Survey

Please take the Kata Containers survey:

• https://openinfrafoundation.formstack.com/forms/kata_containers_user_survey

This will help the Kata Containers community understand:

• how you use Kata Containers
• what features and improvements you would like to see in Kata Containers

Libseccomp Notices

The kata-agent binaries inside the Kata Containers images provided with this release are statically linked with the following GNU LGPL-2.1 licensed libseccomp library.

• libseccomp

The kata-agent uses the libseccomp v2.6.0 which is not modified from the upstream version. However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.

Kata Containers builder images

• agent (on all its different flavours): quay.io/kata-containers/builders:agent-6f787300c-c9cd79655-1.89-x86_64
• Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-229481b34-x86_64
• OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-e02e22643-x86_64
• QEMU (on all its different flavurs): quay.io/kata-containers/builders:qemu-b2c943931-x86_64
• shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.11-rust-1.89-1872af7c5-x86_64
• tools: quay.io/kata-containers/builders:tools-ca29e68ac-1a76d44e1-183507bee-a0d96256f-x86_64
• virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-2962e14c1-x86_64

Installation

Follow the Kata installation instructions.

NOTE FOR PEOPLE BUILDING THE KATA AGENT FROM SOURCE

Some downstream build systems have high standards when it comes to reproducibility. This usually involves pedantic checks on dependencies to ensure everything is strait. In the case of rust, one such test is cargo check --locked that fails if Cargo.lock needs an update to match Cargo.toml.

$ cd src/agent/
$ cargo check --locked
error: the lock file Cargo.lock needs to be updated but --locked was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --locked
flag and use --offline instead.

Consistency of Cargo.toml and Cargo.lock is usually achieved by the contributor. But we don't have anything in place to verify it in CI and nits can fall through the cracks. Such a nit was released with Kata Container 3.25.

Anyone encountering problems when building the agent from this release should consider applying https://github.com/kata-containers/kata-containers/commit/cf3441bd2c0b7b1b5a13eefd1e359728e0b72924 on top of the official sources.

Depreciation notice

runk has not been supported, or tested by the kata community for over a year, so it is officially deprecated in 3.25.0, with a plan to remove it in 3.26.0.

What's Changed

• gatekeeper: Make s390x e2e tests required again by @BbolroC in https://github.com/kata-containers/kata-containers/pull/12234
• kata-deploy: Remove deprecated features from 3.23.0 by @fidencio in https://github.com/kata-containers/kata-containers/pull/12229
• kata-deploy: sa: Fix permissions for patching nodefeaturerules by @fidencio in https://github.com/kata-containers/kata-containers/pull/12232
• packaging: Add ORAS cache for gperf and busybox tarballs by @fidencio in https://github.com/kata-containers/kata-containers/pull/12183
• runtime-rs: handle container missing during kill_process gracefully by @M-Phansa in https://github.com/kata-containers/kata-containers/pull/12167
• build: Move runtime-rs to root workspace by @RuoqingHe in https://github.com/kata-containers/kata-containers/pull/12148
• kata-tools: Create a smaller tarball only for kata-tools by @fidencio in https://github.com/kata-containers/kata-containers/pull/12171
• agent: Ensure MS_REMOUNT is respected by @fidencio in https://github.com/kata-containers/kata-containers/pull/11642
• gatekeeper: Adjust to kata-tools by @fidencio in https://github.com/kata-containers/kata-containers/pull/12245
• helm: Provide kata-remote runtime class by @fidencio in https://github.com/kata-containers/kata-containers/pull/12243
• kata-deploy: Oxidize the script by @fidencio in https://github.com/kata-containers/kata-containers/pull/12152
• build: Fix GPG key for gperf & Pass PUSH_TO_REGISTRY and GH_TOKEN to Docker builds by @fidencio in https://github.com/kata-containers/kata-containers/pull/12247
• runtime-rs: Enable VFIO-AP passthrough (hotplug only) on s390x by @BbolroC in https://github.com/kata-containers/kata-containers/pull/12180
• runtime: nvidia: Align on cold-plug and static_sandbox_resource_mgmt by @fidencio in https://github.com/kata-containers/kata-containers/pull/12250
• versions: Bump experimental {tdx,snp} QEMU by @fidencio in https://github.com/kata-containers/kata-containers/pull/12251
• dragonball: Use unique name for vhost path by @RuoqingHe in https://github.com/kata-containers/kata-containers/pull/12254
• tests: cc: add test with SNP reference values by @fitzthum in https://github.com/kata-containers/kata-containers/pull/12191
• versions: Update several components by @fidencio in https://github.com/kata-containers/kata-containers/pull/12244
• runtime-rs: Block Device Rootfs Mount Options Lost During Storage Object Creation by @zhangls-0524 in https://github.com/kata-containers/kata-containers/pull/12169
• genpolicy: support fsGroup setting in pod security context by @burgerdev in https://github.com/kata-containers/kata-containers/pull/11935
• CI: Upgrade log details for improved error analysis by @Apokleos in https://github.com/kata-containers/kata-containers/pull/12204

New Contributors

• @zhangls-0524 made their first contribution in https://github.com/kata-containers/kata-containers/pull/12169
• @romoh made their first contribution in https://github.com/kata-containers/kata-containers/pull/12208
• @facorazza made their first contribution in https://github.com/kata-containers/kata-containers/pull/12312
• @Xander-C made their first contribution in https://github.com/kata-containers/kata-containers/pull/11501

Full Changelog: https://github.com/kata-containers/kata-containers/compare/3.24.0...3.25.0