Kata 1.12.0 is here!
It includes several features including a couple of security fixes. Users are encouraged to upgrade to this release.
Security fixes:
- Readonly bind-mounts are now mounted read-only on the host. With this fix, mounts are protected at VM boundary not just the guest kernel. If a container escape were to occur, one would be able to write to a directory or file that was mounted read-only.
- Certain annotations in kata can be used to execute pre-exiting binaries. This could be used to execute arbitrary binaries with the onus of validating these paths left to the stack about Kata. In this release, we added appropriate validations so that an admin can configure a list of file system paths that can be used to filter annotations that represent valid file names.
Features:
- Added support for
getOOMEventGRPC agent API so OOM events can be retrieved from the agent. - We now detect and support static ARP entries that may be created by a network plugin.
- Added support to hotplug block and vfio devices in cloud hypervisor.
- Fixes were made to make sure systemd cgroups are detected and handled correctly.
- OpenShift CI enabled on runtime repository.
- Added a debug-only capability to run a debug container in the agent PID namespace.
- Host cpuset support added for cpuset.cpus and cpuset.mems
- Kernel LTS 5.4.60 supported with this release
- Qemu updated to 5.0
- Cloud-hypervisor updated to 0.11.0
agent Changes
Shortlog
5af1d61 release: Kata Containers 1.12.0
8f7c782 release: Kata Containers 1.12.0-rc0
05298d0 github: Remove issue template and use central one
9804b1e device: Generalize PCI paths to any number of bridges
134f55a device: Reorganize TestPciPathToSysfs
da4bc1d device: Introduce PciPath type, name things consistently
0eb612f device: Rename and clarify semantics of getDevicePCIAddress
8336b5b action: Improve porting checks
0a4d443 device: Simplify uevent matching in listenToUdevEvents()
bd4dcc5 device: Rename pciDeviceMap in sandbox struct
27ebdc9 device: Check type as well as major:minor when looking up devices
d88d468 device: Index all devices in spec before updating them
a48a062 network: Fix Could not create destination mount point: /etc/resolv.conf
427dc4e action: Require PR porting labels
5cc719a action: Add issue to project and move to "In progress" on linked PR
cef0a1e release: Kata Containers 1.12.0-alpha1
02d2f97 oci: Fix running of OCI hooks
abb006c RFC: namespaces: Allow container with agent PID namespace
5dc7ae4 device: Ease device access for rootfs device to allow node creation
96d8dd3 actions: Add action to perform checks for pull requests
b08eb7e release: Kata Containers 1.12.0-alpha0
c01192e device: Allow to use the predicted 'VmPath' when adding blk devices
a88af32 device: Do not allow container access to the nvdimm rootfs
42438f9 network: Add grpc method to add static arp neighbors
756de79 Makefile: do not use LDFLAGS to avoid environment contamination
1eb1abe channel: fix the issue of epoll_wait interrupted by signal
2aa833f agent: add grpc endpoint to retrieve oom events
proxy Changes
Shortlog
27b2fdc release: Kata Containers 1.12.0
f4db666 release: Kata Containers 1.12.0-rc0
16cf58a github: Remove issue template and use central one
e3df538 action: Improve porting checks
621fb82 action: Require PR porting labels
7e5a74c action: Fix in progress issue action
7dea9b4 action: Add issue to project and move to "In progress" on linked PR
57e322a release: Kata Containers 1.12.0-alpha1
9953a24 actions: Add action to perform checks for pull requests
c9c4883 release: Kata Containers 1.12.0-alpha0
runtime Changes
Shortlog
00ff192 release: Kata Containers 1.12.0
1e6c696 versions: Update cloud-hypervisor to release v0.11.0
d389fa4 tests: Update assets test to adapt to recent changes
fd59f15 makefile: Enable hypervisor annotations by default
b6f45c4 config: Rename 'runtime' to 'runtimeConfig'
18d9a1d config: Improve comments in configuration file templates
76a9542 config: Make configuration file comments consistent
40e2263 annotations: Correct unit tests to validate new protections
771865a annotations: Split addHypervisorOverrides to reduce complexity
