Releases: kata-containers/kata-containers
Kata Containers 3.25.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.6.0, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-6f787300c-c9cd79655-1.89-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-229481b34-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-e02e22643-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-b2c943931-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.11-rust-1.89-1872af7c5-x86_64
- tools: quay.io/kata-containers/builders:tools-ca29e68ac-1a76d44e1-183507bee-a0d96256f-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-2962e14c1-x86_64
Installation
Follow the Kata installation instructions.
Deprecation notice
runk has not been supported or tested by the Kata community for over a year, so it is officially deprecated in 3.25.0, with a plan to remove it in 3.26.0.
What's Changed
- gatekeeper: Make s390x e2e tests required again by @BbolroC in #12234
- kata-deploy: Remove deprecated features from 3.23.0 by @fidencio in #12229
- kata-deploy: sa: Fix permissions for patching nodefeaturerules by @fidencio in #12232
- packaging: Add ORAS cache for gperf and busybox tarballs by @fidencio in #12183
- runtime-rs: handle container missing during kill_process gracefully by @M-Phansa in #12167
- build: Move runtime-rs to root workspace by @RuoqingHe in #12148
- kata-tools: Create a smaller tarball only for kata-tools by @fidencio in #12171
- agent: Ensure MS_REMOUNT is respected by @fidencio in #11642
- gatekeeper: Adjust to kata-tools by @fidencio in #12245
- helm: Provide kata-remote runtime class by @fidencio in #12243
- kata-deploy: Oxidize the script by @fidencio in #12152
- build: Fix GPG key for gperf & Pass PUSH_TO_REGISTRY and GH_TOKEN to Docker builds by @fidencio in #12247
- runtime-rs: Enable VFIO-AP passthrough (hotplug only) on s390x by @BbolroC in #12180
- runtime: nvidia: Align on cold-plug and static_sandbox_resource_mgmt by @fidencio in #12250
- versions: Bump experimental {tdx,snp} QEMU by @fidencio in #12251
- dragonball: Use unique name for vhost path by @RuoqingHe in #12254
- tests: cc: add test with SNP reference values by @fitzthum in #12191
- versions: Update several components by @fidencio in #12244
- runtime-rs: Block Device Rootfs Mount Options Lost During Storage Object Creation by @zhangls-0524 in #12169
- genpolicy: support fsGroup setting in pod security context by @burgerdev in #11935
- CI: Upgrade log details for improved error analysis by @Apokleos in #12204
- tests: nvidia: Update NIM/RAG samples by @manuelh-dev in #12240
- kata-deploy: rust: Add list verb for runtimeclasses RBAC by @fidencio in #12260
- nydus-snapshotter: Bump to v0.15.10 by @fidencio in #12263
- tests: remove re-delcared local variable in k8s-empty-dirs.bats by @BbolroC in #12266
- workflows: payload: do not remove AGENT_TOOLSDIRECTORY by @shwetha-s-poojary in #12272
- Preparations for the rust 1.90 bump by @stevenhorsman in #12255
- dragonball: Skip tests require kvm while kvm is absent by @RuoqingHe in #12259
- Bump rust to 1.88 by @stevenhorsman in #12271
- tests: Make the tests coco-dev job with coco-dev-runtime-rs required by @Apokleos in #12156
- use-cases: drop Intel QuickAssist instructions by @mythi in #12287
- versions: Bump sha2 crate version by @stevenhorsman in #12294
- versions: Bump QEMU to v10.2.0 by @fidencio in #12299
- tests: k8s: Adjust terminationGracePeriodSeconds to 1 by @fidencio in #12301
- packaging: build OVMF for Intel TDX again by @mythi in #12286
- Set several tests as required ci by @Apokleos in #12282
- kata-deploy (rs): Remove unused dependency by @fidencio in #12303
- ci: Update AKS setup post Pod Sandboxing GA by @romoh in #12208
- virtiofsd: fix RUSTUP_HOME and CARGO_HOME permissions for non-root bu… by @BbolroC in #12313
