kata: 3.9.0 -> 3.10.1

Let's update Kata Containers to its latest release Signed-off-by: Fabiano Fidêncio <[email protected]>
edgelesssys · Nov 4, 2024 · cea2865 · cea2865
1 parent 78cb6dc
commit cea2865
Show file tree

Hide file tree

Showing 17 changed files with 5,273 additions and 36 deletions.
diff --git a/...by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch b/...by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch
@@ -1,4 +1,4 @@
-From a6c6d12b6e067c5bbd193c6dde3e1deb4700e33d Mon Sep 17 00:00:00 2001
+From 099fd9159c03561ed738dacb370d18183f8601aa Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Fri, 5 Jul 2024 08:43:13 +0000
 Subject: [PATCH] govmm: Directly pass the firwmare using -bios with SNP

diff --git a/...by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch b/...by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch
@@ -1,4 +1,4 @@
-From 8086c7a042bcf54ee739c683588a5db6ffd26acd Mon Sep 17 00:00:00 2001
+From b73c887c4b00d58b1a9bf403c5b2d05b02574731 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:35:54 +0000
 Subject: [PATCH] emulate CPU model that most closely matches the host

diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
@@ -1,4 +1,4 @@
-From 9213830793a4a8fc04bdd063c8746d41b6bca4f6 Mon Sep 17 00:00:00 2001
+From d3bc2eb74a14272afb10d20c63e4d938538acbfe Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:51:20 +0000
 Subject: [PATCH] runtime: agent: verify the agent policy hash
@@ -18,7 +18,7 @@ the Agent has the expected contents.
 Signed-off-by: Dan Mihai <[email protected]>
 Signed-off-by: Tom Dohrmann <[email protected]>
 ---
- src/agent/Cargo.lock                          |  98 +++++++++
+ src/agent/Cargo.lock                          | 101 +++++++++
  src/agent/Cargo.toml                          |   7 +-
  src/agent/src/main.rs                         |   4 +
  src/agent/src/policy.rs                       |  46 ++++-
@@ -37,12 +37,12 @@ Signed-off-by: Tom Dohrmann <[email protected]>
  src/runtime/virtcontainers/qemu_s390x.go      |   2 +-
  src/runtime/virtcontainers/qemu_s390x_test.go |  51 ++++-
  src/runtime/virtcontainers/sandbox.go         |   1 +
- 19 files changed, 674 insertions(+), 40 deletions(-)
+ 19 files changed, 677 insertions(+), 40 deletions(-)
  create mode 100644 src/agent/src/sev.rs
  create mode 100644 src/agent/src/tdx.rs
 
 diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
-index f55144570..6c9342ddb 100644
+index f55144570..8cf40f7ec 100644
 --- a/src/agent/Cargo.lock
 +++ b/src/agent/Cargo.lock
 @@ -542,6 +542,12 @@ version = "0.6.3"
@@ -210,7 +210,17 @@ index f55144570..6c9342ddb 100644
  [[package]]
  name = "sha1"
  version = "0.10.6"
-@@ -6370,6 +6458,16 @@ version = "0.9.4"
+@@ -6351,6 +6439,9 @@ name = "uuid"
+ version = "1.10.0"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+ checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314"
++dependencies = [
++ "serde",
++]
+
+ [[package]]
+ name = "valuable"
+@@ -6370,6 +6461,16 @@ version = "0.9.4"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
@@ -253,7 +263,7 @@ index a8ed5d081..d5b3db965 100644
 
  [[bin]]
 diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
-index 88a5ec01a..9e98794d4 100644
+index 8a057bb36..22d858c10 100644
 --- a/src/agent/src/main.rs
 +++ b/src/agent/src/main.rs
 @@ -85,6 +85,10 @@ mod tracer;
@@ -621,10 +631,10 @@ index b3b3fb4bd..5070ecd1e 100644
 
  	return tdxObject.String()
 diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
-index 853ad4d5b..c47029e1d 100644
+index 5eb922980..0e5205cc9 100644
 --- a/src/runtime/virtcontainers/hypervisor.go
 +++ b/src/runtime/virtcontainers/hypervisor.go
-@@ -559,7 +559,7 @@ type HypervisorConfig struct {
+@@ -545,7 +545,7 @@ type HypervisorConfig struct {
  	// NumVCPUs specifies default number of vCPUs for the VM.
  	NumVCPUsF float32
 
@@ -633,7 +643,7 @@ index 853ad4d5b..c47029e1d 100644
  	DefaultMaxVCPUs uint32
 
  	// DefaultMem specifies default memory size in MiB for the VM.
-@@ -687,6 +687,10 @@ type HypervisorConfig struct {
+@@ -673,6 +673,10 @@ type HypervisorConfig struct {
 
  	// Initdata defines the initdata passed into guest when CreateVM
  	Initdata string
@@ -644,7 +654,7 @@ index 853ad4d5b..c47029e1d 100644
  }
 
