Revert "Kata: Release v3.2.0.azl0 for both vanilla and CC based on al…

…igned sources (microsoft#6942)" (microsoft#7920)

SPECS/kata-containers-cc/kata-containers-cc.signatures.json

@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89",
-    "kata-containers-cc-3.2.0.azl0-cargo.tar.gz": "7ff6c5f7f7aa31a99ea5d837876291d886b16c32f21b6d65d044fd398abff1e6",
-    "kata-containers-cc-3.2.0.azl0.tar.gz": "78f3749c848c77f0d54aa16a4f29209a07f3d4af30664c0d9212300ac364aaec"
+    "kata-containers-cc-0.6.3-cargo.tar.gz": "7ff6c5f7f7aa31a99ea5d837876291d886b16c32f21b6d65d044fd398abff1e6",
+    "kata-containers-cc-0.6.3.tar.gz": "1f366ce70bf83a239a7ec99334506adb28c3199157b4370840c3685378a34268"
   }
 }

SPECS/kata-containers-cc/kata-containers-cc.spec

@@ -1,6 +1,6 @@
 %global runtime_make_vars       DEFMEMSZ=256 \\\
+                                DEFSHAREDFS_CLH_SNP_VIRTIOFS=none \\\
                                 DEFSTATICSANDBOXWORKLOADMEM=1792 \\\
-                                DEFSNPGUEST=true \\\
                                 SKIP_GO_VERSION_CHECK=1
 
 %global agent_make_vars         LIBC=gnu \\\
@@ -9,15 +9,16 @@
 %global debug_package %{nil}
 
 Name:         kata-containers-cc
-Version:      3.2.0.azl0
-Release:      1%{?dist}
+Version:      0.6.3
+Release:      4%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
 Vendor:       Microsoft Corporation
 URL:          https://github.com/microsoft/kata-containers
-Source0:      https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:      %{name}-%{version}-cargo.tar.gz
-Source2:      mariner-coco-build-uvm.sh
+Source0:      https://github.com/microsoft/kata-containers/archive/refs/tags/cc-%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:      https://github.com/microsoft/kata-containers/archive/refs/tags/%{name}-%{version}.tar.gz
+Source2:      %{name}-%{version}-cargo.tar.gz
+Source3:      mariner-coco-build-uvm.sh
 
 ExclusiveArch: x86_64
 
@@ -69,7 +70,7 @@ This package contains the the tooling and files required to build the UVM
 %prep
 %autosetup -p1 -n %{name}-%{version}
 pushd %{_builddir}/%{name}-%{version}
-tar -xf %{SOURCE1}
+tar -xf %{SOURCE2}
 popd
 
 %build
@@ -137,7 +138,7 @@ pushd %{_builddir}/%{name}-%{version}
 rm tools/osbuilder/.gitignore
 rm tools/osbuilder/rootfs-builder/.gitignore
 
-install -D -m 0755 %{SOURCE2}           %{buildroot}%{osbuilder}/mariner-coco-build-uvm.sh
+install -D -m 0755 %{SOURCE3}           %{buildroot}%{osbuilder}/mariner-coco-build-uvm.sh
 install -D -m 0644 VERSION              %{buildroot}%{osbuilder}/VERSION
 install -D -m 0644 ci/install_yq.sh     %{buildroot}%{osbuilder}/ci/install_yq.sh
 install -D -m 0644 versions.yaml        %{buildroot}%{osbuilder}/versions.yaml
@@ -184,27 +185,14 @@ install -D -m 0755 kata-monitor %{buildroot}%{coco_bin}/kata-monitor
 install -D -m 0755 kata-runtime %{buildroot}%{coco_bin}/kata-runtime
 install -D -m 0755 data/kata-collect-data.sh %{buildroot}%{coco_bin}/kata-collect-data.sh
 
