Releases: kata-containers/kata-containers
Kata Containers 3.20.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-a0ae1b660-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aadad0c9b-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.12-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-a03dc3129-014ab2fce-30aff429d-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- Breaking change: In #11693 the annotation for passing through the initdata confidential containers feature was changed from io.katacontainers.config.runtime.cc_init_data to io.katacontainers.config.hypervisor.cc_init_data
- runtime-rs: Support hotplugging host block devices within qemu-rs by @Apokleos in #11579
- runtime-rs: support block device driver virtio-scsi within qemu-rs by @Apokleos in #11547
- build(deps): bump the openssl group across 4 directories with 1 update by @dependabot[bot] in #11372
- runtime-rs: Some extra work to enhance copyfile with sharedfs disabled by @Apokleos in #11621
- runtime-rs: Add full cgroups support on host by @justxuewei in #11598
- versions: Upgrade to Cloud Hypervisor v47.0 by @RuoqingHe in #11626
- dragonball: Fix warnings in default build by @RuoqingHe in #11618
- mem-agent: Ignore Cargo.lock by @RuoqingHe in #11613
- ci: Try passing api token into github api call by @stevenhorsman in #11619
- ci/gatekeeper: make run-k8s-tests-coco-nontee job required by @wainersm in #11385
- genpolicy: reduce complexity by @danmihai1 in #11553
- Updated Firecracker Version to 1.12.1 by @itsmohitnarayan in #11627
- gpu: AMD64 NVIDIA GPU CI/CD by @zvonkok in #11236
- build: nvidia: Fix KBUILD_SIGN_PIN breakage by @fidencio in #11645
- gpu: guest components by @zvonkok in #11639
- runtime: reproducible generation of Golang proto bindings by @burgerdev in #11632
- gha: Remove unnecessary install-azure-cli step by @sprt in #11637
- ci: static-checks: Auto-detect repo by default by @sprt in #11646
- tests: k8s-sandbox-vcpus-allocation debug info by @danmihai1 in #11651
- qemu: Respect the JSON schema for hot plug by @c3d in #11667
- runtime: virtio-fs: Support "metadata" cache mode by @sprt in #11060
- runtime-rs: make vcpu allocation more accurate by @pmores in #10580
- Align initdata annotation with kata-runtime by @Apokleos in #11653
- ci: cri-containerd: add 5s timeout for creating sandbox with crictl by @kevinzs2048 in #11669
- version: Bump QEMU to v10.0.0 by @fidencio in #11219
- ci: Remove stable by @zvonkok in #11660
- ci: static-checks: add SECURITY.md to exclude list by @sprt in #11666
- runtime-rs: Label system journal log with kata by @Apokleos in #11641
- agent-ctl: Add option "--vm" to boot pod VM for testing. by @Sumynwa in #11565
- versions: Bump golang to 1.23.12 by @stevenhorsman in #11676
- runtime: make SNP guest policy configurable by @katexochen in #11675
- genpolicy: support AddARPNeighbors by @burgerdev in #11663
- runtime-rs: add seccomp support for cloud hypervisor and firecracker by @was-saw in #11536
- CI: change the directory for Arm64 firmware by @kevinzs2048 in #11670
- runtime-rs: add seccomp support for qemu by @was-saw in #11525
- gpu: AMD64 NVIDIA GPU CI/CD Part 2 by @zvonkok in #11658
- ci: static-checks: Don't hardcode default repo branch by @sprt in #11683
- Feat | Implement initdata for bare-metal/qemu for s390x by @rafsal-rahim in #11640
- gatekeeper: GPU test required by @zvonkok in #11684
- versions: sync go.mod with versions.yaml for go 1.23.12 by @alextibbles in #11701
- runtime-rs: Add only static ARP entries with handle_neighours by @Apokleos in #11698
- versions: update to latest LTS kernel 6.12.42 by @alextibbles in #11691
- kata-types: remove default setting of guest_hook_path by @Apokleos in #11705
- CI: Introduce CI for libs to Improve code quality and reduce noises by @Apokleos in #11514
- versions: update kernel-confidential to Linux v6.16.1 by @mythi in #11634
- runtime-rs: Fix issues for initdata by @BbolroC in #11693
- Optimize sealed secret scanning to avoid full file reads by @Park-Jiyeonn in #11647
- release: Bump version to 3.20.0 by @zvonkok in #11706
New Contributors
- @itsmohitnarayan made their first contribution in #11627
- @was-saw made their first contribution in #11536
- @rafsal-rahim made their first contribution in #11640
- @alextibbles made their first contribution in #11701
- @Park-Jiyeonn made their first contribution in #11647
Full Changelog: 3.19.1...3.20.0
Kata Containers 3.19.1
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-ca4f96ed0-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-09efcfbd8-222393375-28929f5b3-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- dependencies: More crate bumps to resolve security issues by @stevenhorsman in #11603
- build(deps): bump unsafe-libyaml from 0.2.9 to 0.2.11 in /src/tools/kata-ctl by @dependabot[bot] in #11605
- build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy by @dependabot[bot] in #11606
- release: Bump version to 3.19.1 by @fidencio in #11604
Full Changelog: 3.19.0...3.19.1