- docs: Fix trusted-image-storage reference by @manuelh-dev in #12297
- docs: Update NVIDIA GPU passthrough documentation by @manuelh-dev in #12257
- versions: Bump rust to 1.89 by @stevenhorsman in #12288
- kata-deploy: Fix extraction of the containerd major version by @facorazza in #12312
- packaging: Fix tools permissions issue by @stevenhorsman in #12315
- agent: change secure_storage_integrity default by @manuelh-dev in #12314
- tools: Build kubectl image by @fidencio in #12321
- tests: generate pod config with stable .yaml suffix and refactor set_container_command by @Apokleos in #12320
- build(deps): bump sequoia-openpgp from 2.0.0 to 2.1.0 in /src/tools/agent-ctl by @dependabot[bot] in #12248
- runtime: nvidia: change kernel parameters by @manuelh-dev in #12302
- runtime-rs: Bump qapi-rs from 0.14 to 0.15 by @Apokleos in #12291
- build(deps): bump rsa from 0.9.6 to 0.9.9 in /src/tools/agent-ctl by @dependabot[bot] in #12296
- docs: Add Zensical Doc Site Generation by @LandonTClipp in #12307
- kernel: Bump to the new LTS by @fidencio in #12252
- Openssl src 3.5.4 bump by @stevenhorsman in #12332
- docs: Navigation improvements and bug fixes to Pages by @LandonTClipp in #12330
- Update Trustee and guest-components for upcoming releases by @fitzthum in #12333
- gpu: decouple kernel and rootfs by @zvonkok in #12317
- runtime: nvidia: Disable NVDIMM by @manuelh-dev in #12335
- gpu: Bump NVRC Version by @zvonkok in #12338
- runtime-rs: Set the default bridges with 1 in configurations and Makefile by @Apokleos in #12298
- kata-deploy: helm: Add post install verification support by @fidencio in #12318
- ci: move the job publish kata payload after push to an...
Kata Containers 3.24.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-22d60a36c-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-b00013c71-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-af919686a-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-b2c943931-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.11-rust-1.85.1-923f97bc6-x86_64
- tools: quay.io/kata-containers/builders:tools-b9774e44b-a8a458664-9dfa6df2c-12a515826-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- genpolicy: Make cpath compatible with both runtime-rs and runtime-go by @Apokleos in #12064
- Runtime/QEMU: Introduce virtio-blk with iothreads and enable Indep iothreads framework by @zhangckid in #11620
- build: Introduce root workspace for rust components by @RuoqingHe in #11563
- genpolicy: prepare integration tests for programmatic modification by @burgerdev in #11978
- tests: Run authenticated tests with experimental_force_guest_pull by @fidencio in #12074
- ci: Adjust gatekeeper's job fetch by @stevenhorsman in #12106
- tests: nvidia: cc: Re-enable NIM tests by @fidencio in #12056
- runtime-rs: Clear Linux.Resources.Devices completely and correct the guest path for container mount binding by @Apokleos in #12102
- tests: Enable AUTO_GENERATE_POLICY for qemu-coco-dev-runtime-rs by @Apokleos in #12109
- build(deps): bump the bit-vec group across 2 directories with 1 update by @dependabot[bot] in #11370
- build(deps): bump oras-project/setup-oras from 1.2.2 to 1.2.4 by @dependabot[bot] in #11802
- build: Exclude tools from root workspace by @RuoqingHe in #12110
- tests: k8s: Fix typo in authenticated tests by @fidencio in #12111
- gpu: introduce a new devkit build flag to produce a rootfs for developers by @manuelh-dev in #12059
- tests: nvidia: cc: Re-enable multi GPU test case by @manuelh-dev in #12117
- shim: Support device cold plug with Kubernetes by @jojimt in #12087
- tests: cc: Test authenticated images with force guest pull by @fidencio in #12118
- tests: Reduce KBS deployment check flakeness by @fidencio in #12119
- runtime-rs: Bump cgroups-rs to v0.5.0 by @justxuewei in #12121
