edgelesssys · katexochen · Oct 30, 2024 · Oct 30, 2024
@@ -1,4 +1,4 @@
-From 3beb8ad9581c8e090061b5f5b2d56d9dff4789c6 Mon Sep 17 00:00:00 2001
+From a6c6d12b6e067c5bbd193c6dde3e1deb4700e33d Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Fri, 5 Jul 2024 08:43:13 +0000
 Subject: [PATCH] govmm: Directly pass the firwmare using -bios with SNP

@@ -1,4 +1,4 @@
-From 5dc70d0bc426f4557ec952157e9bc2182a928ba2 Mon Sep 17 00:00:00 2001
+From 8086c7a042bcf54ee739c683588a5db6ffd26acd Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:35:54 +0000
 Subject: [PATCH] emulate CPU model that most closely matches the host

@@ -1,4 +1,4 @@
-From 1f16f82b5e639861e53edb4e258bf4aa2794bd4c Mon Sep 17 00:00:00 2001
+From 9213830793a4a8fc04bdd063c8746d41b6bca4f6 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:51:20 +0000
 Subject: [PATCH] runtime: agent: verify the agent policy hash

@@ -1,4 +1,4 @@
-From 2ce00e84c352f445e86f1f40d6745ed6c087776e Mon Sep 17 00:00:00 2001
+From e3dd3bd5ead8af4b8e3363e08e24eb340f068dcd Mon Sep 17 00:00:00 2001
 From: Dan Mihai <[email protected]>
 Date: Thu, 4 Jan 2024 22:28:24 +0000
 Subject: [PATCH] genpolicy: validate create sandbox storages

@@ -1,4 +1,4 @@
-From ca06944ca5c4152d5d79fe173bf191222dfc7738 Mon Sep 17 00:00:00 2001
+From 3c05719560ccc658440af1d12542a9b2b1b68dea Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 09:48:48 +0200
 Subject: [PATCH] genpolicy: enable sysctl checks

@@ -1,4 +1,4 @@
-From 4f3d1bf8749fe7d11095f564ed6299207138c9aa Mon Sep 17 00:00:00 2001
+From a91041e762342a76065e51c4076574aba7c63c42 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 09:51:57 +0200
 Subject: [PATCH] genpolicy: read bundle-id from rootfs

@@ -1,4 +1,4 @@
-From e8475ed6e8bde8c890773aa3b12da881800ac88f Mon Sep 17 00:00:00 2001
+From dcbe8905e574525c4aa3afbb32e58fda0b49889b Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Thu, 11 Jul 2024 12:05:00 +0200
 Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix

@@ -1,4 +1,4 @@
-From 49d5646a9c93ecae2575c686d94be19cf8dc6086 Mon Sep 17 00:00:00 2001
+From f970b8d4fe08d4a3e5d4dcefc3f71415c560c5d1 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 11:16:37 +0200
 Subject: [PATCH] genpolicy-settings: bump OCI version

@@ -1,4 +1,4 @@
-From c4b49fe79bfab7a43bf21dd5a11ee2c827fd1d35 Mon Sep 17 00:00:00 2001
+From b2f09cebe1d383ef00fd84af79a45e4848ea4b69 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Mon, 12 Aug 2024 14:18:43 +0200
 Subject: [PATCH] genpolicy-settings: change cpath for Nydus guest pull

@@ -1,4 +1,4 @@
-From e7e5ef9123e071e9f1c6cb4e42649f6c24edbc7b Mon Sep 17 00:00:00 2001
+From 36fd802eb33442c7a9a7897847b13a2a364d888b Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Thu, 1 Aug 2024 15:58:42 +0200
 Subject: [PATCH] genpolicy: allow image_guest_pull

@@ -1,4 +1,4 @@
-From ef7aed6e4bf202e387c13ad44e41f7db317b22f6 Mon Sep 17 00:00:00 2001
+From b7e3a9272cdce44e6087bcf35673365b3e576672 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <[email protected]>
 Date: Thu, 25 Apr 2024 10:34:26 +0200
 Subject: [PATCH] runtime: agent: mounts: Mount configfs into the container

@@ -1,4 +1,4 @@
-From fd128e868a42359e3abf3d10d3ffa9c134094523 Mon Sep 17 00:00:00 2001
+From b378d2761d632f4fca8c5fca1e7e69ea2d19edb2 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Mon, 12 Aug 2024 13:45:43 +0200
 Subject: [PATCH] genpolicy: bump oci-distribution to v0.12.0

@@ -1,4 +1,4 @@
-From 318c6540f5c5e959b3cfac06541b9ffad808ff5a Mon Sep 17 00:00:00 2001
+From 1870d6484813b4700dad2e5795924d050138a4a3 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Tue, 24 Sep 2024 16:05:31 +0200
 Subject: [PATCH] genpolicy: support mount propagation and ro-mounts