Kata Containers 3.19.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-ca4f96ed0-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-2fe9df16c-222393375-222393375-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- tests: update container image for ci and unit test by @Redent0r in #11443
- build(deps): bump rustix in various components by @dependabot[bot] in #11378
- osbuilder: Update image-builder base to f42 by @stevenhorsman in #11440
- workflow: Remove code injection in helm login by @stevenhorsman in #11331
- ci: Update dependabot ignore list by @RuoqingHe in #11431
- ci: Remove duplicated rust-vmm dependencies by @RuoqingHe in #11448
- workflows: Pin action hashes by @stevenhorsman in #11420
- build(deps): bump the clap group across 6 directories with 1 update by @dependabot[bot] in #11405
- genpolicy: prevent corruption of the layer cache file by @charludo in #11426
- tests: k8s-policy-rc: print pod descriptions by @danmihai1 in #11444
- runtime-rs: Implement Initdata Spec Support in runtime-rs for CoCo by @Apokleos in #11181
- ci/static-checks: use oras cache for regorus by @katexochen in #11424
- runtime-rs: add the blockfile based rootfs support by @lifupan in #11466
- runtime-rs: fix the issue return the wrong volume by @lifupan in #11467
- versions: Bump protobuf to 3.7.2 by @stevenhorsman in #11441
- ci: Add scorecard action by @stevenhorsman in #11462
- runtime-rs: Support shared fs with "none" on non-tee platforms by @Apokleos in #11468
- runtime-rs: Add the memory and vcpu hotplug for cloud-hypervisor by @lifupan in #11422
- ci: Run zizmor for GHA security analysis by @sprt in #11392
- runtime-rs: Set default_maxvcpus to 0 by @fidencio in #11469
- runtime: improve EROFS snapshotter support by @hsiangkao in #11434
- tools: kata-monitor: update go version used to build in Dockerfile by @Redent0r in #11471
- versions: Bump guest-components by @stevenhorsman in #11461
- runtime-rs: Fix calculation of odd memory sizes by @fidencio in #11470
- runtime-rs: Add GPU annotations for remote hypervisor by @Apokleos in #11474
- version: Bump nydus-snapshotter by @stevenhorsman in #11484
- build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var by @fidencio in #11481
- workflows: Skip weekly coco stability tests by @stevenhorsman in #11479
- runtime-rs: support setting create_container timeout with request_timeout_ms for image pulling in guest by @Apokleos in #10693
- runtime-rs: Fix noise with frequently appearing in unstaged changes by @Apokleos in #11490
- genpolicy: add validation for storages by @arc9693 in #11248
- gha: Eliminate use of force-skip-ci label by @sprt in #11499
- test: fix broken testing code in libs by @zhaodiaoer in #11423
- kata-agent: mount.rs: Fix warning of test by @teawater in #11509
- runtime-rs: make the resize_vcpu api support sync by @lifupan in #11510
- security: ci: Fixes for Zizmor GHA security scanning by @sprt in #11475
- runtime-rs: refactor and fix the implementation of guest-pull by @Apokleos in #11482
- gpu: NVRC static build by @zvonkok in #11517
- Remove atty dependency by @stevenhorsman in #11506
- gpu: Update runtimeClasses for correct podoverhead by @zvonkok in #11336
- tools: port the dragonball kernel patch to 6.12.x by @lifupan in #11513
- tests: runtimeclasses: Adjust gpu runtimeclasses by @fidencio in #11530
- runtime-rs: add initdata annotation for remote hypervisor by @Apokleos in #11528
- workflows: adopting azure/setup-kubectl by @wainersm in #11523
- runtime: Fix rootlessDir not correctly set in rootless VMM mode by @StevenFryto in #11527
- Sev deprecation by @arvindskumar99 in #11380
- versions: bump opa 1.5.1 -> 1.6.0 by @katexochen in #11494
- runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file by @BbolroC in #11537
- tests: k0s: Always use latest version, apart from CRI-O tests by @fidencio in #11529
- libs: Remove lockfile for libs by @RuoqingHe in #11545
- runtime-rs: Add vfio support with coldplug for cloud-hypervisor by @Apokleos in #11540
- runtime-rs: Switch tempdir to tempfile by @stevenhorsman in #11549
- gh: Fix released VERSION file by @fidencio in #11554
- runtime-rs: Change default block device driver from virtio-scsi to virtio-blk-* by @Apokleos in #11491
- tests/k8s: instrument some tests for debugging by @wainersm in #11519
- runtime-rs | trace-forwarder: Bump chrono crate version by @stevenhorsman in #11550
- versions: Bump idna crate to >= 1.0.3 by @stevenhorsman in #11521
- mem-agent: Update to https://github.com/teawater/mem-agent/tree/kata-20250627 by @teawater in #11480
- Rust advisory fixes pre 3.19.0 by @stevenhorsman in #11555
- ci: Make qemu-coco-dev for s390x (zVSI) required again by @BbolroC in #11564
- gpu: Add proper TDX config path by @zvonkok in #11568
- Remove gpu admin tools by @zvonkok in #11567
- runtime-rs: Fix initdata length field missing when create block by @Apokleos in #11557
- build: Fix cache for nvidia-gpu-initrd builds by @fidencio in https://github.com/kata-containers/kata-c...