- tests: nvidia: cc: add allow-all policy and init-data generation by @manuelh-dev in #12050
- Required tests update 14 nov 2025 by @stevenhorsman in #12090
- tests: nvidia: cc: Remove nvrc.smi.srs=1 parameter by @manuelh-dev in #12092
- Kata-deploy: Add tolerations to daemonset and cleanup job by @nheinemans-asml in #12115
- gpu: Cleanup Makefile by @zvonkok in #12126
- kata-deploy: nfd: Patch TEE runtimeclasses when needed by @fidencio in #12128
- gpu: TDX kernel cmdline fixes by @zvonkok in #12127
- runtime-rs: Allow configuration of virtio block queue parameters by @Apokleos in #11932
- runtimeclasses: Fix nvidia-gpu podOverhead by @fidencio in #12132
- agent: allow disabling detect_initdata_device by @danmihai1 in #12135
- policy: ci: enable security policy for openvpn test case by @manuelh-dev in #12116
- runtimes: config: Do NOT have commented fields by @fidencio in #12122
- runtime-rs: fix QMP 'mq' parameter type in netdev_add to boolean by @Apokleos in #12137
- CI: readding SNP as required by @arvindskumar99 in #12138
- workflows: Add Report tests to all workflows by @stevenhorsman in #12143
- ci: re-enable IBM runners for ppc64le and s390x by @Amulyam24 in #12096
- qemu: Enable NUMA by @zvonkok in #11586
- agent: fix the list_routes failure by @shwetha-s-poojary in #12112
- kata-deploy: Fix multiInstallSuffix for NV shims by @fidencio in #12142
- tests: Properly handle containerd config based on version by @Apokleos in #12141
- tests: Enable stability tests for runtime-rs by @Apokleos in #12130
- runtime-rs: Only QEMU supports templating by @fidencio in #12140
- GHA: Use `runs-on` only for choosing proper runners by @BbolroC in #12144
- kernel: Enable NUMA by @zvonkok in #11591
- build: Add nvidia image rootfs builds by @fidencio in #12149
- agent: Bump CDI-rs to latest by @zvonkok in #12151
- ci: Add two extra gatekeeper triggers by @stevenhorsman in #12150
- gatekeeper: Drop SEV-SNP from required by @fidencio in #12154
- ci: nvidia: remove kubectl_retry calls by @manuelh-dev in #12158
- kata-deploy: Fix binary find install_tools_helper by @manuelh-dev in #12129
- Nginx test image unification by @stevenhorsman in #12153
- doc: Document our Toolchain policy by @stevenhorsman in #11983
- tests: Switch nginx test image ref to digest by @stevenhorsman in #12179
- ci: nvidia: Install kata-artifacts by @manuelh-dev in #12175
- gatekeeper: Drop all s390x e2e tests temporarily by @BbolroC in #12190
- gatekeeper: Mark NVIDIA CC GPU test as required by @fidencio in #12172
- gpu: Measured rootfs by @zvonkok in #12124
- version: Update golang to 1.24.11 by @stevenhorsman in #12184
- ci: Add qemu-runtime-rs AKS tests to required by @stevenhorsman in #12185
- rootfs: Temporarily revert "gpu: Handle root_hash.txt correctly" by @fidencio in #12196
- tests: use Authorization when GH_TOKEN is set by @manuelh-dev in #12181
- version: Bump sirupsen/logrus by @stevenhorsman in #12197
- tests: nvidia: cc: Add attestation test by @manuelh-dev in #12080
- gpu: VFIO handling container vs sandbox by @zvonkok in #12188
- versions: Bump experimental {tdx,snp} QEMU by @fidencio in https://github.com/kata-containers/kata-co...
Kata Containers 3.23.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-b00013c71-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-af919686a-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-2f73e34e3-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.9-rust-1.85.1-12a515826-x86_64
- tools: quay.io/kata-containers/builders:tools-c47e8d0ab-dd5913192-7423eb7a3-12a515826-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
Deprecation notice
Starting with Kata Containers v3.23.0, a new structured configuration format is available for configuring shims. This provides better type safety, clearer organization, and per-shim configuration options.
