Backports for 1.7.1

.ci/static-checks.sh

@@ -9,4 +9,8 @@ set -e
 cidir=$(dirname "$0")
 source "${cidir}/lib.sh"
 
+# Build kata-runtime before running static checks
+make -C "${cidir}/../"
+
+# Run static checks
 run_static_checks

Makefile

@@ -245,7 +245,7 @@ ifneq (,$(NEMUCMD))
     # currently, huge pages are required for virtiofsd support
     DEFENABLEHUGEPAGES_NEMU := true
     # nemu uses virt machine type
-    DEFMACHINEACCELERATOR_NEMU := virt
+    DEFMACHINETYPE_NEMU := virt
     DEFBLOCKSTORAGEDRIVER_NEMU := virtio-scsi
     DEFNETWORKMODEL_NEMU := tcfilter
     KERNELNAME = $(call MAKE_KERNEL_NAME,$(KERNELTYPE))
@@ -334,7 +334,7 @@ USER_VARS += KERNELTYPE_FC
 USER_VARS += FIRMWAREPATH
 USER_VARS += FIRMWAREPATH_NEMU
 USER_VARS += MACHINEACCELERATORS
-USER_VARS += DEFMACHINEACCELERATOR_NEMU
+USER_VARS += DEFMACHINETYPE_NEMU
 USER_VARS += KERNELPARAMS
 USER_VARS += LIBEXECDIR
 USER_VARS += LOCALSTATEDIR
@@ -486,7 +486,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 		-e "s|@FIRMWAREPATH@|$(FIRMWAREPATH)|g" \
 		-e "s|@FIRMWAREPATH_NEMU@|$(FIRMWAREPATH_NEMU)|g" \
 		-e "s|@MACHINEACCELERATORS@|$(MACHINEACCELERATORS)|g" \
-		-e "s|@DEFMACHINEACCELERATOR_NEMU@|$(DEFMACHINEACCELERATOR_NEMU)|g" \
+		-e "s|@DEFMACHINETYPE_NEMU@|$(DEFMACHINETYPE_NEMU)|g" \
 		-e "s|@KERNELPARAMS@|$(KERNELPARAMS)|g" \
 		-e "s|@LOCALSTATEDIR@|$(LOCALSTATEDIR)|g" \
 		-e "s|@PKGLIBEXECDIR@|$(PKGLIBEXECDIR)|g" \

cli/config/configuration-fc.toml.in

@@ -201,8 +201,6 @@ use_vsock = true
 # Default false
 #enable_template = true
 
-[proxy.@PROJECT_TYPE@]
-
 [shim.@PROJECT_TYPE@]
 path = "@SHIMPATH@"
 

cli/config/configuration-nemu.toml.in

@@ -15,6 +15,7 @@
 path = "@NEMUPATH@"
 kernel = "@KERNELPATH@"
 image = "@IMAGEPATH@"
+machine_type = "@DEFMACHINETYPE_NEMU@"
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -35,7 +36,7 @@ firmware = "@FIRMWAREPATH_NEMU@"
 # Machine accelerators
 # comma-separated list of machine accelerators to pass to the hypervisor.
 # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"`
-machine_accelerators="@DEFMACHINEACCELERATOR_NEMU@"
+machine_accelerators=""
 
 # Default number of vCPUs per SB/VM:
 # unspecified or 0                --> will be set to @DEFVCPUS@

containerd-shim-v2/container.go

@@ -6,7 +6,6 @@
 package containerdshim
 
 import (
-	"sync"
 	"time"
 
 	"github.com/containerd/containerd/api/types/task"
@@ -31,7 +30,6 @@ type container struct {
 	stderr   string
 	bundle   string
 	cType    vc.ContainerType
-	mu       sync.Mutex
 	exit     uint32
 	status   task.Status
 	terminal bool

containerd-shim-v2/create.go

@@ -10,12 +10,13 @@ package containerdshim
 import (
 	"context"
 	"fmt"
+	"os"
+	"path/filepath"
+
 	"github.com/containerd/typeurl"
 	vc "github.com/kata-containers/runtime/virtcontainers"
 	"github.com/kata-containers/runtime/virtcontainers/pkg/oci"
 	"github.com/pkg/errors"
-	"os"
-	"path/filepath"
 
 	taskAPI "github.com/containerd/containerd/runtime/v2/task"
 
@@ -30,7 +31,7 @@ import (
 	crioption "github.com/containerd/cri-containerd/pkg/api/runtimeoptions/v1"
 )
 
-func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns string) (*container, error) {
+func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) {
 	rootFs := vc.RootFs{Mounted: s.mount}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
@@ -40,7 +41,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns
 	}
 
 	detach := !r.Terminal
-	ociSpec, bundlePath, err := loadSpec(r, netns)
+	ociSpec, bundlePath, err := loadSpec(r)
 	if err != nil {
 		return nil, err
 	}
@@ -124,7 +125,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest, netns
 	return container, nil
 }
 
