diff --git a/packages/by-name/kata/kata-kernel-uvm/package.nix b/packages/by-name/kata/kata-kernel-uvm/package.nix
index de0ee0c1e6..3c25e57c94 100644
--- a/packages/by-name/kata/kata-kernel-uvm/package.nix
+++ b/packages/by-name/kata/kata-kernel-uvm/package.nix
@@ -19,7 +19,7 @@ let
 src = fetchzip {
 url = "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.xz";
- hash = "sha256-a0clnxq1vtaq9QpmFO6UBkU5Ecc5LcjqCH6/R7NBXMw=";
+ hash = "sha256-fp86V1ioD8Ga1FM/4a7fN8o67woW4Kz8D6Tgix2VuTI=";
 stripRoot = false;
 };
diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
index f7ccaf8347..669ce2a426 100644
--- a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
+++ b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
@@ -42,7 +42,7 @@ Signed-off-by: Tom Dohrmann
 create mode 100644 src/agent/src/tdx.rs
 diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
-index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde70ac7d64 100644
+index f94f936f6b0695164daaf09bce98c37894f3e1cb..06cd71212acbbe2093c195c0c40a8817e2d88deb 100644
 --- a/src/agent/Cargo.lock
 +++ b/src/agent/Cargo.lock
 @@ -605,6 +605,12 @@ version = "0.6.3"
@@ -126,7 +126,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "iovec"
 version = "0.1.4"
-@@ -3047,6 +3086,8 @@ dependencies = [
+@@ -3048,6 +3087,8 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
@@ -135,7 +135,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 "slog",
 "slog-scope",
 "slog-stdlog",
-@@ -3064,6 +3105,7 @@ dependencies = [
+@@ -3065,6 +3106,7 @@ dependencies = [
 "tracing-subscriber",
 "ttrpc",
 "url",
@@ -143,7 +143,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 "vsock-exporter",
 "which",
 ]
-@@ -4054,6 +4096,12 @@ dependencies = [
+@@ -4070,6 +4112,12 @@ dependencies = [
 "tokio-stream",
 ]
@@ -156,7 +156,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "ordered-stream"
 version = "0.2.0"
-@@ -5500,6 +5548,15 @@ dependencies = [
+@@ -5526,6 +5574,15 @@ dependencies = [
 "syn 1.0.109",
 ]
@@ -172,7 +172,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "serde-enum-str"
 version = "0.4.0"
-@@ -5519,6 +5576,15 @@ version = "0.2.2"
+@@ -5545,6 +5602,15 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"
@@ -188,7 +188,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "serde_derive"
 version = "1.0.204"
-@@ -5622,6 +5688,28 @@ dependencies = [
+@@ -5648,6 +5714,28 @@ dependencies = [
 "syn 1.0.109",
 ]
@@ -217,7 +217,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "sha1"
 version = "0.10.6"
-@@ -6656,6 +6744,9 @@ name = "uuid"
+@@ -6682,6 +6770,9 @@ name = "uuid"
 version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314"
@@ -227,7 +227,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 [[package]]
 name = "valuable"
-@@ -6675,6 +6766,16 @@ version = "0.9.4"
+@@ -6701,6 +6792,16 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
@@ -245,10 +245,10 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 name = "vsock"
 version = "0.2.6"
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
-index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d09187c02d24 100644
+index 6b0ab344c18b06fc09d7e09f68b51e8498a71587..8efa57bd87686bed26a143a1febda1979c52469e 100644
 --- a/src/agent/Cargo.toml
 +++ b/src/agent/Cargo.toml
-@@ -88,6 +88,11 @@ regorus = { version = "0.2.6", default-features = false, features = [
+@@ -89,6 +89,11 @@ regorus = { version = "0.2.6", default-features = false, features = [
 cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
 json-patch = "2.0.0"
@@ -260,7 +260,7 @@ index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d091
 [dev-dependencies]
 tempfile = "3.1.0"
 test-utils = { path = "../libs/test-utils" }
-@@ -106,7 +111,7 @@ lto = true
+@@ -107,7 +112,7 @@ lto = true
 default-pull = ["guest-pull"]
 seccomp = ["rustjail/seccomp"]
 standard-oci-runtime = ["rustjail/standard-oci-runtime"]
@@ -270,7 +270,7 @@ index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d091
 [[bin]]
 diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
-index 17d1d34a147d58fe6cab10d21b54af4fffc4be63..033aac8530390129638d6feff64818d3ebbce20d 100644
+index c4df5f4aeccfd812669bac7c8069f11b6d943924..e3cd549673847328169e97968a37881d3334b67e 100644
 --- a/src/agent/src/main.rs
 +++ b/src/agent/src/main.rs
 @@ -85,6 +85,10 @@ mod tracer;
@@ -1293,7 +1293,7 @@ index 24a67bdd9e591ead96fbaea473cb662526dedbf3..3f5f84afffeec6fed0ba624408158425
 + assert.Equal(expectedOut, devices)
 }
 diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
-index 33244bc5358c7b50fdc9dcced29c13e24d2e0e39..8cfb80dcde865aa679c12f68173ae168d38c4b20 100644
+index 3711da7f5eace937aa96c10208406b6f1752adcf..4192cb93845e789ed449e017843ad3cca92a3b31 100644
 --- a/src/runtime/virtcontainers/sandbox.go
 +++ b/src/runtime/virtcontainers/sandbox.go
@@ -613,6 +613,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor
diff --git a/packages/by-name/kata/kata-runtime/0019-agent-remove-CDI-support.patch b/packages/by-name/kata/kata-runtime/0018-agent-remove-CDI-support.patch
similarity index 98%
rename from packages/by-name/kata/kata-runtime/0019-agent-remove-CDI-support.patch
rename to packages/by-name/kata/kata-runtime/0018-agent-remove-CDI-support.patch
index 64f256e7da..146409ba71 100644
--- a/packages/by-name/kata/kata-runtime/0019-agent-remove-CDI-support.patch
+++ b/packages/by-name/kata/kata-runtime/0018-agent-remove-CDI-support.patch
@@ -200,7 +200,7 @@ index 400b6f1386e1b4a1a4cda1e3e3da2f66640165c7..53e77d82c88912488ead9052f44e3973
 - }
 }
 diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
-index 0a1c6d34adfffcbc3aef1b55a77556b8b82e85c0..b3888633744a718586069314a192c9c0fd92459e 100644
+index 5f2a3eb955ea427478c842ba80ad2a17299b182f..fd824e9ec26728bf8088939aac7a1edb6d886aac 100644
 --- a/src/agent/src/rpc.rs
 +++ b/src/agent/src/rpc.rs
 @@ -58,7 +58,7 @@ use rustjail::process::ProcessOperations;
@@ -221,7 +221,7 @@ index 0a1c6d34adfffcbc3aef1b55a77556b8b82e85c0..b3888633744a718586069314a192c9c0
 // Convenience function to obtain the scope logger.
 fn sl() -> slog::Logger {
 slog_scope::logger()
-@@ -226,15 +224,6 @@ impl AgentService {
+@@ -227,15 +225,6 @@ impl AgentService {
 // cannot predict everything from the caller.
 add_devices(&sl(), &req.devices, &mut oci, &self.sandbox).await?;
diff --git a/packages/by-name/kata/kata-runtime/0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch b/packages/by-name/kata/kata-runtime/0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch
deleted file mode 100644
index 7c7283be5c..0000000000
--- a/packages/by-name/kata/kata-runtime/0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
-Date: Wed, 8 Jan 2025 16:13:49 +0100
-Subject: [PATCH] runtime: use actual booleans for QMP `device_add` boolean
- options
-
-Since
-https://github.com/qemu/qemu/commit/be93fd53723cbdca675bd9ed112dae5cabbe1e91,
-which is included in QEMU since version 9.2.0, the options for the
-`device_add` QMP command need to be typed correctly.
-
-This makes it so that instead of `"on"`, the value is set to `true`,
-matching QEMU's expectations.
-
-This has been tested on QEMU 9.2.0 and QEMU 9.1.2, so before and after
-the change.
-
-The compatibility with incorrectly typed options for the `device_add`
-command is deprecated since version 6.2.0 [^1].
-
-[^1]: https://qemu-project.gitlab.io/qemu/about/deprecated.html#incorrectly-typed-device-add-arguments-since-6-2
---
- src/runtime/pkg/govmm/qemu/qmp.go | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/runtime/pkg/govmm/qemu/qmp.go b/src/runtime/pkg/govmm/qemu/qmp.go
-index bf18bef9fc027cbf8c77c169ae2b36fdcbdaaa44..af907ba56e514e7fa8c1fc71175c2d039fef9010 100644
---- a/src/runtime/pkg/govmm/qemu/qmp.go
-+++ b/src/runtime/pkg/govmm/qemu/qmp.go
-@@ -869,7 +869,7 @@ func (q *QMP) ExecuteDeviceAdd(ctx context.Context, blockdevID, devID, driver, b
- }
-
- if shared {
-- args["share-rw"] = "on"
-+ args["share-rw"] = true
- }
- if transport.isVirtioPCI(nil) {
- args["romfile"] = romfile
-@@ -923,7 +923,7 @@ func (q *QMP) ExecuteSCSIDeviceAdd(ctx context.Context, blockdevID, devID, drive
- args["lun"] = lun
- }
- if shared {
-- args["share-rw"] = "on"
-+ args["share-rw"] = true
- }
-
- return q.executeCommand(ctx, "device_add", args, nil)
-@@ -1113,7 +1113,7 @@ func (q *QMP) ExecutePCIDeviceAdd(ctx context.Context, blockdevID, devID, driver
- args["bus"] = bus
- }
- if shared {
-- args["share-rw"] = "on"
-+ args["share-rw"] = true
- }
- if queues > 0 {
args["num-queues"] = strconv.Itoa(queues)
diff --git a/packages/by-name/kata/kata-runtime/0020-genpolicy-support-dynamic-annotations.patch b/packages/by-name/kata/kata-runtime/0019-genpolicy-support-dynamic-annotations.patch
similarity index 100%
rename from packages/by-name/kata/kata-runtime/0020-genpolicy-support-dynamic-annotations.patch
rename to packages/by-name/kata/kata-runtime/0019-genpolicy-support-dynamic-annotations.patch
diff --git a/packages/by-name/kata/kata-runtime/0021-agent-clear-log-pipes-if-denied-by-policy.patch b/packages/by-name/kata/kata-runtime/0020-agent-clear-log-pipes-if-denied-by-policy.patch
similarity index 90%
rename from packages/by-name/kata/kata-runtime/0021-agent-clear-log-pipes-if-denied-by-policy.patch
rename to packages/by-name/kata/kata-runtime/0020-agent-clear-log-pipes-if-denied-by-policy.patch
index 705de17571..0258be81b0 100644
--- a/packages/by-name/kata/kata-runtime/0021-agent-clear-log-pipes-if-denied-by-policy.patch
+++ b/packages/by-name/kata/kata-runtime/0020-agent-clear-log-pipes-if-denied-by-policy.patch
@@ -20,10 +20,10 @@ Fixes: #10680
 1 file changed, 15 insertions(+), 7 deletions(-)
 diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
-index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc3723b30a 100644
+index fd824e9ec26728bf8088939aac7a1edb6d886aac..cb5dac7a4a941e11fb9a086ff01633672364902a 100644
 --- a/src/agent/src/rpc.rs
 +++ b/src/agent/src/rpc.rs
-@@ -637,11 +637,11 @@ impl AgentService {
+@@ -638,11 +638,11 @@ impl AgentService {
 async fn do_read_stream(
 &self,
@@ -38,7 +38,7 @@ index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc
 let term_exit_notifier;
 let reader = {
-@@ -857,8 +857,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -889,8 +889,12 @@ impl agent_ttrpc::AgentService for AgentService {
 _ctx: &TtrpcContext,
 req: protocols::agent::ReadStreamRequest,
 ) -> ttrpc::Result {
@@ -53,7 +53,7 @@ index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc
 }
 async fn read_stderr(
-@@ -866,8 +870,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -898,8 +902,12 @@ impl agent_ttrpc::AgentService for AgentService {
 _ctx: &TtrpcContext,
 req: protocols::agent::ReadStreamRequest,
 ) -> ttrpc::Result {
diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
index bee2d56ba4..9a5018662f 100644
--- a/packages/by-name/kata/kata-runtime/package.nix
+++ b/packages/by-name/kata/kata-runtime/package.nix
@@ -11,14 +11,14 @@ buildGoModule rec {
 pname = "kata-runtime";
- version = "3.12.0";
+ version = "3.13.0";
 src = applyPatches {
 src = fetchFromGitHub {
 owner = "kata-containers";
 repo = "kata-containers";
 rev = version;
- hash = "sha256-0pJx8ASUeJjLubu/QV72avntkaU3b5PC5V1H54SrPIs=";
+ hash = "sha256-xBEK+Tczc4MVnETx5sV9sb5/myxLeP7YDDigTroN4Lg=";
 };
 patches = [
@@ -114,30 +114,25 @@ buildGoModule rec {
 # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10633
 ./0017-genpolicy-support-guest-hooks.patch
- # Correctly type QEMU QMP command options for the `device_add` command.
- # See: https://github.com/kata-containers/kata-containers/pull/10719
- # TODO(msanft): Remove once upstream PR is released.
- ./0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch
-
 # Revert CDI support in kata-agent, which breaks legacy mode GPU facilitation which
 # we currently use.
 # TODO(msanft): Get native CDI working, which will allow us to drop this patch / undo the revert.
 # See https://dev.azure.com/Edgeless/Edgeless/_workitems/edit/5061
- ./0019-agent-remove-CDI-support.patch
+ ./0018-agent-remove-CDI-support.patch
 # This adds support for annotations with dynamic keys *and* values to Genpolicy.
 # This is required for e.g. GPU containers, which get annotated by an in-cluster
 # component (i.e. after policy generation based on the Pod spec) with an annotation
 # like `cdi.k8s.io/vfioXY`, where `XY` corresponds to a dynamic ID.
 # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10745
- ./0020-genpolicy-support-dynamic-annotations.patch
+ ./0019-genpolicy-support-dynamic-annotations.patch
 # This allows denying ReadStream requests without blocking the container on its
 # stdout/stderr, by redacting the streams instead of blocking them.
 # Upstream:
 # * https://github.com/kata-containers/kata-containers/issues/10680
 # * https://github.com/kata-containers/kata-containers/pull/10818
- ./0021-agent-clear-log-pipes-if-denied-by-policy.patch
+ ./0020-agent-clear-log-pipes-if-denied-by-policy.patch
 ];
 };
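Review bot: Dropping `./0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch` leaves no record in this list of why it is gone; the removed comment's `TODO(msanft): Remove once upstream PR is released.` suggests the fix from https://github.com/kata-containers/kata-containers/pull/10719 is presumed to ship in 3.13.0, but nothing in the hunk confirms that. Since every remaining entry documents its upstream status, a short comment where the patch was removed would keep the list self-describing, e.g. `# The QMP device_add boolean-typing fix (kata-containers PR 10719) is carried upstream as of 3.13.0; no local patch needed.` The rest of the hunk only renumbers 0019-0021 to 0018-0020 to close the gap, and the `buildGoModule` attribute set continues outside the hunk.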