See the full set of changes at https://github.com/kata-containers/kata-containers/tree/main/tools/packaging/kata-deploy/helm-chart#structured-configuration
Migration from Legacy Format
The legacy env.* configuration format is deprecated and will be removed in 2 releases. Users are encouraged to migrate to the new structured format.
Deprecated fields (will be removed in 2 releases):
- env.shims
- env.shims_x86_64
- env.shims_aarch64
- env.shims_s390x
- env.shims_ppc64le
- env.defaultShim
- env.defaultShim_x86_64
- env.defaultShim_aarch64
- env.defaultShim_s390x
- env.defaultShim_ppc64le
- env.allowedHypervisorAnnotations
- env.snapshotterHandlerMapping
- env.snapshotterHandlerMapping_x86_64
- env.snapshotterHandlerMapping_aarch64
- env.snapshotterHandlerMapping_s390x
- env.snapshotterHandlerMapping_ppc64le
- env.pullTypeMapping
- env.pullTypeMapping_x86_64
- env.pullTypeMapping_aarch64
- env.pullTypeMapping_s390x
- env.pullTypeMapping_ppc64le
- env.agentHttpsProxy
- env.agentNoProxy
- env._experimentalSetupSnapshotter
- env._experimentalForceGuestPull
- env._experimentalForceGuestPull_x86_64
- env._experimentalForceGuestPull_aarch64
- env._experimentalForceGuestPull_s390x
- env._experimentalForceGuestPull_ppc64le
- env.debug
What's Changed
- Add NVIDIA CUDA vectoradd test and refactor NIM test by @manuelh-dev in #11889
- runtime-rs: supporting the CLH VMM process running in non-root mode by @StevenFryto in #11862
- runtime-rs: introduce VM template lifecycle and integration by @jiuyi123 in #11828
- readme: install: Drop outdated documentation by @fidencio in #11990
- kata-deploy: Automatically deploy NodeFeatureRules for TEEs by @fidencio in #11933
- libs: Fix formatting issue by @stevenhorsman in #11995
- gpu: Add libs for CC by @zvonkok in #11993
- dragonball: Bump kvm-ioctls to fix security issue by @spectator333 in #11867
- kata-ctl: add factory subcommands for VM template management by @jiuyi123 in #11816
- tests: k8s: Remove tests running on GitHub provided runner by @fidencio in #12003
- gpu: Handle VFIO and IOMMUFD by @zvonkok in #11977
- chroot: Add NVRC release do not compile from github by @zvonkok in #11937
- kata-deploy: Add more per-arch options & Add defaultRuntimeClassName by @fidencio in #11992
- kata-deploy: Add NFD as a dependency by @fidencio in #11998
- scripts: release: Run helm dependencies update by @fidencio in #12014
- golang: Update to 1.24.9 by @fidencio in #12019
- kata-deploy: Move runtimeClass creation out of the scripts by @fidencio in #12013
- tests: k8s: reduce test time for unexpected CreateContainerRequest errors by @danmihai1 in #12016
- tests: Add stability tests for experimental-force-guest-pull by @fidencio in #12018
- tests: Align kata-deploy helm's uninstall by @fidencio in #11630
- tests: Stop testing on stratovirt by @fidencio in #12006
- runtime: Clear outer CDI annotations by @manuelh-dev in #12010
- Revert "tests: Do not enable NFD on s390x" by @fidencio in #12029
- tests: disable the cpu hotplug test for coco dev runtime by @lifupan in #12025
- tests: guest-pull: Fix names by @fidencio in #12028
- docs: Update devmapper containerd plugin name by @antonipp in #12031
- kata-deploy: Add missing runtimeClasses by @fidencio in #12026
- ci: Onboard another NVIDIA machine by @fidencio in #12034
- kata-deploy: Add per arch ALLOWED_HYPERVISOR_ANNOTATIONS by @fidencio in #12027
- ci: Fix failing static checks to enable IBM actionspz - Z specific by @BbolroC in #11924
- runtime-rs: enable pselect6 syscall for dragonball seccomp by @lifupan in #12037
