kata-containers Changes
In this release we're posting the shortlog between 3.2.0-alpha0 and 3.2.0-alpha3,
as the -alpha1 and -alpha2 releases couldn't be finished due to issues in our
release pipeline.
The most notorious changes that are worth mentioning are:
- The addition of device manager for runtime-rs
- Several improvements related to GPU usage with Kata Containers
- Several improvements to the
kata-ctltool - Addition of artefacts and specific runtime classes for x86_64 TEEs
- SEV, SNP, and TDX are the ones being tested, built, and shipped for now
- Multi-architecture release, including:
- kata-static-3.2.0-alpha3-{aarch64,s390x,x86_64}.tar.xz
- Note, aarch64 and x86_64 will be changed to arm64 and amd64 for the next
release
- Note, aarch64 and x86_64 will be changed to arm64 and amd64 for the next
- kata-deploy payloads supporting amd64, arm64, and s390x
- kata-static-3.2.0-alpha3-{aarch64,s390x,x86_64}.tar.xz
- Several other bug fixes happened all over the code
Shortlog
f636c1f gha: release: Simplify the process for tagging the payload
d10c9be gha: release: login-action: Don't specify docker.io registry
0b1c5ea versions: Update nydus version to 2.2.1
eff6ed2 runtime: make debug console work with sandbox_cgroup_only
c543631 release: Kata Containers 3.2.0-alpha3
f370226 release: Fix docker/login-action version
fc09d0f release: Kata Containers 3.2.0-alpha2
4719802 runtime-rs: add virtio-blk-mmio
f9bded4 runtime-rs: add devicetype enum
6800d30 runtime-rs: remove device
f16012a runtime-rs: support linux device
fe9ec67 runtime-rs: block volume
a8bfac9 runtime-rs: support block rootfs
b076d46 agent: handle hotplug virtio-mmio device
6e273d6 runtime-rs: implement trait for vhost-user device
cc9c915 runtime-rs: implement trait for vfio device
e4c5c74 runtime-rs: device manager
22154e0 cache: Fix OVMF tarball name for different flavours
b7341cd cache: Use "initrd" as initrd_type to build rootfs-initrd
35c3d7b runtime: clh: Re-generate the client code
cfee99c versions: Upgrade to Cloud Hypervisor v32.0
b8ffcd1 osbuilder: Bump fedora image version
636539b kata-deploy: Use apt-key.gpg from k8s.io
ae24dc7 local-build: Standardise what's set for the local build scripts
ad324ad gha: aks: Wait a little bit more before run the tests
11a34a7 docs: Update container network model url
191b6dd gha: release: Fix s390x worklow
75330ab cache: Fix OVMF caching
cfd8f4f gha: payload-after-push: Pass secrets down
a89b44a tools: Fix arch bug
f527f61 release: Kata Containers 3.2.0-alpha1
ca1531f runtime: Use static_sandbox_resource_mgmt=true for TEEs
f6e1b11 agent: update tokio dependency
4cb83dc kata-ctl: update tokio dependency
df615ff runk: update tokio dependency
ca6892d runtime-rs: update tokio dependency
3e85bf5 resource-control: fix setting CPU affinities on Linux
bdb75fb runtime: use enable_vcpus_pinning from toml
fa832f4 gha: k8s: Make the tests more reliable
cbb9fe8 config: Use standard OVMF with SEV
724437e kata-deploy: add kata-qemu-sev runtimeclass
521dad2 Tests: skip CPU constraints test on SEV and SNP
72308dd gha: ci-on-push: Don't skip tests for SEV
da0f92c gha: ci-on-push: Don't skip tests for SEV-SNP
12f43be gha: tdx: Use the k3s overlay for kata-cleanup
dd75625 runtime: pkg/sev: Add kbs utility package for SEV pre-attestation
05de7b2 runtime: Add sev package
3a9d3c7 gpu: Rename the last bits from gpu to nvidia-gpu
4cde844 local-build: Fix kernel-nvidia-gpu target name
1a3f8fc deploy: fix shell script error
c5a59ca ppc64le: switch virtiofsd from C to rust version
bfdf014 versions: Bump virtiofsd to 1.6.1
87cb98c osbuilder: Fix indentation in rootfs.sh
20cb875 virtcontainers/qemu_test.go: Improve test coverage
022a33d agent: Add context to errors when AgentConfig file is missing
50cc9c5 tests: Improve coverage for virtcontainers/pkg/compatoci/ for Kata 2.0
73913c8 kata-manager: Fix '-o' syntax and logic error
593840e kata-ctl: Allow INSTALL_PATH= to be specified
5f3f844 runtime-rs: fix building instructions with respect to required Rust version
197c336 Dragonball: use LinuxBootConfigurator::write_bootparams to writes the boot parameters into guest memory.