@@ -1,4 +1,4 @@
-From 460679591d0cbcf0da51dc7ce7b83ac8e9fe2007 Mon Sep 17 00:00:00 2001
+From 1ab3e3189814a6ddd64676749b4c3c94c210aba9 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Fri, 4 Oct 2024 11:27:37 +0200
 Subject: [PATCH] tools: don't clean build root when generating rootfs

@@ -0,0 +1,47 @@
+From ca7c9dfae2880adfdd8886657ca6bc352fc949a2 Mon Sep 17 00:00:00 2001
+From: "alex.lyn" <[email protected]>
+Date: Sat, 12 Oct 2024 17:39:00 +0800
+Subject: [PATCH] kata-agent: fixing bug of unable setting hostname correctly.
+
+When do update_container_namespaces updating namespaces, setting
+all UTS(and IPC) namespace paths to None resulted in hostnames
+set prior to the update becoming ineffective. This was primarily
+due to an error made while aligning with the oci spec: in an attempt
+to match empty strings with None values in oci-spec-rs, all paths
+were incorrectly set to None.
+
+Fixes #10325
+
+Signed-off-by: alex.lyn <[email protected]>
+---
+ src/agent/src/rpc.rs | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
+index 9f13af0f0..a2efb8396 100644
+--- a/src/agent/src/rpc.rs
++++ b/src/agent/src/rpc.rs
+@@ -1726,13 +1726,19 @@ fn update_container_namespaces(
+     if let Some(namespaces) = linux.namespaces_mut() {
+         for namespace in namespaces.iter_mut() {
+             if namespace.typ().to_string() == NSTYPEIPC {
+-                namespace.set_path(Some(PathBuf::from(&sandbox.shared_ipcns.path.clone())));
+-                namespace.set_path(None);
++                namespace.set_path(if !sandbox.shared_ipcns.path.is_empty() {
++                    Some(PathBuf::from(&sandbox.shared_ipcns.path))
++                } else {
++                    None
++                });
+                 continue;
+             }
+             if namespace.typ().to_string() == NSTYPEUTS {
+-                namespace.set_path(Some(PathBuf::from(&sandbox.shared_utsns.path.clone())));
+-                namespace.set_path(None);
++                namespace.set_path(if !sandbox.shared_utsns.path.is_empty() {
++                    Some(PathBuf::from(&sandbox.shared_utsns.path))
++                } else {
++                    None
++                });
+                 continue;
+             }
+         }
@@ -0,0 +1,73 @@
+From fe0c4d181cb68b471b46dd94046bba13aabd74c9 Mon Sep 17 00:00:00 2001
+From: Simon Kaegi <[email protected]>
+Date: Thu, 24 Oct 2024 16:23:49 -0400
+Subject: [PATCH] agent: Correct rustjail device filemode permission typo
+
+Corrects device filemode permissions typo/regression in rustjail to `666` instead of `066`.
+`666` is the standard and expected value for these devices in containers.
+
+Fixes: #10454
+
+Signed-off-by: Simon Kaegi <[email protected]>
+---
+ src/agent/rustjail/src/container.rs | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
+index a8334fed9..a1eb6974a 100644
+--- a/src/agent/rustjail/src/container.rs
++++ b/src/agent/rustjail/src/container.rs
+@@ -158,7 +158,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(1)
+                 .minor(3)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
+@@ -168,7 +168,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(1)
+                 .minor(5)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
+@@ -178,7 +178,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(1)
+                 .minor(7)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
+@@ -188,7 +188,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(5)
+                 .minor(0)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
+@@ -198,7 +198,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(1)
+                 .minor(9)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
+@@ -208,7 +208,7 @@ lazy_static! {
+                 .typ(oci::LinuxDeviceType::C)
+                 .major(1)
+                 .minor(8)
+-                .file_mode(0o066_u32)
++                .file_mode(0o666_u32)
+                 .uid(0xffffffff_u32)
+                 .gid(0xffffffff_u32)
+                 .build()
@@ -90,6 +90,11 @@ buildGoModule rec {
       # The patch is not sufficient for upstream, because it requires the extraRootFs content from
       # our Nix packaging.
       ./0014-tools-don-t-clean-build-root-when-generating-rootfs.patch
+
+      # Cherry-pick of bug fixes from the Kata v3.10.1 patch release.
+      # Drop when upgrading to v3.10.
+      ./0015-kata-agent-fixing-bug-of-unable-setting-hostname-cor.patch
+      ./0016-agent-Correct-rustjail-device-filemode-permission-ty.patch
     ];
   };