Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
This will help the Kata Containers community understand:
how you use Kata Containers
what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
libseccomp
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-b00013c71-x86_64
OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-af919686a-x86_64
QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-2f73e34e3-x86_64
Starting with Kata Containers v3.23.0, a new structured configuration format is available for configuring shims. This provides better type safety, clearer organization, and per-shim configuration options.
See the full set of changes at https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy/helm-chart#structured-configuration
Migration from Legacy Format
The legacy env.* configuration format is deprecated and will be removed in 2 releases. Users are encouraged to migrate to the new structured format.
Deprecated fields (will be removed in 2 releases):
Add NVIDIA CUDA vectoradd test and refactor NIM test by @manuelh-dev in https://github.com/kata-containers/kata-containers/pull/11889
runtime-rs: supporting the CLH VMM process running in non-root mode by @StevenFryto in https://github.com/kata-containers/kata-containers/pull/11862
runtime-rs: introduce VM template lifecycle and integration by @jiuyi123 in https://github.com/kata-containers/kata-containers/pull/11828
readme: install: Drop outdated documentation by @fidencio in https://github.com/kata-containers/kata-containers/pull/11990
kata-deploy: Automatically deploy NodeFeatureRules for TEEs by @fidencio in https://github.com/kata-containers/kata-containers/pull/11933
libs: Fix formatting issue by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/11995
gpu: Add libs for CC by @zvonkok in https://github.com/kata-containers/kata-containers/pull/11993
dragonball: Bump kvm-ioctls to fix security issue by @spectator333 in https://github.com/kata-containers/kata-containers/pull/11867
kata-ctl: add factory subcommands for VM template management by @jiuyi123 in https://github.com/kata-containers/kata-containers/pull/11816
tests: k8s: Remove tests running on GitHub provided runner by @fidencio in https://github.com/kata-containers/kata-containers/pull/12003
gpu: Handle VFIO and IOMMUFD by @zvonkok in https://github.com/kata-containers/kata-containers/pull/11977
chroot: Add NVRC release do not compile from github by @zvonkok in https://github.com/kata-containers/kata-containers/pull/11937
kata-deploy: Add more per-arch options & Add defaultRuntimeClassName by @fidencio in https://github.com/kata-containers/kata-containers/pull/11992
kata-deploy: Add NFD as a dependency by @fidencio in https://github.com/kata-containers/kata-containers/pull/11998
scripts: release: Run helm dependencies update by @fidencio in https://github.com/kata-containers/kata-containers/pull/12014
golang: Update to 1.24.9 by @fidencio in https://github.com/kata-containers/kata-containers/pull/12019
kata-deploy: Move runtimeClass creation out of the scripts by @fidencio in https://github.com/kata-containers/kata-containers/pull/12013
tests: k8s: reduce test time for unexpected CreateContainerRequest errors by @danmihai1 in https://github.com/kata-containers/kata-containers/pull/12016
tests: Add stability tests for experimental-force-guest-pull by @fidencio in https://github.com/kata-containers/kata-containers/pull/12018
tests: Align kata-deploy helm's uninstall by @fidencio in https://github.com/kata-containers/kata-containers/pull/11630
tests: Stop testing on stratovirt by @fidencio in https://github.com/kata-containers/kata-containers/pull/12006
runtime: Clear outer CDI annotations by @manuelh-dev in https://github.com/kata-containers/kata-containers/pull/12010
Revert "tests: Do not enable NFD on s390x" by @fidencio in https://github.com/kata-containers/kata-containers/pull/12029
tests: disable the cpu hotplug test for coco dev runtime by @lifupan in https://github.com/kata-containers/kata-containers/pull/12025
tests: guest-pull: Fix names by @fidencio in https://github.com/kata-containers/kata-containers/pull/12028
docs: Update devmapper containerd plugin name by @antonipp in https://github.com/kata-containers/kata-containers/pull/12031
kata-deploy: Add missing runtimeClasses by @fidencio in https://github.com/kata-containers/kata-containers/pull/12026
ci: Onboard another NVIDIA machine by @fidencio in https://github.com/kata-containers/kata-containers/pull/12034
kata-deploy: Add per arch ALLOWED_HYPERVISOR_ANNOTATIONS by @fidencio in https://github.com/kata-containers/kata-containers/pull/12027
ci: Fix failing static checks to enable IBM actionspz - Z specific by @BbolroC in https://github.com/kata-containers/kata-containers/pull/11924
runtime-rs: enable pselect6 syscall for dragonball seccomp by @lifupan in https://github.com/kata-containers/kata-containers/pull/12037
tests: gpu: cc: Run GPU tests on CC mode by @fidencio in https://github.com/kata-containers/kata-containers/pull/12035
runtime-rs: Add support LocalStorage for emptyDir within nontee cases by @Apokleos in https://github.com/kata-containers/kata-containers/pull/11921
runtime-rs: some remote hypervisor fixes by @pmores in https://github.com/kata-containers/kata-containers/pull/11857
tests: nvidia: Deploy Trustee by @fidencio in https://github.com/kata-containers/kata-containers/pull/12041
