zhangwei_cs WeiZhang555 Kata Containers Beijing, China Kata Containers Architecture Committee/Container Fans/Cloud Native developer. Live long and prosper!

pull request commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

@jodh-intel Thanks for helping review! There are some breaking cases; I will fix them in my free time.

I will also add some unit tests later.

WeiZhang555

comment created time in a day

Pull request review commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

 func (s *Sandbox) supportNewStore() bool {
 	}
 	return false
 }
+
+func loadSandboxConfig(id string) (*SandboxConfig, error) {
+	store, err := persist.GetDriver("fs")
+	if err != nil || store == nil {
+		return nil, errors.New("failed to get fs persist driver")
+	}
+
+	ss, _, err := store.FromDisk(id)
+	if err != nil {
+		return nil, err
+	}
+
+	savedConf := ss.Config
+	sconfig := &SandboxConfig{
+		ID:             id,
+		HypervisorType: HypervisorType(savedConf.HypervisorType),
+		AgentType:      AgentType(savedConf.AgentType),
+		ProxyType:      ProxyType(savedConf.ProxyType),
+		ProxyConfig: ProxyConfig{
+			Path:  savedConf.ProxyConfig.Path,
+			Debug: savedConf.ProxyConfig.Debug,
+		},
+		ShimType: ShimType(savedConf.ShimType),
+		NetworkConfig: NetworkConfig{
+			NetNSPath:         savedConf.NetworkConfig.NetNSPath,
+			NetNsCreated:      savedConf.NetworkConfig.NetNsCreated,
+			DisableNewNetNs:   savedConf.NetworkConfig.DisableNewNetNs,
+			InterworkingModel: NetInterworkingModel(savedConf.NetworkConfig.InterworkingModel),
+		},
+
+		ShmSize:             savedConf.ShmSize,
+		SharePidNs:          savedConf.SharePidNs,
+		Stateful:            savedConf.Stateful,
+		SystemdCgroup:       savedConf.SystemdCgroup,
+		SandboxCgroupOnly:   savedConf.SandboxCgroupOnly,
+		DisableGuestSeccomp: savedConf.DisableGuestSeccomp,
+	}
+
+	for _, name := range savedConf.Experimental {
+		sconfig.Experimental = append(sconfig.Experimental, *exp.Get(name))
+	}
+
+	hconf := savedConf.HypervisorConfig
+	sconfig.HypervisorConfig = HypervisorConfig{
+		NumVCPUs:              hconf.NumVCPUs,
+		DefaultMaxVCPUs:       hconf.DefaultMaxVCPUs,
+		MemorySize:            hconf.MemorySize,
+		MemSlots:              hconf.MemSlots,
+		KernelPath:            hconf.KernelPath,
+		ImagePath:             hconf.ImagePath,
+		InitrdPath:            hconf.InitrdPath,
+		SharedFS:              hconf.SharedFS,
+		VirtioFSDaemon:        hconf.VirtioFSDaemon,
+		DisableBlockDeviceUse: hconf.DisableBlockDeviceUse,
+		UseVSock:              
hconf.UseVSock,
+		DisableVhostNet:       hconf.DisableVhostNet,
+	}
+
+	if savedConf.AgentType == "kata" {
+
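Review bot: `*exp.Get(name)` in the Experimental loop dereferences the return value unchecked, so a persist.json written by a build that knew a feature name this binary does not would presumably panic inside the load instead of returning an error (that depends on exp.Get returning nil for unknown names, which the hunk does not show); guard it with `f := exp.Get(name); if f == nil { return nil, fmt.Errorf("unknown experimental feature %q in persisted config", name) }` and append `*f`. The error from `persist.GetDriver("fs")` is dropped and replaced by a fixed string; wrapping it with `%w` keeps the underlying cause for the caller. A comment on the function should also say that every value here, including KernelPath, ImagePath, InitrdPath and ProxyConfig.Path, is restored from the runtime's own state file without validation, so the store directory's ownership and permissions are what keep that input trusted. loadSandboxConfig continues past the end of the hunk.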

Will remove in next push

WeiZhang555

comment created time in a day

Pull request review commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

 func (s *Sandbox) dumpNetwork(ss *persistapi.SandboxState) {
 	}
 }
 
+func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
+	sconfig := s.config
+	ss.Config = persistapi.SandboxConfig{
+		HypervisorType: string(sconfig.HypervisorType),
+		AgentType:      string(sconfig.AgentType),
+		ProxyType:      string(sconfig.ProxyType),
+		ProxyConfig: persistapi.ProxyConfig{
+			Path:  sconfig.ProxyConfig.Path,
+			Debug: sconfig.ProxyConfig.Debug,
+		},
+		ShimType: string(sconfig.ShimType),
+		NetworkConfig: persistapi.NetworkConfig{
+			NetNSPath:         sconfig.NetworkConfig.NetNSPath,
+			NetNsCreated:      sconfig.NetworkConfig.NetNsCreated,
+			DisableNewNetNs:   sconfig.NetworkConfig.DisableNewNetNs,
+			InterworkingModel: int(sconfig.NetworkConfig.InterworkingModel),
+		},
+
+		ShmSize:             sconfig.ShmSize,
+		SharePidNs:          sconfig.SharePidNs,
+		Stateful:            sconfig.Stateful,
+		SystemdCgroup:       sconfig.SystemdCgroup,
+		SandboxCgroupOnly:   sconfig.SandboxCgroupOnly,
+		DisableGuestSeccomp: sconfig.DisableGuestSeccomp,
+	}
+
+	for _, e := range sconfig.Experimental {
+		ss.Config.Experimental = append(ss.Config.Experimental, e.Name)
+	}
+
+	ss.Config.HypervisorConfig = persistapi.HypervisorConfig{
+		NumVCPUs:              sconfig.HypervisorConfig.NumVCPUs,
+		DefaultMaxVCPUs:       sconfig.HypervisorConfig.DefaultMaxVCPUs,
+		MemorySize:            sconfig.HypervisorConfig.MemorySize,
+		MemSlots:              sconfig.HypervisorConfig.MemSlots,
+		KernelPath:            sconfig.HypervisorConfig.KernelPath,
+		ImagePath:             sconfig.HypervisorConfig.ImagePath,
+		InitrdPath:            sconfig.HypervisorConfig.InitrdPath,
+		SharedFS:              sconfig.HypervisorConfig.SharedFS,
+		VirtioFSDaemon:        sconfig.HypervisorConfig.VirtioFSDaemon,
+		DisableBlockDeviceUse: sconfig.HypervisorConfig.DisableBlockDeviceUse,
+		UseVSock:              sconfig.HypervisorConfig.UseVSock,
+		DisableVhostNet:       sconfig.HypervisorConfig.DisableVhostNet,
+	}
+
+	if 
sconfig.AgentType == "kata" {
+		var sagent KataAgentConfig
+		err := mapstructure.Decode(sconfig.AgentConfig, &sagent)
+		if err != nil {
+			s.Logger().WithError(err).Error("internal error: KataAgentConfig failed to decode")
+		} else {
+			ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
+				LongLiveConn: sagent.LongLiveConn,
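Review bot: When `mapstructure.Decode` fails, dumpConfig only logs and leaves `ss.Config.KataAgentConfig` nil, so the state is still persisted and a later load would presumably run the sandbox with an empty agent config rather than fail; since the method has no error return, consider `func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) error` and propagating the decode error, or at least document in a comment that the agent section is best-effort. The field list here must mirror the one in loadSandboxConfig; a field added to one and not the other is silently dropped across a restart, so a comment such as `// dumpConfig copies the sandbox configuration into ss.Config; keep it in sync with loadSandboxConfig.` is worth having. The method body continues beyond the hunk.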

🙌 :raised hand:

WeiZhang555

comment created time in a day

Pull request review commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

 func setupTracing(context *cli.Context, rootSpanName string) error {
 	return nil
 }
 
+// add supported experimental features in context
+func addExpFeatures(clictx *cli.Context, runtimeConfig oci.RuntimeConfig) error {
+	ctx, err := cliContextToContext(clictx)
+	if err != nil {
+		return err
+	}
+
+	var exps []string
+	for _, e := range runtimeConfig.Experimental {
+		exps = append(exps, e.Name)
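Review bot: The new comment `// add supported experimental features in context` is not in Go doc-comment form, and the `exps` slice is grown with append although its length is known up front. Suggest `// addExpFeatures records the supported experimental features from runtimeConfig in the context.` and `exps := make([]string, 0, len(runtimeConfig.Experimental))`. addExpFeatures continues past the end of the hunk, so what is done with ctx and exps is not visible here.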

Actually the virtcontainers package already has a debug log message for this 😄

WeiZhang555

comment created time in a day

pull request commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

/retest

WeiZhang555

comment created time in 2 days

pull request commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

/test

WeiZhang555

comment created time in 2 days

push eventWeiZhang555/runtime

Wei Zhang

commit sha aeae2319bdb96364702527c075c6c71b618f56a7

persistence: store configuration in newstore Fixes #803 Store the configuration data in persist.json. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Wei Zhang

commit sha 9e08f15bdbe9a27f701ad7d1cfe0793632bccaa5

testing: enable 'newstore' feature by default Enable 'newstore' by default for testing. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push time in 2 days

pull request commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

/test

WeiZhang555

comment created time in 2 days

push eventWeiZhang555/runtime

Wei Zhang

commit sha 464efeaa45e555e2dbf4ab0c4b9ce9521875089a

persistence: store configuration in newstore Fixes #803 Store the configuration data in persist.json. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Wei Zhang

commit sha 2376d6d1b01ab5d2fc472ca128c2f72d5e24d451

testing: enable 'newstore' feature by default Enable 'newstore' by default for testing. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push time in 2 days

push eventWeiZhang555/runtime

Wei Zhang

commit sha b6cbaad893b4ab5a0a0d44ed0e4a417a05772500

persistence: store configuration in newstore Fixes #803 Store the configuration data in persist.json. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Wei Zhang

commit sha 4d4fc2b85fbf7c55557cff3a2a8c508d687744fd

testing: enable 'newstore' feature by default Enable 'newstore' by default for testing. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push time in 2 days

pull request commentkata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

/test

WeiZhang555

comment created time in 3 days

PR opened kata-containers/runtime

[WIP] Support "Configuration" in "newstore" feature

Store the configuration file in persist.go.

This is the last file we should support for the "newstore" feature; after this, we can safely remove the old persistence storage drivers.

+237 -16

0 comment

5 changed files

pr created time in 3 days

push eventWeiZhang555/runtime

katacontainersbot

commit sha b84cb5e0f1cf8abdf142f18299d8fae4851a2e51

release: Kata Containers 1.9.0-rc0 - Fix cache factory UT - Virtio-fs v0.3 support - virtcontainers: set agent's logs vsock port - config: Fix `virtio-fs` typo in Makefile - Hypervisor: UUID fix for acrn hypevisor - virtcontainers: change firecracker socket permissions - Add annotations to provide custom configs - Fix CRIO + Firecracker - rootless: add rootless to kata - QEMU: do not require nvdimm machine option with initrd - s390x: Fix runtime build for s390x - versions: Update kernel to 4.19.75 - config: honor DEFSHAREDFS_QEMU_VIRTIOFS and CONFIG_QEMU_VIRTIOFS_IN - Support Firecracker 0.18 - virtcontainers: fix the issue of missing qemu error logs - config: Fix the qemu-virtiofs.toml - s390x: Share image between qemu instances - The unit of newMemory is MB - config: use 9p as default shared filesystem for nemu - Remove annotation config json key dd21046 vc/store: fix TestStoreVCNewVCSandboxStore/TestStoreVCNewVCContainerStore 6ab89e4 vc/store: fix cache factory ut 4863aa9 vc/store: reuse store ad15631 virtiofsd: Do not use posix lock. 2b40b6b vendor: update kata agent aa43e2a virtcontainers: set agent's logs vsock port 23a5dc7 virtiofsd: use virtiofsd --syslog d5a3d0a virtiofs: use virtiofsd --fd=FDNUM 6ce6a26 kata_agent: use virtio-fs 0.3+ mount options 80855a8 ci: travis: allow ppc64le failures c3abd51 config: Fix `virtio-fs` typo in Makefile 8f6b0a6 virtcontainers: change firecracker socket permissions 8f70643 tests: Remove hardcoded annotation value. e7b9c36 tests: Add tests for annotations. 09129c1 config: Define minimum memory requirement 8405b56 annotations: add Annotations for the agent. 
5b78a8a annotations: Add annotations for runtime config afb91c2 annotations: Add annotations to support additional configurations 845bf73 annotations: Support annotations to customise kata config 30d0b7a annotations: Add missing firmware and hashes to asset annotations 46b6815 annotations: Change existing annotations to fit a new format 312f3e7 virtcontainers/fc: implement remove device 7e9cc56 virtcontainers/fc: improve create disk pool process 07932d5 virtcontainers/fc: add logs and improve others to make debugging easier ed7240b virtcontainers: move device operations to a more generic place e93bf96 network: Add tuntap device c8dd92d dep: update vendor packages for netlink commit 41407cf vc: make cgroup usage configurable if rootless 5f0799f vc: add rootless dir to path variables cdd6f7e katautils: update paths to be configurable for rootless execution 2d8b278 rootless: add rootless logic 8b843c5 QEMU: do not require nvdimm machine option with initrd c152ebf s390x: Fix runtime build for s390x bc3c07b versions: Update kernel to 4.19.75 aa6a16c Hypervisor: UUID fix for acrn hypevisor b1909e8 config: fix virtiofsd name 84ead98 config: add configuration-qemu-virtio-fs.toml to gitignore 443e657 config: honor DEFSHAREDFS_QEMU_VIRTIOFS and CONFIG_QEMU_VIRTIOFS_IN 3d0949d virtcontainers: check minimum supported version of firecracker 1f93cff virtcontainers: fix the issue of missing qemu error logs 8680db6 versions: update firecracker to the version 0.18.0 123ba13 vendor: update kata agent 5ac6e9a virtcontainers: make socket generation hypervisor specific f2f0923 virtcontainers: rename kataVSOCK type and move it into the types package f42dd7d virtcontainers/fc: Add support for hybrid vsocks 2c4cf39 virtcontainers/fc: bump firecracker experimental version bb87b44 virtcontainers/fc: Add logger to the http transport 880bb2b virtcontainers: introducing HybridVSock type 2a8af23 virtcontainers: Make fc.go fit the new API 67ce728 virtcontainers: Update firecracker swagger API 
cdb1b5c cli: Fix the qemu-virtiofs.toml 4134571 config: do not use nemu variable for qemu-virtiofs configuration 97fe749 config: use 9p as default shared filesystem for nemu c81db9c sandbox: The unit of newMemory is MB 7fa0a72 s390x: Share image between qemu instances 7965baa vendor: update govmm 2ed94cb Config: Remove ConfigJSONKey from annotations Signed-off-by: katacontainersbot <katacontainersbot@gmail.com>


Archana Shinde

commit sha 86d8346d0caa41670b31973e948729dee881d33c

version: Update the version for cni plugins Update the version used for testing the cni plugins to the latest 0.8.2 release. This way we make sure CI tests with latest CNI plugins. Depends-on: github.com/kata-containers/tests#1984 Fixes #2111 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>


Archana Shinde

commit sha c0995c6201fb5bd56a8ae5ccfc969382866b424e

vendor: Vendor the latest CNI plugins Vendor cni plugin repo to use the latest code for setting up network namespaces. Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>


Archana Shinde

commit sha 929c4e7e3d241c39e7c490b10047add0b57d65f7

network: Change NewNS() call NewNS() api has been moved to testutils package in the cni plugin repo. Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>


Archana Shinde

commit sha fa4acad4aa0352d1f2ed2b7393b5648e3d175065

state: Load the state from storage early on The hypervisor.createSandbox may need to access the state. For example, ACRN today needs to access the block index to assign it to the root image of the VM. Hence load this early on. Fixes #2026 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>


Archana Shinde

commit sha f6a10bcae78c654b3c396c9ec1bd398a2b79bae2

state: Refactor code to move all the state load code Refactor so that all code to load state, devices, network takes place at one place. This is in line with the experimental api for new storage that also loads all the necessary items here all at once. Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>


Li Yuxuan

commit sha c1060a3b9e5ded9a96c4a4b50b330392298659f3

v2: Change the event and error behavior of pause/resume 1. Send the event when the container is paused/resumed successfully 2. Return the error of the pause/resume function rather than `getContainerStatus`. Fixes #2121 Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>


Jose Carlos Venegas Munoz

commit sha a4b5a565ff589e7203a10d2c3ae1a37cf91c0d9d

Merge pull request #2117 from katabuilder/1.9.0-rc0-branch-bump # Kata Containers 1.9.0-rc0


Julio Montes

commit sha 91bd095ee43bf34060527caa41b2aa4023a44ed5

virtcontainers/annotations: use right domain name for kata annotations The domain name should be used as prefix for the annotations, for kata containers the domain name is katacontainers.io, not kata-containers.io fixes #2123 Signed-off-by: Julio Montes <julio.montes@intel.com>


Archana Shinde

commit sha 04489fec2d94f2721c1f7030414f676d60ea8622

Merge pull request #2118 from amshinde/load-state-early Load state early so that hypervisor can store the correct state


Eric Ernst

commit sha 4f8cc73e82a114985a72eec7323f86e741661778

Merge pull request #2112 from amshinde/update-cni-plugin-version Update cni plugin version


Peng Tao

commit sha 729b5faf52f3a79ce8486ec41af6e8b09baec199

Merge pull request #2122 from darfux/v2_pause_resume_behavior v2: Change the event and error behavior of pause/resume


Peng Tao

commit sha c7b4c5eab9f950dd0f933fbfbd7205a62a717242

Merge pull request #2124 from devimc/topic/virtcontainers/fixAnnotationsPrefix virtcontainers/annotations: use right domain name for kata annotations


Julio Montes

commit sha eca7bd270562f3d314319c50b6fd77daa3c57a3d

virtcontainers: unmount host mounts if container can't be created Mount points, like `resolv.conf` and `hostname` are left in the host when the cgroup creation fails. Use `unmountHostMounts()` and `bindUnmountContainerRootfs()` in the rollback function that is called when container's creation fails. fixes #2108 Signed-off-by: Julio Montes <julio.montes@intel.com>


Julio Montes

commit sha abec17f8f28c46d803764d6d9bbd5b63d8f2d52d

virtcontainers/store: make VCStoreUUIDPath rootless The uuid file shouldn't be created at `/var` if running rootless. Modify `VMUUIDStoragePath` to get a path accessible for non-root users if running rootless. fixes #2133 Signed-off-by: Julio Montes <julio.montes@intel.com>


Wang Liang

commit sha 24d7aff60c80b538544ae76128d1e8bb36f66a62

virtcontainers: change pass by value to pass by reference container.config does not point to sandbox.config.Containers.ContainerConfig, which caused the ContainerConfig not to stay in sync. Fixes: #2129 Signed-off-by: Wang Liang <wangliangzz@inspur.com>


Peng Tao

commit sha a1cd0f8f76e4a1e0a8a8307672b230bf8488bcfd

Merge pull request #2134 from devimc/topic/virtcontainers/rootlessVCStoreUUIDPath virtcontainers/store: make VCStoreUUIDPath rootless


Peng Tao

commit sha 7d484dfe4c6b7104e215e91642a15a4ded617303

Merge pull request #2127 from devimc/topic/virtcontainers/rollbackUnmountHostMounts virtcontainers: unmount host mounts if container can't be created


Jose Carlos Venegas Munoz

commit sha f8b84d7ebad0644f92751773040162349354efd2

ci: Fix versions_checker.sh Version checker does not work today - Allow detecting stable branches Fixes #1581 Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 5b226d0d39a0b14d4f6bd3348ae5672a2ed889ad

ci: Fix versions_checker.sh Version checker does not work today - Allow detecting stable branches Fixes #1581 Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


push time in 3 days

issue commentZ3Prover/z3

Go language API bindings

@NikolajBjorner OK, I'll have a try, hope I can make some real contributions to Z3 prover 😄

WeiZhang555

comment created time in 5 days

issue openedZ3Prover/z3

Go language API bindings

Hi, do you have any plans for Golang API bindings? I can find some third-party Golang bindings such as https://github.com/mitchellh/go-z3 and https://github.com/mitchellh/go-z3, but they are both incomplete and not official.

Since Golang has become a really popular language, do you plan to add a new Golang binding? It would be quite useful to Golang users (there are a lot of them, as far as I know).

Thanks!

created time in 7 days

create barnchWeiZhang555/runtime

branch : persist-storage

created branch time in 9 days

push eventWeiZhang555/go-z3

Wei Zhang

commit sha f73503f980a0f8340e44b928b4c025ad66135120

bugfix: fix build error for latest z3 library Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push time in 9 days

fork WeiZhang555/go-z3

Go (golang) bindings to the Z3 SMT Solver

fork in 9 days

issue commentfalcosecurity/falco

SSL server failed to start

Thanks for your quick response 😄

WeiZhang555

comment created time in a month

issue openedfalcosecurity/falco

SSL server failed to start

<!-- Please use this template while reporting a bug and provide as much info as possible. Not doing so may result in your bug not being addressed in a timely manner. Thanks!

If the matter is security related, please disclose it privately via https://falco.org/security/ -->

What happened:

I enabled SSL support in the Falco configuration file, but then the server failed to start. Its logs:

** CONFIG_BPF_JIT enabled and/or use --net=host if      **
** running inside a container.                          **
**********************************************************
* BPF probe located, it's now possible to start sysdig
Thu Sep 26 06:37:19 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Sep 26 06:37:19 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Thu Sep 26 06:37:20 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Thu Sep 26 06:37:20 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Sep 26 06:37:20 2019: Starting internal webserver, listening on port 443 (SSL)
Thu Sep 26 06:37:20 2019: Runtime error: Could not create embedded webserver: null context when constructing CivetServer. Possible problem binding to port.. Exiting.

What you expected to happen:

Falco server can start successfully with SSL support.

How to reproduce it (as minimally and precisely as possible):

  1. Follow the official docs: https://falco.org/docs/installation/ to install Falco as a daemonset.
  2. Modify falco-config/falco.yaml and enable the SSL flag:
webserver:
  enabled: true
  listen_port: 443 
  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

The SSL certificate is generated following the comment:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem $ cat certificate.pem key.pem > falco.pem $ sudo cp falco.pem /etc/falco/falco.pem

After that the daemonset can't start successfully, but it can start after I set "ssl_enabled: false".

And the falco.pem is passed to the pod via the ConfigMap "falco-config".

Anything else we need to know?:

Environment:

  • Falco version (use falco --version): image "falcosecurity/falco:latest"
  • System info <!-- Falco has a built-in support command you can use "falco --support | jq .system_info" -->
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release): 18.04.1 LTS (Bionic Beaver)
  • Kernel (e.g. uname -a): 4.15.0-51-generic
  • Install tools (e.g. in kubernetes, rpm, deb, from source): Kubernetes
  • Others:

created time in 2 months

issue commentkata-containers/runtime

docker start fails with Kata and ACRN hypervisor

@vijaydhanraj Can you add one more line to the configuration file (it might be "/opt/kata/share/defaults/kata-containers/configuration.toml" if you installed from the release tarball)

experimental=['newstore']

and have another try? This makes s.supportNewStore() return true.

I think your modification could impact other hypervisor implementations, but I'm not sure; please file a PR and let's check the Jenkins test result.

vijaydhanraj

comment created time in 2 months

issue commentrficcaglia/guardian

Questions about project Target and Roadmaps

Adding formal verification is interesting to them and we have discussed it (refer also to the sig-security PR where Tim from OPA comments).

I'm glad to hear that. Now I'm full of confidence in OPA and your work. LOL

WeiZhang555

comment created time in 2 months

issue commentrficcaglia/guardian

Questions about project Target and Roadmaps

@rficcaglia Wow, thanks for your detailed information!

But it doesn't translate the Rego into FOL predicates that can be input into an SAT or SMT solver, or model checker, so a Rego policy still needs someone to construct a set of tests and mocks.

I agree that this is a large missing part of OPA. OPA is a great project that takes a lot of effort from people, and its policy language is easy to use, but I think AWS Zelkova is more powerful than OPA since it does "verification" while OPA does "validation", just as you said. From this point of view, I'm not sure whether we should enhance OPA or open a new project and start from scratch.

My company (Ant Financial, a subsidiary of Alibaba) is a large financial company in China; we care a lot about security since "security" equals "money" to us 😆. Also, we depend on K8s/Istio and other CNCF projects, so your idea (Guardian) is attractive and interesting to me.

I'm looking forward to your POC and will try to attend if there's something I can help with 😄

WeiZhang555

comment created time in 2 months

issue openedrficcaglia/guardian

Questions about project Target and Roadmaps

Hi Robert, this is Wei Zhang from Alibaba. I'm very interested in this project, but I still have some questions about the project's target and roadmap. I tried to ping you on Slack this morning but you weren't online 😄

I read all the docs and some issues, but I'm still not very clear about the project, since I'm a newbie to formal verification.

What's the project's plan? Does it aim to formally verify Kubernetes' policy rules? Or does it want to verify users' policies with Z3 or Rego? What's the plan?

And what's the current status? Does it have a clear roadmap?

created time in 2 months

fork WeiZhang555/z3

The Z3 Theorem Prover

fork in 2 months

startedZ3Prover/z3

started time in 2 months

startedopen-policy-agent/gatekeeper

started time in 2 months

delete branch WeiZhang555/runtime

delete branch : remove-annotation-ConfigJSONKey

delete time in 2 months

pull request commentkata-containers/runtime

Remove annotation config json key

/test

Rebase on upstream master.

ping @lifupan @bergwolf @sboeuf @devimc

WeiZhang555

comment created time in 2 months

push eventWeiZhang555/runtime

Li Yuxuan

commit sha 7c4e4799567f8e1ee6fc86752a4e54a32337cfad

vc: Remove bind destination when unmounting `virtcontainers.ensureDestinationExists` will create the bind destination directory/file, which should be removed properly when unmounting. Fixes: #1974 Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>


Eric Ren

commit sha 712e06ae84941bbff530593f8608ecef998d6ece

virtio-fs: add virtio_fs_extra_args for virtiofsd Since virtio-fs is under active development, more options will be added increasingly. To avoid frequent changes on the runtime side to handle option changes, use one mingled arg to ease testing new options/features of virtiofsd. See `virtiofsd -h` for more option details. Fixes: #1999 Signed-off-by: Eric Ren <renzhen@linux.alibaba.com>


Jose Carlos Venegas Munoz

commit sha d804c3979cf316060b499c2b85b17f58b215aa19

cgroups: container: rename functions prefix cgroup related methods with cgroups, make easy to group together in auto-generated docs. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 529ec25fb770d46ef965885295364954021f2fc4

sandbox: cgroups: move methods to sandbox file Move sandbox related methods to its own file. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha caac68c09f084bc7b19e2f1aff5dd975c256a388

sandbox: cgroup: prefix cgroup related methods rename to allow group in auto-generated docs. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 6fdbef4ff521ce944f612ee771a43b5bccc9589a

sandbox: Rename constrainHypervisor constrainHypervisor -> constrainHypervisorVCPUs Document and rename function. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha f45b2d9cc6f5fd7de0422d855a86cce01464a876

cgroups: quote some paths on errors. Some errors are printed showing a cgroup path. If for some reason this is empty, it is difficult to tell when looking at the logs. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 5a17d671a49d96195f85ffe83c1d1a0d94608f38

cgroups: container: check cgroup path before using it The container CgroupsPath is optional according to OCI. If for some reason the runtime decides not to define one, just skip cgroup operations. This is going to be useful for the upcoming sandbox-cgroup-only cgroup management feature. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha b65063248fa5083ba265d9247f6ae93e45644113

config: add option SandboxCgroupOnly add option to enable only the pod cgroup (SandboxCgroupOnly) Depends-on: github.com/kata-containers/tests#1824 Fixes: #1879 Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 2fcb8bb4d83a4785d0d3437bcb8a12ed31c76366

container: SandboxCgroupOnly: no host cgroups. No call cgroup operations for containers in host if SandboxCgroupOnly is enabled. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 074418f56bb738a2ff4f4407cd69577c9d338815

sandbox: Join cgroup sandbox on create. When a new sandbox is created, join to its cgroup path this will create all proxy, shim, etc in the sandbox cgroup. Fixes: #1879 Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 3fc6f4bc5567a6bb05468df1c9cefda602411252

sandbox: add containers, do not get cgroup path Add containers does not need to check the cgroup path; this is done in a different function. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Jose Carlos Venegas Munoz

commit sha 9fc7246e8a0c1b8dbce20fd5bef8e96049cb3cd1

sandbox: delete cgroup for SandboxOnly option Use all subsystems for SandboxOnly option to make sure all cgroups are deleted. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>


Nitesh Konkar

commit sha 07630b570a18cd11e7ce68103f5f326658a7ee69

virtcontainers: Set sandbox dns in sandbox request If ociMounts has DNS file /etc/resolv.conf present, then pass the dns as part of CreateSandboxRequest to the agent. Depends-on: github.com/kata-containers/agent#625 Fixes: #1603 Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>


Vijay Dhanraj

commit sha d51215878d93c3ff52d88d04538c9e7c63d0f7c7

hypervisor: Fix MacVTap internetworking support in ACRN With MacVTap internetworking, Kata fails to launch containers with ACRN hypervisor. This was due to missing MAC address as part of virtio-net device when launching VM. This patch fixes this issue by adding the MAC address. Fixes: #2029 Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>


Alice Frosi

commit sha 6b2a90a9e55c99c1582dfa09b879b46353a8f24c

virtcontainer: rename appendVSockPCI Rename function appendVSockPCI to appendVSock to be general. The function could use PCI or CCW devices. Added return error to appendVSock. Signed-off-by: Alice Frosi <afrosi@de.ibm.com>


Alice Frosi

commit sha a0e09df1df6ce203cc46bd0da7691300948bee4b

s390x: add appendVSock with devno Reimplementation of appendVSock in order to assign the devno to the vsock device. Fixes: #2033 Signed-off-by: Alice Frosi <afrosi@de.ibm.com>


Alice Frosi

commit sha e3f92fe59b671eb7ea0b2e3d4e1b603cc72b10ab

virtcontainer: add error return code Add error return code to append functions. Fixes: #2035 Signed-off-by: Alice Frosi <afrosi@de.ibm.com>


Eric Ernst

commit sha b62814a6f0575f580e9fabcc939b1d3c9cde527d

sandbox: combine sandbox cgroup functions Simplify the tests and the code by combining the create and join functions into a single function. Signed-off-by: Eric Ernst <eric.ernst@intel.com>


Julio Montes

commit sha 42ef119992a51fc6751d6021e04acf135def8b84

Merge pull request #2030 from vijaydhanraj/fix-acrn-macvtap hypervisor: Fix MacVTap internetworking support in ACRN


push time in 2 months

startedrficcaglia/guardian

started time in 2 months

push eventkata-containers/community

Eric Ernst

commit sha 8717d42f06f9facccb80f74213597ae49be328a9

elections: Eric Ernst candidacy Fixes: #116 Signed-off-by: Eric Ernst <eric.ernst@intel.com>


zhangwei_cs

commit sha b9570176de9822e96e97e1e685988ee4cdee4356

Merge pull request #117 from egernst/candidacy elections: Eric Ernst candidacy


push time in 2 months

PR merged kata-containers/community

elections: Eric Ernst candidacy

Fixes: #116

Signed-off-by: Eric Ernst eric.ernst@intel.com

+23 -0

1 comment

1 changed file

egernst

pr closed time in 2 months

issue closedkata-containers/community

Candidacy - add my candidacy for 2019-08 AC elections

Candidacy - add my candidacy for 2019-08 AC elections

closed time in 2 months

egernst

pull request commentkata-containers/community

elections: Eric Ernst candidacy

LGTM definitely :-)

egernst

comment created time in 2 months

Pull request review commentkata-containers/runtime

[RFC] vc: Use BlockIndexMap instead of BlockIndex

 func (s *Sandbox) resumeSetStates() error {
 	return s.setSandboxState(types.StateRunning)
 }
 
-// getAndSetSandboxBlockIndex retrieves sandbox block index and increments it for
-// subsequent accesses. This index is used to maintain the index at which a
-// block device is assigned to a container in the sandbox.
-func (s *Sandbox) getAndSetSandboxBlockIndex() (int, error) {
-	currentIndex := s.state.BlockIndex
+const maxBlockIndex = 65535
 
-	// Increment so that container gets incremented block index
-	s.state.BlockIndex++
+// getAndSetSandboxBlockIndex retrieves an unused sandbox block index from
+// the BlockIndexMap and marks it as used. This index is used to maintain the
+// index at which a block device is assigned to a container in the sandbox.
+func (s *Sandbox) getAndSetSandboxBlockIndex() (int, error) {
+	var currentIndex int
+	for i := 0; i < maxBlockIndex; i++ {
+		if used, ok := s.state.BlockIndexMap[i]; !ok || !used {
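Review bot: `const maxBlockIndex = 65535` combined with `i < maxBlockIndex` means index 65535 itself is never handed out, which the constant's name does not suggest; either loop with `i <= maxBlockIndex` or rename it to something like `blockIndexCount`, and a comment on the constant saying where the bound comes from would help the next reader. The lookup `s.state.BlockIndexMap[i]` tolerates a nil map, but the write that marks the index used (after the hunk, going by the doc comment) would panic on a nil map, so state restored from an older persist file that lacks this field needs the map initialised on load. The rest of getAndSetSandboxBlockIndex, including what happens when no index is free, is outside the hunk.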

Nit: you can make BlockIndexMap "map[int]struct{}" since the value is always true once set. This would save a tiny amount of space, and you could drop the "used" variable.

darfux

comment created time in 2 months

pull request commentkata-containers/runtime

[RFC] vc: Use BlockIndexMap instead of BlockIndex

@darfux You already did this at https://github.com/kata-containers/runtime/pull/2008/files#diff-f433efe7313cabd358c21fa927ca0c2cR33

Theoretically you can't modify an existing field; you can only deprecate the old field and add a new one, and you have to take good care of compatibility.

But you're lucky that the persistent API hasn't been settled before kata's future 2.0 version, so the change is acceptable so far.

And I'm +1 on you change from slices to map 😄

darfux


pull request commentkata-containers/runtime

Remove annotation config json key

/test

WeiZhang555


push eventWeiZhang555/runtime

Wei Zhang

commit sha 186f48ee988f54ea80c6e7ecea9bf6c194d406ed

Config: Remove ConfigJSONKey from annotations Fixes: #2023 We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


pull request commentkata-containers/runtime

[WIP] Remove annotation config json key

/test

Rebased on upstream.

WeiZhang555


push eventWeiZhang555/runtime

Alice Frosi

commit sha 9188774c9351d00642949bd30d74e2ffad583264

bridges: abstraction of bridge type The abstraction of the bridge type to add additional types. Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Co-authored-by: Jan Schintag <jan.schintag@de.ibm.com>


Alice Frosi

commit sha 23e607314e3c7fd36292d1d486a8e3578d579401

virtcontainers: Move bridge var in qemu type In this way it is possible to set bridge variable for each arch when instantiating the hypervisor. Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Co-authored-by: Jan Schintag <jan.schintag@de.ibm.com>


Alice Frosi

commit sha e99739f9bd94a2dd6ae8d96911cc067f3076657a

ccw: add ccw type as bridge On IBM Z, CCW bus type can be additionally used. Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Reviewed-by: Jan Schintag <jan.schintag@de.ibm.com>


Alice Frosi

commit sha 7eec67044f228fdc6db6f8c9e5fd1bed24a116c0

virtcontainers: create generic function Create generic function to be reused to the reimplemented methods by various architectures Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Reviewed-by: Jan Schintag <jan.schintag@de.ibm.com>


Alice Frosi

commit sha d627585dc1bcf20b844ef59cb7ad0d9db029757f

virtcontainers: add devno The devno number is use to identify the device on IBM Z arch. Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Reviewed-by: Jan Schintag <jan.schintag@de.ibm.com>


Jan Schintag

commit sha b075b5c24e19d557696b23bea6f6ef96282c720f

s390x: add virtio-blk-ccw Add virtio-blk-ccw support Fixes: #1153 Signed-off-by: Alice Frosi <afrosi@de.ibm.com> Reviewed-by: Jan Schintag <jan.schintag@de.ibm.com>


Penny Zheng

commit sha 611a86035b9fa32dd4f5584d848221d7d20435f1

kubernetes: update kubernetes for AArch64 The latest stable kubernetes v1.15.3 has finally included the significant commit 820a717(https://github.com/kubernetes/kubernetes/commit/ 820a717bce3ef92f9280a4870d449c1e903255f2), which fixed the crash of `kubeadm init` on AArch64 since kubernetes v1.14.0, find detailed info here (https://github.com/kata-containers/tests/issues/1726). Fixes: #2020 Signed-off-by: Penny Zheng <penny.zheng@arm.com>


Julio Montes

commit sha 9e164008979ed9555f8e0ecfc99f12df10f21c6c

Merge pull request #2021 from Pennyzct/kubernetes_on_aarch64 kubernetes: update kubernetes to v1.15.3 for AArch64


katacontainersbot

commit sha f128195249746975cdb40a1c1afedee72b74cffd

release: Kata Containers 1.9.0-alpha1 - kubernetes: update kubernetes to v1.15.3 for AArch64 - vsock: set VHOST_VSOCK_SET_GUEST_CID for ppc64le - tests: allow running unit tests using podman - vc: Delete store when new/create container is failed - virtcontainers: fix kernel modules annotations - vendor: update govmm - kata-check: require kvm modules for amd64 - kata-check: reduce default output verbosity - v2: Prevent killing all container processes when exec is failed - api: add a CleanupContainer api for VC - shim v2: add network stat in metric - qemu: fix error message miss - Fix the issue of update resources wrong - monitor: enlarge watch buffer - add virtiofsd to sandbox cgroup - virtcontainers: Fix the issue of watching console for firecracker - versions: update version of qemu to 4.1.0 - qemu interaction improvements - add watchconsole for no_proxy type - qemu: do not try to stop qemu multiple times - do not hotplug network device when stopping sandbox - agent: add default timeout for grpc requests - container: do not pause a StateReady container - sandbox: remove network before stopping vm - virtcontainers: fix hotplug block/net devices execeed pciBridgeMaxCap… - vsock: Propogate error for vsock ioctl - versions: kernel: update to 4.19.65 - network: Ignore routes with proto as "kernel" - network: Deprecate bridged networking mode. - network: fix failed to remove network - virtcontainers: add support for loading kernel modules - shim-v2: fix shim leak when hypervisor exit unexpectly - virtiofs: wait for virtiofsd process to release its resources - pkg/katautils: Do not set `init` in the kernel command line - virtiofs: fix virtiofs crash when cache=none - acrn: Add toml to gitignore - versions: Upgrade to k8s 1.15 - virtcontainers: support SMP die - qemu: support vfio pass x-pci-vendor-id and x-pci-device-id pass - Remove nested vendor dir - Fix UT failures with non-root - persist: manage "hypervisor.json" with new store - improve robustness w.r.t. 
dead hypervisor - virtcontainers: convert virtcontainers tests to testify/assert - ci: Allow travis to use go install script 611a860 kubernetes: update kubernetes for AArch64 ba3d3da vendor: update govmm c8e5659 virtcontainers: fix kernel modules annotations a5f1744 vc: Delete store when new/create container is failed 8cf0f06 vsock: set VHOST_VSOCK_SET_GUEST_CID based based on arch ff8d23d tests: allow running unit tests using podman c91556a api: add a CleanupContainer api for VC 4cf0703 v2: Prevent killing all container processes when exec is failed 5bfca6e test: add arch required kernel modules c54f00a kata-check: reduce default output verbosity 24fcd1b test: add a generic function for CLI kata-check command 52e68f5 virtcontainers: cleanup the container config once failed 5b749a5 virtcontainers: remove the redundant sandbox config store 50d4188 qemu: fix error message miss 0926c8d virtcontainers: Fix the issue of watching console for firecracker 0075bf8 hypervisor: allow to return a slice of pids 88e281c monitor: enlarge watch buffer db50978 kata-check: require kvm/vhost modules for amd64 4deeb05 versions: update version of qemu to 4.1.0 4a28b52 test: add test for network metric dc38ba7 test: fix cgroup mock test 6534357 shim-v2: add network stat in metric 21698aa vendor: update cgroup e7457e6 qemu: add logfile when debug is on aebc496 qemu: fix memory prealloc option handling 6c77d76 qemu: check guest status with qmp query-status 5b50b34 shimv2: cancel monitor before stopping sandbox 49184ee vendor: update govmm d90eba8 network: always cold unplug network devices d26ff71 Revert: "sandbox: remove network before stopping vm" debc7d9 agent: add default timeout for grpc requests 9d4050e container: do not pause a StateReady container b58ab66 qemu: do not try to stop qemu multiple times 794e08e sandbox: remove network before stopping vm 31ddb4d virtcontainers: add watchconsole for no_proxy type 3fc17e9 vsock: Propogate error for vsock ioctl 565f14f acrn: Change the 
default network model for ACRN to macvtap 2c99b95 network: Deprecate bridged networking mode. e467293 virtcontainers: fix hotplug pci devices execeed max capacity bug 604e1ab versions: kernel: update to 4.19.65 df7cf77 network: Ignore routes with proto as "kernel" 355b9c0 virtcontainers: add support for loading kernel modules 979f064 vendor: update kata agent 0832294 pkg/katautils: Do not set `init` in the kernel command line 2058751 shim-v2: fix shim leak when hypervisor exit unexpectly a9168a3 virtiofs: wait for virtiofsd process to release its resources 263fb64 acrn: Add toml to gitignore 6e1e6a2 virtiofs: fix virtiofs crash when cache=none 50c3e56 network: fix failed to remove network 0d0a84e versions: Upgrade to k8s 1.15 7668aeb virtcontainers: support SMP die 104c04d vendor: update govmm e41a6b9 vendor: Update vendor directories 95e8a7a dep: Remove nested vendor directories f3d0978 persist: improve readability 3bfbbd6 persist: merge "network.json" 99cf3f8 persist: merge "agent.json" 7d5e48f persist: manage "hypervisor.json" with new store d5d7d82 vc: move container mount cleanup to container.go e02f6dc shimv2: monitor sandbox liveness 262484d monitor: watch hypervisor 67c401c agent: use hypervisor pid as backup proxy pid for non-kata proxy cases 835b6e9 sandbox: do not fail SIGKILL bc4460e sandbox: support force stop 4130913 agent: mark agent dead when failing to connect c472a01 container: allow to stop a paused container f886c0b vc: drop container SetPid API f2e6a31 ci: Allow travis to use go install script 3063391 ut: skip TestBindUnmountContainerRootfsENOENTNotError for non-root c4583f4 ut: skip TestStartNetworkMonitor for non-root f2423e7 virtcontainers: convert virtcontainers tests to testify/assert 50e263d qemu: support vfio pass x-pci-vendor-id and x-pci-device-id pass 2cf4189 vendor: update github.com/intel/govmm Signed-off-by: katacontainersbot <katacontainersbot@gmail.com>


Eric Ernst

commit sha 87eca1fff12ac164c37ff5288d12f48819f11776

Merge pull request #2025 from katabuilder/1.9.0-alpha1-branch-bump # Kata Containers 1.9.0-alpha1


James O. D. Hunt

commit sha 94c47dcecdcb5ff1edf3539e4f12f49dbd5e10e6

Merge pull request #1965 from jschintag/virtio-blk-ccw s390x: add virtio-blk-ccw support


Fupan Li

commit sha e21dc8babe749f3adb422392bf185b1ef7cf9833

Merge pull request #2022 from WeiZhang555/limit-usage-of-compatOCISpec CompatOCISpec: limit usage of CompatOCISpec


Wei Zhang

commit sha 03323623e63e7912eb26fa67513f8e5d23412aec

Config: Remove ConfigJSONKey from annotations We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Pull request review commentkata-containers/runtime

[WIP] Remove annotation config json key

 const (
 	// AssetHashType is the hash type used for assets verification
 	AssetHashType = vcAnnotationsPrefix + "AssetHashType"
 
-	// ConfigJSONKey is the annotation key to fetch the OCI configuration.
-	ConfigJSONKey = vcAnnotationsPrefix + "pkg.oci.config"

@jodh-intel I don't think it's an API change. This annotation is used for storing the OCI spec in kata-runtime's own configuration. It's not exposed to users and they have no way to use it, so this is an internal change and it's definitely safe to remove :smile:

WeiZhang555


delete branch WeiZhang555/runtime

delete branch : limit-usage-of-compatOCISpec


pull request commentkata-containers/runtime

wip: Move to Go modules

I think go mod vendor can be an option. How about we only use go mod to manage our "vendor" dir instead of removing the whole "vendor" dir from the repo?

amshinde


pull request commentkata-containers/runtime

[WIP] Remove annotation config json key

/test

WeiZhang555


pull request commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

ping @jodh-intel @bergwolf @sboeuf

WeiZhang555


push eventWeiZhang555/runtime

Wei Zhang

commit sha 0fabefde82fd24fa561e2a8143067d912c205c60

Config: Remove ConfigJSONKey from annotations We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push eventWeiZhang555/runtime

Wei Zhang

commit sha 29d3c700c236f6b8ada8f6e3b124c517ccf7b3ef

Config: Remove ConfigJSONKey from annotations We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push eventWeiZhang555/runtime

Wei Zhang

commit sha 9507f45a0f6b60d7ad8f8304221fae7f7bfe880a

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Wei Zhang

commit sha 42e603f83c6279b99f54cfe1e5843bcca023a06b

Config: Remove ConfigJSONKey from annotations We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


pull request commentkata-containers/runtime

[WIP] Remove annotation config json key

depends-on: #2022

Waiting for it to be merged.

WeiZhang555


pull request commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

/test

WeiZhang555


Pull request review commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

 const (
 
 const KernelModulesSeparator = ";"
 
-// CompatOCIProcess is a structure inheriting from spec.Process defined
+// CompatOCIProcess is a structure inheriting from specs.Process defined
 // in runtime-spec/specs-go package. The goal is to be compatible with
 // both v1.0.0-rc4 and v1.0.0-rc5 since the latter introduced a change
 // about the type of the Capabilities field.
 // Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
 type CompatOCIProcess struct {
-	spec.Process
+	specs.Process
 	Capabilities interface{} `json:"capabilities,omitempty" platform:"linux"` //nolint:govet
 }
 
-// CompatOCISpec is a structure inheriting from spec.Spec defined
+// CompatOCISpec is a structure inheriting from specs.Spec defined
 // in runtime-spec/specs-go package. It relies on the CompatOCIProcess
 // structure declared above, in order to be compatible with both
 // v1.0.0-rc4 and v1.0.0-rc5.
 // Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
 type CompatOCISpec struct {
-	spec.Spec
+	specs.Spec

I checked the code and made "CompatOCISpec" a private structure, and did the same for "ContainerCapabilities()". Now they're "compatOCISpec" and "containerCapabilities()".

Thanks @jodh-intel for your great suggestion!

WeiZhang555


push eventWeiZhang555/runtime

Wei Zhang

commit sha 9507f45a0f6b60d7ad8f8304221fae7f7bfe880a

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


pull request commentkata-containers/runtime

[WIP] Remove annotation config json key

/test

WeiZhang555


pull request commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

/test

WeiZhang555


PR opened kata-containers/runtime

[WIP] Remove annotation config json key

This is a WIP PR trying to remove ConfigJSONKey annotation.

Currently we have several places saving the OCI spec in configurations, which brings a lot of redundancy and confusion; the plan is to remove them all and only keep "bundle/config.json" from upper-level components.

+646 -713

0 comment

37 changed files


push eventWeiZhang555/runtime

Wei Zhang

commit sha 1c00915ec754f204b353a159b41c42cebdd8dbdc

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Pull request review commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

 const (
 
 const KernelModulesSeparator = ";"
 
-// CompatOCIProcess is a structure inheriting from spec.Process defined
+// CompatOCIProcess is a structure inheriting from specs.Process defined
 // in runtime-spec/specs-go package. The goal is to be compatible with
 // both v1.0.0-rc4 and v1.0.0-rc5 since the latter introduced a change
 // about the type of the Capabilities field.
 // Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
 type CompatOCIProcess struct {
-	spec.Process
+	specs.Process
 	Capabilities interface{} `json:"capabilities,omitempty" platform:"linux"` //nolint:govet
 }
 
-// CompatOCISpec is a structure inheriting from spec.Spec defined
+// CompatOCISpec is a structure inheriting from specs.Spec defined
 // in runtime-spec/specs-go package. It relies on the CompatOCIProcess
 // structure declared above, in order to be compatible with both
 // v1.0.0-rc4 and v1.0.0-rc5.
 // Refer to: https://github.com/opencontainers/runtime-spec/commit/37391fb
 type CompatOCISpec struct {
-	spec.Spec
+	specs.Spec

The comment is still valid; besides, there will be another PR about persist data that does the config file refactoring.

And for the private change, I'll need some more investigation.

WeiZhang555


Pull request review commentkata-containers/runtime

CompatOCISpec: limit usage of CompatOCISpec

 func containerCapabilities(s CompatOCISpec) (types.LinuxCapabilities, error) {
 }
 
 // ContainerCapabilities return a LinuxCapabilities for virtcontainer
-func ContainerCapabilities(s CompatOCISpec) (types.LinuxCapabilities, error) {
+func ContainerCapabilities(s CompatOCISpec) (specs.LinuxCapabilities, error) {
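Review bot: The doc comment on the context line directly above the changed signature still reads `return a LinuxCapabilities for virtcontainer`, which is a fragment and no longer names the type the new signature returns; suggest `// ContainerCapabilities returns the specs.LinuxCapabilities described by the given CompatOCISpec.` If the unexported containerCapabilities shown as context still returns types.LinuxCapabilities, the two sibling signatures now disagree on their result type, which is worth aligning in the same change. The body of ContainerCapabilities lies outside the hunk.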

That sounds great. Hmm, why didn't I think of it... Will modify.

WeiZhang555


push eventWeiZhang555/runtime

Wei Zhang

commit sha 76d471c4b0fcced6debb957ebd414a22d8bb1184

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


push eventWeiZhang555/runtime

Wei Zhang

commit sha 76d471c4b0fcced6debb957ebd414a22d8bb1184

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


Wei Zhang

commit sha 77f1b41f146a7408a14c7013441f2b0544c65db6

Config: Remove ConfigJSONKey from annotations We can get OCI spec config from bundle instead of annotations, so this field isn't necessary. Signed-off-by: Wei Zhang <weizhang555.zw@gmail.com>


create branchWeiZhang555/runtime

branch : remove-annotation-ConfigJSONKey


pull request commentkata-containers/runtime

[WIP]CompatOCISpec: limit usage of CompatOCISpec

/test

WeiZhang555


push eventWeiZhang555/runtime

Marco Vedovati

commit sha ff8d23d75f68769abe2ea885d7c45f0d43d7267d

tests: allow running unit tests using podman Refactor unit test so that podman can be used to run tests when docker is not available. Fixes: #2006 Signed-off-by: Marco Vedovati <mvedovati@suse.com>


Nitesh Konkar

commit sha 8cf0f0602ff0205739b6bd90b99947c1b78f614c

vsock: set VHOST_VSOCK_SET_GUEST_CID based based on arch set VHOST_VSOCK_SET_GUEST_CID depending on the host architecture. Fixes: #1988 Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>


Li Yuxuan

commit sha a5f1744132c8bca27a7fb73ea88621e03de7d58b

vc: Delete store when new/create container is failed The container store should be deleted when new/create is failed if the store is newly created. Fixes: #2013 Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>


Julio Montes

commit sha c8e5659c07827b98d2fee2ee1ab566799e969e03

virtcontainers: fix kernel modules annotations Casting in golang doesn't return a pointer to the structure, instead a new structure is instantiated. This patch is to update the old structure with the new one in order to apply the changes. fixes #2016 Signed-off-by: Julio Montes <julio.montes@intel.com>


Alice Frosi

commit sha ba3d3dad7e43f63b003c65d70b4f1eebe8324374

vendor: update govmm s389x doesn't support dimm and we need to skip it. Fixes: #2003 detail commit change: 9463486 s390x: dimm not supported Signed-off-by: Alice Frosi <afrosi@de.ibm.com>


Julio Montes

commit sha fe8506740b375a051066e7b35c2cd2f88448ada1

Merge pull request #2019 from alicefr/update-govmm-skip-numa vendor: update govmm


Julio Montes

commit sha 52cff50e1c4b97de77c556a05469eeb4f5704871

Merge pull request #2017 from devimc/topic/virtcontainers/loadKernelModules virtcontainers: fix kernel modules annotations


Julio Montes

commit sha d44b9f3356def9fe8615a12f8378d61fd3b9ca46

Merge pull request #2014 from darfux/delete_store_when_new_or_create_cntr_fail vc: Delete store when new/create container is failed


Julio Montes

commit sha 284927d33446d5866fa597d770108cd0fdceef23

Merge pull request #2011 from marcov/podman-test tests: allow running unit tests using podman


Salvador Fuentes

commit sha 4176a7c9471596f6aa2eced4cf51cfebd756567c

Merge pull request #1989 from nitkon/vsock vsock: set VHOST_VSOCK_SET_GUEST_CID for ppc64le


Wei Zhang

commit sha c6fc7c777a5203ecc4c8b66329f8126cb39fe210

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <fangcun.zw@alibaba-inc.com>


push eventWeiZhang555/runtime

Wei Zhang

commit sha c33669b589a1063efacbade883113ad1feefb5e5

CompatOCISpec: limit usage of CompatOCISpec Fixes: #2023 CompatOCISpec is used to gurantee backward compatbility for old runtime specs, after we convert CompatOCISpec to standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then. Spread usage of CompatOCISpec can make code structure confusing and making the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field. Signed-off-by: Wei Zhang <fangcun.zw@alibaba-inc.com>


issue openedkata-containers/runtime

Limit usage of CompatOCISpec

CompatOCISpec is used to guarantee backward compatibility for old runtime specs. After we convert CompatOCISpec to the standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then on.

Widespread usage of CompatOCISpec can make the code structure confusing and make the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field.


PR opened kata-containers/runtime

[WIP]CompatOCISpec: limit usage of CompatOCISpec

CompatOCISpec is used to guarantee backward compatibility for old runtime specs. After we convert CompatOCISpec to the standard specs.Spec, we should use specs.Spec instead of CompatOCISpec, and CompatOCISpec should be useless from then on.

Widespread usage of CompatOCISpec can make the code structure confusing and make the runtime spec usage non-standard. Besides, this can be the very first step of removing CompatOCISpec from config's Annotations field.

Signed-off-by: Wei Zhang fangcun.zw@alibaba-inc.com

+199 -317

0 comment

22 changed files


create branchWeiZhang555/runtime

branch : limit-usage-of-compatOCISpec



issue commentkata-containers/runtime

is kata support virtualbox vm ?

As far as I know, VirtualBox doesn't support nested virtualization, which means you can't run another KVM virtual machine inside VirtualBox.

So, as the kata-runtime check showed, Kata Containers can't be run inside VirtualBox; it's not a bug.

damozhiying


startedAwesome-HarmonyOS/HarmonyOS