Kata Containers 3.18.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-0f8e45351-cebb259e5-aae64fa3d-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
Notable updates
What's Changed
- tests/k8s: increase wait time of KBS service ingress by @wainersm in #11293
- tests/k8s: better tests reporting for CI by @wainersm in #11130
- osbuilder: lib.sh: Fix indent by @Rtoax in #11267
- runtime-rs: fix vfio pci address domain 0001 problem by @sampleyang in #11254
- tests/k8s: delint confidential_kbs.sh by @wainersm in #11294
- kernel: support CONFIG_TMPFS_XATTR=y by @hsiangkao in #11308
- Drop outdated erofs patches for 6.1.y kernels & fix a dragonball vsock issue by @hsiangkao in #10964
- tools.testing: Add methods to simplify gatekeeper development by @ldoktor in #11270
- ci.ocp: A couple of peer-pods setup improvements by @ldoktor in #11266
- runtime-rs: fix the issue of delete cgroup failed by @lifupan in #11301
- runtime-rs: Propagate k8s configs correctly when sharedfs is disabled by @Apokleos in #11240
- runtime: add option to force guest pull by @katexochen in #11244
- runtime-rs: add support hotplugging vfio device for qemu-rs by @Apokleos in #10362
- workflows: gatekeeper: Update permissions by @stevenhorsman in #11320
- workflows: Delete workflows by @stevenhorsman in #11319
- workflow: Update gatekeeper permissions by @stevenhorsman in #11323
- workflows: Add explicit permissions for attestation by @stevenhorsman in #11322
- genpolicy: fix svc_name regex by @katexochen in #11314
- Explicitly set top level permissions for each workflow by @stevenhorsman in #11326
- workflow: add packages: write to csi-driver publish by @stevenhorsman in #11333
- runtime: fix cgroupv2 deletion when sandbox_cgroup_only=false by @Champ-Goblem in #11324
- agent: increase LimitNOFILE in the systemd service by @Champ-Goblem in #11327
- rust: Update cgroups-rs to its v0.3.5 release by @fidencio in #11346
- kernel: Add CONFIG_TUN (needed for VPNs) and move mem-agent related configs to common by @fidencio in #11344
- Fix | Support initdata for SNP by @Xynnn007 in #11329
- image: custom guest rootfs image file size alignment by @danmihai1 in #11340
- doc: Add Helm Chart entry by @zvonkok in #10748
- workflows: Add dependabot config by @stevenhorsman in #11016
- ci: Require agent-ctl tests by @sprt in #11339
- Upgrade ttrpc-codegen and protobuf to kill #![allow(box_pointers)] by @RuoqingHe in #11376
- Switch docker hub mirroring to ghcr.io by @stevenhorsman in #11383
- runtime: remove hotplug_vfio_on_root_bus from config.toml by @kimullaa in #11317
- ci: fix artifact name of RISC-V tarball by @burgerdev in #11387
- workflows: Replace secrets: inherit by @stevenhorsman in #11334
- genpolicy: improvements to /etc/passwd checks by @burgerdev in #11358
- dragonball: Remove a useless dead_code attribute by @justxuewei in #11357
- runtime-rs: Log error instead of format by @RuoqingHe in #11381
- ci: Fix Mariner rootfs build failure by @sprt in #11396
- runtime-rs: Reduce the number of duplicate log entries being printed by @justxuewei in #11377
- runtime-rs: Skip test on RISC-V architecture by @RuoqingHe in #11391
- libs: Bump chrono package by @stevenhorsman in #11393
- ci: Use OIDC to log into Azure by @sprt in #11388
- Revert "ci: Fix Mariner rootfs build failure" by @sprt in #11398
- ci: gha: Remove ok-to-test label on every push by @sprt in #11397
- protocols: Fix the noise caused by non-formatted codes in protocols by @Apokleos in #11345
- runtime-rs: Add TDX Support to runtime-rs for Confidential Containers (CoCo) by @Apokleos in #11179
- Enables block device and disable virtio-fs by @Apokleos in #11343
- nvidia-rootfs: only copy kata-opa if AGENT_POLICY is enabled by @Champ-Goblem in #11407
- versions: Bump Rust from 1.80.0 to 1.85.1 by @RuoqingHe in #11305
- runtime-rs: Support shared_fs = "none" for CoCo by @Apokleos in #10697
- runk: Switch users crate by @stevenhorsman in #11411
- Revert "ci: gha: Remove ok-to-test label on every push" by @sprt in #11417
- build(deps): bump the tracing group across 7 directories with 1 update by @dependabot in #11374
- genpolicy: fix rules syntax issues, rego v1 compatibility; ci: checks for rego parsing by @katexochen in #11412
- runtime: build variable for disable_image_nvdimm=true by @danmihai1 in #11402
- agent: add feature flag to secure_mount method by @Redent0r in #11418
- runtime-rs: add the memory prealloc support for qemu/ch by @lifupan in #11416
- workflows: Set persist-credentials: false on checkout by @stevenhorsman in #11389
- Fix logging on virtiofs shutdown by @pawelbeza in #11359
- gitignore: ignore direnv by @katexochen in #11419
- runtime-rs: Support Pull Image in Guest with Kata Volume for CoCo by @Apokleos in #10698
- Enable cri-containerd-tests for arm64 by @seungukshin in https://github.com/kata-conta...