- tests: gpu: cc: Run GPU tests on CC mode by @fidencio in #12035
- runtime-rs: Add support LocalStorage for emptyDir within nontee cases by @Apokleos in #11921
- runtime-rs: some remote hypervisor fixes by @pmores in #11857
- tests: nvidia: Deploy Trustee by @fidencio in #12041
- ci: k8s: re-enable genpolicy testing for mariner hosts by @danmihai1 in #11994
- Disable guest emptydir by @Apokleos in #12046
- ci: nvidia: Ensure K8S_TEST_HOST_TYPE=baremetal by @fidencio in #12023
- agent: update version.rs when VERSION file changed by @danmihai1 in #12051
- webhook: allow privileged containers by @Redent0r in #12008
- runtime-rs: read sev params from processor by @pmores in #10968
- tests: nvidia: cc: Use experimental_force_guest_pull (when possible) by @fidencio in #12040
- build(deps): bump github.com/opencontainers/runc from 1.2.6 to 1.2.8 in /src/runtime by @dependabot[bot] in #12032
- agent: Support both virtio-blk and virtio-scsi block devices for initdata by @Apokleos in #11986
- deploy: Improve busybox build by @manuelh-dev in #12048
- genpolicy: Correct caps matcher for runtime-rs by @Apokleos in #11985
- build(deps): bump github.com/containerd/containerd from 1.7.27 to 1.7.29 in /src/runtime by @dependabot[bot] in #12039
- runtime-rs: Fix several incorrect settings with guest empty dir. by @Apokleos in #12067
- ci: Drop docker tests by @fidencio in #12058
- tests: Correct unexpected capability for policy failure test by @Apokleos in #12061
- ci: Remove stratovirt & doc...
Kata Containers 3.22.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-b00013c71-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-af919686a-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-2f73e34e3-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.6-rust-1.85.1-12a515826-x86_64
- tools: quay.io/kata-containers/builders:tools-99ae3607d-9fda9905a-7bb28d8da-12a515826-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
What's Changed
- genpolicy: match sandbox name by regex by @charludo in #11814
- runtime-rs: Remove InitData annotation from OCI Spec by @Apokleos in #11843
- tests: k8s: add test duration information by @danmihai1 in #11841
- runtime-rs: set the default block driver as virtio-scsi for qemu by @lifupan in #11844
- agent/rustjail: Fix double free in TTY handling by @sprt in #11833
- tests: agent-ctl: Fix cleanup for testing with qemu by @Sumynwa in #11847
- GHA: Pin Alpine to 3.20 for tee-unencrypted image by @BbolroC in #11848
- csi-kata-directvolume: Add basic SPDK volume support by @whyeinstein in #11719
- ci: Remove DL3007 ignore comment for base image by @BbolroC in #11851
- runtime-rs: Add support for running the VMM in non-root mode by @StevenFryto in #11678
- ci.ocp: Avoid unsupported "git --revision" by @ldoktor in #11835
- gha: Run Zizmor without Advanced Security by @sprt in #11853
- tests/k8s: Add set -euo pipefail to lib.sh by @sprt in #11854
- gha: zizmor: fix "workflow or action definition without a name" error by @sprt in #11855
- tests: k8s: auto-generate policy for additional tests by @danmihai1 in #11845
- gpu: Add libgcc for RUST libc=gnu builds by @zvonkok in #11856
- libs: Fix the test_parse_mount_options failure on ppc64le by @shwetha-s-poojary in #11849
- tests: k8s: auto-generate policy for additional tests by @danmihai1 in #11858
- Revert "ci: temporarily avoid using the Mariner Host image" by @sprt in #11846
- ci: add genpolicy build for Darwin by @burgerdev in #11636
- runtime: config: allow TDX QGS port=0 by @mythi in #11850
- kata-sys-util: format mount.rs by @burgerdev in #11869