-func loadSpec(r *taskAPI.CreateTaskRequest, netns string) (*oci.CompatOCISpec, string, error) {
+func loadSpec(r *taskAPI.CreateTaskRequest) (*oci.CompatOCISpec, string, error) {
 	// Checks the MUST and MUST NOT from OCI runtime specification
 	bundlePath, err := validBundle(r.ID, r.Bundle)
 	if err != nil {
@@ -136,23 +137,6 @@ func loadSpec(r *taskAPI.CreateTaskRequest, netns string) (*oci.CompatOCISpec, s
 		return nil, "", err
 	}
 
-	//set the network namespace path
-	//this set will be applied to sandbox's
-	//network config and has nothing to
-	//do with containers in the sandbox since
-	//networkNamespace has been ignored by
-	//kata-agent in sandbox.
-
-	for _, n := range ociSpec.Linux.Namespaces {
-		if n.Type != specs.NetworkNamespace {
-			continue
-		}
-
-		if n.Path == "" {
-			n.Path = netns
-		}
-	}
-
 	// Todo:
 	// Since there is a bug in kata for sharedPidNs, here to
 	// remove the pidns to disable the sharePidNs temporarily,

containerd-shim-v2/delete.go

@@ -17,21 +17,21 @@ import (
 )
 
 func deleteContainer(ctx context.Context, s *service, c *container) error {
-
-	status, err := s.sandbox.StatusContainer(c.id)
-	if err != nil {
-		return err
-	}
-	if status.State.State != types.StateStopped {
-		_, err = s.sandbox.StopContainer(c.id)
+	if !c.cType.IsSandbox() {
+		status, err := s.sandbox.StatusContainer(c.id)
 		if err != nil {
 			return err
 		}
-	}
+		if status.State.State != types.StateStopped {
+			_, err = s.sandbox.StopContainer(c.id)
+			if err != nil {
+				return err
+			}
+		}
 
-	_, err = s.sandbox.DeleteContainer(c.id)
-	if err != nil {
-		return err
+		if _, err = s.sandbox.DeleteContainer(c.id); err != nil {
+			return err
+		}
 	}
 
 	// Run post-stop OCI hooks.

containerd-shim-v2/service.go

@@ -334,15 +334,8 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ *
 	defer s.mu.Unlock()
 
 	var c *container
-	var netns string
 
-	//the network namespace created by cni plugin
-	netns, err = namespaces.NamespaceRequired(ctx)
-	if err != nil {
-		return nil, errors.Wrap(err, "create namespace")
-	}
-
-	c, err = create(ctx, s, r, netns)
+	c, err = create(ctx, s, r)
 	if err != nil {
 		return nil, err
 	}
@@ -431,29 +424,12 @@ func (s *service) Delete(ctx context.Context, r *taskAPI.DeleteRequest) (_ *task
 	}
 
 	if r.ExecID == "" {
-		err = deleteContainer(ctx, s, c)
-		if err != nil {
+		if err = deleteContainer(ctx, s, c); err != nil {
 			return nil, err
 		}
 
-		// Take care of the use case where it is a sandbox.
-		// Right after the container representing the sandbox has
-		// been deleted, let's make sure we stop and delete the
-		// sandbox.
-		if c.cType.IsSandbox() {
-			if err = s.sandbox.Stop(); err != nil {
-				logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to stop sandbox")
-				return nil, err
-			}
-
-			if err = s.sandbox.Delete(); err != nil {
-				logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to delete sandbox")
-				return nil, err
-			}
-		}
-
 		s.send(&eventstypes.TaskDelete{
-			ContainerID: s.id,
+			ContainerID: c.id,
 			Pid:         s.pid,
 			ExitStatus:  c.exit,
 			ExitedAt:    c.exitTime,
@@ -677,6 +653,20 @@ func (s *service) Kill(ctx context.Context, r *taskAPI.KillRequest) (_ *ptypes.E
 		return nil, err
 	}
 
+	// According to CRI specs, kubelet will call StopPodSandbox()
+	// at least once before calling RemovePodSandbox, and this call
+	// is idempotent, and must not return an error if all relevant
+	// resources have already been reclaimed. And in that call it will
+	// send a SIGKILL signal first to try to stop the container, thus
+	// once the container has terminated, here should ignore this signal
+	// and return directly.
+	if signum == syscall.SIGKILL || signum == syscall.SIGTERM {
+		if c.status == task.StatusStopped {
+			logrus.WithField("sandbox", s.sandbox.ID()).WithField("Container", c.id).Debug("Container has already been stopped")
+			return empty, nil
+		}
+	}
+
 	processID := c.id
 	if r.ExecID != "" {
 		execs, err := c.getExec(r.ExecID)

containerd-shim-v2/wait.go

@@ -42,23 +42,41 @@ func wait(s *service, c *container, execID string) (int32, error) {
 	}
 
