Kata Containers 3.10.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-2b2d0f738-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-c99ba42d6-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-74662a072-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-25c784c56-x86_64
- tools: quay.io/kata-containers/builders:tools-c06bf2e3b-fefcf7cfa-3dabe0f5f-bc195d758-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- gha: Increase timeout to run k8s tests on TDX by @GabyCT in #10336
- acrn: Drop support by @fidencio in #10239
- kata-deploy: clean up and fix docs for k0s by @sprt in #10335
- runtime-rs: fix the issue of using block_on by @lifupan in #10339
- tests: Fix loop device handling for exec_host() by @BbolroC in #10232
- doc: Update the release process by @stevenhorsman in #10337
- tools.kata-webhook: Specify runtime class using configMap by @Bickor in #10329
- Introduce cdi in runtime-rs by @Apokleos in #10146
- ci: don't require sudo for yq if already installed by @pawelpros in #10311
- runtime: add DAN support for VFIO network device in Go kata-runtime by @l8huang in #9977
- tests: Improve k8s negative tests by @BbolroC in #10328
- ci: Reorder webhook deployment by @ldoktor in #10345
- tests: Delete custom node debugger pod on EXIT by @BbolroC in #10348
- Some prepared work for sandbox api support by @lifupan in #10330
- runtime-rs: Notify containerd when process exits by @lsc2001 in #10293
- ci: Enable basic docker tests for runtime-rs by @lsc2001 in #10318
- tests: Minor improvement k8s tests by @BbolroC in #10346
- agent: fix the issue of setup sandbox pidns by @lifupan in #10351
- sandbox: refactor the sandbox init process by @lifupan in #10349
- runtime-rs: Port TAP implementation from dragonball by @sidneychang in #10219
- gha: Add ita_key as a github secret by @fidencio in #10357
- docs: Remove qemu information not longer valid by @GabyCT in #10342
- ci:tdx: Use an ITA key for TDX by @GabyCT in #10305
- runtime-rs: Add Configurable Compilation for Dragonball in Runtime-rs by @sidneychang in #10312
- tests: Add k8s-block-volume test to GHA CI by @sprt in #7165
- genpolicy: validate create sandbox storages by @Redent0r in #10340
- tests: Skip k8s-block-volume.bats for qemu-runtime-rs by @BbolroC in #10374
- metrics: Update fast footprint script to use grep by @GabyCT in #10369
- tests: k8s-policy-rc: remove default UID from YAML by @danmihai1 in #10370
- k8s: tests: Re-enable empty-dirs tests for TDX / coco-qemu-dev by @fidencio in #10371
- runtime-rs: add network device hotplugging to qemu-rs by @pmores in #10165
- k8s:kbs: Add trap statement to clean up tmp files by @GabyCT in #10375
- ci.ocp: Sort images according to git by @ldoktor in #10134
- osbuilder: Remove duplicated arch variable definition by @GabyCT in #10381
- CI: Select jobs by touched code by @ldoktor in #9637
- gha: enable AUTO_GENERATE_POLICY where needed by @danmihai1 in #10376
- tests: k8s: AUTO_GENERATE_POLICY=yes for local testing by @danmihai1 in #10384
- build: Fix RPM build fail due to AGENT_POLICY by @emanuellima1 in #10389
- image-builder: Remove unused variable by @GabyCT in #10383
- Support Confidential Sealed Secrets (as volume) by @ChengyuZhu6 in #10363
- local-build: add ability to build rootfs-image-mariner by @danmihai1 in #10390
- tools/osbuilder/tests: Add trap statement in test images script by @GabyCT in #10388
- Revert "agent:cdh: unittest for sealed secret as file" by @fidencio in #10404
- ci: mariner: Use the image instead of the initrd by @fidencio in #10396
- packaging: Remove unused variable in build kernel script by @GabyCT in #10407
- build: mariner: Remove the ability to build the marine initrd by @fidencio in #10397
- Kbs deploy overlays update by @stevenhorsman in #10401
- agent:cdh: fix unit tests about sealed secret by @ChengyuZhu6 in #10406
- kbs: ita: Ensure the proper image / image_tag is used for ITA by @fidencio in #10409
- tools/osbuilder/tests: Remove egrep in test images script by @GabyCT in #10415
- ci: Install build dependencies for building agent-ctl with image pull. by @Sumynwa in #10402
- genpolicy: read binaryData value as String by @3u13r in #10426
- ci: static_sandbox_resource_mgmt for cbl-mariner by @danmihai1 in #10416
- tests: k8s-inotify.bats improvements by @danmihai1 in #10417
- agent: config: Use rstest for unit tests by @stevenhorsman in #10412
- gha: Use a arch_to_golang variable to have uniformity by @GabyCT in #10428
- docs: Update CI documentation by @GabyCT in #10430
- runtime-rs: Use vCPU and memory values from config by @ananos in #10435
- ci: add provenance attestation for agent artifact by @mkulke in #10433
- ci: don't parse oci image for cached artifacts by @mkulke in #10437
- kata-agent: fixing bug of unable setting hostname correctly. by @Apokleos in #10421
- runtime-rs: support virtio-scsi device in qemu-rs by @pmores in #10420
- release: Bump VERSION to 3.10.0 by @gkurz in #10443
New Contributors
- @Bickor made their first contribution in #10329
- @pawelpros made their first contribution in #10311
- @lsc2001 made their first contribution in #10293
Full Changelog: 3.9.0...3.10.0