d4b8f61 annotations: Add unit test for checkPathIsInGlobs
9b733a9 annotations: Add unit test for regexpContains function
ff869d5 runtime: Fix firecracker config
7a6cd2a makefile: Add missing generated vars to USER_VARS
622c288 makefile: Improve names of config entries for annotation checks
90b7cfb annotations: Give better names to local variabes in search functions
0609d2d annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
179325d config: Add better comments in the template files
fc300a3 config: Whitelist hypervisor annotations by name
b6d4683 config: Use glob instead of regexp to match paths in annotations
8c1199f annotations: Fix typo in comment
a390728 config: Add makefile variables for path lists
0624812 config: Protect file_mem_backend against annotation attacks
3317bf7 config: Protect vhost_user_store_path against annotation attacks
dc97a64 config: Add security warning on configuration examples
99ef2b6 config: Protect ctlpath from annotation attack
0243f40 config: Protect jailer_path annotation
b7c8905 config: Add examples for path_list configuration
f4dd729 annotations: Simplify negative logic
7542405 config: Add hypervisor path override through annotations
0330aa0 config: Fix typo in function name
802bc99 config: Protect virtio_fs_daemon annotation
06369f2 config: Add 'List' alternates for hypervisor configuration paths
7739905 runtime: mount shared mountpoint readonly
509eb6f runtime: readonly mounts should be readonly bindmount on the host
f03db9f static-checks: Correct the copyright format
7df99f3 arm64: correct bridge type for QEMUVIRT machine
a8e9cff gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
b71211c runtime: Ignore ENOENT in kill/delete
ebf5f95 runtime: Add s.newStore.Destroy before defer
44871d2 hypervisor: Remove unused methods
f8e25a4 annotations: Improve asset annotation handling
fb6ca1f annotations: Add missing hypervisor control annotation
fa02f1b asset: Formatting, grammar and whitespace
3add5af release: Kata Containers 1.12.0-rc0
3f9f4b8 runtime: Don' call bindUnmountContainerRootfs for devicemapper device
cfedf35 runtime: Fix /var/lib/vc/sbs/${sid} dir residual
ab7f18d hypervisor: don't enforce a minimum memory setting
ec96409 shimv2: handle ctx passed by containerd
b90babb runtime: write oom file to notify CRI-O OOM occurred
e5f3b6d ci: clear travis config warnings
1e91677 virtiofsd: fix typo in test code
321d28e version: upgrade qemu version to v5.1.0 for arm64
2f1219f virtiofs: Disable DAX
e31c834 versions: Add newest-version for OpenShift
b5b8870 cpuset: don't set cpuset.mems in the guest
18c1a7f clh: Support VFIO device unplug
0f75801 clh: Remove unnecessary VmmPing
49bd162 versions: cloud-hypervisor: Bump to version 6d30fe05
62b0d5e clh: openapi: Tag the 'openapi-generator-cli' container to v4.3.1
3a1a70c github: Remove issue template and use central one
4cfaa8c versions: Update CLH to version v0.10.0
a707608 kata-check: check for newer release
7d3fff4 scripts: Don't use hard-coded crio config
8ef2946 sandbox: consider cpusets if quota is not enforced
0e0ef63 cpuset: support setting mems for sandbox
598b4fe ci/openshift-ci: Enable openshift-ci
22d4823 virtcontainers: fix delete sandbox failed problem
67be926 action: Require PR porting labels
5cb47f2 action: Add issue to project and move to "In progress" on linked PR
0868c2a virtcontainers: Add unit test for utils/compare.go
227cba6 sandbox: Disconnect from agent after VM shutdown
d3690ec release: Kata Containers 1.12.0-alpha1
dfb8ed7 clh: Disable the 'seccomp' option temporarily
e529c01 kernel: move to the latest LTS kernel 5.4.60
9bb8e36 shimv2: Add a "--version" cli option
ad78c6f build: Fold long clean line
6bf93b2 drivers: Correct isPCIeDevice logic
c87ff44 clh: Add some error handling for clh
3a0cd87 shimv2: fix the issue of close IO stream
44b58e4 clh: Add support to unplug block devices
03fb9c5 clh: Set 'Id' explicitly while hotplugging block device
3989786 clh: Provide cpu topology to API
40f4931 clh: opeanapi: update api for cloud hypervisor
0dcbbd8 versions: cloud-hypervisor 0.9.0
d803f07 versions: Update qemu-virtiofs to 5.0
3a4aec1 qemu: add annotations for iommu_platform for s390x virtio devices