b9a1db2 kata-deploy: Add http_proxy as part of the docker build
777c3dc kata-deploy: Do not ship the kata tarball
136e241 static-build: Download firecracker instead of building it
3bf767c static-build: Adjust ARCH for nydus
ac88d34 static-build: Use relased binary for CLH (aarch64)
2856d3f deploy: Fix arch in image tag
e8f81ee Revert "kata-deploy: Use readinessProbe to ensure everything is ready"
a4c0303 virtcontainers: Fixed static checks for improved test coverage for fc.go
03a8cd6 virtcontainers: Improved test coverage for fc.go from 4.6% to 18.5%
cfe6352 release: Fix multi-arch publishing is not supported
4d17ea4 cache: Fix nvidia-snp caching version
a133fad cache: Fix nvidia-gpu-tdx-experimental cache URL
defb643 runtime: remove overriding ARCH value by default for ppc64le
5226f15 gha: Fix Body Line Length action flagging empty body commit messages
0d49cee gha: Fix snap creation workflow warnings
b9990c2 cache: Fix nvidia-gpu version
c9bf780 cache: Update the KERNEL_FLAVOUR list to include nvidia-gpu
3665b42 gpu: Rename gpu targets to nvidia-gpu
2c90cac local-build: fixup alphabetization
4da6eb5 kata-deploy: Add qemu-snp shim
14dd053 kata-deploy: add kata-qemu-snp runtimeclass
0bb37bf config: Add SNP configuration
af7f251 versions: update SEV kernel description
dbcc3b5 local-build: fix default values for OVMF build
b8bbe63 gha: build OVMF for tests and release
cf0ca26 local-build: Add x86_64 OVMF target
db095dd cache: add SNP flavor to comments
f4ee005 gha: Build and ship QEMU for SNP
7a58a91 docs: update SNP guide
879333b versions: update SNP QEMU version
38ce4a3 local-build: add support to build QEMU for SEV-SNP
e1f3b87 docs: Mark snap installation method as unmaintained
772d4db gha: Build and ship SEV initrd
45fa366 gha: Build and ship SEV OVMF
4770d30 gha: Build and ship SEV kernel.
fb9c1fc runtime: Add qemu-sev config
813e4c5 runtimeClasses: add sev runtime class
af18806 static-build: Add caching support to sev ovmf
76ae7a3 packaging: adding caching capability for kernel
12c5ef9 packaging: add support to build OVMF for SEV
b87820e packaging: add support to build initrd for sev
b0e6a09 packaging: Add sev kernel build capability
5f8008b kata-ctl: add unit test for kvm check
a085a6d kata-ctl: add generic kvm check
6594a93 tools: made log-parser-rs
17daeb9 warning_fix: fix warnings when build with cargo-1.68.0
8495f83 cross-compile: Include documentation and configuration for cross-compile
205909f runtime: Fix virtiofs fd leak
13d7f39 gpu: Check for VFIO port assignments
138ada0 gpu: Cold Plug VFIO toml setting
f7ad75c gpu: Cold-plug extend the api.md
0fec2e6 gpu: Add cold-plug test
dded731 gpu: Add OVMF setting for MMIO aperture
2a83017 gpu: Add fwcfg helper function
131f056 gpu: Extract VFIO Functions to drivers
c8cf7ed gpu: Add ColdPlug of VFIO devices with devManager
e2b5e7f gpu: Add Rawdevices to hypervisor
6107c32 gpu: Assign default value to cold-plug
377ebc2 gpu: Add configuration option for cold-plug VFIO
c18ceae gpu: Add new struct PCIePort
1c1ee80 pkg/signals: Improved test coverage 60% to 100%
9c38204 virtcontainers/persist: Improved test coverage 65% to 87.5%
0f45b0f virtcontainers/clh_test.go: improve unit test coverage
6bf1fc6 virtcontainers/factory: Improved test coverage
5c9246d gha: Also run k8s tests on qemu-snp
c57a444 gha: Add the ability to test qemu-snp
9e2b7ff gha: sev: fix for kata-deploy error
c849bdb gha: Also run k8s tests on qemu-sev
521519d gha: Add the ability to test qemu-sev
4064192 env: Utilize arch specific functionality to get cpu details
fb40c71 env: Check for root privileges
1016bc1 config: Add api to fetch config from default config path
b908a78 kata-env: Pass cmd option for file path
b192019 config: Workaround the way agent and hypervisor configs are fetched
f2b2621 kata-env: Implement the kata-env command.
f2ebdd8 utils: Get rid of spurious print statement left behind.
