From 6d4a941431c1a30464567cdb1277a5fd5a73193b Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Thu, 29 Aug 2024 16:48:11 +0200
Subject: [PATCH] kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 ...unts-Mount-configfs-into-the-contain.patch | 58 +++++++++
 packages/by-name/kata/kata-agent/package.nix | 15 ++-
 ...ass-the-firwmare-using-bios-with-SNP.patch | 4 +-
 ...l-that-most-closely-matches-the-host.patch | 2 +-
 ...e-agent-verify-the-agent-policy-hash.patch | 76 +++++++-----
 .../0004-qemu-don-t-emit-scsi-parameter.patch | 116 ------------------
 .../by-name/kata/kata-runtime/package.nix | 7 +-
 7 files changed, 120 insertions(+), 158 deletions(-)
 create mode 100644 packages/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
 delete mode 100644 packages/by-name/kata/kata-runtime/0004-qemu-don-t-emit-scsi-parameter.patch

diff --git a/packages/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch b/packages/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
new file mode 100644
index 0000000000..baf55a63fc
--- /dev/null
+++ b/packages/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
@@ -0,0 +1,58 @@ +From 6ac3bfc6df55ba3cc0fdd80860f85621f345cd90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Thu, 25 Apr 2024 10:34:26 +0200 +Subject: [PATCH] runtime: agent: mounts: Mount configfs into the container +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +configfs is used to get a quote generated, and having this information +available from inside the container (in case the container itself wants +to attest something) is a must. + +It's important to note that this is not really needed by Confidential +Containers, as the attestation-agent (which is running on the pod +sandbox VM) has access to this and is able to get the quote generated on +the guest without any kind of issue. However, this is still reasonable +to have exposed to the container, as it may and will help doing some +simpler tests. + +Signed-off-by: Fabiano FidĂȘncio +--- + src/agent/rustjail/src/mount.rs | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs +index 14e3d9560..b5f857913 100644 +--- a/src/agent/rustjail/src/mount.rs ++++ b/src/agent/rustjail/src/mount.rs +@@ -288,6 +288,26 @@ pub fn init_rootfs( + } + } + ++ if let Some(annotations) = spec.annotations() { ++ annotations.iter().for_each(|(k, v)| { ++ if k == "io.katacontainers.pkg.oci.container_type" && v != "pod_sandbox" { ++ let err = mount( ++ Some("configfs"), ++ format!("{}/sys/kernel/config", rootfs).as_str(), ++ Some("configfs"), ++ MsFlags::MS_NODEV | MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_RELATIME, ++ None::<&str>, ++ ); ++ match err { ++ Ok(_) => (), ++ Err(e) => { ++ log_child!(cfd_log, "mount /sys/kernel/config configs error: {}", e.to_string()); ++ } ++ } ++ } ++ }); ++ } ++ + let olddir = unistd::getcwd()?; + unistd::chdir(rootfs)?; + +-- +2.45.2 + 
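Review bot: The `mount(Some("configfs"), …)` call added to `init_rootfs` in the new patch file exposes the guest's configfs read-write (only `MS_NODEV | MS_NOSUID | MS_NOEXEC | MS_RELATIME` are set) to every container whose `io.katacontainers.pkg.oci.container_type` annotation is anything other than `pod_sandbox`, with no opt-in; configfs is a single kernel-global view, so every configfs subsystem the guest kernel registers, not just the quote interface, becomes writable from the workload. Since the patch description itself says Confidential Containers does not need this, it would be safer to gate the mount on an explicit configuration flag or annotation so the exposure is a deliberate per-workload choice. Two smaller items: the log text `"mount /sys/kernel/config configs error: {}"` should read `configfs`, and `match err { Ok(_) => (), Err(e) => … }` is more idiomatically `if let Err(e) = mount(…) { log_child!(…) }`; the annotation scan could likewise be a single lookup such as `annotations.get("io.katacontainers.pkg.oci.container_type").is_some_and(|v| v != "pod_sandbox")` if `annotations` is a map. `init_rootfs` starts and ends outside this hunk.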
diff --git a/packages/by-name/kata/kata-agent/package.nix b/packages/by-name/kata/kata-agent/package.nix index ec7e44346e..b239c2c255 100644 --- a/packages/by-name/kata/kata-agent/package.nix +++ b/packages/by-name/kata/kata-agent/package.nix @@ -27,7 +27,7 @@ rustPlatform.buildRustPackage rec { cargoLock = { lockFile = "${src}/src/agent/Cargo.lock"; outputHashes = { - "attester-0.1.0" = "sha256-sRkBoBtE1irZxo5y3Ined6wMUmwxXq9c+Trt99q7kRk="; + "attester-0.1.0" = "sha256-qQcQv4byjGTP5mUUt1xMSZnHA0m39QhPew/t/SKlleQ="; "loopdev-0.5.0" = "sha256-PD+iuZWPAFd3VUCgNB0ZrH/aCM2VMqJEyAv5/j1kqlA="; "sigstore-0.9.0" = "sha256-IeHuB5d5IU9YryeD47Qht0x806kJCoIOHsoEATRV+MY="; }; @@ -35,13 +35,16 @@ rustPlatform.buildRustPackage rec { patches = [ # Mount configfs into the workload container from the UVM. - (fetchpatch { - url = "https://github.com/kata-containers/kata-containers/commit/779152b91b20b22009d215887d06908c638d2efc.patch"; - stripLen = 2; - hash = "sha256-gs1EgD+1Ol9rg0oo14WFQ3H7GCAU5EQrXSuQW+DtEWk="; - }) + # Based on https://github.com/kata-containers/kata-containers/pull/9554, + # which wasn't accepted upstream. + # + # Rebase 3.8.0, changes squashed into patch: + # - fix 'field `annotations` of struct `oci_spec::runtime::Spec` is private' + ./0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch ]; + patchFlags = [ "-p3" ]; + nativeBuildInputs = [ cmake pkg-config diff --git a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch index cdad9e24c3..aca57958f3 100644 --- a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch +++ b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch 
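Review bot: The rebase note on the new `./0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch` entry lives only in this Nix comment, while the patch file's own header still presents it as an unmodified upstream commit; recording the squash (the `annotations` accessor fix) in the patch's commit message as well keeps the provenance with the file when it is next rebased or copied. `patchFlags = [ "-p3" ]` now applies to every entry of `patches`, which works for the single local patch whose paths start with `a/src/agent/`, but a future `fetchpatch` entry relying on `stripLen` would no longer apply under it. A one-line comment such as `# local patches are generated from the kata-containers repo root; -p3 strips a/src/agent/` would make that constraint visible to the next editor.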
@@ -1,4 +1,4 @@ -From 5f8dbb3390fc47b7330b1bf6419466261a0541c1 Mon Sep 17 00:00:00 2001 +From c7462075ed2bca6a56da5f246dbaddf128073eba Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Fri, 5 Jul 2024 08:43:13 +0000 Subject: [PATCH 1/3] govmm: Directly pass the firwmare using -bios with SNP @@ -9,7 +9,7 @@ Subject: [PATCH 1/3] govmm: Directly pass the firwmare using -bios with SNP 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go -index 6d71e28f9..4cc2239ec 100644 +index 47322c803..6b2b6b02d 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -395,9 +395,7 @@ func (object Object) QemuParams(config *Config) []string { diff --git a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch index 0fc1fe40d8..e2044a7382 100644 --- a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch +++ b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch @@ -1,4 +1,4 @@ -From f6bb9ca2c01ba9ed474c60faa8e29b033e8ca763 Mon Sep 17 00:00:00 2001 +From 1b310a680a6f8920d353db2baa0e112c4f24d4d7 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:35:54 +0000 Subject: [PATCH 2/3] emulate CPU model that most closely matches the host diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch index cdb37ba0f8..738696c6fb 100644 --- a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch +++ b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch 
@@ -1,7 +1,7 @@ -From 9a0c4195f2051d2e49218a48700f6d2952ddd3f6 Mon Sep 17 00:00:00 2001 +From 90ac78311def7100de26d543d862c56561526f7f Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:51:20 +0000 -Subject: [PATCH] runtime: agent: verify the agent policy hash +Subject: [PATCH 3/3] runtime: agent: verify the agent policy hash For TEE Guests that support the inclusion of immutable Host owned data in their configuration (SNP HostData and TDX MRCONFIGID): @@ -25,7 +25,7 @@ Signed-off-by: Tom Dohrmann src/agent/src/sev.rs | 19 ++ src/agent/src/tdx.rs | 194 ++++++++++++++++++ src/runtime/pkg/govmm/qemu/qemu.go | 25 ++- - src/runtime/virtcontainers/hypervisor.go | 4 + + src/runtime/virtcontainers/hypervisor.go | 10 +- src/runtime/virtcontainers/qemu.go | 2 +- src/runtime/virtcontainers/qemu_amd64.go | 39 +++- src/runtime/virtcontainers/qemu_amd64_test.go | 116 ++++++++++- @@ -37,15 +37,15 @@ Signed-off-by: Tom Dohrmann src/runtime/virtcontainers/qemu_s390x.go | 2 +- src/runtime/virtcontainers/qemu_s390x_test.go | 51 ++++- src/runtime/virtcontainers/sandbox.go | 1 + - 19 files changed, 678 insertions(+), 38 deletions(-) + 19 files changed, 681 insertions(+), 41 deletions(-) create mode 100644 src/agent/src/sev.rs create mode 100644 src/agent/src/tdx.rs diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock -index a69195f92..04f51559d 100644 +index 7afdf286a..f7a96e0b7 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock -@@ -541,6 +541,12 @@ version = "0.6.3" +@@ -542,6 +542,12 @@ version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" @@ -119,7 +119,7 @@ index a69195f92..04f51559d 100644 [[package]] name = "iovec" version = "0.1.4" -@@ -2812,6 +2851,8 @@ dependencies = [ +@@ -2813,6 +2852,8 @@ dependencies = [ "serde", "serde_json", "serial_test", 
@@ -128,7 +128,7 @@ index a69195f92..04f51559d 100644 "slog", "slog-scope", "slog-stdlog", -@@ -2829,6 +2870,7 @@ dependencies = [ +@@ -2830,6 +2871,7 @@ dependencies = [ "tracing-subscriber", "ttrpc", "url", @@ -136,7 +136,7 @@ index a69195f92..04f51559d 100644 "vsock-exporter", "which", ] -@@ -3743,6 +3785,12 @@ dependencies = [ +@@ -3737,6 +3779,12 @@ dependencies = [ "tokio-stream", ] @@ -149,7 +149,7 @@ index a69195f92..04f51559d 100644 [[package]] name = "ordered-stream" version = "0.2.0" -@@ -5167,6 +5215,15 @@ dependencies = [ +@@ -5173,6 +5221,15 @@ dependencies = [ "syn 1.0.109", ] @@ -165,7 +165,7 @@ index a69195f92..04f51559d 100644 [[package]] name = "serde-enum-str" version = "0.4.0" -@@ -5186,6 +5243,15 @@ version = "0.2.2" +@@ -5192,6 +5249,15 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70" @@ -181,7 +181,7 @@ index a69195f92..04f51559d 100644 [[package]] name = "serde_derive" version = "1.0.204" -@@ -5289,6 +5355,28 @@ dependencies = [ +@@ -5295,6 +5361,28 @@ dependencies = [ "syn 1.0.109", ] @@ -210,7 +210,7 @@ index a69195f92..04f51559d 100644 [[package]] name = "sha1" version = "0.10.6" -@@ -6356,6 +6444,16 @@ version = "0.9.4" +@@ -6362,6 +6450,16 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" @@ -228,10 +228,10 @@ index a69195f92..04f51559d 100644 name = "vsock" version = "0.2.6" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml -index 2df8ce15f..f137d6b1b 100644 +index b545449b8..4b9a0ed48 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml -@@ -84,6 +84,11 @@ regorus = { version = "0.1.4", default-features = false, features = [ +@@ -85,6 +85,11 @@ regorus = { version = "0.1.4", default-features = false, features = [ "regex", ], optional = true } 
@@ -243,7 +243,7 @@ index 2df8ce15f..f137d6b1b 100644 [dev-dependencies] tempfile = "3.1.0" test-utils = { path = "../libs/test-utils" } -@@ -102,7 +107,7 @@ lto = true +@@ -103,7 +108,7 @@ lto = true default-pull = ["guest-pull"] seccomp = ["rustjail/seccomp"] standard-oci-runtime = ["rustjail/standard-oci-runtime"] @@ -253,10 +253,10 @@ index 2df8ce15f..f137d6b1b 100644 [[bin]] diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs -index ccde79e98..6b4ad3e06 100644 +index 6d1327d76..25746ffda 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs -@@ -87,6 +87,10 @@ mod tracer; +@@ -86,6 +86,10 @@ mod tracer; #[cfg(feature = "agent-policy")] mod policy; @@ -268,7 +268,7 @@ index ccde79e98..6b4ad3e06 100644 cfg_if! { if #[cfg(target_arch = "s390x")] { diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs -index d709515ff..ee4f1f324 100644 +index 241611585..c01f756b7 100644 --- a/src/agent/src/policy.rs +++ b/src/agent/src/policy.rs @@ -3,12 +3,15 @@ @@ -288,7 +288,7 @@ index d709515ff..ee4f1f324 100644 use crate::AGENT_POLICY; static POLICY_LOG_FILE: &str = "/tmp/policy.txt"; -@@ -131,6 +134,7 @@ impl AgentPolicy { +@@ -137,6 +140,7 @@ impl AgentPolicy { /// Replace the Policy in regorus. pub async fn set_policy(&mut self, policy: &str) -> Result<()> { @@ -296,8 +296,8 @@ index d709515ff..ee4f1f324 100644 self.engine = Self::new_engine(); self.engine .add_policy("agent_policy".to_string(), policy.to_string())?; -@@ -161,3 +165,43 @@ impl AgentPolicy { - } +@@ -184,3 +188,43 @@ impl AgentPolicy { + Ok(()) } } + @@ -566,7 +566,7 @@ index 000000000..1531e72a8 + Ok(mrconfigid) +} diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go -index 4cc2239ec..f5ff0fc95 100644 +index 6b2b6b02d..bcb6cd2ad 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -320,6 +320,11 @@ type Object struct { @@ -625,13 +625,22 @@ index 4cc2239ec..f5ff0fc95 100644 return tdxObject.String() 
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go -index cc3743310..0c24183a3 100644 +index 853ad4d5b..c47029e1d 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go -@@ -684,6 +684,10 @@ type HypervisorConfig struct { +@@ -559,7 +559,7 @@ type HypervisorConfig struct { + // NumVCPUs specifies default number of vCPUs for the VM. + NumVCPUsF float32 - // QgsPort defines Intel Quote Generation Service port exposed from the host - QgsPort uint32 +- //DefaultMaxVCPUs specifies the maximum number of vCPUs for the VM. ++ // DefaultMaxVCPUs specifies the maximum number of vCPUs for the VM. + DefaultMaxVCPUs uint32 + + // DefaultMem specifies default memory size in MiB for the VM. +@@ -687,6 +687,10 @@ type HypervisorConfig struct { + + // Initdata defines the initdata passed into guest when CreateVM + Initdata string + + // Policy text, for sandboxes created using a valid io.katacontainers.config.agent.policy + // annotation @@ -639,6 +648,17 @@ index cc3743310..0c24183a3 100644 } // vcpu mapping from vcpu number to thread number +@@ -1048,8 +1052,8 @@ type guestProtection uint8 + const ( + noneProtection guestProtection = iota + +- //Intel Trust Domain Extensions +- //https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html ++ // Intel Trust Domain Extensions ++ // https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html + // Exclude from lint checking for it won't be used on arm64 code + tdxProtection + diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index 7a189bb91..509f74a3c 100644 --- a/src/runtime/virtcontainers/qemu.go @@ -1267,5 +1287,5 @@ index b58daccaa..af35af12e 100644 spec := s.GetPatchedOCISpec() if spec != nil && spec.Process.SelinuxLabel != "" { -- -2.45.1 +2.45.2 
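Review bot: The rebased `0003-runtime-agent-verify-the-agent-policy-hash.patch` now carries two hunks in `src/runtime/virtcontainers/hypervisor.go` (`@@ -559,7 +559,7 @@` and `@@ -1048,8 +1052,8 @@`) that only change comment spacing (`//DefaultMaxVCPUs` → `// DefaultMaxVCPUs` and the two TDX comment lines), which is why the inner diffstat for that file grew from `4 +` to `10 +-`. These edits are unrelated to policy-hash verification — presumably picked up from a formatter during the rebase — and they widen a vendored patch on a security-critical path, making the next rebase and the review of what the patch actually changes harder. Dropping those two hunks, or else noting their origin in the patch description, would keep the patch limited to what its subject says. The `HypervisorConfig` struct and the `guestProtection` const block both extend outside this hunk.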
diff --git a/packages/by-name/kata/kata-runtime/0004-qemu-don-t-emit-scsi-parameter.patch b/packages/by-name/kata/kata-runtime/0004-qemu-don-t-emit-scsi-parameter.patch
deleted file mode 100644
index f96314619a..0000000000
--- a/packages/by-name/kata/kata-runtime/0004-qemu-don-t-emit-scsi-parameter.patch
+++ /dev/null
@@ -1,116 +0,0 @@ -From 08d7d998c183f8beb92a334f0e08b5baab1cc866 Mon Sep 17 00:00:00 2001 -From: Tom Dohrmann -Date: Thu, 1 Aug 2024 14:42:17 +0200 -Subject: [PATCH 4/4] qemu: don't emit scsi parameter - -This parameter has been deprecated for a long time and QEMU 9.1.0 finally removes it. - -Fixes: #10112 -Signed-off-by: Tom Dohrmann ---- - .../crates/hypervisor/src/qemu/cmdline_generator.rs | 13 ------------- - src/runtime/pkg/govmm/qemu/qemu.go | 4 ---- - src/runtime/pkg/govmm/qemu/qemu_arch_base_test.go | 2 +- - src/runtime/pkg/govmm/qemu/qemu_s390x_test.go | 2 +- - src/runtime/pkg/govmm/qemu/qemu_test.go | 1 - - 5 files changed, 2 insertions(+), 20 deletions(-) - -diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs -index c5e5de3c2..c00f3204f 100644 ---- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs -+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs -@@ -820,7 +820,6 @@ impl ToQemuParams for BlockBackend { - struct DeviceVirtioBlk { - bus_type: VirtioBusType, - id: String, -- scsi: bool, - config_wce: bool, - share_rw: bool, - } -@@ -830,18 +829,11 @@ impl DeviceVirtioBlk { - DeviceVirtioBlk { - bus_type, - id: id.to_owned(), -- scsi: false, - config_wce: false, - share_rw: true, - } - } - -- #[allow(dead_code)] -- fn set_scsi(&mut self, scsi: bool) -> &mut Self { -- self.scsi = scsi; -- self -- } -- - #[allow(dead_code)] - fn set_config_wce(&mut self, config_wce: bool) -> &mut Self { - self.config_wce = config_wce; -@@ -861,11 +853,6 @@ impl ToQemuParams for DeviceVirtioBlk { - let mut params = Vec::new(); - params.push(format!("virtio-blk-{}", self.bus_type)); - params.push(format!("drive=image-{}", self.id)); -- if self.scsi { -- params.push("scsi=on".to_owned()); -- } else { -- params.push("scsi=off".to_owned()); -- } - if self.config_wce { - params.push("config-wce=on".to_owned()); - } else { -diff --git 
a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go -index f5ff0fc95..bcb6cd2ad 100644 ---- a/src/runtime/pkg/govmm/qemu/qemu.go -+++ b/src/runtime/pkg/govmm/qemu/qemu.go -@@ -1317,10 +1317,6 @@ func (blkdev BlockDevice) QemuParams(config *Config) []string { - deviceParams = append(deviceParams, s) - } - deviceParams = append(deviceParams, fmt.Sprintf("drive=%s", blkdev.ID)) -- if !blkdev.SCSI { -- deviceParams = append(deviceParams, "scsi=off") -- } -- - if !blkdev.WCE { - deviceParams = append(deviceParams, "config-wce=off") - } -diff --git a/src/runtime/pkg/govmm/qemu/qemu_arch_base_test.go b/src/runtime/pkg/govmm/qemu/qemu_arch_base_test.go -index ec70767d7..10fd0bdff 100644 ---- a/src/runtime/pkg/govmm/qemu/qemu_arch_base_test.go -+++ b/src/runtime/pkg/govmm/qemu/qemu_arch_base_test.go -@@ -25,7 +25,7 @@ var ( - deviceSCSIControllerBusAddrStr = "-device virtio-scsi-pci,id=foo,bus=pci.0,addr=00:04.0,disable-modern=true,iothread=iothread1,romfile=efi-virtio.rom" - deviceVhostUserSCSIString = "-chardev socket,id=char1,path=/tmp/nonexistentsocket.socket -device vhost-user-scsi-pci,id=scsi1,chardev=char1,romfile=efi-virtio.rom" - deviceVhostUserBlkString = "-chardev socket,id=char2,path=/tmp/nonexistentsocket.socket -device vhost-user-blk-pci,logical_block_size=4096,size=512M,chardev=char2,romfile=efi-virtio.rom" -- deviceBlockString = "-device virtio-blk-pci,disable-modern=true,drive=hd0,scsi=off,config-wce=off,romfile=efi-virtio.rom,share-rw=on,serial=hd0 -drive id=hd0,file=/var/lib/vm.img,aio=threads,format=qcow2,if=none,readonly=on" -+ deviceBlockString = "-device virtio-blk-pci,disable-modern=true,drive=hd0,config-wce=off,romfile=efi-virtio.rom,share-rw=on,serial=hd0 -drive id=hd0,file=/var/lib/vm.img,aio=threads,format=qcow2,if=none,readonly=on" - devicePCIBridgeString = "-device pci-bridge,bus=/pci-bus/pcie.0,id=mybridge,chassis_nr=5,shpc=on,addr=ff,romfile=efi-virtio.rom" - devicePCIBridgeStringReserved = "-device 
pci-bridge,bus=/pci-bus/pcie.0,id=mybridge,chassis_nr=5,shpc=off,addr=ff,romfile=efi-virtio.rom,io-reserve=4k,mem-reserve=1m,pref64-reserve=1m" - devicePCIEBridgeString = "-device pcie-pci-bridge,bus=/pci-bus/pcie.0,id=mybridge,addr=ff,romfile=efi-virtio.rom" -diff --git a/src/runtime/pkg/govmm/qemu/qemu_s390x_test.go b/src/runtime/pkg/govmm/qemu/qemu_s390x_test.go -index 90dbecca1..311e286e9 100644 ---- a/src/runtime/pkg/govmm/qemu/qemu_s390x_test.go -+++ b/src/runtime/pkg/govmm/qemu/qemu_s390x_test.go -@@ -19,7 +19,7 @@ var ( - deviceVFIOString = "-device vfio-ccw,host=02:10.0,devno=" + DevNo - deviceSCSIControllerStr = "-device virtio-scsi-ccw,id=foo,devno=" + DevNo - deviceSCSIControllerBusAddrStr = "-device virtio-scsi-ccw,id=foo,bus=pci.0,addr=00:04.0,iothread=iothread1,devno=" + DevNo -- deviceBlockString = "-device virtio-blk-ccw,drive=hd0,scsi=off,config-wce=off,devno=" + DevNo + ",share-rw=on,serial=hd0 -drive id=hd0,file=/var/lib/vm.img,aio=threads,format=qcow2,if=none,readonly=on" -+ deviceBlockString = "-device virtio-blk-ccw,drive=hd0,config-wce=off,devno=" + DevNo + ",share-rw=on,serial=hd0 -drive id=hd0,file=/var/lib/vm.img,aio=threads,format=qcow2,if=none,readonly=on" - romfile = "" - ) - -diff --git a/src/runtime/pkg/govmm/qemu/qemu_test.go b/src/runtime/pkg/govmm/qemu/qemu_test.go -index 8fc960905..181eb6506 100644 ---- a/src/runtime/pkg/govmm/qemu/qemu_test.go -+++ b/src/runtime/pkg/govmm/qemu/qemu_test.go -@@ -281,7 +281,6 @@ func TestAppendDeviceBlock(t *testing.T) { - AIO: Threads, - Format: QCOW2, - Interface: NoInterface, -- SCSI: false, - WCE: false, - DisableModern: true, - ROMFile: romfile, --- -2.45.1 - diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix index 020ad767ab..7fef862872 100644 --- a/packages/by-name/kata/kata-runtime/package.nix +++ b/packages/by-name/kata/kata-runtime/package.nix 
@@ -11,14 +11,14 @@ buildGoModule rec { pname = "kata-runtime"; - version = "3.7.0"; + version = "3.8.0"; src = applyPatches { src = fetchFromGitHub { owner = "kata-containers"; repo = "kata-containers"; rev = version; - hash = "sha256-Ir+/ZZJHm6E+044wczU3UvL+Py9Wprgw2QKJaYyDrKU="; + hash = "sha256-62qoAMlE62hS02+Bj5HNgNyGVTk7SVLJaqN9GhCWQXc="; }; patches = [ @@ -39,9 +39,6 @@ buildGoModule rec { # delegates hash verification to the AA. Until that effort lands, we're # sticking with the policy verification from AKS CoCo. ./0003-runtime-agent-verify-the-agent-policy-hash.patch - # This patches fixes compatibility issues with QEMU 9.1. - # https://github.com/kata-containers/kata-containers/pull/10113 - ./0004-qemu-don-t-emit-scsi-parameter.patch ]; };