- agent-ctl: Add fs sharing using virtio-fs when booting a pod vm. by @Sumynwa in #11839
- kata-sys-util: use a tempdir per test case by @burgerdev in #11868
- kernel: add required configs for openvpn support by @manuelh-dev in #11818
- agent/rustjail: Fix potentially uninitialized memory read in unsafe code by @sprt in #11872
- gpu Switch to Noble and CUDA repos by @zvonkok in #11860
- build: Fix initramfs build by @fidencio in #11879
- build(deps): bump astral-tokio-tar from 0.5.2 to 0.5.5 in /src/tools/agent-ctl by @dependabot[bot] in #11840
- runtime: Simplify mounting guest devices when using hostPath volumes by @sprt in #11832
- kata-deploy: Add the ability to set up different snapshotters (nydus & erofs) by @fidencio in #11881
- genpolicy: better parsing of mount path by @danmihai1 in #11877
- kata-deploy: accept 25.10 as supported distro for TDX by @szymon-klimek in #11880
- tests/k8s: Add test for privileged containers by @sprt in #11884
- gpu: Some fixes regarding the rootfs v580 by @zvonkok in #11896
- ci: k8s: Add the basic test for qemu-coco-dev + erofs-snapshotter by @fidencio in #11870
- kata-deploy: Remove kustomize yamls, rely on helm-chart only by @fidencio in #11893
- kata-deploy: Allow users to set experimental_force_guest_pull by @fidencio in #11897
- docs: Document `privileged_without_host_devices=false` as unsupported by @sprt in #11878
- gha: Fix `docs-url-alive-check` workflow by @sprt in #11901
- ci: zizmor: Address all issues by @sprt in #11883
- runtime-rs: add seccomp support for dragonball by @was-saw in #11674
- runtime: fix device typo by @M-Phansa in #11894
- runtime: fix "num-queues expects uint64" error with virtio-blk by @spuzirev in #11888
- tests: k8s-nested-configmap-secret policy by @danmihai1 in #11865
- gpu: PPCIE support DGX like systems by @zvonkok in #11903
- tests: k8s: Unify k8s TEE tests by @fidencio in #11898
- ci: Enable new ibm runners by @stevenhorsman in #11909
- versions: bump opa 1.6.0 -> 1.9.0 by @katexochen in #11906
- build: Fix KBUILD_SIGN_PIN usage by @fidencio in #11914
- ci: k8s: Test experimental_force_guest_pull by @fidencio in #11900
- gpu: Fix kernel module signing by @zvonkok in #11916
- runtime-rs: ad the block device hot unplug for clh by @lifupan in #11863
- runtime-rs: Support virtio-scsi for initdata within non-TEE by @Apokleos in #11905
- build: Fix nvidia kernel breakage by @fidencio in #11929
- tests: Run apt-get update before installing a package by @fidencio in #11928
- versions: Bump QEMU to 10.1.1 by @fidencio in #11917
- ci: Add protobuf-compiler dependencies by @stevenhorsman in #11915
- builds: qemu: Use a liburing newer than 2.2 by @fidencio in #11918
- ci.ocp: Use helm to install kata by @ldoktor in #11936
- cdi: Add Crate remove Github Hash by @zvonkok in #11908
- virtcontainers: fix nydus cleanup on rootfs unmount by @katexochen in #11899
- agent: Stabilize static checks by @BbolroC in #11927
- Use variable in NVIDIA GPU rootfs build to differentiate between variants by @manuelh-dev in #11911
- tests: Check whether containerd is stable enough with multi-snapshotters b...
Kata Containers 3.21.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-a0ae1b660-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aadad0c9b-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-54e808122-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.24.6-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-28ab972b3-a9ec8ef21-bfc54d904-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Installation
Follow the Kata installation instructions.