Kata Containers 3.17.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-75ac09bab-1.80.0-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.7-rust-1.80.0-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-9a4432d19-9a03815f1-f8c5aa6df-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.80.0-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- kernel: Add CONFIG_TASKSTATS (and related) configs by @fidencio in #11186
- kata-types: Optimize memory adjusting by only gathering memory info by @Apokleos in #11166
- kata-sys-utils: Introduce pcilibs for getting pci devices info by @Apokleos in #10579
- ci: Extend basic s390x tests by @Jakob-Naucke in #11044
- ci: Remove run-k8s-tests-coco-nontee from required tests by @BbolroC in #11201
- runtime: clh: Add reclaim_guest_freed_memory [BACKPORT] by @fidencio in #11185
- versions: Bump golang version by @stevenhorsman in #11098
- build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 in /src/runtime by @dependabot in #11161
- rust: High severity security bumps april 25 by @stevenhorsman in #11203
- build(deps): bump crossbeam-channel from 0.5.14 to 0.5.15 in /src/agent by @dependabot in #11175
- tests: confidential: Add KBS logging by @stevenhorsman in #10882
- ci.ocp: Add peer-pods setup script by @ldoktor in #10940
- GHA: Add VFIO-AP to s390x nightly tests for CoCo by @BbolroC in #11212
- build(deps): bump tokio from 1.38.0 to 1.44.2 in /src/tools/runk by @dependabot in #11210
- tests/k8s: fix kbs installation on Azure AKS by @wainersm in #11164
- genpolicy: Align GID behavior with CRI and enable GID policy checks. by @Camelron in #11077
- build(deps): bump tokio from 1.38.0 to 1.38.2 in /src/runtime-rs by @dependabot in #11208
- dragonball: Remove package lockfiles by @stevenhorsman in #11211
- ci: revert temp: ci: Fix AKS cluster creation by @Camelron in #11223
- runtime: remove wrong xfs options by @kimullaa in #11206
- Runtime rs centralise workspace config by @stevenhorsman in #11217
- versions: Bump golang.org/x/net by @stevenhorsman in #11204
- build(deps): bump crossbeam-channel from 0.5.13 to 0.5.15 in /src/mem-agent by @dependabot in #11174
- dragonball: Put local dependencies into workspace by @RuoqingHe in #11146
- gpu: Set the ARCH explicitly for driver builds by @zvonkok in #11228
- runtime: remove wrong qemu-system-x86_64 option by @kimullaa in #11230
- shimv2: fix the issue logger write failed by @lifupan in #11209
- agent: netlink: Only add an ipv6 address if ipv6 is enabled by @fidencio in #11227
- runtime-rs: Upgrade rust-netlink crates by @RuoqingHe in #11202
- EROFS Snapshotter Support in Kata by @ChengyuZhu6 in #11172
- build(deps): bump openssl from 0.10.57 to 0.10.72 by @dependabot in #11225
- runtime: add the mtu support for updating routes by @lifupan in #11232
- build(deps): bump tokio from 1.44.0 to 1.44.2 by @dependabot in #11226
- kata-debug: Make path resolution more robust by @kimullaa in #11116
- runtime: Add Path for kata-deploy by @kimullaa in #11123
- agent: Support RISC-V 64-bit architecture by @ncppd in #10512
- build(deps): bump openssl from 0.10.60 to 0.10.72 in /src/tools/kata-ctl by @dependabot in #11235
- Crio annotations update by @stevenhorsman in #10833
- tests: k8s: Retry output of kubectl exec in k8s-cpu-ns by @stevenhorsman in #11141
- genpolicy: improve validation for mounts by @arc9693 in #11127
- Bind/associate for VFIO-AP by @Jakob-Naucke in #11076
- genpolicy: support secrets to be referenced for pod envs by @3u13r in #10986
- versions: Update tempfile crate by @stevenhorsman in #11250
- helm: Avoid appending the multiInstallSuffix several times by @fidencio in #11199
- agent: use safe-path to replace secure_join by @houstar in #11242
- runtime/config: Add VFIO config for IBM SEL by @BbolroC in #11262
- ci: gatekeeper: skip docker tests by @stevenhorsman in #11255
- versions: Bump golang.org/x/oauth2 by @stevenhorsman in #11253
- build(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.2.0 in /src/runtime by @dependabot in #11243
- Rust vulns 9th may 2025 by @stevenhorsman in #11251
- build(deps): bump ring from 0.17.8 to 0.17.14 in /src/tools/agent-ctl by @dependabot in #11241
- helm: release: Publish our helm charts to the OCI registries by @fidencio in #11264
- kata-deploy: Avoid changing any component path in case of restart by @fidencio in #11258
- osbuilder: ubuntu: Switch from multistrap to mmdebstrap by @skazi0 in #11246
- Bump: libz-sys crate to address CVE by @chathuryaadapa in #11265
- Enable edk2 for arm64 by @seungukshin in #11272
- confidential guest kernel hardening changes by @mythi in #11257
- ci: k8s: arm: Enable skipped tests by @fidencio in #11274
- genpolicy: Enable AdditionalGids checks in rules.rego by @Camelron in #11214
- runtime-rs: Introduce PCIe Port devices in runtime-rs for qemu-rs by @Apokleos in #10578
- runtime: Fix logging for remote hypervisor by @bpradipt in #11287
- config: Fix typos by @Rtoax in #11283
- kata-deploy: fix bug when config does not exist by @kimullaa in #11093
- runtime-rs: add the ephemeral memory based volume support by @lifupan in https://github.com/kata-containers/ka...