9a94f1f make: Export VERSION and COMMIT
2f81f48 config: Add file under /opt as another location to look for the config
07f7d17 config: Make the pipe_size field optional
68f6357 config: Make function to get the default conf file public
7565b33 kata-ctl: Implement Display trait for GuestProtection enum
94a00f9 utils: Make certain constants in utils.rs public
572b338 gitignore: Ignore .swp and .swo editor backup files
376884b cargo: Update version of clap to 4.1.13
cc8ea32 runtime-rs: support keep_abnormal in toml config
b1730e4 gpu: Add new kernel build option to usage()
825e769 gpu: Add GPU support to default kernel without any TEE
e4ee07f gpu: Add GPU TDX experimental kernel
87ea43c gpu: Add configuration fragment
aca6ff7 gpu: Build and Ship an GPU enabled Kernel
e4b3b08 gpu: Add proper CONFIG_LOCALVERSION depending on TEE
432d407 kata-ctl: checks for kvm, kvm_intel modules loaded
3e7b902 osbuilder: Fix D-Bus enabling in the dracut case
6d31571 snap: fix docker start fail issue
96e8470 kata-manager: Fix containerd download
53c749a agent: Fix ut issue caused by fd double closed
2e3f19a agent: fix clippy warnings caused by protobuf3
4849c56 agent: Fix unit test issue cuased by protobuf upgrade
0a582f7 trace-forwarder: remove unused crate protobuf
7325385 kata-ctl: remove unused crate ttrpc
76d2e30 agent-ctl: Bump ttrpc from 0.6.0 to 0.7.1
eb3d20d protocols: Add ut for Serde
59568c7 protocols: add support for Serde
a6b4d92 runtime-rs: Bump ttrpc from 0.6.0 to 0.7.1
8af6fc7 agent: Bump ttrpc from 0.6.0 to 0.7.1
009b42d protocols: Fix unit test
392732e protocols: Bump ttrpc from 0.6.0 to 0.7.1
ac7c63b gpu: Add containerd shim for qemu-gpu
a0cc8a7 gpu: Add a kube runtime class
a81fff7 gpu: Adding a GPU enabled configuration
f4f958d gpu: Do not pass-through PCI (Host) Bridges
a1272bc gha: tdx: Fix typo overlay -> overlays
3fa0890 cache-components: Fix TDVF caching
80e3a2d cache-components: Fix TDX QEMU caching
dc66233 runtime: Increase the dial_timeout
f478b91 clh: tdx: Update timeouts for confidential guest
3b76abb kata-deploy: Ensure node is ready after CRI Engine restart
5ec9ae0 kata-deploy: Use readinessProbe to ensure everything is ready
ea38670 kata-deploy: Update podOverhead for TDX
e31efc8 gha: tdx: Use the k3s overlay
542bb0f gha: tdx: Set KUBECONFIG env at the job level
d7fdf19 gha: tdx: Delete kata-deploy after the tests finish
da35241 tests: k8s: Skip k8s-cpu-ns when testing TDX
375187e versions: Upgrade to Cloud Hypervisor v31.0
eb1762e osbuilder: Enable dbus in the dracut case
db2cac3 runtime: Don't create socket file in /run/kata
f3595e4 nydus_rootfs/prefetch_files: add prefetch_files for RAFS
dc6569d runtime-rs/virtio-fs: add support extra handler for cache mode.
69ba209 runtime-rs: remove network entities and netns
b31f103 runtime-rs: enable nerdctl cni plugin
3bfaafb fix: oci hook
69d7a95 gha: ci-on-push: Run tests on TDX
5a0727e kata-deploy: Ship kata-qemu-tdx runtimeClass
9868280 config: Add configuration for QEMU TDX
3e15800 govmm: Directly pass the firmware using -bios with TDX
3c5ffb0 govmm: Set "sept-ve-disable=on"
ed14536 runtime/qemu: Drop "kvm-type=tdx"
25b3cdd virtcontainers: Drop check for the tdx CPU flag
01bdacb virtcontainers: Also check /sys/firmwares/tdx for TDX
9feec53 cache: Add ability to cache OVMF
ce8d982 gha: Build and ship the OVMF for TDX
39c3fab local-build: Add support to build OVMF for TDX
054174d versions: Bump OVMF for TDX
800fb49 packaging: Add get_ovmf_image_name() helper
fbf03d7 cache: Document kernel-tdx-experimental
5d79e96 cache: Add a space to ease the reading of the kernel flavours
6e4726e cache: Fix typos
fc22ed0 gha: Build and ship the Kernel for TDX
502844c local-build: Add support to build Kernel for TDX
b2585ee local-build: Avoid code duplication building the kernel
f33345c versions: Update Kernel TDX version
20ab2c2 versions: Move Kernel TDX to its own experimental entry
3d9ce39 cache: Allow specifying the QEMU_FLAVOUR
33dc6c6 gha: Build and ship QEMU for TDX
eceaae3 local-build: Add support to build QEMU for TDX
f7b7c18 static-build: Improve qemu-experimental build script
3018c9a versions: Update QEMU TDX version
800ee5c versions: Move QEMU TDX to its own experimental entry