Security fixes
Fix to security advisory: GHSA-989w-4xr2-ww9m
What's Changed
- runtime-rs Enable initdata IBM SEL by @BbolroC in #11696
- gpu: Add more debugging to CI/CD by @zvonkok in #11703
- runtime-rs: Adjust VSOCK timeouts for IBM SEL by @BbolroC in #11321
- runtime-rs: Support initdata within NonProtection scenarios by @Apokleos in #11699
- runtime: Enable init_data annotation for remote configs by @stevenhorsman in #11711
- Golang 1.24.6 bump by @stevenhorsman in #11608
- kata-deploy: local-build: Use zstd instead of xz by @fidencio in #11707
- Revert "local-build: Enforce USE_CACHE=no" by @fidencio in #11713
- runtime: qemu: Add reclaim_guest_freed_memory [BACKPORT] by @fidencio in #11715
- kata-manager: Support xz and zst suffixes for the kata tarball by @fidencio in #11718
- cgroups: Fix "." parent cgroup special case by @fidencio in #11717
- Workflow permissions tightening by @stevenhorsman in #11614
- runtime-rs: Empty block-rootfs Storage.options and align with Go runtime by @Caspian443 in #11689
- build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 in /src/tools/log-parser by @dependabot[bot] in #11729
- runtime-rs: Adjust path for sealed secret mount check by @BbolroC in #11728
- tests: Use "Failed" consistently for both runtimes by @BbolroC in #11750
- kernel: add required configs for ip6tables support by @Camelron in #11692
- genpolicy: print Input and Policy storages by @danmihai1 in #11759
- ci: aks: Refresh OIDC token in case access token expired by @sprt in #11760
- runtime-rs: Remove default value of Linux.Resources.Devices and correctly set Hooks in OCI Spec to meet with Agent Policy requirements by @Apokleos in #11752
- security: gha: Run Zizmor in auditor mode by @sprt in #11615
- ci: cri-containerd-amd64: add logging for curl failures by @sprt in #11756
- ci: security: Fix "commit hash does not point to a Git tag" by @sprt in #11772
- agent-ctl: version: bump hypervisor by @stevenhorsman in #11770
- ci: gatekeeper: Mark `make test libs` not required by @RuoqingHe in #11774
- versions: Bump gopkg.in/yaml.v3 by @stevenhorsman in #11746
- build(deps): bump tracing-subscriber from 0.3.17 to 0.3.20 in /src/runtime-rs by @dependabot[bot] in #11737
- build(deps): bump github.com/ulikunitz/xz from 0.5.11 to 0.5.14 in /src/tools/csi-kata-directvolume by @dependabot[bot] in #11731
- runtime-rs: log out the qemu console when debug enabled by @lifupan in #11781
- runtime-rs: Enable s390x nightly test for IBM SEL by @BbolroC in #11743
- versions: Tidy up go.mod versions by @stevenhorsman in #11754
- packaging: add required modules for confidential guest kernel by @ryansavino in #11780
- ci: Run Zizmor on pushes to any branch by @sprt in #11788
- libs: Fix unit tests under non-root user by @RuoqingHe in #11775
- runtime: snp: enable CoCo annotations by @danmihai1 in #11795
- runtime-rs: make the virtio-blk use the pci bus as default by @lifupan in #11716
- genpolicy: Enhance policy rule for runtime-rs scenarios by @Apokleos in #11782
- kata-types: Support create_container_timeout set within configuration by @Apokleos in #11766
- clh: Update to v48.0 release by @fidencio in #11796
- build(deps): bump slab from 0.4.10 to 0.4.11 in a few components by @dependabot[bot] in #11680
- version: Bump QEMU to v10.1.0 by @alextibbles in #11797
- versions: update kernel kernel-dragonball-experimental to latest 6.12.47 LTS by @alextibbles in #11791
- runtime: fix the issue clh resize vcpu failed by @lifupan in #11761
- kata-deploy: Don't fail if the runtimeclass is already deleted by @fidencio in #11763
- versions: bump ovmf edk2 version by @alextibbles in #11798
- runtime: Bump cri-o to latest by @stevenhorsman in #11771
- versions: update kernel-confidential to Linux v6.16.7 by @mythi in #11804
- tests: Only run devmapper tests with QEMU by @fidencio in #11809
- tests: Only run docker tests with one VMM by @fidencio in #11808
- genpolicy: add init data support by @Redent0r in #11732
- runtime-rs: Bugfix for kata virtual volume overlay fstype by @Apokleos in #11799
- runtime-rs: Enable share-rw=true when hotplug block device within qemu by @Apokleos in #11801
- runtime-rs: Add the block devices io limit support by @lifupan in #11784
- runtime-rs: add the sandbox's shm volume support by @lifupan in #11773
- tools: agent-ctl: Fix unresolved ch import by @fidencio in #11811
- kata-manager: Handle zst unpacking by @fidencio in #11812
- kata-agent: Rename misleading variable in config parsing by @billionairiam in #11783
- tests: k8s: additional kubectl logs debug info by @danmihai1 in #11813
- runtime-rs: Fix annotations within runtime-rs to pass the agent policy check by @Apokleos in #11753
- runtime: qemu: disable memory hotplug for ConfidentialGuests by @mythi in #11681
- runtime: Set maxmem to ...
