From 0a46998a015265132df999e2a13ea16dd21b2919 Mon Sep 17 00:00:00 2001 From: Salvador Fuentes Date: Tue, 21 May 2019 10:00:26 -0500 Subject: [PATCH 01/21] ci: Build kata-runtime before running static checks We need to build kata-runtime to have the correct files in place to be able to run the static checks script. Fixes #1716. Signed-off-by: Salvador Fuentes (cherry picked from commit e8bf81029bf6f2a001319fa1dce59d48cda2a75f) Signed-off-by: Ganesh Maharaj Mahalingam --- .ci/static-checks.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.ci/static-checks.sh b/.ci/static-checks.sh index cfadeaf8a8..5d0317e41e 100755 --- a/.ci/static-checks.sh +++ b/.ci/static-checks.sh @@ -9,4 +9,8 @@ set -e cidir=$(dirname "$0") source "${cidir}/lib.sh" +# Build kata-runtime before running static checks +make -C "${cidir}/../" + +# Run static checks run_static_checks From 3cb631606aba6b4ed2edbe6d2b13d14975aa1e30 Mon Sep 17 00:00:00 2001 From: c00416947 Date: Sun, 26 May 2019 16:05:58 +0800 Subject: [PATCH 02/21] runtime : delete redundant code in CreateContainer Here we have done with logger and container ID map Just delete these code. fixes #1740 Signed-off-by: Haomin Tsai (cherry picked from commit bdae2954c0baed079b3833307db4e9c9ca528741) Signed-off-by: Ganesh Maharaj Mahalingam --- pkg/katautils/create.go | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pkg/katautils/create.go b/pkg/katautils/create.go index 95f89d046e..0a78ea6eb2 100644 --- a/pkg/katautils/create.go +++ b/pkg/katautils/create.go @@ -311,12 +311,6 @@ func CreateContainer(ctx context.Context, vci vc.VC, sandbox vc.VCSandbox, ociSp if err := AddContainerIDMapping(ctx, containerID, sandboxID); err != nil { return vc.Process{}, err } - - kataUtilsLogger = kataUtilsLogger.WithField("sandbox", sandboxID) - - if err := AddContainerIDMapping(ctx, containerID, sandboxID); err != nil { - return vc.Process{}, err - } } // Run pre-start OCI hooks. 
From 6434414bdb1044c80ce54a67063d6a5a6dadd36b Mon Sep 17 00:00:00 2001 From: Hui Zhu Date: Thu, 23 May 2019 11:47:53 +0800 Subject: [PATCH 03/21] kata_proxy: Set Setsid to true when exec kata-proxy There is an issue that ctrl-c stop vmcache server will stop all containers that its VM is created by it. The cause is kata-proxy and vmcache server use same tty, for example: ps -e | grep kata 3617 pts/5 00:00:00 kata-runtime 3636 pts/5 00:00:00 kata-proxy Ctrl-c will send signal to both kata-proxy and vmcache server. Then the containers that its VM is created by this vmcache server will quit with it. Set Setsid to true when exec kata-proxy to handle this issue. Fixes: #1726 Signed-off-by: Hui Zhu (cherry picked from commit 19115ef5f1b5fa724efa11a1702b141f9203eacb) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/kata_proxy.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/virtcontainers/kata_proxy.go b/virtcontainers/kata_proxy.go index 0b622f27c5..af60031a8a 100644 --- a/virtcontainers/kata_proxy.go +++ b/virtcontainers/kata_proxy.go @@ -47,6 +47,9 @@ func (p *kataProxy) start(params proxyParams) (int, string, error) { } cmd := exec.Command(args[0], args[1:]...) + cmd.SysProcAttr = &syscall.SysProcAttr{ + Setsid: true, + } if err := cmd.Start(); err != nil { return -1, "", err } From 5eecdae88209265d5743c963a0119e7a83b883e3 Mon Sep 17 00:00:00 2001 From: Hui Zhu Date: Thu, 23 May 2019 12:29:55 +0800 Subject: [PATCH 04/21] cache: Call vm.Disconnect() when close vm After previous commit, found that kata-proxy is not quit when vmcache server is stopped by ctrl-c. The cause is current kata-proxy is setsid when it exec. It will not get the signal ctrl-c. Call vm.Disconnect() when close vm in cache factory to handle this issue. Fixes: #1726 Signed-off-by: Hui Zhu (cherry picked from commit 7bf6c6754de0b288649f5fbb58af915b81c83aff) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/factory/cache/cache.go | 1 + 1 file changed, 1 insertion(+) 
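Review bot: The new `SysProcAttr` block in kataProxy.start has no comment saying why kata-proxy is moved into its own session; the reason (terminal signals aimed at the vmcache server were also reaching the proxy) exists only in the commit message. Suggest adding `// Start kata-proxy in a new session so signals from the caller's controlling terminal (e.g. Ctrl-C) are not delivered to it.` above the assignment. Because the proxy no longer goes away with the terminal, whatever started it has to stop it explicitly, which is worth stating in the same comment. The function body starts and ends outside the hunk.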
diff --git a/virtcontainers/factory/cache/cache.go b/virtcontainers/factory/cache/cache.go index 3f672eb8f8..a4f40402ad 100644 --- a/virtcontainers/factory/cache/cache.go +++ b/virtcontainers/factory/cache/cache.go @@ -63,6 +63,7 @@ func New(ctx context.Context, count uint, b base.FactoryBase) base.FactoryBase { case <-closed: c.removeFromVmm(vm) vm.Stop() + vm.Disconnect() c.wg.Done() return } From ad4b07d7a3a68615eeb45eb438d387f52e33622b Mon Sep 17 00:00:00 2001 From: Julio Montes Date: Wed, 22 May 2019 08:16:37 -0500 Subject: [PATCH 05/21] data: Revert pull request #1405 The rootfs image was fixed, now the DAX metadata and 2 MBRs headers are part of the same image. Mounting the rootfs partiton with an offset of 2M is no more needed, since the first MBR is read by partx or losetup by default. fixes #1443 Signed-off-by: Julio Montes julio.montes@intel.com (cherry picked from commit 82e51d42abc4b8bcf26d7aad2ba1870012f1d723) Signed-off-by: Ganesh Maharaj Mahalingam --- data/kata-collect-data.sh.in | 49 ++++++++++-------------------------- 1 file changed, 13 insertions(+), 36 deletions(-) diff --git a/data/kata-collect-data.sh.in b/data/kata-collect-data.sh.in index 7a4ddc571b..8d703f4433 100644 --- a/data/kata-collect-data.sh.in +++ b/data/kata-collect-data.sh.in @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright (c) 2017-2019 Intel Corporation +# Copyright (c) 2017-2018 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # @@ -14,7 +14,6 @@ typeset -r script_version="@VERSION@ (commit @COMMIT@)" typeset -r unknown="unknown" typeset -r osbuilder_file="/var/lib/osbuilder/osbuilder.yaml" -typeset -r dax_header_size_bytes=$((2 * 1024 * 1024)) # Maximum number of errors to show for a single system component # (such as runtime or proxy). 
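Review bot: The results of `vm.Stop()` and the newly added `vm.Disconnect()` are discarded in the `case <-closed:` branch, so a failed disconnect would leave the session-detached kata-proxy running with nothing in the logs. If these methods return an error (their signatures are not visible in this hunk), log it, for example `if err := vm.Disconnect(); err != nil { <logger>.WithError(err).Error("failed to disconnect vm") }`, where `<logger>` stands for whatever logger this package already uses. The enclosing goroutine in New starts and ends outside the hunk.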
@@ -401,34 +400,19 @@ get_image_details() local contents local expected - local found_valid_image=0 - - # Newer images contain a dax header, but check for both types. - for use_dax_offset in true false - do - loop_device=$(loopmount_image "$img" "$use_dax_offset") - [ -z "$loop_device" ] && continue - - partitions=$(get_partitions "$loop_device") - if [ -z "$partitions" ]; then - release_device "$loop_device" - continue - fi - - count=$(echo "$partitions"|wc -l) - - expected=1 + loop_device=$(loopmount_image "$img") + if [ -z "$loop_device" ]; then + echo "$unknown" + return + fi - if [ "$count" -ne "$expected" ]; then - release_device "$loop_device" - continue - fi + partitions=$(get_partitions "$loop_device") + count=$(echo "$partitions"|wc -l) - found_valid_image=1 - break - done + expected=1 - if [ "$found_valid_image" = 0 ]; then + if [ "$count" -ne "$expected" ]; then + release_device "$loop_device" echo "$unknown" return fi @@ -450,8 +434,7 @@ get_image_details() unmount_partition "$mountpoint" release_device "$loop_device" - # Supplement the output with details of whether the header was found - printf -- "%s\ndax-nvdimm-header: \"%s\"\n" "${contents}" "$use_dax_offset" + echo "$contents" } # Parameter 1: Path to the initrd file. @@ -526,16 +509,10 @@ loopmount_image() { local img="$1" [ -n "$img" ] || die "need image file" - local use_dax_offset="$2" - [ -n "$use_dax_offset" ] || die "need dax offset value" local device_path - local offset=0 - - [ "$use_dax_offset" = true ] && offset="$dax_header_size_bytes" - - losetup -fP -o "$offset" "$img" + losetup -fP "$img" device_path=$(losetup -j "$img" |\ cut -d: -f1 |\ From a98871e5a11400844c3907b47099ddc6b6137f74 Mon Sep 17 00:00:00 2001 From: lifupan Date: Tue, 21 May 2019 16:36:29 +0800 Subject: [PATCH 06/21] shimv2: fix the issue of passing the wrong container id It should pass the container id instead of sandbox id. Fixes:#1672 
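Review bot: get_image_details no longer rejects an empty partition list: `echo "$partitions"|wc -l` yields 1 for an empty string, so `count` equals `expected` and the function carries on with a loop device on which no partition was found. The code removed by this revert had a `[ -z "$partitions" ]` guard that released the device and continued; an equivalent guard should stay after the `get_partitions` call, as below. The function body continues outside the hunk.

```shell
partitions=$(get_partitions "$loop_device")
if [ -z "$partitions" ]; then
	release_device "$loop_device"
	echo "$unknown"
	return
fi
# … unchanged: count/expected comparison …
```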
Signed-off-by: lifupan (cherry picked from commit 5e1f5ca735d71670563970d97f89e4486c34fe48) Signed-off-by: Ganesh Maharaj Mahalingam --- containerd-shim-v2/service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go index 383d7d1238..d479790e15 100644 --- a/containerd-shim-v2/service.go +++ b/containerd-shim-v2/service.go @@ -453,7 +453,7 @@ func (s *service) Delete(ctx context.Context, r *taskAPI.DeleteRequest) (_ *task } s.send(&eventstypes.TaskDelete{ - ContainerID: s.id, + ContainerID: c.id, Pid: s.pid, ExitStatus: c.exit, ExitedAt: c.exitTime, From eb75d0cc2bbc73f6509c34fc5e1200fbffa6ae4d Mon Sep 17 00:00:00 2001 From: lifupan Date: Tue, 21 May 2019 16:53:43 +0800 Subject: [PATCH 07/21] shimv2: kill a container return directly once the container termianted According to CRI specs, kubelet will call StopPodSandbox() at least once before calling RemovePodSandbox, and this call is idempotent, and must not return an error if all relevant resources have already been reclaimed. And in that call it will send a SIGKILL signal first to try to stop the container, thus once the container has terminated, here should ignore this signal and return directly. Fixes:#1672 Signed-off-by: lifupan (cherry picked from commit 0d535f56e514b37a21aa5e70e2c1becba732f8f1) Signed-off-by: Ganesh Maharaj Mahalingam --- containerd-shim-v2/service.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go index d479790e15..782c4a87a9 100644 --- a/containerd-shim-v2/service.go +++ b/containerd-shim-v2/service.go 
@@ -677,6 +677,20 @@ func (s *service) Kill(ctx context.Context, r *taskAPI.KillRequest) (_ *ptypes.E return nil, err } + // According to CRI specs, kubelet will call StopPodSandbox() + // at least once before calling RemovePodSandbox, and this call + // is idempotent, and must not return an error if all relevant + // resources have already been reclaimed. And in that call it will + // send a SIGKILL signal first to try to stop the container, thus + // once the container has terminated, here should ignore this signal + // and return directly. + if signum == syscall.SIGKILL || signum == syscall.SIGTERM { + if c.status == task.StatusStopped { + logrus.WithField("sandbox", s.sandbox.ID()).WithField("Container", c.id).Debug("Container has already been stopped") + return empty, nil + } + } + processID := c.id if r.ExecID != "" { execs, err := c.getExec(r.ExecID) From 966158617d852438f8d59cb8da1019053ee4ec48 Mon Sep 17 00:00:00 2001 From: lifupan Date: Wed, 22 May 2019 10:03:24 +0800 Subject: [PATCH 08/21] shimv2: shutdown the sandbox when sandbox container exited Kubelet would cleanup the pod cgroup resources and kill the processes in the pod cgroups when it detected all of the containers in a pod exited, thus shimv2 should close the hypervisor process once the podsandbox container exited, otherwise, the hypervisor process would be killed by kubelet and made shimv2 failed to shutdown the sandbox. Fixes:#1672 Signed-off-by: lifupan (cherry picked from commit f301c957f6316ed82c16025e9795e39c4aa4f9b0) Signed-off-by: Ganesh Maharaj Mahalingam --- containerd-shim-v2/container.go | 2 -- containerd-shim-v2/delete.go | 22 +++++++++++----------- containerd-shim-v2/service.go | 19 +------------------ containerd-shim-v2/wait.go | 30 ++++++++++++++++++++++++------ 4 files changed, 36 insertions(+), 37 deletions(-) diff --git a/containerd-shim-v2/container.go b/containerd-shim-v2/container.go index 5fc252be69..9dffa2cfcf 100644 --- a/containerd-shim-v2/container.go 
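Review bot: The comment justifies the early return only for the SIGKILL that kubelet sends, but the condition also swallows `syscall.SIGTERM`; either extend the comment to say why SIGTERM is treated the same way or narrow the check. The log field key `"Container"` is capitalised here while wait.go elsewhere in this series uses `"container"`, which splits the field in structured-log queries; `WithField("container", c.id)` keeps them aligned. The check reads `c.status`, which wait() writes under a lock, and whether Kill holds the matching lock at this point is outside the hunk and worth confirming.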
+++ b/containerd-shim-v2/container.go @@ -6,7 +6,6 @@ package containerdshim import ( - "sync" "time" "github.com/containerd/containerd/api/types/task" @@ -31,7 +30,6 @@ type container struct { stderr string bundle string cType vc.ContainerType - mu sync.Mutex exit uint32 status task.Status terminal bool diff --git a/containerd-shim-v2/delete.go b/containerd-shim-v2/delete.go index 462749215e..59e7faad41 100644 --- a/containerd-shim-v2/delete.go +++ b/containerd-shim-v2/delete.go @@ -17,21 +17,21 @@ import ( ) func deleteContainer(ctx context.Context, s *service, c *container) error { - - status, err := s.sandbox.StatusContainer(c.id) - if err != nil { - return err - } - if status.State.State != types.StateStopped { - _, err = s.sandbox.StopContainer(c.id) + if !c.cType.IsSandbox() { + status, err := s.sandbox.StatusContainer(c.id) if err != nil { return err } - } + if status.State.State != types.StateStopped { + _, err = s.sandbox.StopContainer(c.id) + if err != nil { + return err + } + } - _, err = s.sandbox.DeleteContainer(c.id) - if err != nil { - return err + if _, err = s.sandbox.DeleteContainer(c.id); err != nil { + return err + } } // Run post-stop OCI hooks. diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go index 782c4a87a9..912252ae4c 100644 --- a/containerd-shim-v2/service.go +++ b/containerd-shim-v2/service.go 
@@ -431,27 +431,10 @@ func (s *service) Delete(ctx context.Context, r *taskAPI.DeleteRequest) (_ *task } if r.ExecID == "" { - err = deleteContainer(ctx, s, c) - if err != nil { + if err = deleteContainer(ctx, s, c); err != nil { return nil, err } - // Take care of the use case where it is a sandbox. - // Right after the container representing the sandbox has - // been deleted, let's make sure we stop and delete the - // sandbox. - if c.cType.IsSandbox() { - if err = s.sandbox.Stop(); err != nil { - logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to stop sandbox") - return nil, err - } - - if err = s.sandbox.Delete(); err != nil { - logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to delete sandbox") - return nil, err - } - } - s.send(&eventstypes.TaskDelete{ ContainerID: c.id, Pid: s.pid, diff --git a/containerd-shim-v2/wait.go b/containerd-shim-v2/wait.go index 121cad47b5..d36408dd5b 100644 --- a/containerd-shim-v2/wait.go +++ b/containerd-shim-v2/wait.go 
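Review bot: With the sandbox stop/delete removed from Delete here, and deleteContainer in this same commit skipping the sandbox container entirely, the VM is torn down only from wait(). If Delete can be reached for a sandbox container whose wait() never ran (for instance a task that was created but never started, which these hunks do not settle), the hypervisor process would be left behind while `TaskDelete` is still published. Suggest documenting the invariant above the call, e.g. `// The sandbox itself is stopped and deleted in wait(); Delete only cleans up container state.`, or keeping a guarded fallback for the not-yet-stopped case.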
@@ -42,23 +42,41 @@ func wait(s *service, c *container, execID string) (int32, error) { } timeStamp := time.Now() - c.mu.Lock() + + s.mu.Lock() if execID == "" { + // Take care of the use case where it is a sandbox. + // Right after the container representing the sandbox has + // been deleted, let's make sure we stop and delete the + // sandbox. + + if c.cType.IsSandbox() { + if err = s.sandbox.Stop(); err != nil { + logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to stop sandbox") + } + + if err = s.sandbox.Delete(); err != nil { + logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to delete sandbox") + } + } else { + if _, err = s.sandbox.StopContainer(c.id); err != nil { + logrus.WithError(err).WithField("container", c.id).Warn("stop container failed") + } + } c.status = task.StatusStopped c.exit = uint32(ret) c.exitTime = timeStamp + + c.exitCh <- uint32(ret) + } else { execs.status = task.StatusStopped execs.exitCode = ret execs.exitTime = timeStamp - } - c.mu.Unlock() - if execID == "" { - c.exitCh <- uint32(ret) - } else { execs.exitCh <- uint32(ret) } + s.mu.Unlock() go cReap(s, int(ret), c.id, execID, timeStamp) From a0c413ada6ca89a9ff91e30a90eddd738a4ec5b4 Mon Sep 17 00:00:00 2001 From: Ace-Tang Date: Wed, 22 May 2019 11:25:19 +0800 Subject: [PATCH 09/21] shimv2: remove use containerd ns as netns ``` //the network namespace created by cni plugin netns, err = namespaces.NamespaceRequired(ctx) if err != nil { return nil, errors.Wrap(err, "create namespace") } ``` the netns is a containerd namespace concept, it not netns, event a cni set netns for this, this is a tricky way, so remove the logic. Fixes: #1692 Signed-off-by: Ace-Tang (cherry picked from commit d6b3bffad81214403c57a1cbf89618b9bb10aa52) Signed-off-by: Ganesh Maharaj Mahalingam --- containerd-shim-v2/create.go | 28 ++++++---------------------- containerd-shim-v2/service.go | 9 +-------- 2 files changed, 7 insertions(+), 30 deletions(-) 
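Review bot: `s.sandbox.Stop()` and `s.sandbox.Delete()` now run while `s.mu` is held, and both exit-channel sends (`c.exitCh <- uint32(ret)`, `execs.exitCh <- uint32(ret)`) moved inside the lock as well. Create in service.go takes the same `s.mu`, so a slow hypervisor shutdown stalls other shim requests, and if either channel is unbuffered and its reader needs `s.mu` the send cannot complete (buffering is not visible here). The two sandbox failure logs drop the error value, unlike the StopContainer branch; `logrus.WithError(err).WithField("sandbox", s.sandbox.ID()).Error("failed to stop sandbox")` would preserve it. A failed Stop is also followed by Delete and the container is marked `StatusStopped` regardless, so a VM that did not shut down is reported as exited.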
diff --git a/containerd-shim-v2/create.go b/containerd-shim-v2/create.go index 6ddafc36d1..418c4108f4 100644 --- a/containerd-shim-v2/create.go +++ b/containerd-shim-v2/create.go @@ -10,12 +10,13 @@ package containerdshim import ( "context" "fmt" + "os" + "path/filepath" + "github.com/containerd/typeurl" vc "github.com/kata-containers/runtime/virtcontainers" "github.com/kata-containers/runtime/virtcontainers/pkg/oci" "github.com/pkg/errors" - "os" - "path/filepath" taskAPI "github.com/containerd/containerd/runtime/v2/task" @@ -30,7 +31,7 @@ import ( crioption "github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1" ) -func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns string) (*container, error) { +func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) { rootFs := vc.RootFs{Mounted: s.mount} if len(r.Rootfs) == 1 { m := r.Rootfs[0] @@ -40,7 +41,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns } detach := !r.Terminal - ociSpec, bundlePath, err := loadSpec(r, netns) + ociSpec, bundlePath, err := loadSpec(r) if err != nil { return nil, err } @@ -124,7 +125,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns return container, nil } -func loadSpec(r *taskAPI.CreateTaskRequest, netns string) (*oci.CompatOCISpec, string, error) { +func loadSpec(r *taskAPI.CreateTaskRequest) (*oci.CompatOCISpec, string, error) { // Checks the MUST and MUST NOT from OCI runtime specification bundlePath, err := validBundle(r.ID, r.Bundle) if err != nil { 
@@ -136,23 +137,6 @@ func loadSpec(r *taskAPI.CreateTaskRequest, netns string) (*oci.CompatOCISpec, s return nil, "", err } - //set the network namespace path - //this set will be applied to sandbox's - //network config and has nothing to - //do with containers in the sandbox since - //networkNamespace has been ignored by - //kata-agent in sandbox. - - for _, n := range ociSpec.Linux.Namespaces { - if n.Type != specs.NetworkNamespace { - continue - } - - if n.Path == "" { - n.Path = netns - } - } - // Todo: // Since there is a bug in kata for sharedPidNs, here to // remove the pidns to disable the sharePidNs temporarily, diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go index 912252ae4c..9103885080 100644 --- a/containerd-shim-v2/service.go +++ b/containerd-shim-v2/service.go @@ -334,15 +334,8 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * defer s.mu.Unlock() var c *container - var netns string - //the network namespace created by cni plugin - netns, err = namespaces.NamespaceRequired(ctx) - if err != nil { - return nil, errors.Wrap(err, "create namespace") - } - - c, err = create(ctx, s, r, netns) + c, err = create(ctx, s, r) if err != nil { return nil, err } From 2c444f34effd85c1242a1b5a7498adb00bc2b670 Mon Sep 17 00:00:00 2001 From: Julio Montes Date: Tue, 21 May 2019 14:00:41 -0500 Subject: [PATCH 10/21] data/kata-collect-data: support kata containers snap Use `kata-containers.runtime` that is the runtime binary, to collect the data if the kata-runtime binary is not installed fixes #1720 Signed-off-by: Julio Montes (cherry picked from commit 19288aab46220a6fbdf5cb2a7be4a03fa64d4c55) Signed-off-by: Ganesh Maharaj Mahalingam --- data/kata-collect-data.sh.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/data/kata-collect-data.sh.in b/data/kata-collect-data.sh.in index 8d703f4433..b6f003db31 100644 --- a/data/kata-collect-data.sh.in +++ b/data/kata-collect-data.sh.in 
@@ -7,7 +7,10 @@ typeset -r script_name=${0##*/} typeset -r runtime_name="@RUNTIME_NAME@" -typeset -r runtime=$(command -v "$runtime_name" 2>/dev/null) +typeset -r runtime_path=$(command -v "$runtime_name" 2>/dev/null) +typeset -r runtime_snap_name="kata-containers.runtime" +typeset -r runtime_snap_path=$(command -v "$runtime_snap_name" 2>/dev/null) +typeset -r runtime=${runtime_path:-"$runtime_snap_path"} typeset -r issue_url="@PROJECT_BUG_URL@" typeset -r script_version="@VERSION@ (commit @COMMIT@)" From 97cf3c92808e7087717cc55db43b629de6842bb9 Mon Sep 17 00:00:00 2001 From: Ganesh Maharaj Mahalingam Date: Fri, 17 May 2019 15:57:26 -0700 Subject: [PATCH 11/21] nemu-config: fix nemu for ci virtio-fs is now available in 1.7 release and needs hugepages enabled. Updating version of NEMU that ships with kata by default which contains the fixes for hugepages, machine_type=virt and network access. Fixes: #1709 Signed-off-by: Ganesh Maharaj Mahalingam (cherry picked from commit 722ac5aa978e3b998a1d6de450a289a52d367ca6) Signed-off-by: Ganesh Maharaj Mahalingam --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index 29fb4c19a6..d33b2abbb1 100644 --- a/versions.yaml +++ b/versions.yaml @@ -84,7 +84,7 @@ assets: uscan-url: >- https://github.com/intel/nemu/tags .*/release-?(\d\S+)\.tar\.gz - version: "release-2019-05-07" + version: "release-2019-05-21" nemu-ovmf: description: "OVMF firmware used by nemu VMM" From a268c66245ee835d8f612ea7c07ae5fafe23d92d Mon Sep 17 00:00:00 2001 From: Salvador Fuentes Date: Fri, 17 May 2019 11:29:14 -0500 Subject: [PATCH 12/21] nemu-config: Add machine_type to config file nemu needs to be configured with: `machine_type = "virt"` by default. In addition, this commit removes `machine_accelerators="virt"` which was added instead of `machine_type` in a previous commit. Fixes: #1707. Signed-off-by: Salvador Fuentes (cherry picked from commit 6be5e5f1824fd9dde1e6775e91a4623d6ffe6c51) 
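Review bot: `runtime` ends up as an empty string when neither `@RUNTIME_NAME@` nor `kata-containers.runtime` is found by `command -v`, and nothing in this hunk reports that case. If no later check exists (the rest of the script is outside the hunk), add one before the first use of `$runtime`, e.g. `[ -n "$runtime" ] || die "cannot find runtime"`, so the collected report does not silently contain output from failed invocations. A one-line comment noting that the snap name is a fallback for snap installs would also make the precedence explicit.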
Signed-off-by: Ganesh Maharaj Mahalingam --- Makefile | 6 +++--- cli/config/configuration-nemu.toml.in | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 3891726ba1..e00e99c2c0 100644 --- a/Makefile +++ b/Makefile @@ -245,7 +245,7 @@ ifneq (,$(NEMUCMD)) # currently, huge pages are required for virtiofsd support DEFENABLEHUGEPAGES_NEMU := true # nemu uses virt machine type - DEFMACHINEACCELERATOR_NEMU := virt + DEFMACHINETYPE_NEMU := virt DEFBLOCKSTORAGEDRIVER_NEMU := virtio-scsi DEFNETWORKMODEL_NEMU := tcfilter KERNELNAME = $(call MAKE_KERNEL_NAME,$(KERNELTYPE)) @@ -334,7 +334,7 @@ USER_VARS += KERNELTYPE_FC USER_VARS += FIRMWAREPATH USER_VARS += FIRMWAREPATH_NEMU USER_VARS += MACHINEACCELERATORS -USER_VARS += DEFMACHINEACCELERATOR_NEMU +USER_VARS += DEFMACHINETYPE_NEMU USER_VARS += KERNELPARAMS USER_VARS += LIBEXECDIR USER_VARS += LOCALSTATEDIR @@ -486,7 +486,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@FIRMWAREPATH@|$(FIRMWAREPATH)|g" \ -e "s|@FIRMWAREPATH_NEMU@|$(FIRMWAREPATH_NEMU)|g" \ -e "s|@MACHINEACCELERATORS@|$(MACHINEACCELERATORS)|g" \ - -e "s|@DEFMACHINEACCELERATOR_NEMU@|$(DEFMACHINEACCELERATOR_NEMU)|g" \ + -e "s|@DEFMACHINETYPE_NEMU@|$(DEFMACHINETYPE_NEMU)|g" \ -e "s|@KERNELPARAMS@|$(KERNELPARAMS)|g" \ -e "s|@LOCALSTATEDIR@|$(LOCALSTATEDIR)|g" \ -e "s|@PKGLIBEXECDIR@|$(PKGLIBEXECDIR)|g" \ diff --git a/cli/config/configuration-nemu.toml.in b/cli/config/configuration-nemu.toml.in index 19dbefd2e5..085a92b03d 100644 --- a/cli/config/configuration-nemu.toml.in +++ b/cli/config/configuration-nemu.toml.in @@ -15,6 +15,7 @@ path = "@NEMUPATH@" kernel = "@KERNELPATH@" image = "@IMAGEPATH@" +machine_type = "@DEFMACHINETYPE_NEMU@" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having 
@@ -35,7 +36,7 @@ firmware = "@FIRMWAREPATH_NEMU@" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` -machine_accelerators="@DEFMACHINEACCELERATOR_NEMU@" +machine_accelerators="" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to @DEFVCPUS@ From feddee085cf5960aa0bb0a12f2d0f9dcd6ed270e Mon Sep 17 00:00:00 2001 From: Nitesh Konkar Date: Fri, 17 May 2019 18:54:28 +0530 Subject: [PATCH 13/21] virtcontainers: Set correct Shmsize for ppc64le Fix the test case TestGetShmSizeBindMounted by setting the right ShmSize for ppc64le. Fixes: #1702 Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com (cherry picked from commit 1789b65c93affe1bd2be90b43d733a63594909bb) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/pkg/oci/utils_test.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/virtcontainers/pkg/oci/utils_test.go b/virtcontainers/pkg/oci/utils_test.go index 700d4863b3..6d63bf51ba 100644 --- a/virtcontainers/pkg/oci/utils_test.go +++ b/virtcontainers/pkg/oci/utils_test.go @@ -13,6 +13,7 @@ import ( "path" "path/filepath" "reflect" + "runtime" "strconv" "testing" @@ -816,6 +817,10 @@ func TestGetShmSizeBindMounted(t *testing.T) { assert.Nil(t, err) size := 8192 + if runtime.GOARCH == "ppc64le" { + // PAGE_SIZE on ppc64le is 65536 + size = 65536 + } shmOptions := "mode=1777,size=" + strconv.Itoa(size) err = unix.Mount("shm", shmPath, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, shmOptions) From 58f7eea030a6aca930e1ba0c5e9dbe7400fba7c3 Mon Sep 17 00:00:00 2001 From: Gabriela Cervantes Date: Thu, 16 May 2019 05:17:08 -0500 Subject: [PATCH 14/21] versions: Update CRI-O version to 1.14.1 Now that CRI-O released a new version we can update it. Fixes #1696 Signed-off-by: Gabriela Cervantes (cherry picked from commit 5d527d719e43de06b35e1a2b755a3bdba4770925) 
Signed-off-by: Ganesh Maharaj Mahalingam --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index d33b2abbb1..4865bfa093 100644 --- a/versions.yaml +++ b/versions.yaml @@ -186,7 +186,7 @@ externals: description: | OCI-based Kubernetes Container Runtime Interface implementation url: "https://github.com/cri-o/cri-o" - version: "3ddde3dee35a239712ee26fa542abe5609c4f44f" + version: "v1.14.1" meta: openshift: "6273bea4c9ed788aeb3d051ebf2d030060c05b6c" From 0199d890f2c5f0552d71d6b3613cc04b9f559602 Mon Sep 17 00:00:00 2001 From: Marco Vedovati Date: Thu, 16 May 2019 18:56:33 +0200 Subject: [PATCH 15/21] versions: Update golang to 1.11.10 Set the minimum golang version to 1.11.10, the latest stable 1.11 version at the time of writing. Go 1.11 is required to build the agent with working vsock support. Fixes: #1693 Signed-off-by: Marco Vedovati (cherry picked from commit c22b15d122090b308b3dd81c449fdd4776b17724) Signed-off-by: Ganesh Maharaj Mahalingam --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index 4865bfa093..67a2e13f85 100644 --- a/versions.yaml +++ b/versions.yaml @@ -264,7 +264,7 @@ languages: issue: "https://github.com/golang/go/issues/20676" uscan-url: >- https://github.com/golang/go/tags .*/go?([\d\.]+)\.tar\.gz - version: "1.10.4" + version: "1.11.10" meta: description: | 'newest-version' is the latest version known to work when From 52f0193f2c2891cbc857d590f8dbb72708bb173a Mon Sep 17 00:00:00 2001 From: Peng Tao Date: Mon, 6 May 2019 14:20:52 +0800 Subject: [PATCH 16/21] qemu: print virtiofsd logs when debug is on To help trace virtiofsd issues. Signed-off-by: Peng Tao (cherry picked from commit d0aae80f5556aefa661b22d8ed980f5ea3535914) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/qemu.go | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) 
diff --git a/virtcontainers/qemu.go b/virtcontainers/qemu.go index 1217dfc32b..2d0ffe418f 100644 --- a/virtcontainers/qemu.go +++ b/virtcontainers/qemu.go @@ -598,10 +598,16 @@ func (q *qemu) startSandbox(timeout int) error { // connection with QEMU closes. Therefore we do not keep track // of this child process after returning from this function. sourcePath := filepath.Join(kataHostSharedDir, q.id) - cmd := exec.Command(q.config.VirtioFSDaemon, - "-o", "vhost_user_socket="+sockPath, - "-o", "source="+sourcePath, - "-o", "cache="+q.config.VirtioFSCache) + args := []string{ + "-o", "vhost_user_socket=" + sockPath, + "-o", "source=" + sourcePath, + "-o", "cache=" + q.config.VirtioFSCache} + if q.config.Debug { + args = append(args, "-d") + } else { + args = append(args, "-f") + } + cmd := exec.Command(q.config.VirtioFSDaemon, args...) stderr, err := cmd.StderrPipe() if err != nil { return err @@ -621,16 +627,24 @@ func (q *qemu) startSandbox(timeout int) error { timeStart := time.Now() go func() { scanner := bufio.NewScanner(stderr) + var sent bool for scanner.Scan() { - if strings.Contains(scanner.Text(), "Waiting for vhost-user socket connection...") { + if q.config.Debug { + q.Logger().WithField("source", "virtiofsd").Debug(scanner.Text()) + } + if !sent && strings.Contains(scanner.Text(), "Waiting for vhost-user socket connection...") { sockReady <- nil - return + sent = true } } - if err := scanner.Err(); err != nil { - sockReady <- err + if !sent { + if err := scanner.Err(); err != nil { + sockReady <- err + } else { + sockReady <- fmt.Errorf("virtiofsd did not announce socket connection") + } } - sockReady <- fmt.Errorf("virtiofsd did not announce socket connection") + q.Logger().Info("virtiofsd quits") }() timeoutDuration := time.Duration(timeout) * time.Second select { From fb2a9952941bf4bda4bf0596b6f415cc03235abc Mon Sep 17 00:00:00 2001 
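Review bot: Once `sent` is true, `scanner.Err()` is never inspected, so a read failure or a stderr line longer than bufio.Scanner's default token limit ends the loop silently and `virtiofsd quits` is logged although the daemon may still be running. Suggest checking the error after the loop in both cases, e.g. `if err := scanner.Err(); err != nil { q.Logger().WithError(err).Warn("reading virtiofsd stderr") }`, and wording the final message as "stderr closed" unless the process has actually been waited on. The goroutine now lives as long as the daemon, and if the timeout branch of the `select` has already returned it would block on `sockReady <- nil` when the channel is unbuffered (its declaration is outside the hunk), at which point stderr is no longer drained.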
From: Peng Tao Date: Mon, 6 May 2019 18:01:05 +0800 Subject: [PATCH 17/21] qemu: stop qemu process when virtiofsd quits If virtiofsd fails to initialize and stops unexpected, qemu might hang forever. We just stop the qemu process. Resource cleanup will be done by others. Fixes: #1690 Signed-off-by: Peng Tao (cherry picked from commit 89e0dfae111e0365fdcbf7a65ecafa60580ee8b0) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/qemu.go | 1 + 1 file changed, 1 insertion(+) diff --git a/virtcontainers/qemu.go b/virtcontainers/qemu.go index 2d0ffe418f..9edafcb08c 100644 --- a/virtcontainers/qemu.go +++ b/virtcontainers/qemu.go @@ -645,6 +645,7 @@ func (q *qemu) startSandbox(timeout int) error { } } q.Logger().Info("virtiofsd quits") + q.stopSandbox() }() timeoutDuration := time.Duration(timeout) * time.Second select { From 7c7da54e85d46de346752d95941421ba74daee28 Mon Sep 17 00:00:00 2001 From: Hui Zhu Date: Wed, 15 May 2019 21:36:26 +0800 Subject: [PATCH 18/21] kata_proxy: Open a special goroutine do cmd.Wait Got a defunct kata-proxy after kata quit when VMCache is enabled. The reason is vmcache server opens kata-proxy but doesn't wait it. If VMCache is disabled, kata-runtime will quit before kata-proxy. So it will not meet the issue. Open a special goroutine do cmd.Wait in kataProxy.start to handle the isssue. Fixes: #1678 Signed-off-by: Hui Zhu (cherry picked from commit 00d03c102200a9fb6a43df0a8236245edeac81af) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/kata_proxy.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/virtcontainers/kata_proxy.go b/virtcontainers/kata_proxy.go index af60031a8a..e04b4cfff4 100644 --- a/virtcontainers/kata_proxy.go +++ b/virtcontainers/kata_proxy.go @@ -54,6 +54,8 @@ func (p *kataProxy) start(params proxyParams) (int, string, error) { return -1, "", err } + go cmd.Wait() + return cmd.Process.Pid, proxyURL, nil } From 8c199e24277360f3ac5174fe52e32ecb53552ca1 Mon Sep 17 00:00:00 2001 
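Review bot: `q.stopSandbox()` is called from the stderr-reader goroutine whenever the scan loop ends, with any result dropped and no synchronisation with the `startSandbox` call that may still be sitting in its `select`. The comment earlier in this function suggests virtiofsd also exits when the QEMU connection closes, so this fires on normal teardown too, where it would run a second time or concurrently with the regular stop path. If stopSandbox returns an error, log it, e.g. `if err := q.stopSandbox(); err != nil { q.Logger().WithError(err).Warn("stopping sandbox after virtiofsd exit") }`, and confirm it is safe to call twice; its body is outside this hunk.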
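Review bot: `go cmd.Wait()` in kataProxy.start reaps the proxy but throws away its exit status, so a kata-proxy that dies early is indistinguishable from a healthy one in the logs. Wrapping the call keeps the reaping and records the failure: `go func() { if err := cmd.Wait(); err != nil { <logger>.WithError(err).Warn("kata-proxy exited") } }()`, where `<logger>` stands for the logger this type already uses. A short comment saying the goroutine exists to avoid a defunct process when the vmcache server outlives the proxy would also help the next reader.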
From: Zha Bin Date: Mon, 22 Apr 2019 14:22:34 +0800 Subject: [PATCH 19/21] network: delete IP addrs on bridge model to prevent ARP conflict Fixes: #1673 Signed-off-by: Zha Bin (cherry picked from commit bdb1047a674793971c3492601b48bfe0ab7fe66b) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/network.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/virtcontainers/network.go b/virtcontainers/network.go index ff7dd26935..4dea04e5f6 100644 --- a/virtcontainers/network.go +++ b/virtcontainers/network.go @@ -716,6 +716,16 @@ func bridgeNetworkPair(endpoint Endpoint, queues int, disableVhostNet bool) erro netPair.VirtIface.Name, netPair.Name, err) } + // Clear the IP addresses from the veth interface to prevent ARP conflict + netPair.VirtIface.Addrs, err = netlink.AddrList(link, netlink.FAMILY_V4) + if err != nil { + return fmt.Errorf("Unable to obtain veth IP addresses: %s", err) + } + + if err := clearIPs(link, netPair.VirtIface.Addrs); err != nil { + return fmt.Errorf("Unable to clear veth IP addresses: %s", err) + } + if err := netHandle.LinkSetUp(link); err != nil { return fmt.Errorf("Could not enable veth %s: %s", netPair.VirtIface.Name, err) } @@ -1001,7 +1011,8 @@ func unBridgeNetworkPair(endpoint Endpoint) error { return fmt.Errorf("Could not detach veth %s: %s", netPair.VirtIface.Name, err) } - return nil + // Restore the IPs that were cleared + return setIPs(link, netPair.VirtIface.Addrs) } func removeTCFiltering(endpoint Endpoint) error { From b798c28fd04bd62e2077b076e1c260e31ba72462 Mon Sep 17 00:00:00 2001 
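Review bot: `netlink.AddrList(link, netlink.FAMILY_V4)` in bridgeNetworkPair collects only IPv4 addresses, so any IPv6 address on the veth stays in place after `clearIPs`; if the conflict this commit targets can also arise for IPv6 neighbours (the description does not say), `netlink.FAMILY_ALL` would cover both. The saved list lives only in `netPair.VirtIface.Addrs` and `unBridgeNetworkPair` restores from it, so the restore depends on that field surviving until teardown, including across any persistence of the endpoint, which is worth confirming. The final `return setIPs(link, netPair.VirtIface.Addrs)` also returns the error without the interface name that the neighbouring messages include. Both function bodies start and end outside the hunks.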
From: "Yang, Wei" Date: Mon, 13 May 2019 23:01:04 +0800 Subject: [PATCH 20/21] shimv2: Close vhostfd after vm get vhostfd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If kata containers is using vfio and vhost net,the unbinding of vfio would be hang. In the scenario, vhost net kernel thread takes a reference to the qemu's mm, and the reference also includes the mmap regions on the vfio device file. so vhost kernel thread would be not released when qemu is killed as the vhost file descriptor still is opened by shim v2 process, and the vfio device is not released because there's still a reference to the mmap. Fixes: #1669 Signed-off-by: Yang, Wei Signed-off-by: Eric Ernst (cherry picked from commit 071030b7846e765ffa3db1ee10c29552f383cbb3) Signed-off-by: Ganesh Maharaj Mahalingam --- virtcontainers/api.go | 2 ++ virtcontainers/network.go | 26 ++++++++++++++++++++++++++ virtcontainers/qemu.go | 1 + virtcontainers/sandbox.go | 5 +++++ 4 files changed, 34 insertions(+) diff --git a/virtcontainers/api.go b/virtcontainers/api.go index cdbfb1ad10..8605b978f4 100644 --- a/virtcontainers/api.go +++ b/virtcontainers/api.go @@ -108,6 +108,8 @@ func createSandboxFromConfig(ctx context.Context, sandboxConfig SandboxConfig, f } }() + s.postCreatedNetwork() + if err = s.getAndStoreGuestDetails(); err != nil { return nil, err } diff --git a/virtcontainers/network.go b/virtcontainers/network.go index 4dea04e5f6..df553f4c27 100644 --- a/virtcontainers/network.go +++ b/virtcontainers/network.go 
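Review bot: The error returned by `s.postCreatedNetwork()` is discarded in createSandboxFromConfig, while the calls around it are checked. PostAdd currently always returns nil, but its signature promises an error and a later change there would be silently ignored; `if err = s.postCreatedNetwork(); err != nil { return nil, err }` matches the surrounding style. The function body continues outside the hunk.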
@@ -1448,6 +1448,32 @@ func (n *Network) Add(ctx context.Context, config *NetworkConfig, hypervisor hyp
 return endpoints, nil
 }
 
+func (n *Network) PostAdd(ctx context.Context, ns *NetworkNamespace, hotplug bool) error {
+ if hotplug {
+ return nil
+ }
+
+ if ns.Endpoints == nil {
+ return nil
+ }
+
+ endpoints := ns.Endpoints
+
+ for _, endpoint := range endpoints {
+ netPair := endpoint.NetworkPair()
+ if netPair == nil {
+ continue
+ }
+ if netPair.VhostFds != nil {
+ for _, VhostFd := range netPair.VhostFds {
+ VhostFd.Close()
+ }
+ }
+ }
+
+ return nil
+}
+
 // Remove network endpoints in the network namespace. It also deletes the network
 // namespace in case the namespace has been created by us.
 func (n *Network) Remove(ctx context.Context, ns *NetworkNamespace, hypervisor hypervisor, hotunplug bool) error {
diff --git a/virtcontainers/qemu.go b/virtcontainers/qemu.go
index 9edafcb08c..8560df94fc 100644
--- a/virtcontainers/qemu.go
+++ b/virtcontainers/qemu.go
@@ -1042,6 +1042,7 @@ func (q *qemu) hotAddNetDevice(name, hardAddr string, VMFds, VhostFds []*os.File
 if err := q.qmpMonitorCh.qmp.ExecuteGetFD(q.qmpMonitorCh.ctx, fdName, VhostFd); err != nil {
 return err
 }
+ VhostFd.Close()
 VhostFdNames = append(VhostFdNames, fdName)
 }
 return q.qmpMonitorCh.qmp.ExecuteNetdevAddByFds(q.qmpMonitorCh.ctx, "tap", name, VMFdNames, VhostFdNames)
diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
index f02ebbbdce..a4b32dec64 100644
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@@ -840,6 +840,11 @@ func (s *Sandbox) createNetwork() error {
 return s.store.Store(store.Network, s.networkNS)
 }
 
+func (s *Sandbox) postCreatedNetwork() error {
+
+ return s.network.PostAdd(s.ctx, &s.networkNS, s.factory != nil)
+}
+
 func (s *Sandbox) removeNetwork() error {
 span, _ := s.trace("removeNetwork")
 defer span.Finish()

From a480f27fe3e11338279922aeaa78284d754d02a9 Mon Sep 17 00:00:00 2001
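Review bot: After the inner loop in PostAdd, `netPair.VhostFds` still holds the `*os.File` values that were just closed, and every `Close()` error is dropped. Any later reader of that slice would be handed closed files, so the slice should be cleared once the descriptors are released, and the first close error returned so that a descriptor which could not be released is visible to the caller. The `nil` checks on `ns.Endpoints` and `netPair.VhostFds` add nothing, since ranging over a nil value is a no-op, and the exported method has no doc comment. Whether anything running after PostAdd still expects the slice to be populated cannot be seen from this hunk.

```go
// PostAdd closes this process's copies of the vhost fds of every endpoint
// once the VM has received them. Hotplugged interfaces are skipped.
func (n *Network) PostAdd(ctx context.Context, ns *NetworkNamespace, hotplug bool) error {
	// … unchanged: early return when hotplug is set …

	var firstErr error
	for _, endpoint := range ns.Endpoints {
		netPair := endpoint.NetworkPair()
		if netPair == nil {
			continue
		}
		for _, vhostFd := range netPair.VhostFds {
			if err := vhostFd.Close(); err != nil && firstErr == nil {
				firstErr = err
			}
		}
		// Drop the closed handles so nothing picks them up later.
		netPair.VhostFds = nil
	}

	return firstErr
}
```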
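Review bot: The added `VhostFd.Close()` in hotAddNetDevice runs only after `ExecuteGetFD` succeeds, so on the `return err` just above it the current descriptor and any entries of `VhostFds` not yet reached stay open in this process. That is the state the commit message associates with the vfio unbind hang, now limited to the failure path. Calling `VhostFd.Close()` before that `return err`, and closing the remaining entries of `VhostFds` there as well, would cover it; the `Close()` result is also ignored on the added line. The loop and the function begin outside the hunk, so the handling of `VMFds` and any deferred cleanup are not visible here.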
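Review bot: In postCreatedNetwork, `s.factory != nil` is passed as PostAdd's `hotplug` argument with nothing explaining why the presence of a factory means the interfaces were hotplugged. A doc comment would make that link explicit, for example `// postCreatedNetwork closes the runtime's copies of the vhost fds once the VM holds them; with a factory the NICs are hotplugged and hotAddNetDevice closes them itself.` (wording inferred from the other hunks of this patch, to be confirmed by the author). The empty line that opens the function body can be dropped.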
From: Eric Ernst Date: Tue, 4 Jun 2019 09:33:24 -0700 Subject: [PATCH 21/21] fc-toml: remove proxy section in config proxy will never be use with the Firecracker VMM. Keeping this header will result in runtime failures, since the configuration will be parsed on the path searched for. Since vsock will always be used, remove the proxy section. Fixes: #1761 Signed-off-by: Eric Ernst (cherry picked from commit bbe5584deba4df6166b9cd92293eef58818aa5bf) Signed-off-by: Ganesh Maharaj Mahalingam --- cli/config/configuration-fc.toml.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in index d90c79e2d1..3f9ca1fbf9 100644 --- a/cli/config/configuration-fc.toml.in +++ b/cli/config/configuration-fc.toml.in @@ -201,8 +201,6 @@ use_vsock = true # Default false #enable_template = true -[proxy.@PROJECT_TYPE@] - [shim.@PROJECT_TYPE@] path = "@SHIMPATH@"