-# We deploy 3 configurations:
-# configuration-clh-snp: production Kata-CC - IGVM & image, confidential_guest=true, sev_snp_guest=true
-# configuration-clh-snp-debug: debug Kata-CC - kernel & image, confidential_guest=true, sev_snp_guest=false
-# configuration-clh (symlinked to by configuration.toml): vanilla Kata - kernel & initrd, confidential_guest=false, sev_snp_guest=false
-install -D -m 0644 config/configuration-clh-snp.toml %{buildroot}/%{defaults_kata}/configuration-clh-snp.toml
-install -D -m 0644 config/configuration-clh.toml %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
+# Note: we deploy two configurations - the additional one is for policy/snapshotter testing w/o SEV SNP or IGVM
 install -D -m 0644 config/configuration-clh.toml %{buildroot}/%{defaults_kata}/configuration-clh.toml
+install -D -m 0644 config/configuration-clh-snp.toml %{buildroot}/%{defaults_kata}/configuration-clh-snp.toml
 
-# Adapt configuration files:
-# - Change paths with locations specific to our distribution.
-sed --follow-symlinks -i 's|/usr|/opt/confidential-containers|g' %{buildroot}/%{defaults_kata}/configuration-clh*.toml
-# - Set up configuration-clh-snp-debug. Note that kernel and image are already
-#   set through configuration-clh.toml.in.
-sed -i 's|-igvm.img|-igvm-debug.img|g' %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
-sed -i '/^#confidential_guest =/s|^#||g' %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
-sed -i '/^#enable_debug =/s|^#||g' %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
-sed -i '/^#debug_console_enabled =/s|^#||g' %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
-sed -i 's|shared_fs = "virtio-fs"|shared_fs = "none"|g' %{buildroot}/%{defaults_kata}/configuration-clh-snp-debug.toml
-# - Set up configuration-clh.
-sed -i '/^#initrd =/s|^#||g' %{buildroot}/%{defaults_kata}/configuration-clh.toml
-sed -i '/^image =/s|^|#|g' %{buildroot}/%{defaults_kata}/configuration-clh.toml
+# adapt upstream config files
+# change paths with locations specific to our distribution
+sed -i 's|/usr|/opt/confidential-containers|g' %{buildroot}/%{defaults_kata}/configuration-clh.toml
+sed -i 's|/usr|/opt/confidential-containers|g' %{buildroot}/%{defaults_kata}/configuration-clh-snp.toml
 popd
 
 # tardev-snapshotter
@@ -287,11 +275,8 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
 
 %changelog
-*   Mon Feb 12 2024 Aurelien Bombo <[email protected]> - 3.2.0.azl0-1
--   Use Microsoft sources based on upstream Kata version 3.2.0.
-
-*   Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 0.6.3-4
--   Bump release to rebuild with go 1.21.6
+* Fri Feb 02 2024 CBL-Mariner Servicing Account <[email protected]> - 0.6.3-4
+- Bump release to rebuild with go 1.21.6
 
 *   Tue Jan 30 2024 Archana Choudhary <[email protected]> - 0.6.3-3
 -   Remove kernel-uvm-cvm(-devel) dependency

SPECS/kata-containers/0001-Append-systemd-kernel-cmdline-params-for-initrd.patch

@@ -0,0 +1,25 @@
+From 0503cd61a56ed09de60981fedecc226df3845860 Mon Sep 17 00:00:00 2001
+From: dallasd1 <[email protected]>
+Date: Wed, 26 Jul 2023 08:40:44 -0700
+Subject: [PATCH] Append systemd kernel cmdline params for initrd
+
+---
+ src/runtime/pkg/katautils/create.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/runtime/pkg/katautils/create.go b/src/runtime/pkg/katautils/create.go
+index 67ea03dcf..2c829a691 100644
+--- a/src/runtime/pkg/katautils/create.go
++++ b/src/runtime/pkg/katautils/create.go
+@@ -57,7 +57,7 @@ func getKernelParams(needSystemd, trace bool) []vc.Param {
+ }
+
+ func needSystemd(config vc.HypervisorConfig) bool {
+-	return config.ImagePath != ""
++	return config.ImagePath != "" || config.InitrdPath != ""
+ }
+
+ // HandleFactory  set the factory
+-- 
+2.17.1
+