ci: k8s: re-enable genpolicy testing for mariner hosts by @danmihai1 in https://github.com/kata-containers/kata-containers/pull/11994
Disable guest emptydir by @Apokleos in https://github.com/kata-containers/kata-containers/pull/12046
ci: nvidia: Ensure K8S_TEST_HOST_TYPE=baremetal by @fidencio in https://github.com/kata-containers/kata-containers/pull/12023
agent: update version.rs when VERSION file changed by @danmihai1 in https://github.com/kata-containers/kata-containers/pull/12051
webhook: allow privileged containers by @Redent0r in https://github.com/kata-containers/kata-containers/pull/12008
runtime-rs: read sev params from processor by @pmores in https://github.com/kata-containers/kata-containers/pull/10968
tests: nvidia: cc: Use experimental_force_guest_pull (when possible) by @fidencio in https://github.com/kata-containers/kata-containers/pull/12040
build(deps): bump github.com/opencontainers/runc from 1.2.6 to 1.2.8 in /src/runtime by @dependabot[bot] in https://github.com/kata-containers/kata-containers/pull/12032
agent: Support both virtio-blk and virtio-scsi block devices for initdata by @Apokleos in https://github.com/kata-containers/kata-containers/pull/11986
deploy: Improve busybox build by @manuelh-dev in https://github.com/kata-containers/kata-containers/pull/12048
genpolicy: Correct caps matcher for runtime-rs by @Apokleos in https://github.com/kata-containers/kata-containers/pull/11985
build(deps): bump github.com/containerd/containerd from 1.7.27 to 1.7.29 in /src/runtime by @dependabot[bot] in https://github.com/kata-containers/kata-containers/pull/12039
runtime-rs: Fix several incorrect settings with guest empty dir. by @Apokleos in https://github.com/kata-containers/kata-containers/pull/12067
ci: Drop docker tests by @fidencio in https://github.com/kata-containers/kata-containers/pull/12058
tests: Correct unexpected capability for policy failure test by @Apokleos in https://github.com/kata-containers/kata-containers/pull/12061
ci: Remove stratovirt & docker tests from required by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12071
build(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 in /src/runtime by @dependabot[bot] in https://github.com/kata-containers/kata-containers/pull/12052
versions: Bump Trustee by @fidencio in https://github.com/kata-containers/kata-containers/pull/12055
riscv: Introduce its own nightly tests by @fidencio in https://github.com/kata-containers/kata-containers/pull/12057
genpolicy: support full DeploymentSpec, JobSpec; cleanup CronJobSpec by @katexochen in https://github.com/kata-containers/kata-containers/pull/12068
runtime-rs: fix the issue of hot-unplug memory smaller by @lifupan in https://github.com/kata-containers/kata-containers/pull/12038
tools.kata-webhook: Add support for only-filter by @ldoktor in https://github.com/kata-containers/kata-containers/pull/11030
tests: Enforce qemu-coco-dev for experimental_force_guest_pull by @fidencio in https://github.com/kata-containers/kata-containers/pull/12077
workflows: Switch to ubuntu-24.04-arm runner by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12078
Add preliminary support for EROFS native rwlayers by @hsiangkao in https://github.com/kata-containers/kata-containers/pull/12079
ci: Switch gatekeeper auth header by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12082
Runtime rs qemu coco dev config by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/11447
github: run agent checks for Power on ppc64le instead of ubuntu-24.04-ppc64le by @Amulyam24 in https://github.com/kata-containers/kata-containers/pull/12069
retire adler dependency by @burgerdev in https://github.com/kata-containers/kata-containers/pull/12075
genpolicy: ci: re-enable policy tests for coco-dev by @danmihai1 in https://github.com/kata-containers/kata-containers/pull/12081
kernel: adds nft bridging and filtering support for IPv4 and IPv6 by @skaegi in https://github.com/kata-containers/kata-containers/pull/11952
Update kata-rbac.yaml by @nheinemans-asml in https://github.com/kata-containers/kata-containers/pull/12084
kata-deploy: make it more user-friendly by @fidencio in https://github.com/kata-containers/kata-containers/pull/12070
runtime-rs: fix the issue of wrong vcpu number by @lifupan in https://github.com/kata-containers/kata-containers/pull/12095
kata-deploy: try-kata-values.yaml -> values.yaml by @fidencio in https://github.com/kata-containers/kata-containers/pull/12093
csi-kata-directvolume: Bump xz module by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12098
runtime: fix the issue of update interface error by @lifupan in https://github.com/kata-containers/kata-containers/pull/12044
Adler removal by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12097
release: Bump version to 3.23.0 by @stevenhorsman in https://github.com/kata-containers/kata-containers/pull/12101
New Contributors
@jiuyi123 made their first contribution in https://github.com/kata-containers/kata-containers/pull/11828
@spectator333 made their first contribution in https://github.com/kata-containers/kata-containers/pull/11867
@antonipp made their first contribution in https://github.com/kata-containers/kata-containers/pull/12031
@nheinemans-asml made their first contribution in https://github.com/kata-containers/kata-containers/pull/12084
Full Changelog: https://github.com/kata-containers/kata-containers/compare/3.22.0...3.23.0