edgelesssys · katexochen · Feb 3, 2025 · Jan 31, 2025
@@ -19,7 +19,7 @@ let
 
     src = fetchzip {
       url = "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.xz";
-      hash = "sha256-a0clnxq1vtaq9QpmFO6UBkU5Ecc5LcjqCH6/R7NBXMw=";
+      hash = "sha256-fp86V1ioD8Ga1FM/4a7fN8o67woW4Kz8D6Tgix2VuTI=";
       stripRoot = false;
     };
 

@@ -42,7 +42,7 @@ Signed-off-by: Tom Dohrmann <[email protected]>
  create mode 100644 src/agent/src/tdx.rs
 
 diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
-index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde70ac7d64 100644
+index f94f936f6b0695164daaf09bce98c37894f3e1cb..06cd71212acbbe2093c195c0c40a8817e2d88deb 100644
 --- a/src/agent/Cargo.lock
 +++ b/src/agent/Cargo.lock
 @@ -605,6 +605,12 @@ version = "0.6.3"
@@ -126,7 +126,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  [[package]]
  name = "iovec"
  version = "0.1.4"
-@@ -3047,6 +3086,8 @@ dependencies = [
+@@ -3048,6 +3087,8 @@ dependencies = [
   "serde",
   "serde_json",
   "serial_test",
@@ -135,15 +135,15 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
   "slog",
   "slog-scope",
   "slog-stdlog",
-@@ -3064,6 +3105,7 @@ dependencies = [
+@@ -3065,6 +3106,7 @@ dependencies = [
   "tracing-subscriber",
   "ttrpc",
   "url",
 + "vmm-sys-util",
   "vsock-exporter",
   "which",
  ]
-@@ -4054,6 +4096,12 @@ dependencies = [
+@@ -4070,6 +4112,12 @@ dependencies = [
   "tokio-stream",
  ]
 
@@ -156,7 +156,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  [[package]]
  name = "ordered-stream"
  version = "0.2.0"
-@@ -5500,6 +5548,15 @@ dependencies = [
+@@ -5526,6 +5574,15 @@ dependencies = [
   "syn 1.0.109",
  ]
 
@@ -172,7 +172,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  [[package]]
  name = "serde-enum-str"
  version = "0.4.0"
-@@ -5519,6 +5576,15 @@ version = "0.2.2"
+@@ -5545,6 +5602,15 @@ version = "0.2.2"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"
 
@@ -188,7 +188,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  [[package]]
  name = "serde_derive"
  version = "1.0.204"
-@@ -5622,6 +5688,28 @@ dependencies = [
+@@ -5648,6 +5714,28 @@ dependencies = [
   "syn 1.0.109",
  ]
 
@@ -217,7 +217,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  [[package]]
  name = "sha1"
  version = "0.10.6"
-@@ -6656,6 +6744,9 @@ name = "uuid"
+@@ -6682,6 +6770,9 @@ name = "uuid"
  version = "1.10.0"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314"
@@ -227,7 +227,7 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
 
  [[package]]
  name = "valuable"
-@@ -6675,6 +6766,16 @@ version = "0.9.4"
+@@ -6701,6 +6792,16 @@ version = "0.9.4"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
@@ -245,10 +245,10 @@ index 67b1830278ca52904a73c6281693049cb5d85283..d53facd717f2428f7790d5b65bdf4bde
  name = "vsock"
  version = "0.2.6"
 diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
-index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d09187c02d24 100644
+index 6b0ab344c18b06fc09d7e09f68b51e8498a71587..8efa57bd87686bed26a143a1febda1979c52469e 100644
 --- a/src/agent/Cargo.toml
 +++ b/src/agent/Cargo.toml
-@@ -88,6 +88,11 @@ regorus = { version = "0.2.6", default-features = false, features = [
+@@ -89,6 +89,11 @@ regorus = { version = "0.2.6", default-features = false, features = [
  cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
  json-patch = "2.0.0"
 
@@ -260,7 +260,7 @@ index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d091
  [dev-dependencies]
  tempfile = "3.1.0"
  test-utils = { path = "../libs/test-utils" }
-@@ -106,7 +111,7 @@ lto = true
+@@ -107,7 +112,7 @@ lto = true
  default-pull = ["guest-pull"]
  seccomp = ["rustjail/seccomp"]
  standard-oci-runtime = ["rustjail/standard-oci-runtime"]
@@ -270,7 +270,7 @@ index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d091
 
  [[bin]]
 diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
-index 17d1d34a147d58fe6cab10d21b54af4fffc4be63..033aac8530390129638d6feff64818d3ebbce20d 100644
+index c4df5f4aeccfd812669bac7c8069f11b6d943924..e3cd549673847328169e97968a37881d3334b67e 100644
 --- a/src/agent/src/main.rs
 +++ b/src/agent/src/main.rs
 @@ -85,6 +85,10 @@ mod tracer;
@@ -1293,7 +1293,7 @@ index 24a67bdd9e591ead96fbaea473cb662526dedbf3..3f5f84afffeec6fed0ba624408158425
 +	assert.Equal(expectedOut, devices)
  }
 diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
-index 33244bc5358c7b50fdc9dcced29c13e24d2e0e39..8cfb80dcde865aa679c12f68173ae168d38c4b20 100644
+index 3711da7f5eace937aa96c10208406b6f1752adcf..4192cb93845e789ed449e017843ad3cca92a3b31 100644
 --- a/src/runtime/virtcontainers/sandbox.go
 +++ b/src/runtime/virtcontainers/sandbox.go
 @@ -613,6 +613,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor

@@ -200,7 +200,7 @@ index 400b6f1386e1b4a1a4cda1e3e3da2f66640165c7..53e77d82c88912488ead9052f44e3973
 -    }
  }
 diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
-index 0a1c6d34adfffcbc3aef1b55a77556b8b82e85c0..b3888633744a718586069314a192c9c0fd92459e 100644
+index 5f2a3eb955ea427478c842ba80ad2a17299b182f..fd824e9ec26728bf8088939aac7a1edb6d886aac 100644
 --- a/src/agent/src/rpc.rs
 +++ b/src/agent/src/rpc.rs
 @@ -58,7 +58,7 @@ use rustjail::process::ProcessOperations;
@@ -221,7 +221,7 @@ index 0a1c6d34adfffcbc3aef1b55a77556b8b82e85c0..b3888633744a718586069314a192c9c0
  // Convenience function to obtain the scope logger.
  fn sl() -> slog::Logger {
      slog_scope::logger()
-@@ -226,15 +224,6 @@ impl AgentService {
+@@ -227,15 +225,6 @@ impl AgentService {
          // cannot predict everything from the caller.
          add_devices(&sl(), &req.devices, &mut oci, &self.sandbox).await?;
 

@@ -20,10 +20,10 @@ Fixes: #10680
  1 file changed, 15 insertions(+), 7 deletions(-)
 
 diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
-index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc3723b30a 100644
+index fd824e9ec26728bf8088939aac7a1edb6d886aac..cb5dac7a4a941e11fb9a086ff01633672364902a 100644
 --- a/src/agent/src/rpc.rs
 +++ b/src/agent/src/rpc.rs
-@@ -637,11 +637,11 @@ impl AgentService {
+@@ -638,11 +638,11 @@ impl AgentService {
 
      async fn do_read_stream(
          &self,
@@ -38,7 +38,7 @@ index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc
 
          let term_exit_notifier;
          let reader = {
-@@ -857,8 +857,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -889,8 +889,12 @@ impl agent_ttrpc::AgentService for AgentService {
          _ctx: &TtrpcContext,
          req: protocols::agent::ReadStreamRequest,
      ) -> ttrpc::Result<ReadStreamResponse> {
@@ -53,7 +53,7 @@ index b3888633744a718586069314a192c9c0fd92459e..4714084d7912f18b3a4a788559ad91fc
      }
 
      async fn read_stderr(
-@@ -866,8 +870,12 @@ impl agent_ttrpc::AgentService for AgentService {
+@@ -898,8 +902,12 @@ impl agent_ttrpc::AgentService for AgentService {
          _ctx: &TtrpcContext,
          req: protocols::agent::ReadStreamRequest,
      ) -> ttrpc::Result<ReadStreamResponse> {

@@ -11,14 +11,14 @@
 
 buildGoModule rec {
   pname = "kata-runtime";
-  version = "3.12.0";
+  version = "3.13.0";
 
   src = applyPatches {
     src = fetchFromGitHub {
       owner = "kata-containers";
       repo = "kata-containers";
       rev = version;
-      hash = "sha256-0pJx8ASUeJjLubu/QV72avntkaU3b5PC5V1H54SrPIs=";
+      hash = "sha256-xBEK+Tczc4MVnETx5sV9sb5/myxLeP7YDDigTroN4Lg=";
     };
 
     patches = [
@@ -114,30 +114,25 @@ buildGoModule rec {
       # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10633
       ./0017-genpolicy-support-guest-hooks.patch
 
-      # Correctly type QEMU QMP command options for the `device_add` command.
-      # See: https://github.com/kata-containers/kata-containers/pull/10719
-      # TODO(msanft): Remove once upstream PR is released.
-      ./0018-runtime-use-actual-booleans-for-QMP-device_add-boole.patch
-
       # Revert CDI support in kata-agent, which breaks legacy mode GPU facilitation which
       # we currently use.
       # TODO(msanft): Get native CDI working, which will allow us to drop this patch / undo the revert.
       # See https://dev.azure.com/Edgeless/Edgeless/_workitems/edit/5061
-      ./0019-agent-remove-CDI-support.patch
+      ./0018-agent-remove-CDI-support.patch
 
       # This adds support for annotations with dynamic keys *and* values to Genpolicy.
       # This is required for e.g. GPU containers, which get annotated by an in-cluster
       # component (i.e. after policy generation based on the Pod spec) with an annotation
       # like `cdi.k8s.io/vfioXY`, where `XY` corresponds to a dynamic ID.
       # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10745
-      ./0020-genpolicy-support-dynamic-annotations.patch
+      ./0019-genpolicy-support-dynamic-annotations.patch
 
       # This allows denying ReadStream requests without blocking the container on its
       # stdout/stderr, by redacting the streams instead of blocking them.
       # Upstream:
       # * https://github.com/kata-containers/kata-containers/issues/10680
       # * https://github.com/kata-containers/kata-containers/pull/10818
-      ./0021-agent-clear-log-pipes-if-denied-by-policy.patch
+      ./0020-agent-clear-log-pipes-if-denied-by-policy.patch
     ];
   };