Kata Containers 3.16.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-76ca12d22-75ac09bab-1.80.0-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-75ac09bab-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.11-rust-1.80.0-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-2a1762859-fd6c16e20-8b49564c0-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.80.0-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- tests: k8s: retry "kubectl exec" on empty output by @danmihai1 in #11024
- build: drop libtdx-attest by @mythi in #11046
- ci: Generalize GITHUB_RUNNER_CI_ARM64 by @RuoqingHe in #11061
- kata-deploy: return exit code for invalid argument by @kimullaa in #11069
- metrics: Test improvements by @stevenhorsman in #11010
- genpolicy: add support for BUILD_TYPE=debug by @danmihai1 in #11075
- genpolicy: Refactor tests to allow different request types in a testcases json. by @Sumynwa in #11074
- tests: kata-deploy: The rest of the ground work to rewrite the kata-deploy tests by @fidencio in #10984
- ci: shellcheck fixes by @ldoktor in #11053
- tests: Make sure /etc/containerd before writing config by @BbolroC in #11086
- tests: k8s: clean-up shellcheck warnings in tests_common.sh by @danmihai1 in #11059
- runtime-rs: update the protobuf to 3.7.1 by @lifupan in #11063
- runtime: Support and enable build on riscv64 by @RuoqingHe in #11056
- ci: Update static-checks strings by @stevenhorsman in #11058
- kata-deploy: Fix kata-cleanup's CrashLoopBackOff by @kimullaa in #11088
- gatekeeper: Add kata-deploy tests as required by @fidencio in #11091
- runtime-rs: Remove redundant empty line by @RuoqingHe in #11101
- tests: Enable sealed secrets for all TEEs by @BbolroC in #11081
- runtime-go: qemu: Fix sandbox start failing with virtio-mem enable on arm64 by @kevinzs2048 in #11085
- kata-deploy: remove the double "/" by @kimullaa in #11100
- kernel: Update the usage in readme by @kimullaa in #11066
- kata-deploy: Create runtimeclasses by default by @fidencio in #11104
- kata-deploy: add INSTALLATION_PREFIX validation by @kimullaa in #11097
- agent: Allow users to build without guest-pull by @fidencio in #11114
- ci: Enable build-kata-static-tarball-riscv64.yaml by @RuoqingHe in #11094
- policy: Add missing input validations for ExecProcessRequest by @Ankita13-code in #11103
- runtime: qemu: add support to use TDX QGS via Unix Domain Sockets by @mythi in #11057
- versions: Upgrade to Cloud Hypervisor v45.0 by @likebreath in #10724
- docs: Add how-to-use-memory-agent.md to howto by @teawater in #11014
- versions: Bump LTS kernel by @fidencio in #11121
- ci: Remove metric jobs by @stevenhorsman in #11128
- runtime-rs: Extend runtime-rs workspace and centralize local dependencies by @RuoqingHe in #11129
- runtime-rs: Simplify iommu group base name extraction from symlink by @Apokleos in #10938
- ci: required-tests fixes/updates by @stevenhorsman in #11090
- ci: Update gatekeeper tests for md files by @stevenhorsman in #10678
- agent: Inherit rust workspace settings by @stevenhorsman in #11106
- doc: Update required job process by @stevenhorsman in #11105
- rust: Add rust-toolchain.toml by @stevenhorsman in #11134
- build: User-facing improvements for the build scripts by @fidencio in #11142
- ci.ocp: Override default runtimeclass CPU resources by @ldoktor in #11026
- gpu: Update creation permissions by @zvonkok in #10999
- ci: demote CoCo non-TEE to non-required from gatekeeper by @wainersm in #11157
- rootfs: Don't remove files from the rootfs by default by @gkurz in #11126
- genpolicy: Add container_id & related policy container data to state. by @Sumynwa in #11113
- runtime-rs: Use bitwise or assign for bitflags by @RuoqingHe in #11158
- workflows: Add apt update before install by @stevenhorsman in #11173
- versions: Switch gperf mirror by @stevenhorsman in #11178
- gpu: Fix CDI annotations by @zvonkok in #11150
- Feat | Implement initdata for bare-metal/qemu hypervisor by @Xynnn007 in #10610
- ci: retry genpolicy execution by @danmihai1 in #11184
- temp: ci: Fix AKS cluster creation by @sprt in #11189
- build: Allow users to build the go, rust, or both runtimes by @fidencio in #11153
- release: Bump version to 3.16.0 by @fidencio in #11191
New Contributors
- @kevinzs2048 made their first contribution in #11085
- @Ankita13-code made their first contribution in #11103
Full Changelog: 3.15.0...3.16.0
Kata Containers 3.15.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-8d4e72f0d-75ac09bab-1.80.0-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-75ac09bab-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.11-rust-1.80.0-75ac09bab-x86_64