  // vcpu mapping from vcpu number to thread number
-@@ -1048,8 +1052,8 @@ type guestProtection uint8
+@@ -1027,8 +1031,8 @@ type guestProtection uint8
  const (
  	noneProtection guestProtection = iota
 
@@ -656,7 +666,7 @@ index 853ad4d5b..c47029e1d 100644
  	tdxProtection
 
 diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go
-index 7a189bb91..509f74a3c 100644
+index ba86c3d63..2c6311c06 100644
 --- a/src/runtime/virtcontainers/qemu.go
 +++ b/src/runtime/virtcontainers/qemu.go
 @@ -681,7 +681,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
@@ -1271,10 +1281,10 @@ index 24a67bdd9..3f5f84aff 100644
 +	assert.Equal(expectedOut, devices)
  }
 diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
-index 8df2b7cc5..07df77478 100644
+index ac0d35e9c..ff7a46b4e 100644
 --- a/src/runtime/virtcontainers/sandbox.go
 +++ b/src/runtime/virtcontainers/sandbox.go
-@@ -608,6 +608,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor
+@@ -613,6 +613,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor
 
  	sandboxConfig.HypervisorConfig.VMStorePath = s.store.RunVMStoragePath()
  	sandboxConfig.HypervisorConfig.RunStorePath = s.store.RunStoragePath()