9305ef7 vendor: Update govmm for s390x iommu_platform annoations
62529e3 virtcontainers: Add msg to existing utils unit tests
5debe06 virtcontainers: Add to utils unit tests
e8e1124 virtcontainers: Add unit test for types/container.go
cb49a57 namespace: Allow container to join pid namespace of agent
50085ca vendor: Vendor in github.com/kata-containers/agent
a7b98ac initrd: Increase Alpine Version to 3.12
a162469 qemu: Set govmmQemu NoReboot config Knob
b1cbf83 qemu: Add test for qemuConfig Knobs
0d5c05e vendor: update govmm
8802bd3 qemu: remove multidev in qemu/fsdev parameter on arm64
1e2a361 virtcontainers: Expand unit test coverage for asset
18fbde9 virtcontainers: Add function to capabilities test
695fa43 virtcontainers: 9p: shares multiple devices with only one export
50d96b3 vendor: update govmm
d889e9c virtcontainers: Add additional unit tests for sandbox
345d0c2 virtcontainers: Remove duplicate unit tests
d2fac4c virtcontainers: Move unit tests for types/sandbox.go
64bf3fe cgroups: remove unused SystemdCgroup variable and accessor/mutators
ad5484b cgroups: Add systemd detection when creating cgroup manager
790951a actions: Add action to perform checks for pull requests
b8238ce versions: Use new kata tag for virtiofs kernel
e71b05b virtcontainers: Add to bridges unit test
337f2e0 sandbox: Stop and clean up containers that fail to create
0f957fb virtcontainers: vhost-user-blk/scsi are block device nodes
8b4c299 sandbox: don't constrain cpus, mem only cpuset, devices
093aaa8 cgroups: add ability to update CPUSet
9fa2bf1 vendor: add cpuset package from kubernetes
1aa0cec virtcontainers: add method for calculating cpuset for sandbox
e0dc806 shimv2: Removing function as no longer used
624d13d shimv2 : Remove workaround for sharedPidNs
a3de452 release: Kata Containers 1.12.0-alpha0
c139a66 versions: update QEMU to 5.0.0
30b40f5 clh: Remove the use of deprecated '--memory file=' parameter
e02d5ef virtcontainers: print a warning when the device to append is not supported
5fccab7 virtcontainer/cgroup: create cgroup manager after creating the network
3c8c650 virtcontainers/network: Change signature of Enpoint Attach method
581ff97 drivers: change BindDevicetoVFIO signature
970ef45 device: support vfio cold plug
6532eaa device: add ColdPlug flag
26f8c14 vendor: update govmm
53a9d00 virtcontainers: Fix structured logging in cgroups package
c51baf8 shimv2: Use BUILDTAGS when building shimv2
651d5ff qemu: Fix kernel_irqchip=split option for IOMMU enabled sandbox
364435a clh: vsock: Use the updated VsockConfig
17d265a versions: Move to cloud-hypervisor v0.8.0
4ee382c qemu: Report all errors on virtiofsd execution
5a3b665 katatestutils: Use the configured virtiofs daemon path
2c34263 virtcontainers: Check the correct error variable for sandbox creation
c19daa5 qemu: Fix travis build failure for Power
5d442a2 qemu_arm64: Fix build failure
fdcd1f3 qemu: enable iommu on q35
66b54f8 qemu: support appending a vIOMMU device
401ad67 vendor: update govmm to bring iommu support
4645d3e virtiofsd: Use cache=auto
9ac3911 cli: Fix kata-env output on Power
6be76fc kata_agent: Add unit tests
5b96e01 clh: Clear the "PCIAddr" field while blk device hotplug
50c1dce kata_agent: Pass "VirtPath" with "PCIAddr" of blk devices to agent
aea29b6 kata_agent: Allow to use "VirtPath" as volume source for blk devices
e5a3211 clh: Allow add virtiofs args and cache options from config
49ebaa8 virtcontainers: drop deferred func for GetAndSetSandboxBlockIndex
379f19f qemu: Fix rtc parameter is not set to qemu
20fe3bb shimv2: check correct error variable for deferred func in service#StartShim
54e8fdb qemu: Fix Qemu binary path for Power across distros
e855d8d github: add auto comment bot
a3dec26 vc: make host shared path readonly
1d3e1ea qemu: Remove hard-coding of Qemu machine options for ppc64le
67d3e2c network: Detect and add static ARP entries
412dcbf vendor: Update agent to include AddARPNeighbors grpc method
6b32472 qemu: Remove PMU feature for Power (ppc64le) platform
e07a932 ci: Do not install virtcontainers with podman clh
f76d739 virtcontainers: GetOOMEvent should have no timeout
5e55272 clh: Set 'virtio-blk' as the default block device driver