- tools: quay.io/kata-containers/builders:tools-26bd7989b-fd6c16e20-b7786fbcf-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.83.0-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- genpolicy: bump oci-distribution to v0.12.0 by @katexochen in #10896
- agent: make policy feature optional again by @katexochen in #10895
- example: Use multi-arch image for test-deploy-kata-qemu.yaml by @BbolroC in #10894
- ci: Fix spell_check and improve header_check by @RuoqingHe in #10893
- gpu: QEMU SNP+TDX experimental updates by @zvonkok in #10867
- QEMU TDX experimental workflow by @zvonkok in #10868
- tests: Support systemd unit files in /usr/lib as well as /lib by @BbolroC in #10903
- agent: clear log pipes if denied by policy by @burgerdev in #10818
- GHA: Turn off MEASURED_ROOTFS in build-kata-static-tarball-s390x by @BbolroC in #10904
- shim-v2: Remove MEASURED_ROOTFS assignment for s390x by @BbolroC in #10906
- IOMMUFD GPU enhancement by @zvonkok in #10743
- dragonball: Appease clippy, setup workspace and centralize RustVMM by @RuoqingHe in #10780
- Disabling Nesting Check for SNP upstream by @arvindskumar99 in #10784
- minor build fixes by @mythi in #10881
- agent: Fix race condition with cgroup watchers by @sprt in #10911
- arm: ci: k8s: Enable CI by @fidencio in #10929
- workflows: Refactor publish workflows by @stevenhorsman in #10932
- build: Drop redundant ARCH override by @RuoqingHe in #10921
- gpu: IOMMUFD fix by @zvonkok in #10931
- runtime-rs: TEE support framework by @pmores in #10819
- agent: Fix non-guest-pull build by @fidencio in #10934
- runtime: add cause to CDI errors by @burgerdev in #10935
- genpolicy: add get_process_fields to CronJob by @burgerdev in #10654
- ci: Enable partial components build-check on riscv by @RuoqingHe in #10831
- genpolicy: fail when layer can't be processed by @katexochen in #10925
- genpolicy: support sysctls from PodSpec and environment defaults by @burgerdev in #10652
- workflows: Add codeql config by @stevenhorsman in #10930
- ci: k8s: Pin k0s version to get cri-o tests back working by @stevenhorsman in #10883
- versions: update confidential initrd to 22.04 by @ryansavino in #10803
- ci: arm64: Skip tests that depend on virt on non-virt capable runners by @fidencio in #10950
- ci: Add shellcheckrc by @zvonkok in #10953
- kata-deploy: Update kata-deploy to support microk8s by @stalb in #10846
- kata-deploy: k0s: Fix drop-in path by @fidencio in #10960
- gpu: add module signing by @zvonkok in #10870
- Fix virtio-net-ccw by @Jakob-Naucke in #10817
- gpu: fix init symlinks by @zvonkok in #10965
- Shell check errors fix by @stevenhorsman in #10958
- runtime: Properly set default hyp loglevel to 1 by @Camelron in #10955
- Rework and fix metrics issues by @stevenhorsman in #10954
- runtime-rs: Enable Dragonball only for x86_64 & aarch64 by @RuoqingHe in #10963
- agent: Fix default linux device permissions by @zvonkok in #10976
- agent: Enable VFIO and initContainers by @zvonkok in #10971
- agent: fix permisssion according to runc by @zvonkok in #10982
- tests: Bring back kata-deploy tests by @fidencio in #10966
- runtime: Remove console=ttysclp0 for s390x by @BbolroC in #10981
- kata-types: Fix bugs related to annotations in kata-types by @Apokleos in #10937
- runtime-rs: Fix log_level's comments in configuration-dragonball.toml.in by @teawater in #10975
- runtime-rs: Enable IBM SE for QEMU by @BbolroC in #10862
- ci: cri-containerd: upgrade the LTS / Active versions for containerd by @lifupan in #10876
- runtime-rs: remove snp certs path support from qemu-rs by @pmores in #10941
- runtime-rs: Remove s390x conditional compilation by @RuoqingHe in #10985
- add the Route flags suport when adding the route in the guest by @lifupan in #10760
- kata-deploy: Use docker.io for all architectures by @RuoqingHe in #10987
- gha: always delete workspace on rebase error by @danmihai1 in #10992
- runtime-rs: Add mem-agent config to clh and qemu config file by @teawater in #10998
- tests: k8s: log kubectl exec ouput by @danmihai1 in #11000
- ci: Refactor matrix for build-checks by @RuoqingHe in #10948
- ci: temporarily avoid using the Mariner Host image by @danmihai1 in #10973
- tests: fix confidential ssh Dockerfile by @ryansavino in #11006
- tests: k8s: skip trusted storage tests for qemu-tdx by @mythi in #11009
- runtime-rs: Add guest swap support by @teawater in #10994
- workflows: shellcheck: Expand vendor ignore by @stevenhorsman in #10990
- ci: Change the way we modify runtimeclass in webhook by @ldoktor in #10892
- runtime: upgrade grpc vendor dependency by @ms-mahuber in #11003
- kernel: Support and enable riscv kernel build by @RuoqingHe in #11001
- ci: Add coco required tests by @stevenhorsman in #10967
- genpolicy: Introduce UpdateRoutesRequest rules in genpolicy-settings by @...