diff --git a/packages/by-name/kata/kata-runtime/0004-genpolicy-enable-sysctl-checks.patch b/packages/by-name/kata/kata-runtime/0004-genpolicy-enable-sysctl-checks.patch
@@ -0,0 +1,220 @@
+From cc68c48a9af8cbdd6ffd8a74d7960adc22150f08 Mon Sep 17 00:00:00 2001
+From: Markus Rudy <[email protected]>
+Date: Wed, 24 Jul 2024 09:48:48 +0200
+Subject: [PATCH] genpolicy: enable sysctl checks
+
+Sysctls may be added to a container by the Kubernetes pod definition or
+by containerd configuration. This commit adds support for the
+corresponding PodSpec field and an option to specify
+environment-dependent sysctls in the settings file.
+---
+ src/tools/genpolicy/genpolicy-settings.json | 10 ++++++++++
+ src/tools/genpolicy/rules.rego              | 19 ++++++++++++++++++-
+ src/tools/genpolicy/src/containerd.rs       |  4 ++++
+ src/tools/genpolicy/src/pod.rs              | 20 ++++++++++++++++++++
+ src/tools/genpolicy/src/policy.rs           | 10 ++++++++++
+ 5 files changed, 62 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index fe1625bac..e50d5e545 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -39,6 +39,10 @@
+             ]
+         },
+         "Linux": {
++            "Sysctl": {
++                "net.ipv4.ip_unprivileged_port_start": "0",
++                "net.ipv4.ping_group_range": "0 2147483647"
++            },
+             "MaskedPaths": [
+                 "/proc/acpi",
+                 "/proc/asound",
+@@ -132,6 +136,12 @@
+             "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$",
+             "io.katacontainers.pkg.oci.container_type": "pod_container",
+             "io.kubernetes.cri.container-type": "container"
++        },
++        "Linux": {
++            "Sysctl": {
++                "net.ipv4.ip_unprivileged_port_start": "0",
++                "net.ipv4.ping_group_range": "0 2147483647"
++            }
+         }
+     },
+     "volumes": {
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 1d95bfe69..a89b13ed1 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -112,7 +112,6 @@ allow_create_container_input {
+     is_null(i_linux.Resources.Network)
+     is_null(i_linux.Resources.Pids)
+     is_null(i_linux.Seccomp)
+-    i_linux.Sysctl == {}
+
+     i_process := i_oci.Process
+     count(i_process.SelinuxLabel) == 0
+@@ -389,6 +388,7 @@ allow_linux(p_oci, i_oci) {
+     allow_masked_paths(p_oci, i_oci)
+     allow_readonly_paths(p_oci, i_oci)
+     allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices)
++    allow_linux_sysctl(p_oci.Linux, i_oci.Linux)
+
+     print("allow_linux: true")
+ }
+@@ -487,6 +487,23 @@ allow_linux_devices(p_devices, i_devices) {
+     print("allow_linux_devices: true")
+ }
+
++allow_linux_sysctl(p_linux, i_linux) {
++    print("allow_linux_sysctl 1: start")
++    not i_linux["Sysctl"]
++    print("allow_linux_sysctl 1: true")
++}
++
++allow_linux_sysctl(p_linux, i_linux) {
++    print("allow_linux_sysctl 2: start")
++    p_sysctl := p_linux.Sysctl
++    i_sysctl := i_linux.Sysctl
++    every i_name, i_val in i_sysctl {
++        print("allow_linux_sysctl: i_name =", i_name, "i_val =", i_val)
++        p_sysctl[i_name] == i_val
++    }
++    print("allow_linux_sysctl 2: true")
++}
++
+ # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+ # and io.kubernetes.cri.sandbox-id" values with other fields.
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs
+index 075fced5b..2922ea0ab 100644
+--- a/src/tools/genpolicy/src/containerd.rs
++++ b/src/tools/genpolicy/src/containerd.rs
+@@ -3,6 +3,8 @@
+ // SPDX-License-Identifier: Apache-2.0
+ //
+
++use std::collections::HashMap;
++
+ use crate::policy;
+
+ // Default process field from containerd.
+@@ -153,6 +155,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
+                 "/proc/sysrq-trigger".to_string(),
+             ],
+             Devices: vec![],
++            Sysctl: HashMap::new(),
+         }
+     } else {
+         policy::KataLinux {
+@@ -160,6 +163,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux {
+             MaskedPaths: vec![],
+             ReadonlyPaths: vec![],
+             Devices: vec![],
++            Sysctl: HashMap::new(),
+         }
+     }
+ }
+diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
+index 19f882239..5030144c6 100644
+--- a/src/tools/genpolicy/src/pod.rs
++++ b/src/tools/genpolicy/src/pod.rs
+@@ -21,6 +21,7 @@ use log::{debug, warn};
+ use protocols::agent;
+ use serde::{Deserialize, Serialize};
+ use std::collections::BTreeMap;
++use std::collections::HashMap;
+
+ /// See Reference / Kubernetes API / Workload Resources / Pod.
+ #[derive(Clone, Debug, Serialize, Deserialize)]
+@@ -298,6 +299,9 @@ struct SecurityContext {
+
+     #[serde(skip_serializing_if = "Option::is_none")]
+     seccompProfile: Option<SeccompProfile>,
++
++    #[serde(skip_serializing_if = "Option::is_none")]
++    sysctls: Option<Vec<Sysctl>>,
+ }
+
+ /// See Reference / Kubernetes API / Workload Resources / Pod.
+@@ -310,6 +314,13 @@ struct SeccompProfile {
+     localhostProfile: Option<String>,
+ }
+
++/// See Reference / Kubernetes API / Workload Resources / Pod.
++#[derive(Clone, Debug, Serialize, Deserialize)]
++struct Sysctl {
++    name: String,
++    value: String,
++}
++
+ /// See Reference / Kubernetes API / Workload Resources / Pod.
+ #[derive(Clone, Debug, Serialize, Deserialize)]
+ pub struct PodSecurityContext {
+@@ -699,6 +710,14 @@ impl Container {
+
+         commands
+     }
++
++    pub fn apply_sysctls(&self, sysctls: &mut HashMap<String, String>) {
++        if let Some(securityContext) = &self.securityContext {
++            if let Some(container_sysctls) = &securityContext.sysctls {
++                sysctls.extend(container_sysctls.iter().map(|el| (el.name.clone(), el.value.clone())));
++            }
++        }
++    }
+ }
+
+ impl EnvFromSource {
+@@ -995,6 +1014,7 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Confi
+             capabilities: None,
+             runAsUser: None,
+             seccompProfile: None,
++            sysctls: None,
+         }),
+         ..Default::default()
+     };
+diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
+index 973643e1f..adbdf97f3 100644
+--- a/src/tools/genpolicy/src/policy.rs
++++ b/src/tools/genpolicy/src/policy.rs
+@@ -27,6 +27,7 @@ use serde_yaml::Value;
+ use sha2::{Digest, Sha256};
+ use std::boxed;
+ use std::collections::BTreeMap;
++use std::collections::HashMap;
+ use std::fs::read_to_string;
+ use std::io::Write;
+
+@@ -180,14 +181,20 @@ pub struct KataLinux {
+     pub Namespaces: Vec<KataLinuxNamespace>,
+
+     /// MaskedPaths masks over the provided paths inside the container.
++    #[serde(default)]
+     pub MaskedPaths: Vec<String>,
+
+     /// ReadonlyPaths sets the provided paths as RO inside the container.
++    #[serde(default)]
+     pub ReadonlyPaths: Vec<String>,
+
+     /// Devices contains devices to be created inside the container.
+     #[serde(default)]
+     pub Devices: Vec<KataLinuxDevice>,
++
++    /// Sysctls contains sysctls to be applied inside the container.
++    #[serde(default, skip_serializing_if = "HashMap::is_empty")]
++    pub Sysctl: HashMap<String, String>,
+ }
+
+ /// OCI container LinuxNamespace struct. This struct is similar to the LinuxNamespace
+@@ -616,6 +623,9 @@ impl AgentPolicy {
+             linux.Devices.push(default_device.clone())
+         }
+
++        linux.Sysctl.extend(c_settings.Linux.Sysctl.clone());
++        yaml_container.apply_sysctls(&mut linux.Sysctl);
++
+         ContainerPolicy {
+             OCI: KataSpec {
+                 Version: self.config.settings.kata_config.oci_version.clone(),