diff --git a/Makefile b/Makefile
index f0fede29db..b29b36efa3 100644
--- a/Makefile
+++ b/Makefile
@@ -170,6 +170,7 @@ DEFMEMSZ := 2048
 DEFMEMSLOTS := 10
 #Default number of bridges
 DEFBRIDGES := 1
+DEFENABLEANNOTATIONS := []
 DEFDISABLEGUESTSECCOMP := true
 #Default experimental features enabled
 DEFAULTEXPFEATURES := []
@@ -673,6 +674,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 -e "s|@DEFNETWORKMODEL_CLH@|$(DEFNETWORKMODEL_CLH)|g" \
 -e "s|@DEFNETWORKMODEL_FC@|$(DEFNETWORKMODEL_FC)|g" \
 -e "s|@DEFNETWORKMODEL_QEMU@|$(DEFNETWORKMODEL_QEMU)|g" \
+ -e "s|@DEFENABLEANNOTATIONS@|$(DEFENABLEANNOTATIONS)|g" \
 -e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
 -e "s|@DEFAULTEXPFEATURES@|$(DEFAULTEXPFEATURES)|g" \
 -e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
index 2a1364f768..2523ec2b76 100644
--- a/cli/config/configuration-acrn.toml.in
+++ b/cli/config/configuration-acrn.toml.in
@@ -16,6 +16,11 @@ ctlpath = "@ACRNCTLPATH@"
 kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = @DEFENABLEANNOTATIONS@
+
 # List of valid annotations values for the hypervisor (default: empty)
 # Each member of the list is a path pattern as described by glob(3).
 path_list = @ACRNPATHLIST@
diff --git a/cli/config/configuration-clh.toml.in b/cli/config/configuration-clh.toml.in
index cc915d591f..e35c10b10e 100644
--- a/cli/config/configuration-clh.toml.in
+++ b/cli/config/configuration-clh.toml.in
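Review bot: `DEFENABLEANNOTATIONS := []` is the only default in this block without the `#Default ...` comment its neighbours carry, and the meaning of the empty list is not obvious from the Makefile alone. The generated configuration feeds it to `enable_annotations`, and the check added in virtcontainers/pkg/oci/utils.go presumably rejects every `io.katacontainers.config.hypervisor.*` annotation while the list is empty, so the empty default is a fail-closed choice worth recording where it is set. Suggested line above it: `#Default list of enabled hypervisor annotations (regular expressions; empty rejects all hypervisor annotations)`.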
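Review bot: The new comment in configuration-acrn.toml.in has an unmatched quote in its example (`"path" for io.katacontainers.config.hypervisor.path"`) and, unlike the `path_list` comment directly below it, does not state the default or what the list does when empty; the same text is repeated in the clh, fc, qemu-virtiofs and qemu templates. With the check added in virtcontainers/pkg/oci/utils.go an empty list presumably rejects every `io.katacontainers.config.hypervisor.*` annotation, which an operator needs to know before relying on the generated default. Suggested first line: `# List of valid annotation names for the hypervisor (default: empty, which rejects every io.katacontainers.config.hypervisor.* annotation)`, and `e.g. "path" for io.katacontainers.config.hypervisor.path` for the example.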
@@ -15,6 +15,11 @@ path = "@CLHPATH@"
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = @DEFENABLEANNOTATIONS@
+
 # List of valid annotations values for the hypervisor (default: empty)
 # Each member of the list is a path pattern as described by glob(3).
 path_list = @CLHPATHLIST@
diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
index def9d1b2ae..43e7d92a9c 100644
--- a/cli/config/configuration-fc.toml.in
+++ b/cli/config/configuration-fc.toml.in
@@ -15,6 +15,11 @@ path = "@FCPATH@"
 kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = @DEFENABLEANNOTATIONS@
+
 # List of valid annotations values for the hypervisor (default: empty)
 # Each member of the list is a path pattern as described by glob(3).
 path_list = @FCPATHLIST@
diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in
index fdd0c41840..27e4961c43 100644
--- a/cli/config/configuration-qemu-virtiofs.toml.in
+++ b/cli/config/configuration-qemu-virtiofs.toml.in
@@ -16,6 +16,11 @@ kernel = "@KERNELVIRTIOFSPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = @DEFENABLEANNOTATIONS@
+
 # List of valid annotations values for the hypervisor (default: empty)
 # Each member of the list is a path pattern as described by glob(3).
 path_list = @QEMUVIRTIOFSPATHLIST@
diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
index 994062c6aa..7ea4f42c79 100644
--- a/cli/config/configuration-qemu.toml.in
+++ b/cli/config/configuration-qemu.toml.in
@@ -17,6 +17,11 @@ initrd = "@INITRDPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = @DEFENABLEANNOTATIONS@
+
 # List of valid annotations values for the hypervisor (default: empty)
 # Each member of the list is a path pattern as described by glob(3).
 path_list = @QEMUPATHLIST@
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
index 11b3e65459..d5b6f93e94 100644
--- a/pkg/katautils/config.go
+++ b/pkg/katautils/config.go
@@ -138,6 +138,7 @@ type hypervisor struct {
 HotplugVFIOOnRootBus bool `toml:"hotplug_vfio_on_root_bus"`
 DisableVhostNet bool `toml:"disable_vhost_net"`
 GuestHookPath string `toml:"guest_hook_path"`
+ EnableAnnotations []string `toml:"enable_annotations"`
 }
 
 type proxy struct {
@@ -590,6 +591,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 DisableVhostNet: true, // vhost-net backend is not supported in Firecracker
 UseVSock: true,
 GuestHookPath: h.guestHookPath(),
+ EnableAnnotations: h.EnableAnnotations,
 }, nil
 }
 
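Review bot: `EnableAnnotations: h.EnableAnnotations` in newFirecrackerHypervisorConfig copies the configured patterns through without compiling them, and the qemu, acrn and clh constructors in the following hunks do the same. regexpContains, which consumes the list in virtcontainers/pkg/oci/utils.go, is outside this diff, so a malformed pattern would presumably surface only when a sandbox is created, or be treated as a non-match, rather than when the configuration is loaded. I would validate once at load time with a helper like the one below and call it from each constructor before building the config, e.g. `if err := validateEnableAnnotations(h.EnableAnnotations); err != nil { return vc.HypervisorConfig{}, err }`; this needs `regexp` in the file's imports if it is not already there. The enclosing constructors start outside their hunks.

```go
// validateEnableAnnotations compiles every enable_annotations entry so that a
// malformed pattern is reported when the configuration is loaded instead of
// on each sandbox creation.
func validateEnableAnnotations(patterns []string) error {
	for _, p := range patterns {
		if _, err := regexp.Compile(p); err != nil {
			return fmt.Errorf("enable_annotations entry %q: %v", p, err)
		}
	}
	return nil
}
```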
@@ -712,6 +714,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 VhostUserStorePath: h.vhostUserStorePath(),
 VhostUserStorePathList: h.VhostUserStorePathList,
 GuestHookPath: h.guestHookPath(),
+ EnableAnnotations: h.EnableAnnotations,
 }, nil
 }
 
@@ -775,6 +778,7 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 BlockDeviceDriver: blockDriver,
 DisableVhostNet: h.DisableVhostNet,
 GuestHookPath: h.guestHookPath(),
+ EnableAnnotations: h.EnableAnnotations,
 }, nil
 }
 
@@ -867,6 +871,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 DisableVhostNet: true,
 UseVSock: true,
 VirtioFSExtraArgs: h.VirtioFSExtraArgs,
+ EnableAnnotations: h.EnableAnnotations,
 }, nil
 }
 
diff --git a/virtcontainers/hypervisor.go b/virtcontainers/hypervisor.go
index 9f1332476a..aea67ecca3 100644
--- a/virtcontainers/hypervisor.go
+++ b/virtcontainers/hypervisor.go
@@ -433,6 +433,9 @@ type HypervisorConfig struct {
 
 // SELinux label for the VM
 SELinuxProcessLabel string
+
+ // Enable annotations by name
+ EnableAnnotations []string
 }
 
 // vcpu mapping from vcpu number to thread number
diff --git a/virtcontainers/persist.go b/virtcontainers/persist.go
index 92cf16c239..8471e36b25 100644
--- a/virtcontainers/persist.go
+++ b/virtcontainers/persist.go
@@ -264,6 +264,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList,
 GuestHookPath: sconfig.HypervisorConfig.GuestHookPath,
 VMid: sconfig.HypervisorConfig.VMid,
+ EnableAnnotations: sconfig.HypervisorConfig.EnableAnnotations,
 }
 
 if sconfig.AgentType == "kata" {
@@ -561,6 +562,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 VhostUserStorePathList: hconf.VhostUserStorePathList,
 GuestHookPath: hconf.GuestHookPath,
 VMid: hconf.VMid,
+ EnableAnnotations: hconf.EnableAnnotations,
 }
 
 if savedConf.AgentType == "kata" {
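Review bot: `// Enable annotations by name` on the new HypervisorConfig field in virtcontainers/hypervisor.go does not say what the strings are or how they are matched, and the persisted copy in virtcontainers/persist/api/config.go carries the same comment. The consumer in virtcontainers/pkg/oci/utils.go treats each entry as a regular expression applied to the annotation's base name after the hypervisor prefix, so the comment should say so, e.g. `// EnableAnnotations lists regular expressions; a hypervisor annotation is honoured only if its base name (the part after the io.katacontainers.config.hypervisor. prefix) matches one of them.`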
diff --git a/virtcontainers/persist/api/config.go b/virtcontainers/persist/api/config.go
index 5498d2161e..4623378a62 100644
--- a/virtcontainers/persist/api/config.go
+++ b/virtcontainers/persist/api/config.go
@@ -201,6 +201,9 @@ type HypervisorConfig struct {
 // VMid is the id of the VM that create the hypervisor if the VM is created by the factory.
 // VMid is "" if the hypervisor is not created by the factory.
 VMid string
+
+ // Enable annotations by name
+ EnableAnnotations []string
 }
 
 // KataAgentConfig is a structure storing information needed
diff --git a/virtcontainers/pkg/annotations/annotations.go b/virtcontainers/pkg/annotations/annotations.go
index 264960cd98..70366a82dd 100644
--- a/virtcontainers/pkg/annotations/annotations.go
+++ b/virtcontainers/pkg/annotations/annotations.go
@@ -28,6 +28,7 @@ const (
 //
 // Assets
 //
+ KataAnnotationHypervisorPrefix = kataAnnotHypervisorPrefix
 
 // KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
 KernelPath = kataAnnotHypervisorPrefix + "kernel"
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
index b1c83bd0eb..dc667cb030 100644
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@@ -227,6 +227,14 @@ func checkPathIsInGlobList(list []string, path string) bool {
 return false
 }
 
+// Check if an annotation name either belongs to another prefix, matches regexp list
+func checkAnnotationNameIsValid(list []string, name string, prefix string) bool {
+ if strings.HasPrefix(name, prefix) {
+ return regexpContains(list, strings.TrimPrefix(name, prefix))
+ }
+ return true
+}
+
 func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
 allowedDeviceTypes := []string{"c", "b", "u", "p"}
 
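Review bot: `KataAnnotationHypervisorPrefix` in virtcontainers/pkg/annotations/annotations.go is a new exported constant without a doc comment, while the neighbouring `KernelPath` has one. Suggested: `// KataAnnotationHypervisorPrefix is the prefix shared by all hypervisor configuration annotations; callers use it to recognise such annotations and strip the prefix before matching the base name against enable_annotations.`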
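Review bot: checkAnnotationNameIsValid hands the trimmed base name to regexpContains, whose matching semantics are not in this diff; if it uses Go's default unanchored matching, the entry `path` from the new configuration comment would also enable any hypervisor annotation whose base name merely contains `path`, which widens an allowlist that is meant to name specific settings. Either anchor each pattern where it is compiled (wrapping it as `^(?:pattern)$`) or state in the configuration comment that patterns are unanchored, and spell the contract out in the doc comment, which should also start with the function name: `// checkAnnotationNameIsValid reports whether an annotation may be honoured: names outside prefix are always accepted, names under prefix only if their base name matches an entry of list.`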
@@ -360,11 +368,15 @@ func SandboxID(spec specs.Spec) (string, error) {
 }
 
 func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
+ for key := range ocispec.Annotations {
+ if !checkAnnotationNameIsValid(runtime.HypervisorConfig.EnableAnnotations, key, vcAnnotations.KataAnnotationHypervisorPrefix) {
+ return fmt.Errorf("annotation %v is not enabled", key)
+ }
+ }
 err := addAssetAnnotations(ocispec, config)
 if err != nil {
 return err
 }
-
 if err := addHypervisorConfigOverrides(ocispec, config, runtime); err != nil {
 return err
 }
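Review bot: The new loop in addAnnotations rejects the whole sandbox on the first hypervisor annotation absent from the allowlist, but `fmt.Errorf("annotation %v is not enabled", key)` gives the operator no pointer to the setting involved, and `%v` on a user-supplied key hides empty or odd values that `%q` would show. Suggested: `return fmt.Errorf("annotation %q is not enabled by the hypervisor enable_annotations list", key)`, with a comment above the loop: `// Reject the sandbox if it carries a hypervisor annotation the enable_annotations allowlist does not cover; annotations under other prefixes are not gated here.` Since ocispec.Annotations is a map, which key is reported varies between runs when several are disallowed. addAnnotations continues past the end of the hunk.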