Kata Containers 3.14.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-8d4e72f0d-75ac09bab-1.80.0-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-75ac09bab-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.11-rust-1.80.0-75ac09bab-x86_64
- tools: quay.io/kata-containers/builders:tools-ec0af6fbd-78b96a6e2-72833cb00-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.83.0-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- virtiofsd: Update ubuntu to 22.04 for gnu target by @RuoqingHe in #10741
- gpu: Fix rootfs build by @zvonkok in #10736
- gpu: Add rootfs target amd64/arm64 by @zvonkok in #10764
- Revert "gpu: Add rootfs target amd64/arm64" by @zvonkok in #10769
- ci: Unify on $GH_PR_NUMBER environment variable by @sprt in #10754
- Add reclaim_guest_freed_memory config to qemu and cloud-hypervisor by @teawater in #10711
- gpu: Add kernel dep for the non coco use-case by @zvonkok in #10770
- ci: Retry on failure of Create AKS cluster by @RuoqingHe in #10773
- agent: Update ttrpc to include the fix for connectivity issues by @fidencio in #10775
- workflows: Switch to github-hosted arm runners by @stevenhorsman in #10776
- agent: Ensure proper cgroupsV2 handling with init_mode=true by @zvonkok in #10778
- libs/kata-types: Remove config enable_swap by @teawater in #10762
- gpu: Fix arm64 kernel build by @zvonkok in #10777
- rootfs-confidential: Ensure systemd is used as init by @fidencio in #10755
- rootfs: minor systemd file deletion cleanup by @danmihai1 in #10732
- kernel: Ensure no cgroupsv1 is used by @fidencio in #10720
- workflows: Move arm static checks runner by @stevenhorsman in #10779
- virtiofsd: Enable build for RISC-V by @RuoqingHe in #10740
- Remove shebang in non-executable completion script by @balintTobik in #10766
- build(deps): bump the go_modules group across 3 directories with 1 update by @dependabot in #10768
- metrics: Increase minval range for blogbench test by @stevenhorsman in #10782
- versions: Bump Ubuntu base image & initrd by @fidencio in #10794
- kernel: Add CONFIG_TMPFS_XATTR to tdx.conf by @JakubLedworowski in #10790
- gpu: Add driver version selection by @zvonkok in #10749
- agent: Add proper activation param handling to activate cgroupV2 by @zvonkok in #10785
- Enable VFIO-AP coldplug for s390x by @BbolroC in #10767
- egrep/fgrep removal by @balintTobik in #10805
- packaging: virtiofsd: Allow building a specific commit by @stevenhorsman in #10823
- build(deps): bump github.com/golang/glog from 1.2.0 to 1.2.4 in /src/tools/csi-kata-directvolume in the go_modules group across 1 directory by @dependabot in #10807
- snp: update kata to use latest upstream packages for snp by @ryansavino in #10751
- versions: Fix formatting by @stevenhorsman in #10828
- versions: Bump golang version by @stevenhorsman in #10827
- workflows: Add delete kata-deploy timeouts for crio tests by @stevenhorsman in #10826
- CLH: config: add hypervisor_loglevel by @Camelron in #10811
- gpu: Fix arm64 build by @zvonkok in #10812
- Updates in prep of rust 1.80 bump by @stevenhorsman in #10824
- local-build: Do not build measured rootfs on s390x by @BbolroC in #10841
- tests: disable k8s-policy-job.bats on coco-dev by @danmihai1 in #10842
- Rust 1.80.0 bump by @stevenhorsman in #10806
- gpu: Add first target and fix extratarballs by @zvonkok in #10791
- ci: Only use the Ubuntu TDX machine in the CI by @fidencio in #10857
- workflows: build: Do not store unnecessary content on the tarball by @fidencio in #10860
- sandbox: Add the sandbox api support by @lifupan in #10716
- gha: Add shellcheck by @zvonkok in #10814
- Clean the config block_device_cache_direct of runtime-rs by @teawater in #10850
- gpu: enable confidential initrd build by @zvonkok in #10866
- Skipping SNP and SEV from deploying and deleting Snapshotter by @arvindskumar99 in #10810
- packaging: Move builds to Ubuntu 22.04 by @fidencio in #10864
- dragonball: Appease clippy by @RuoqingHe in #10839
- policy: add policy crate and add network namespace check to policy by @3u13r in #10613
- ci: k8s: Bump kcli image version by @stevenhorsman in #10869
- ci: Update yq to v4.44.5 to support riscv64 by @RuoqingHe in #10832
- tests: Skip block volume test on fc, stratovirt by @stevenhorsman in #10874
- CI: Deprecate SEV by @AdithyaKrishnan in #10877
- packaging(release): Properly handle version tag for the release bundle by @ananos in #10879
- Add process to init subcgroup when we're using dind with cgroups v2 by @antoine-gaillard in #10845
- agent: Bump image-rs to 514c561d93 by @fidencio in #10851
- agent: Bump agent crates to resolve CVEs by @stevenhorsman in #10885
- version: Bump kernel to 6.12.13 by @fidencio in #10787
- gpu: Update config files by @zvonkok in #10786
- gpu: agent cdi timeout by @zvonkok in #10878
- release: Bump version to 3.14.0 by @ananos in #10880
- release: Remove artifacts for release by @zvonkok in #10890
New Contributors
- @RuoqingHe made their first contribution in #10741
- @balintTobik made their first contribution in #10766
- @arvindskumar99 made their first contribution in https://github.com/kata-containers/kat...
