Now that we have a security page on the website with the Cure53 security
audit downloadable from there, update the README to point there and remove
the PDF from our docs/ directory.
Signed-off-by: Phil Estes <estesp@amazon.com>
Update instructions for enabling NRI. Remove the now
unnecessary step of creating an NRI configuration file.
Add a note about the shared default NRI socket path
preventing two NRI-enabled runtimes from being run with the
default configuration on a single node.
Remove a leftover/half sentence that slipped through in
an earlier commit.
Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
`*` was left out and therefore the `/bin` directory is also copied over, while the following commands assume the files are copied to `containerd`.
Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
- Add Target to mount.Mount.
- Add UnmountMounts to unmount a list of mounts in reverse order.
- Add UnmountRecursive to unmount deepest mount first for a given target, using
moby/sys/mountinfo.
Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
Signed-off-by: Swagat Bora <sbora@amazon.com>
Add spans around image unpack operations
Use image.ref to denote image name and image.id for the image config digest
Add top-level span and record errors in the CRI instrumentation service
This PR updates the URL for the kata containers reference about
how to use kata containers and containerd for untrusted workloads.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Referencing the raw link to the containerd.service may enhance the developer experience by enabling those following the docs to use the raw link directly to `wget` or `curl` the file without additional navigation.
Signed-off-by: Kyle L Frisbie <KyleFrisbie@users.noreply.github.com>
Updated some documentation for devmapper snapshotter plugin.
Made consistent use of "thin-pool", "Device Mapper" when referring to
the volume management framework, and "devmapper" when referring to the
snapshotter plugin itself.
Also added some additional resources / reorg.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>
Since containerd doesn't have a GenerateSpec method any longer, the spec has to be generated with WithNewSpec.
Signed-off-by: Yakul Garg <2000yeshu@gmail.com>
This patch adds support for a container annotation and two separate
pod annotations for controlling the blockio class of containers.
The container annotation can be used by a CRI client:
"io.kubernetes.cri.blockio-class"
Pod annotations specify the blockio class in the K8s pod spec level:
"blockio.resources.beta.kubernetes.io/pod"
(pod-wide default for all containers within)
"blockio.resources.beta.kubernetes.io/container.<container_name>"
(container-specific overrides)
Correspondingly, this patch adds support for --blockio-class and
--blockio-config-file to ctr, too.
This implementation follows the resource class annotation pattern
introduced in RDT and merged in commit 893701220.
Signed-off-by: Antti Kervinen <antti.kervinen@intel.com>