SPECS/kata-containers/0001-Merged-PR-9607-Allow-10-seconds-for-VM-creation-star.patch

@@ -0,0 +1,28 @@
+From 590604dca0f6a0636933be21fc6a490c0f17af34 Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <[email protected]>
+Date: Tue, 16 Aug 2022 17:01:12 +0000
+Subject: [PATCH 2/3] Merged PR 9607: Allow 10 seconds for VM creation + start
+
+Allow 10 seconds for VM creation + start
+---
+ src/runtime/virtcontainers/clh.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
+index 71bd931..444d9de 100644
+--- a/src/runtime/virtcontainers/clh.go
++++ b/src/runtime/virtcontainers/clh.go
+@@ -688,7 +688,9 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error {
+ 	}
+ 	clh.state.PID = pid
+
+-	ctx, cancel := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
++	// FIXME - for now allow more than one second to create and start the VM.
++	//ctx, cancel := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
++	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+ 	defer cancel()
+
+ 	if err := clh.bootVM(ctx); err != nil {
+-- 
+2.25.1
+

SPECS/kata-containers/0001-osbuilder-Add-support-for-CBL-Mariner.patch

@@ -0,0 +1,122 @@
+From 36198274dcb4332f1acd445d2a80854232b1d236 Mon Sep 17 00:00:00 2001
+From: Dallas Delaney <[email protected]>
+Date: Thu, 26 Jan 2023 14:58:55 -0800
+Subject: [PATCH] osbuilder: Add support for CBL-Mariner
+
+Add osbuilder support to build a rootfs and image
+based on the CBL-Mariner Linux distro
+
+Fixes: #6462
+
+Signed-off-by: Dallas Delaney <[email protected]>
+---
+ tools/osbuilder/README.md                     | 14 +++++-----
+ .../rootfs-builder/cbl-mariner/Dockerfile.in  | 15 +++++++++++
+ .../rootfs-builder/cbl-mariner/config.sh      | 10 +++++++
+ .../rootfs-builder/cbl-mariner/rootfs_lib.sh  | 26 +++++++++++++++++++
+ 4 files changed, 58 insertions(+), 7 deletions(-)
+ create mode 100644 tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in
+ create mode 100644 tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
+ create mode 100644 tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+
+diff --git a/tools/osbuilder/README.md b/tools/osbuilder/README.md
+index 343d2bf60..9415de74e 100644
+--- a/tools/osbuilder/README.md
++++ b/tools/osbuilder/README.md
+@@ -80,7 +80,7 @@ filesystem components to generate an initrd.
+ 3. When generating an image, the initrd is extracted to obtain the base rootfs for
+ the image.
+
+-Ubuntu is the default distro for building the rootfs, to use a different one, you can set `DISTRO=alpine|clearlinux|debian|ubuntu`.
++Ubuntu is the default distro for building the rootfs, to use a different one, you can set `DISTRO=alpine|clearlinux|debian|ubuntu|cbl-mariner`.
+ For example `make USE_DOCKER=true DISTRO=alpine rootfs` will make an Alpine rootfs using Docker.
+
+ ### Rootfs creation
+@@ -209,9 +209,9 @@ of the the osbuilder distributions.
+ > Note: this table is not relevant for the dracut build method, since it supports
+ any Linux distribution and architecture where dracut is available.
+
+-|           |Alpine            |CentOS Stream     |Clear Linux       |Debian/Ubuntu     |
+-|--         |--                |--                |--                |--                |
+-|**ARM64**  |:heavy_check_mark:|:heavy_check_mark:|                  |                  |
+-|**PPC64le**|                  |:heavy_check_mark:|                  |:heavy_check_mark:|
+-|**s390x**  |                  |:heavy_check_mark:|                  |:heavy_check_mark:|
+-|**x86_64** |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
++|           |Alpine            |CentOS Stream     |Clear Linux       |Debian/Ubuntu     |CBL-Mariner       |