 	timeStamp := time.Now()
-	c.mu.Lock()
+
+	s.mu.Lock()
 	if execID == "" {
+		// Take care of the use case where it is a sandbox.
+		// Right after the container representing the sandbox has
+		// been deleted, let's make sure we stop and delete the
+		// sandbox.
+
+		if c.cType.IsSandbox() {
+			if err = s.sandbox.Stop(); err != nil {
+				logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to stop sandbox")
+			}
+
+			if err = s.sandbox.Delete(); err != nil {
+				logrus.WithField("sandbox", s.sandbox.ID()).Error("failed to delete sandbox")
+			}
+		} else {
+			if _, err = s.sandbox.StopContainer(c.id); err != nil {
+				logrus.WithError(err).WithField("container", c.id).Warn("stop container failed")
+			}
+		}
 		c.status = task.StatusStopped
 		c.exit = uint32(ret)
 		c.exitTime = timeStamp
+
+		c.exitCh <- uint32(ret)
+
 	} else {
 		execs.status = task.StatusStopped
 		execs.exitCode = ret
 		execs.exitTime = timeStamp
-	}
-	c.mu.Unlock()
 
-	if execID == "" {
-		c.exitCh <- uint32(ret)
-	} else {
 		execs.exitCh <- uint32(ret)
 	}
+	s.mu.Unlock()
 
 	go cReap(s, int(ret), c.id, execID, timeStamp)
 

data/kata-collect-data.sh.in

@@ -1,20 +1,22 @@
 #!/bin/bash
 #
-# Copyright (c) 2017-2019 Intel Corporation
+# Copyright (c) 2017-2018 Intel Corporation
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 
 typeset -r script_name=${0##*/}
 typeset -r runtime_name="@RUNTIME_NAME@"
-typeset -r runtime=$(command -v "$runtime_name" 2>/dev/null)
+typeset -r runtime_path=$(command -v "$runtime_name" 2>/dev/null)
+typeset -r runtime_snap_name="kata-containers.runtime"
+typeset -r runtime_snap_path=$(command -v "$runtime_snap_name" 2>/dev/null)
+typeset -r runtime=${runtime_path:-"$runtime_snap_path"}
 typeset -r issue_url="@PROJECT_BUG_URL@"
 typeset -r script_version="@VERSION@ (commit @COMMIT@)"
 
 typeset -r unknown="unknown"
 
 typeset -r osbuilder_file="/var/lib/osbuilder/osbuilder.yaml"
-typeset -r dax_header_size_bytes=$((2 * 1024 * 1024))
 
 # Maximum number of errors to show for a single system component
 # (such as runtime or proxy).
@@ -401,34 +403,19 @@ get_image_details()
 	local contents
 	local expected
 
-	local found_valid_image=0
-
-	# Newer images contain a dax header, but check for both types.
-	for use_dax_offset in true false
-	do
-		loop_device=$(loopmount_image "$img" "$use_dax_offset")
-		[ -z "$loop_device" ] && continue
-
-		partitions=$(get_partitions "$loop_device")
-		if [ -z "$partitions" ]; then
-			release_device "$loop_device"
-			continue
-		fi
-
-		count=$(echo "$partitions"|wc -l)
-
-		expected=1
+	loop_device=$(loopmount_image "$img")
+	if [ -z "$loop_device" ]; then
+		echo "$unknown"
+		return
+	fi
 
-		if [ "$count" -ne "$expected" ]; then
-			release_device "$loop_device"
-			continue
-		fi
+	partitions=$(get_partitions "$loop_device")
+	count=$(echo "$partitions"|wc -l)
 
-		found_valid_image=1
-		break
-	done
+	expected=1
 
-	if [ "$found_valid_image" = 0 ]; then
+	if [ "$count" -ne "$expected" ]; then
+		release_device "$loop_device"
 		echo "$unknown"
 		return
 	fi
@@ -450,8 +437,7 @@ get_image_details()
 	unmount_partition "$mountpoint"
 	release_device "$loop_device"
 
-	# Supplement the output with details of whether the header was found
-	printf -- "%s\ndax-nvdimm-header: \"%s\"\n" "${contents}" "$use_dax_offset"
+	echo "$contents"
 }
 
 # Parameter 1: Path to the initrd file.
@@ -526,16 +512,10 @@ loopmount_image()
 {
 	local img="$1"
 	[ -n "$img" ] || die "need image file"
-	local use_dax_offset="$2"
-	[ -n "$use_dax_offset" ] || die "need dax offset value"
 
 	local device_path
 
-	local offset=0
-
-	[ "$use_dax_offset" = true ] && offset="$dax_header_size_bytes"
-
-	losetup -fP -o "$offset" "$img"
+	losetup -fP "$img"
 
 	device_path=$(losetup -j "$img" |\
 		cut -d: -f1 |\