Kata Containers 3.13.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-8d4e72f0d-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aff3d98dd-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-69ed4bc3b-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-9c8b20b2b-x86_64
- tools: quay.io/kata-containers/builders:tools-d15a7baed-2068801b8-5218345e3-fb87bf221-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.83.0-musl-0af353632-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- release: Abort if release version exists by @stevenhorsman in #10675
- doc: Update the release process by @stevenhorsman in #10668
- packaging: fix the broken usage help by @deagon in #9387
- tests: Fix qemu-coc-dev skip by @stevenhorsman in #10676
- doc: Add required jobs info by @stevenhorsman in #10380
- workflows: Add timeout to some ppc64le steps by @stevenhorsman in #10685
- workflows: Add more ppc64le timeouts by @stevenhorsman in #10686
- Add mem-agent to kata by @teawater in #10626
- runtime-rs: Remove unneeded mut from new_hypervisor() by @justxuewei in #10683
- kata-ctl: direct-volume: Auto create KATA_DIRECT_VOLUME_ROOT_PATH by @teawater in #10696
- CI: change the containerd tarball name from cri-containerd-cni to containerd by @lifupan in #10702
- versions: Move kernel to the latest 6.12 release (the current LTS) by @fidencio in #10468
- metrics: Increase latency minimum range by @stevenhorsman in #10718
- tests: Re-enable oom tests for mariner by @fidencio in #10717
- Update Trustee and Guest Components by @fitzthum in #10541
- virtiofsd: Update to its v1.13.0 ( + one patch) release :-) by @fidencio in #10714
- tests/gha-run-k8s-common: shorten AKS cluster name by @wainersm in #9871
- metrics: Increase latency test range by @stevenhorsman in #10721
- runtime: use actual booleans for QMP device_add boolean options by @msanft in #10719
- versions: Bump trustee to latest by @BbolroC in #10730
- agent: alternative implementation for sealed_secret as volume by @bpradipt in #10674
- rootfs: reduced console output by default by @danmihai1 in #10731
- image: bump mariner guest version to 3.0 by @danmihai1 in #10727
- tests: Introduce retry_kubectl_apply() for trusted storage by @BbolroC in #10735
- runtime: skip empty Guest console output lines by @danmihai1 in #10738
- release: Bump version to 3.13.0 by @zvonkok in #10742
Full Changelog: 3.12.0...3.13.0
Kata Containers 3.12.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-8d4e72f0d-107265821-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-c95ae5a50-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aff3d98dd-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-69ed4bc3b-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.22.2-rust-1.75.0-9c8b20b2b-x86_64
- tools: quay.io/kata-containers/builders:tools-95fc58510-59ed19e8b-3fb91dd63-fb87bf221-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.72.0-musl-c99ba42d6-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- ci: Re-enable SNP CI by @AdithyaKrishnan in #10558
- osbuilder: Fix build dependency of ubuntu rootfs with Docker by @coolljt0725 in #10377
- ci: Required jobs by @ldoktor in #10447
- osbuilder: Drop Clear Linux by @fidencio in #10520
- gpu: NVIDIA GPU initrd/image build by @zvonkok in #10464
- docs: Fix several build failures when I tried the procedures in "Kata Containers with AMD SEV-SNP VMs" by @kimullaa in #10386
- ci: Fix error on self-hosted machines by @zvonkok in #10516
- genpolicy: avoid regorus warning by @danmihai1 in #10543
- runtime-rs: fix vfio device name combination issue by @Apokleos in #10577
- kata-deploy: Support containerd configuration version 3 by @fidencio in #10584
- workflows: Remove rootfs binary artifacts by @stevenhorsman in #10586
- agent: fix startup when guest_components_procs is set to none by @squarti in #10583
- kata-deploy: Use drop-in files whenever it's possible by @fidencio in #10585
- coco: ci: Lay groundwork for compiling and publishing CSI driver image [1/x] by @sprt in #10561
- runtime: clh: addNet() logging clean-up by @danmihai1 in #10564
- gha: Unbreak CI and work around workflow limit by @sprt in #10589
- ci: unbreak: Reallow no-op builds by @sprt in #10594
- Unbreak the CI, 3rd attempt by @fidencio in #10597
- gatekeeper: add run-k8s-tests-on-zvsi(devmapper) to required jobs by @BbolroC in #10595
- ci: Fix variant for confidential targets by @zvonkok in #10590
- ci: Fix Docker publishing for CSI driver by @sprt in #10609
- policy: add constants to rules.rego by @Redent0r in #10592
- policy: ignore optional metadata uid field by @Redent0r in #10608
- ci: Fix Docker publishing for CSI driver, 2nd try by @sprt in #10612
- coco: ci: Fully implement compilation of CSI driver and require it for CoCo tests [2/x] by @sprt in #10563
- Add subchannel support to qemu-runtime-rs for s390x by @BbolroC in #10574
- genpolicy: align state path getter and setter by @3u13r in #10604
- runtime: skip logging some of the dial errors by @danmihai1 in #10607
- workflows: Fix remove artifact name filter by @stevenhorsman in #10615
- metrics: Increase minval range for failing tests by @stevenhorsman in #10588
- tests: Skip k8s job test on qemu-coco-dev by @stevenhorsman in #10617
- ci.gatekeeper: Update existing results by @ldoktor in #10572
- kata-deploy: Add support to multi-installation by @fidencio in #10551
- release: helm: Add the chart as part of the release by @fidencio in #10627
- runtime: Set memory config shared=false when shared_fs=None in CLH. by @Sumynwa in #10548
- Action lint workflow by @stevenhorsman in #10631
- policy: improve pod namespace validation by @Redent0r in #10593
- Revert "ci: Skip the failing tests in SNP" by @ryansavino in #10581
- runtime-rs: Fix the issues with stderr fifo by @justxuewei in #10638
- runtime-rs: Ignore BUILD_TYPE if it is not release by @justxuewei in #10641
- runtime-rs & agent: Fix the issues with bind volumes by @justxuewei in #10643
- qemu: Upgrade qemu 9.1.2 by @zvonkok in #10492
- vfio-ap: Assign default string "0" for empty APID and APQI by @BbolroC in #10660
- kata-ctl: fix outdated comments by @liubogithub in #10655
- release: Bump version to 3.12.0 by @zvonkok in #10663
- qemu: Fix aarch64 build by @zvonkok in #10669
- workflows: Remove potential timing issues with artifacts by @stevenhorsman in #10620
New Contributors
- @coolljt0725 made their first contribution in #10377
- @kimullaa made their first contribution in #10386
Full Changelog: 3.11.0...3.12.0