++|--         |--                |--                |--                |--                |--                |
++|**ARM64**  |:heavy_check_mark:|:heavy_check_mark:|                  |                  |                  |
++|**PPC64le**|                  |:heavy_check_mark:|                  |:heavy_check_mark:|                  |
++|**s390x**  |                  |:heavy_check_mark:|                  |:heavy_check_mark:|                  |
++|**x86_64** |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
+diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in b/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in
+new file mode 100644
+index 000000000..6fa29807d
+--- /dev/null
++++ b/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in
+@@ -0,0 +1,15 @@
++# Copyright (c) 2023 Microsoft Corporation
++#
++# SPDX-License-Identifier: Apache-2.0
++
++ARG IMAGE_REGISTRY=mcr.microsoft.com
++FROM ${IMAGE_REGISTRY}/cbl-mariner/base/core:@OS_VERSION@
++
++RUN tdnf -y install \
++    ca-certificates \
++    build-essential \
++    dnf \
++    git \
++    tar
++
++@INSTALL_RUST@
+diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
+new file mode 100644
+index 000000000..694124acd
+--- /dev/null
++++ b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
+@@ -0,0 +1,10 @@
++# Copyright (c) 2023 Microsoft Corporation
++#
++# SPDX-License-Identifier: Apache-2.0
++
++OS_NAME=cbl-mariner
++OS_VERSION=${OS_VERSION:-2.0}
++LIBC="gnu"
++PACKAGES="core-packages-base-image ca-certificates"
++[ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
++[ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
+diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+new file mode 100644
+index 000000000..0288d4d77
+--- /dev/null
++++ b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+@@ -0,0 +1,26 @@
++# Copyright (c) 2023 Microsoft Corporation
++#
++# SPDX-License-Identifier: Apache-2.0
++
++build_rootfs()
++{
++	# Mandatory
++	local ROOTFS_DIR="$1"
++
++	[ -z "$ROOTFS_DIR" ] && die "need rootfs"
++
++	# In case of support EXTRA packages, use it to allow
++	# users add more packages to the base rootfs
++	local EXTRA_PKGS=${EXTRA_PKGS:-""}
++
++	check_root
++	mkdir -p "${ROOTFS_DIR}"
++	PKG_MANAGER="tdnf"
++
++	DNF="${PKG_MANAGER} -y --installroot=${ROOTFS_DIR} --noplugins --releasever=${OS_VERSION}"
++
++	info "install packages for rootfs"
++	$DNF install ${EXTRA_PKGS} ${PACKAGES}
++
++	rm -rf ${ROOTFS_DIR}/usr/share/{bash-completion,cracklib,doc,info,locale,man,misc,pixmaps,terminfo,zoneinfo,zsh}
++}
+-- 
+2.33.8
+

SPECS/kata-containers/0002-Merged-PR-9671-Wait-for-a-possibly-slow-Guest.patch

@@ -0,0 +1,29 @@
+From ec322fec7e9c132c4caa0a93175320cb0d8fba73 Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <[email protected]>
+Date: Mon, 22 Aug 2022 22:02:31 +0000
+Subject: [PATCH 3/3] Merged PR 9671: Wait for a possibly slow Guest
+
+Wait for a possibly slow Guest
+
+On some Host VMs it takes longer than 30 seconds to connect to
+the Agent - e.g., if enable_debug is enabled for [hypervisor.clh].
+---
+ src/runtime/config/configuration-clh.toml.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
+index f09c095f..0ce7a98d 100644
+--- a/src/runtime/config/configuration-clh.toml.in
++++ b/src/runtime/config/configuration-clh.toml.in
+@@ -289,7 +289,7 @@ block_device_driver = "virtio-blk"
+
+ # Agent connection dialing timeout value in seconds
+ # (default: 30)
+-#dial_timeout = 30
++dial_timeout = 60
+
+ [runtime]
+ # If enabled, the runtime will log additional debug messages to the
+-- 
+2.17.1
+

