1.13.0-alpha0 is compatible with Kubernetes 1.17.3-00

Kata Linux Containers image

Agent version: 1.13.0-alpha0

Default Image Guest OS:

description: |
  Root filesystem disk image used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "centos"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"

Default Initrd Guest OS:

description: |
  Root filesystem initrd used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.12"
  ppc64le:
    name: "alpine"
    version: "3.12"
  s390x:
    name: "alpine"
    version: "3.12"
  x86_64:
    name: "alpine"
    version: "3.12"

Kata Linux Containers Kernel

Kata Containers 1.13.0-alpha0 suggests using the Linux kernel v5.4.60.
See the suggested Guest Kernel patches.
See the suggested Guest Kernel config.

Installation

Follow the Kata installation instructions.

Issues & limitations

More information: Limitations

1.12.1
b967088

agent Changes

No relevant changes.

Shortlog

d8bd47b release: Kata Containers 1.12.1
74b0dd1 github: Enable github actions

proxy Changes

No relevant changes.

Shortlog

3091fa6 release: Kata Containers 1.12.1
5d18fd1 github: Enable github actions

runtime Changes

A few fixes:

  • Handle and remove error messages for QEMU state save, as well as OOM messages
  • Minor bug fixes around cleanup
  • Update Firecracker
  • Add read-only block device support

Shortlog

ecf3c63 release: Kata Containers 1.12.1
f4cf009 qemu: no state to save if QEMU isn't running
dcaabed blk-dev: hotplug read only if applicable
76ca708 volumes: cleanup, minimal refactoring
41f88c6 govmm: revendor to get latest changes
a8d2089 vendor: update govmm from intel to kata-containers
201bc7d versions: Update firecracker to 0.21.3
da4c432 runtime: sleep 1 second after GetOOMEvent failed

shim Changes

No relevant changes.

Shortlog

d307e92 release: Kata Containers 1.12.1
1a21391 github: Enable github actions

Compatibility with Docker

Kata Containers 1.12.1 is compatible with Docker v18.06-ce

Compatibility with CRI-O

Kata Containers 1.12.1 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082

Compatibility with cri-containerd

Kata Containers 1.12.1 is compatible with cri-containerd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7

OCI Runtime Specification

Kata Containers 1.12.1 supports the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 1.12.1 is compatible with Kubernetes 1.17.3-00

Kata Linux Containers image

Agent version: 1.12.1

Default Image Guest OS:

description: |
  Root filesystem disk image used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "centos"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"

Default Initrd Guest OS:

description: |
  Root filesystem initrd used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.12"
  ppc64le:
    name: "alpine"
    version: "3.12"
  s390x:
    name: "alpine"
    version: "3.12"
  x86_64:
    name: "alpine"
    version: "3.12"

Kata Linux Containers Kernel

Kata Containers 1.12.1 suggests using the Linux kernel v5.4.60.
See the suggested Guest Kernel patches.
See the suggested Guest Kernel config.

Installation

Follow the Kata installation instructions.

Issues & limitations

More information: Limitations

1.12.0
439d131

Kata 1.12.0 is here!
It includes several features as well as a couple of security fixes. Users are encouraged to upgrade to this release.

Security fixes:

  • Read-only bind-mounts are now also mounted read-only on the host. With this fix, mounts are protected at the VM boundary, not just by the guest kernel; previously, if a container escape were to occur, one would have been able to write to a directory or file that was mounted read-only.
  • Certain annotations in Kata can be used to execute pre-existing binaries. This could be used to execute arbitrary binaries, with the onus of validating these paths left to the stack above Kata. In this release, we added appropriate validations so that an admin can configure a list of file system paths (glob patterns) used to filter which annotation values are accepted as valid file names.

Features:

  • Added support for getOOMEvent GRPC agent API so OOM events can be retrieved from the agent.
  • We now detect and support static ARP entries that may be created by a network plugin.
  • Added support to hotplug block and vfio devices in cloud hypervisor.
  • Fixes were made to make sure systemd cgroups are detected and handled correctly.
  • OpenShift CI enabled on runtime repository.
  • Added a debug-only capability to run a debug container in the agent PID namespace.
  • Host cpuset support added for cpuset.cpus and cpuset.mems
  • Kernel LTS 5.4.60 supported with this release
  • Qemu updated to 5.0
  • Cloud-hypervisor updated to 0.11.0

agent Changes

Shortlog

5af1d61 release: Kata Containers 1.12.0
8f7c782 release: Kata Containers 1.12.0-rc0
05298d0 github: Remove issue template and use central one
9804b1e device: Generalize PCI paths to any number of bridges
134f55a device: Reorganize TestPciPathToSysfs
da4bc1d device: Introduce PciPath type, name things consistently
0eb612f device: Rename and clarify semantics of getDevicePCIAddress
8336b5b action: Improve porting checks
0a4d443 device: Simplify uevent matching in listenToUdevEvents()
bd4dcc5 device: Rename pciDeviceMap in sandbox struct
27ebdc9 device: Check type as well as major:minor when looking up devices
d88d468 device: Index all devices in spec before updating them
a48a062 network: Fix Could not create destination mount point: /etc/resolv.conf
427dc4e action: Require PR porting labels
5cc719a action: Add issue to project and move to "In progress" on linked PR
cef0a1e release: Kata Containers 1.12.0-alpha1
02d2f97 oci: Fix running of OCI hooks
abb006c RFC: namespaces: Allow container with agent PID namespace
5dc7ae4 device: Ease device access for rootfs device to allow node creation
96d8dd3 actions: Add action to perform checks for pull requests
b08eb7e release: Kata Containers 1.12.0-alpha0
c01192e device: Allow to use the predicted 'VmPath' when adding blk devices
a88af32 device: Do not allow container access to the nvdimm rootfs
42438f9 network: Add grpc method to add static arp neighbors
756de79 Makefile: do not use LDFLAGS to avoid environment contamination
1eb1abe channel: fix the issue of epoll_wait interrupted by signal
2aa833f agent: add grpc endpoint to retrieve oom events

proxy Changes

Shortlog

27b2fdc release: Kata Containers 1.12.0
f4db666 release: Kata Containers 1.12.0-rc0
16cf58a github: Remove issue template and use central one
e3df538 action: Improve porting checks
621fb82 action: Require PR porting labels
7e5a74c action: Fix in progress issue action
7dea9b4 action: Add issue to project and move to "In progress" on linked PR
57e322a release: Kata Containers 1.12.0-alpha1
9953a24 actions: Add action to perform checks for pull requests
c9c4883 release: Kata Containers 1.12.0-alpha0

runtime Changes

Shortlog

00ff192 release: Kata Containers 1.12.0
1e6c696 versions: Update cloud-hypervisor to release v0.11.0
d389fa4 tests: Update assets test to adapt to recent changes
fd59f15 makefile: Enable hypervisor annotations by default
b6f45c4 config: Rename 'runtime' to 'runtimeConfig'
18d9a1d config: Improve comments in configuration file templates
76a9542 config: Make configuration file comments consistent
40e2263 annotations: Correct unit tests to validate new protections
771865a annotations: Split addHypervisorOverrides to reduce complexity
d4b8f61 annotations: Add unit test for checkPathIsInGlobs
9b733a9 annotations: Add unit test for regexpContains function
ff869d5 runtime: Fix firecracker config
7a6cd2a makefile: Add missing generated vars to USER_VARS
622c288 makefile: Improve names of config entries for annotation checks
90b7cfb annotations: Give better names to local variabes in search functions
0609d2d annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
179325d config: Add better comments in the template files
fc300a3 config: Whitelist hypervisor annotations by name
b6d4683 config: Use glob instead of regexp to match paths in annotations
8c1199f annotations: Fix typo in comment
a390728 config: Add makefile variables for path lists
0624812 config: Protect file_mem_backend against annotation attacks
3317bf7 config: Protect vhost_user_store_path against annotation attacks
dc97a64 config: Add security warning on configuration examples
99ef2b6 config: Protect ctlpath from annotation attack
0243f40 config: Protect jailer_path annotation
b7c8905 config: Add examples for path_list configuration
f4dd729 annotations: Simplify negative logic
7542405 config: Add hypervisor path override through annotations
0330aa0 config: Fix typo in function name
802bc99 config: Protect virtio_fs_daemon annotation
06369f2 config: Add 'List' alternates for hypervisor configuration paths
7739905 runtime: mount shared mountpoint readonly
509eb6f runtime: readonly mounts should be readonly bindmount on the host
f03db9f static-checks: Correct the copyright format
7df99f3 arm64: correct bridge type for QEMUVIRT machine
a8e9cff gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
b71211c runtime: Ignore ENOENT in kill/delete
ebf5f95 runtime: Add s.newStore.Destroy before defer
44871d2 hypervisor: Remove unused methods
f8e25a4 annotations: Improve asset annotation handling
fb6ca1f annotations: Add missing hypervisor control annotation
fa02f1b asset: Formatting, grammar and whitespace
3add5af release: Kata Containers 1.12.0-rc0
3f9f4b8 runtime: Don' call bindUnmountContainerRootfs for devicemapper device
cfedf35 runtime: Fix /var/lib/vc/sbs/${sid} dir residual
ab7f18d hypervisor: don't enforce a minimum memory setting
ec96409 shimv2: handle ctx passed by containerd
b90babb runtime: write oom file to notify CRI-O OOM occurred
e5f3b6d ci: clear travis config warnings
1e91677 virtiofsd: fix typo in test code
321d28e version: upgrade qemu version to v5.1.0 for arm64
2f1219f virtiofs: Disable DAX
e31c834 versions: Add newest-version for OpenShift
b5b8870 cpuset: don't set cpuset.mems in the guest
18c1a7f clh: Support VFIO device unplug
0f75801 clh: Remove unnecessary VmmPing
49bd162 versions: cloud-hypervisor: Bump to version 6d30fe05
62b0d5e clh: openapi: Tag the 'openapi-generator-cli' container to v4.3.1
3a1a70c github: Remove issue template and use central one
4cfaa8c versions: Update CLH to version v0.10.0
a707608 kata-check: check for newer release
7d3fff4 scripts: Don't use hard-coded crio config
8ef2946 sandbox: consider cpusets if quota is not enforced
0e0ef63 cpuset: support setting mems for sandbox
598b4fe ci/openshift-ci: Enable openshift-ci
22d4823 virtcontainers: fix delete sandbox failed problem
67be926 action: Require PR porting labels
5cb47f2 action: Add issue to project and move to "In progress" on linked PR
0868c2a virtcontainers: Add unit test for utils/compare.go
227cba6 sandbox: Disconnect from agent after VM shutdown
d3690ec release: Kata Containers 1.12.0-alpha1
dfb8ed7 clh: Disable the 'seccomp' option temporarily
e529c01 kernel: move to the latest LTS kernel 5.4.60
9bb8e36 shimv2: Add a "--version" cli option
ad78c6f build: Fold long clean line
6bf93b2 drivers: Correct isPCIeDevice logic
c87ff44 clh: Add some error handling for clh
3a0cd87 shimv2: fix the issue of close IO stream
44b58e4 clh: Add support to unplug block devices
03fb9c5 clh: Set 'Id' explicitly while hotplugging block device
3989786 clh: Provide cpu topology to API
40f4931 clh: opeanapi: update api for cloud hypervisor
0dcbbd8 versions: cloud-hypervisor 0.9.0
d803f07 versions: Update qemu-virtiofs to 5.0
3a4aec1 qemu: add annotations for iommu_platform for s390x virtio devices
9305ef7 vendor: Update govmm for s390x iommu_platform annoations
62529e3 virtcontainers: Add msg to existing utils unit tests
5debe06 virtcontainers: Add to utils unit tests
e8e1124 virtcontainers: Add unit test for types/container.go
cb49a57 namespace: Allow container to join pid namespace of agent
50085ca vendor: Vendor in github.com/kata-containers/agent
a7b98ac initrd: Increase Alpine Version to 3.12
a162469 qemu: Set govmmQemu NoReboot config Knob
b1cbf83 qemu: Add test for qemuConfig Knobs
0d5c05e vendor: update govmm
8802bd3 qemu: remove multidev in qemu/fsdev parameter on arm64
1e2a361 virtcontainers: Expand unit test coverage for asset
18fbde9 virtcontainers: Add function to capabilities test
695fa43 virtcontainers: 9p: shares multiple devices with only one export
50d96b3 vendor: update govmm
d889e9c virtcontainers: Add additional unit tests for sandbox
345d0c2 virtcontainers: Remove duplicate unit tests
d2fac4c virtcontainers: Move unit tests for types/sandbox.go
64bf3fe cgroups: remove unused SystemdCgroup variable and accessor/mutators
ad5484b cgroups: Add systemd detection when creating cgroup manager
790951a actions: Add action to perform checks for pull requests
b8238ce versions: Use new kata tag for virtiofs kernel
e71b05b virtcontainers: Add to bridges unit test
337f2e0 sandbox: Stop and clean up containers that fail to create
0f957fb virtcontainers: vhost-user-blk/scsi are block device nodes
8b4c299 sandbox: don't constrain cpus, mem only cpuset, devices
093aaa8 cgroups: add ability to update CPUSet
9fa2bf1 vendor: add cpuset package from kubernetes
1aa0cec virtcontainers: add method for calculating cpuset for sandbox
e0dc806 shimv2: Removing function as no longer used
624d13d shimv2 : Remove workaround for sharedPidNs
a3de452 release: Kata Containers 1.12.0-alpha0
c139a66 versions: update QEMU to 5.0.0
30b40f5 clh: Remove the use of deprecated '--memory file=' parameter
e02d5ef virtcontainers: print a warning when the device to append is not supported
5fccab7 virtcontainer/cgroup: create cgroup manager after creating the network
3c8c650 virtcontainers/network: Change signature of Enpoint Attach method
581ff97 drivers: change BindDevicetoVFIO signature
970ef45 device: support vfio cold plug
6532eaa device: add ColdPlug flag
26f8c14 vendor: update govmm
53a9d00 virtcontainers: Fix structured logging in cgroups package
c51baf8 shimv2: Use BUILDTAGS when building shimv2
651d5ff qemu: Fix kernel_irqchip=split option for IOMMU enabled sandbox
364435a clh: vsock: Use the updated VsockConfig
17d265a versions: Move to cloud-hypervisor v0.8.0
4ee382c qemu: Report all errors on virtiofsd execution
5a3b665 katatestutils: Use the configured virtiofs daemon path
2c34263 virtcontainers: Check the correct error variable for sandbox creation
c19daa5 qemu: Fix travis build failure for Power
5d442a2 qemu_arm64: Fix build failure
fdcd1f3 qemu: enable iommu on q35
66b54f8 qemu: support appending a vIOMMU device
401ad67 vendor: update govmm to bring iommu support
4645d3e virtiofsd: Use cache=auto
9ac3911 cli: Fix kata-env output on Power
6be76fc kata_agent: Add unit tests
5b96e01 clh: Clear the "PCIAddr" field while blk device hotplug
50c1dce kata_agent: Pass "VirtPath" with "PCIAddr" of blk devices to agent
aea29b6 kata_agent: Allow to use "VirtPath" as volume source for blk devices
e5a3211 clh: Allow add virtiofs args and cache options from config
49ebaa8 virtcontainers: drop deferred func for GetAndSetSandboxBlockIndex
379f19f qemu: Fix rtc parameter is not set to qemu
20fe3bb shimv2: check correct error variable for deferred func in service#StartShim
54e8fdb qemu: Fix Qemu binary path for Power across distros
e855d8d github: add auto comment bot
a3dec26 vc: make host shared path readonly
1d3e1ea qemu: Remove hard-coding of Qemu machine options for ppc64le
67d3e2c network: Detect and add static ARP entries
412dcbf vendor: Update agent to include AddARPNeighbors grpc method
6b32472 qemu: Remove PMU feature for Power (ppc64le) platform
e07a932 ci: Do not install virtcontainers with podman clh
f76d739 virtcontainers: GetOOMEvent should have no timeout
5e55272 clh: Set 'virtio-blk' as the default block device driver
c5f97b2 clh: Enable disk block device hotplug support
18662e1 qemu: Remove pmu limitation in nested virtualization of amd/ppc64le
41a06d4 build: Add "pmu=off" to default cpu_features option
f03c17d annotations: add cpu_features
0100af1 qemu: add cpu_features option
0b3a927 vendor: Update govmm
6c51754 clh: remove slow boot debug flags from kernel cmdline
160e3a7 clh: Remove vsock log port in kernel cmdline
e1ee00d clh: Improve hypervisor logging
882a823 virtiofsd: Improve logging
7b269ff qemu: Don't leak file descriptors in case of error
6aff077 virtcontainers: x86: Support microvm machine type
c98ef48 vendor: update govmm
bec32f6 utils: Fix case version check for stable releases
86f5810 shim: exit out of oom polling if unimplemented
b4833a4 virtcontainers: tests fix, nit fix
db28dcf shim: retrieve oom events after starting sandbox
86686b5 virtcontainers: add support for getOOMEvent agent endpoint to sandbox
ef8624b vendor: update agent
619ada2 clh: vsock: Supply the right VsockConfig to Vmconfig
9dbd929 versions: Move to cloud-hypervisor v0.7.0
3c4fe03 shm: handle shm mount backed by empty-dir memory volumes
7b5e8f6 clh: memory: remove pmem size argument
d4a9282 versions: Move to latest cloud-hypervisor
ee985a6 qemu: arm64: Set defaultGICVersion to 3 to limit the max vCPU number
4d4a153 qemu: arm64: Don't detect gic version by /proc/interrupts
d0dbd04 virtcontainers: Fix structured logging in device/config package
8d9fa47 virtcontainers: constrain runtime after creating network
017ac55 virtcontainers: update sandbox's device cgroup
1da6f22 virtcontainers: remove all the code related to HasCRIContainerType
389b374 virtcontainers: apply constraints to the sandbox cgroup
6377fc4 pkg/cgroups: update the list of devices for the hypervisor
042e7a2 pkg/cgroups: add methods to add and remove device from the cgroup
dc69d6e pkg/cgroups: implement functions to get information from a host device
eee0b09 device: add GetHostPath() to generic device
23aa94e logging: Fix structured logging in store package
868f687 versions: Remove golangci-lint and gometalinter entries
e36389e dax: enable dax on arm64
7e47046 vc: Version support check is ineffective in createSandbox
c4b5922 versions: Misc changes to descriptions

shim Changes

Shortlog

50e26ea release: Kata Containers 1.12.0
147a3ce release: Kata Containers 1.12.0-rc0
bdc7968 github: Remove issue template and use central one
b1f77fa action: Require PR porting labels
01f1f12 action: Add issue to project and move to "In progress" on linked PR
f8b3398 release: Kata Containers 1.12.0-alpha1
f5220a8 actions: Add action to perform checks for pull requests
866e33c release: Kata Containers 1.12.0-alpha0

Compatibility with Docker

Kata Containers 1.12.0 is compatible with Docker v18.06-ce

Compatibility with CRI-O

Kata Containers 1.12.0 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082

Compatibility with cri-containerd

Kata Containers 1.12.0 is compatible with cri-containerd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7

OCI Runtime Specification

Kata Containers 1.12.0 supports the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 1.12.0 is compatible with Kubernetes 1.17.3-00

Kata Linux Containers image

Agent version: 1.12.0

Default Image Guest OS:

description: |
  Root filesystem disk image used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "centos"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"

Default Initrd Guest OS:

description: |
  Root filesystem initrd used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.12"
  ppc64le:
    name: "alpine"
    version: "3.12"
  s390x:
    name: "alpine"
    version: "3.12"
  x86_64:
    name: "alpine"
    version: "3.12"

Kata Linux Containers Kernel

Kata Containers 1.12.0 suggests using the Linux kernel v5.4.60.
See the suggested Guest Kernel patches.
See the suggested Guest Kernel config.

Installation

Follow the Kata installation instructions.

Issues & limitations

More information: Limitations

1.11.5
2859866

This patch release includes backports of security fixes and some bug fixes.

Security fixes included:

  • Read-only bind-mounts are now also mounted read-only on the host. With this fix, mounts are protected at the VM boundary, not just by the guest kernel; previously, if a container escape were to occur, one would have been able to write to a directory or file that was mounted read-only.
  • Certain annotations in Kata can be used to execute pre-existing binaries. This could be used to execute arbitrary binaries, with the onus of validating these paths left to the stack above Kata. In this release, we added appropriate validations so that an admin can configure a list of file system paths (glob patterns) used to filter which annotation values are accepted as valid file names.
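The annotation path allow-list described in the 1.12.0 and 1.11.5 security notes works by matching each annotated hypervisor path against an administrator-configured list of glob patterns, and an annotation whose value matches nothing is refused. The Go program below is an added illustration of that check; it is not Kata's own checkPathIsInGlobs code. The glob patterns, the annotation values and the use of the io.katacontainers.config.hypervisor.path key as sample input are constructed for this example, and the rejection of relative paths plus the filepath.Clean normalisation are hardening choices of the example rather than documented Kata behaviour.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// pathIsInGlobs reports whether candidate matches at least one configured
// glob. An empty list allows nothing: the administrator must opt in before
// any annotation may point the runtime at a binary or file.
// Illustrative re-implementation; not Kata's own checkPathIsInGlobs.
func pathIsInGlobs(globs []string, candidate string) bool {
	if len(globs) == 0 || !filepath.IsAbs(candidate) {
		return false
	}
	// Normalise ".." and "." segments first so that a value such as
	// "/usr/bin/../../tmp/x" is matched as "/tmp/x", not as something
	// under /usr/bin. filepath.Match never lets '*' cross a '/', so a
	// pattern like "/usr/bin/*" cannot be stretched into subdirectories.
	clean := filepath.Clean(candidate)
	for _, g := range globs {
		if ok, err := filepath.Match(g, clean); err == nil && ok {
			return true
		}
	}
	return false
}

// resolveHypervisorPath picks the path for one hypervisor component. With no
// annotation the configured default is used; an annotation outside the
// allowed list is an error rather than a silent fallback, so the rejection
// is visible in the runtime's logs.
func resolveHypervisorPath(annotations map[string]string, key, configured string, allowed []string) (string, error) {
	v, ok := annotations[key]
	if !ok {
		return configured, nil
	}
	if !pathIsInGlobs(allowed, v) {
		return "", fmt.Errorf("annotation %s=%q rejected: not matched by [%s]",
			key, v, strings.Join(allowed, ", "))
	}
	return v, nil
}

func main() {
	// Constructed sample configuration and annotations (not from a real deployment).
	allowed := []string{"/usr/bin/qemu-system-*", "/opt/kata/bin/*"}
	const key = "io.katacontainers.config.hypervisor.path"
	for _, ann := range []map[string]string{
		{},
		{key: "/usr/bin/qemu-system-x86_64"},
		{key: "/usr/bin/../../tmp/qemu-system-x86_64"},
	} {
		p, err := resolveHypervisorPath(ann, key, "/usr/bin/qemu-system-x86_64", allowed)
		fmt.Printf("annotations=%v -> path=%q err=%v\n", ann, p, err)
	}
}
```

The point a deployer should take from the check is the fail-closed default: with an empty list every path-carrying annotation is refused, and only patterns the administrator writes into the configuration widen that.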

agent Changes

Shortlog

ce2107a release: Kata Containers 1.11.5

proxy Changes

Shortlog

369aaa6 release: Kata Containers 1.11.5

runtime Changes

Shortlog

362e312 release: Kata Containers 1.11.5
8e5c1c3 tests: Update assets test to adapt to recent changes
1231ce9 makefile: Enable hypervisor annotations by default
c2cbceb config: Rename 'runtime' to 'runtimeConfig'
7c1bf82 config: Improve comments in configuration file templates
57a29a8 config: Make configuration file comments consistent
f7493d7 annotations: Correct unit tests to validate new protections
e3efe73 annotations: Split addHypervisorOverrides to reduce complexity
50c126f annotations: Add unit test for checkPathIsInGlobs
069360c annotations: Add unit test for regexpContains function
14bb5f1 runtime: Fix firecracker config
4eb0029 makefile: Add missing generated vars to USER_VARS
0705db2 makefile: Improve names of config entries for annotation checks
f1c2a1c annotations: Give better names to local variabes in search functions
0d5d221 annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
96ba05f config: Add better comments in the template files
33021ef config: Whitelist hypervisor annotations by name
db5fb82 config: Use glob instead of regexp to match paths in annotations
344e338 annotations: Fix typo in comment
d3245a4 config: Add makefile variables for path lists
ba15b7e config: Protect file_mem_backend against annotation attacks
88b0544 config: Protect vhost_user_store_path against annotation attacks
7f381d5 config: Add security warning on configuration examples
4a753e8 config: Protect ctlpath from annotation attack
94076a6 config: Protect jailer_path annotation
14ef4df config: Add examples for path_list configuration
3d8ce2c annotations: Simplify negative logic
562a028 config: Add hypervisor path override through annotations
5848bec config: Fix typo in function name
4611567 config: Protect virtio_fs_daemon annotation
9ac0e93 config: Add 'List' alternates for hypervisor configuration paths
eca202e arm64: correct bridge type for QEMUVIRT machine
314bc3d gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
951302f runtime: Ignore ENOENT in kill/delete
20fcb93 hypervisor: Remove unused methods
04dc0d9 annotations: Improve asset annotation handling
a47f7b3 annotations: Add missing hypervisor control annotation
2dd0fe6 asset: Formatting, grammar and whitespace
3f0e61c runtime: mount shared mountpoint readonly
228e6eb runtime: readonly mounts should be readonly bindmount on the host
0b7019b runtime: Call s.newStore.Destroy if globalSandboxList.addSandbox
054c4fb runtime: Don' call bindUnmountContainerRootfs for devicemapper device
ad3eec5 runtime: Fix /var/lib/vc/sbs/${sid} dir residual
d78780c virtiofs: Disable DAX
51d8592 virtiofsd: Use cache=auto

shim Changes

Shortlog

2a0e8a5 release: Kata Containers 1.11.5

Compatibility with Docker

Kata Containers 1.11.5 is compatible with Docker v18.06-ce

Compatibility with CRI-O

Kata Containers 1.11.5 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082

Compatibility with cri-containerd

Kata Containers 1.11.5 is compatible with cri-containerd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7

OCI Runtime Specification

Kata Containers 1.11.5 supports the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 1.11.5 is compatible with Kubernetes 1.17.3-00

Kata Linux Containers image

Agent version: 1.11.5

Default Image Guest OS:

description: |
  Root filesystem disk image used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "centos"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"

Default Initrd Guest OS:

description: |
  Root filesystem initrd used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.7"
  ppc64le:
    name: "alpine"
    version: "3.7"
  s390x:
    name: "alpine"
    version: "3.7"
  x86_64:
    name: "alpine"
    version: "3.7"

Kata Linux Containers Kernel

Kata Containers 1.11.5 suggests using the Linux kernel v5.4.32.
See the suggested Guest Kernel patches.
See the suggested Guest Kernel config.

Installation

Follow the Kata installation instructions.

Issues & limitations

More information: Limitations

0b8ef4d
Pre-release
Kata Containers release 1.12.0-rc0
a2bb15b
551e717
1.11.3
aab76ae
1.12.0-alpha1
2be92dd
1.10.7
cfe182d