c5f97b2 clh: Enable disk block device hotplug support
18662e1 qemu: Remove pmu limitation in nested virtualization of amd/ppc64le
41a06d4 build: Add "pmu=off" to default cpu_features option
f03c17d annotations: add cpu_features
0100af1 qemu: add cpu_features option
0b3a927 vendor: Update govmm
6c51754 clh: remove slow boot debug flags from kernel cmdline
160e3a7 clh: Remove vsock log port in kernel cmdline
e1ee00d clh: Improve hypervisor logging
882a823 virtiofsd: Improve logging
7b269ff qemu: Don't leak file descriptors in case of error
6aff077 virtcontainers: x86: Support microvm machine type
c98ef48 vendor: update govmm
bec32f6 utils: Fix case version check for stable releases
86f5810 shim: exit out of oom polling if unimplemented
b4833a4 virtcontainers: tests fix, nit fix
db28dcf shim: retrieve oom events after starting sandbox
86686b5 virtcontainers: add support for getOOMEvent agent endpoint to sandbox
ef8624b vendor: update agent
619ada2 clh: vsock: Supply the right VsockConfig to Vmconfig
9dbd929 versions: Move to cloud-hypervisor v0.7.0
3c4fe03 shm: handle shm mount backed by empty-dir memory volumes
7b5e8f6 clh: memory: remove pmem size argument
d4a9282 versions: Move to latest cloud-hypervisor
ee985a6 qemu: arm64: Set defaultGICVersion to 3 to limit the max vCPU number
4d4a153 qemu: arm64: Don't detect gic version by /proc/interrupts
d0dbd04 virtcontainers: Fix structured logging in device/config package
8d9fa47 virtcontainers: constrain runtime after creating network
017ac55 virtcontainers: update sandbox's device cgroup
1da6f22 virtcontainers: remove all the code related to HasCRIContainerType
389b374 virtcontainers: apply constraints to the sandbox cgroup
6377fc4 pkg/cgroups: update the list of devices for the hypervisor
042e7a2 pkg/cgroups: add methods to add and remove device from the cgroup
dc69d6e pkg/cgroups: implement functions to get information from a host device
eee0b09 device: add GetHostPath() to generic device
23aa94e logging: Fix structured logging in store package
868f687 versions: Remove golangci-lint and gometalinter entries
e36389e dax: enable dax on arm64
7e47046 vc: Version support check is ineffective in createSandbox
c4b5922 versions: Misc changes to descriptions
shim Changes
Shortlog
50e26ea release: Kata Containers 1.12.0
147a3ce release: Kata Containers 1.12.0-rc0
bdc7968 github: Remove issue template and use central one
b1f77fa action: Require PR porting labels
01f1f12 action: Add issue to project and move to "In progress" on linked PR
f8b3398 release: Kata Containers 1.12.0-alpha1
f5220a8 actions: Add action to perform checks for pull requests
866e33c release: Kata Containers 1.12.0-alpha0
Compatibility with Docker
Kata Containers 1.12.0 is compatible with Docker v18.06-ce
Compatibility with CRI-O
Kata Containers 1.12.0 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082
Compatibility with cri-containerd
Kata Containers 1.12.0 is compatible with cri-contaienrd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7
OCI Runtime Specification
Kata Containers 1.12.0 support the OCI Runtime Specification v1.0.0-rc5
Compatibility with Kubernetes
Kata Containers 1.12.0 is compatible with Kubernetes 1.17.3-00
Kata Linux Containers image
Agent version: 1.12.0
Default Image Guest OS:
description: |
Root filesystem disk image used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
aarch64:
name: "ubuntu"
version: "latest"
ppc64le:
name: "centos"
version: "latest"
s390x:
name: "ubuntu"
version: "latest"
x86_64:
name: "clearlinux"
version: "latest"
meta:
image-type: "clearlinux"
Default Initrd Guest OS:
description: |
Root filesystem initrd used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
aarch64:
name: "alpine"
version: "3.12"
ppc64le:
name: "alpine"
version: "3.12"
s390x:
name: "alpine"
version: "3.12"
x86_64:
name: "alpine"
version: "3.12"
Kata Linux Containers Kernel
Kata Containers 1.12.0 suggest to use the Linux kernel v5.4.60
See the kernel suggested Guest Kernel patches
See the kernel suggested Guest Kernel config
Installation
Follow the Kata installation instructions.
Issues & limitations
More information Limitations