SPECS/kata-containers/0003-Merged-PR-9805-Add-support-for-MSHV.patch

@@ -0,0 +1,27 @@
+From 67e4b4ceaefea83a1e5c77a7760fa1f9b37589f4 Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <[email protected]>
+Date: Thu, 1 Sep 2022 15:07:16 +0000
+Subject: [PATCH 09/10] Merged PR 9805: Add support for MSHV
+
+Cloud Hypervisor is able to use either /dev/mshv or /dev/kvm.
+---
+ src/runtime/pkg/resourcecontrol/cgroups.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go
+index 4210392d..d4608458 100644
+--- a/src/runtime/pkg/resourcecontrol/cgroups.go
++++ b/src/runtime/pkg/resourcecontrol/cgroups.go
+@@ -64,7 +64,8 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
+ 	// In order to run Virtual Machines and create virtqueues, hypervisors
+ 	// need access to certain character devices in the host, like kvm and vhost-net.
+ 	hypervisorDevices := []string{
+-		"/dev/kvm",         // To run virtual machines
++		"/dev/kvm",         // To run virtual machines using KVM
++		"/dev/mshv",        // To run virtual machines using MSHV
+ 		"/dev/vhost-net",   // To create virtqueues
+ 		"/dev/vfio/vfio",   // To access VFIO devices
+ 		"/dev/vhost-vsock", // To interact with vsock if
+-- 
+2.17.1
+

SPECS/kata-containers/0004-Merged-PR-9806-Fix-enable_debug-for-hypervisor.clh.patch

@@ -0,0 +1,28 @@
+From c844e8011f0726e2a371115c209d4c3d63273b3b Mon Sep 17 00:00:00 2001
+From: Daniel Mihai <[email protected]>
+Date: Thu, 1 Sep 2022 15:54:16 +0000
+Subject: [PATCH 10/10] Merged PR 9806: Fix enable_debug for [hypervisor.clh]
+
+Fix error when using enable_debug = true in configuration.toml:
+
+level=error msg="Error create pseudo tty"
+error="open /dev/ptmx: operation not permitted"
+---
+ src/runtime/pkg/resourcecontrol/cgroups.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go
+index d4608458..f674e97a 100644
+--- a/src/runtime/pkg/resourcecontrol/cgroups.go
++++ b/src/runtime/pkg/resourcecontrol/cgroups.go
+@@ -57,6 +57,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
+ 		"/dev/zero",
+ 		"/dev/urandom",
+ 		"/dev/console",
++		"/dev/ptmx",
+ 	}
+
+ 	// Processes running in a device-cgroup are constrained, they have acccess
+-- 
+2.17.1
+

SPECS/kata-containers/0005-Merged-PR-9956-shim-avoid-memory-hotplug-timeout.patch

@@ -0,0 +1,28 @@
+From 7fab743a43e4f2063d560161753f2b6390c7add6 Mon Sep 17 00:00:00 2001
+From: Dan Mihai <[email protected]>
+Date: Thu, 15 Sep 2022 20:50:12 +0000
+Subject: [PATCH] Merged PR 9956: shim: avoid memory hotplug timeout
+
+Wait up to 10 seconds for cloud-hypervisor memory hotplug.
+---
+ src/runtime/virtcontainers/clh.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
+index 118e1b4d..f18b6c6f 100644
+--- a/src/runtime/virtcontainers/clh.go
++++ b/src/runtime/virtcontainers/clh.go
+@@ -918,7 +918,9 @@ func (clh *cloudHypervisor) ResizeMemory(ctx context.Context, reqMemMB uint32, m
+ 	}
+
+ 	cl := clh.client()
+-	ctx, cancelResize := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
++	// FIXME: memory hotplug sometimes takes longer than 1 second.
++	// ctx, cancelResize := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
++	ctx, cancelResize := context.WithTimeout(ctx, 10*time.Second)
+ 	defer cancelResize()
+
+ 	resize := *chclient.NewVmResize()
+-- 
+2.17.1
+