1315bb4 local-build: Add dragonball kernel to the all target
73e1081 local-build: Rename non vanilla kernel build functions
1d851b4 local-build: Cosmetic changes in build targets
cbe6ad9 runtime: support non-root for clh
49ce685 gha: k8s-on-aks: Always delete the AKS cluster
e2a770d gha: ci-on-push: Run k8s tests with dragonball
c1fbaae rustjail: Use CPUWeight with systemd and CgroupsV2
79f3047 gha: k8s-on-aks: {create,delete} AKS must be a coded-in step
d1f550b docs: update the rust version from versions.yaml
2f35b4d gha: ci-on-push: Only run on main branch
e7bd254 Revert "gha: ci-on-push: Depend on Commit Message Check"
0d96d49 Revert "gha: ci-on-push: Adjust to using workflow_run"
c7ee45f Revert "gha: ci-on-push: Adapt chained jobs to workflow_run"
5d4d720 Revert "gha: k8s-on-aks: Fix cluster name"
13d857a gha: k8s-on-aks: Set {create,delete}_aks as steps
85cc5bb gha: k8s-on-aks: Fix cluster name
108d80a gha: Add the ability to also test Dragonball
8086c75 gha: Also run k8s tests on AKS with dragonball
2550d44 gha: build-kata-static-tarball: Only push to registry after merge
e81b8b8 local-build: build-and-upload-payload is not quay.io specific
13929fc gha: publish-kata-deploy-payload: Improve registry login
41026f0 gha: payload-after-push: Pass registry / repo as inputs
7855b43 gha: ci-on-push: Adapt chained jobs to workflow_run
3a760a1 gha: ci-on-push: Adjust to using workflow_run
a159ffd gha: ci-on-push: Depend on Commit Message Check
1688e4f gha: aks: Use D4s_v5 instance
fe86c08 tools: Avoid building the kernel twice
b661e0c rustjail: Add anyhow context for D-Bus connections
7796e6c rustjail: Fix minor grammatical error in function name
41fdda1 rustjail: Do not unwrap potential error with cgroup manager
0f73515 runtime: add filter metrics with specific names
3215860 gha: Set ci-on-push to run on pull_request_target
d17dfe4 gha: Use ghcr.io for the k8s CI
60c62c3 gha: Remove kata-deploy-test.yaml
43894e9 gha: Remove kata-deploy-push.yaml
cab9ca0 gha: Add a CI pipeline for Kata Containers
53b526b gha: k8s: Add snippet to run k8s tests on aks clusters
c444c24 gha: aks: Add snippets to create / delete aks clusters
11e0099 tests: Move k8s tests to this repo
73be4bd gha: Update actions for release.yaml
d38d7fb gha: Remove code duplication from release.yaml
56331bd gha: Split payload-after-push-*.yaml
a552a19 docs: Update CNM url in networking document
a914283 kata-ctl: add function to get platform protection.
d3bb254 utils: Add function to check vhost-vsock
Compatibility with CRI-O
Kata Containers 3.2.0-alpha3 is compatible with CRI-O
Compatibility with containerd
Kata Containers 3.2.0-alpha3 is compatible with contaienrd v1.6.8
OCI Runtime Specification
Kata Containers 3.2.0-alpha3 support the OCI Runtime Specification v1.0.2
Compatibility with Kubernetes
Kata Containers 3.2.0-alpha3 is compatible with Kubernetes 1.23.1-00
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.4 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
If you want to use the kata-agent which is not statically linked with the library, you can build
a custom kata-agent that does not use the library from sources.
For the details, please check the developer guide.
Kata Linux Containers image
Agent version: 3.2.0-alpha3
Default Image Guest OS:
description: |
Root filesystem disk image used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "ubuntu"
version: "latest"
ppc64le:
name: "ubuntu"
version: "latest"
s390x:
name: "ubuntu"
version: "latest"
x86_64:
name: "ubuntu"
version: "latest"
meta:
image-type: "ubuntu"
Default Initrd Guest OS:
description: |
Root filesystem initrd used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "alpine"
version: "3.15"
ppc64le:
name: "ubuntu"
version: "20.04"
s390x:
name: "ubuntu"
version: "20.04"
x86_64:
name: "alpine"
version: "3.15"
sev:
name: "ubuntu"
version: "20.04"
Kata Linux Containers Kernel
Kata Containers 3.2.0-alpha3 suggest to use the Linux kernel v5.19.2
See the kernel suggested Guest Kernel patches
See the kernel suggested Guest Kernel config
Installation
Follow the Kata installation instructions.
Issues & limitations
More information Limitations