Kata Containers 3.20.0
Survey
Please take the Kata Containers survey:
This will help the Kata Containers community understand:
- how you use Kata Containers
- what features and improvements you would like to see in Kata Containers
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses libseccomp v2.5.5, which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-a0ae1b660-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-aadad0c9b-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.12-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-a03dc3129-014ab2fce-30aff429d-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
What's Changed
- Breaking change: In #11693 the annotation for passing through the initdata confidential containers feature was changed from io.katacontainers.config.runtime.cc_init_data to io.katacontainers.config.hypervisor.cc_init_data
- runtime-rs: Support hotplugging host block devices within qemu-rs by @Apokleos in #11579
- runtime-rs: support block device driver virtio-scsi within qemu-rs by @Apokleos in #11547
- build(deps): bump the openssl group across 4 directories with 1 update by @dependabot[bot] in #11372
- runtime-rs: Some extra work to enhance copyfile with sharedfs disabled by @Apokleos in #11621
- runtime-rs: Add full cgroups support on host by @justxuewei in #11598
- versions: Upgrade to Cloud Hypervisor v47.0 by @RuoqingHe in #11626
- dragonball: Fix warnings in default build by @RuoqingHe in #11618
- mem-agent: Ignore Cargo.lock by @RuoqingHe in #11613
- ci: Try passing api token into github api call by @stevenhorsman in #11619
- ci/gatekeeper: make run-k8s-tests-coco-nontee job required by @wainersm in #11385
- genpolicy: reduce complexity by @danmihai1 in #11553
- Updated Firecracker Version to 1.12.1 by @itsmohitnarayan in #11627
- gpu: AMD64 NVIDIA GPU CI/CD by @zvonkok in #11236
- build: nvidia: Fix KBUILD_SIGN_PIN breakage by @fidencio in #11645
- gpu: guest components by @zvonkok in #11639
- runtime: reproducible generation of Golang proto bindings by @burgerdev in #11632
- gha: Remove unnecessary install-azure-cli step by @sprt in #11637
- ci: static-checks: Auto-detect repo by default by @sprt in #11646
- tests: k8s-sandbox-vcpus-allocation debug info by @danmihai1 in #11651
- qemu: Respect the JSON schema for hot plug by @c3d in #11667
- runtime: virtio-fs: Support "metadata" cache mode by @sprt in #11060
- runtime-rs: make vcpu allocation more accurate by @pmores in #10580
- Align initdata annotation with kata-runtime by @Apokleos in #11653
- ci: cri-containerd: add 5s timeout for creating sandbox with crictl by @kevinzs2048 in #11669
- version: Bump QEMU to v10.0.0 by @fidencio in #11219
- ci: Remove stable by @zvonkok in #11660
- ci: static-checks: add SECURITY.md to exclude list by @sprt in #11666
- runtime-rs: Label system journal log with kata by @Apokleos in #11641
- agent-ctl: Add option "--vm" to boot pod VM for testing. by @Sumynwa in #11565
- versions: Bump golang to 1.23.12 by @stevenhorsman in #11676
- runtime: make SNP guest policy configurable by @katexochen in #11675
- genpolicy: support AddARPNeighbors by @burgerdev in #11663
- runtime-rs: add seccomp support for cloud hypervisor and firecracker by @was-saw in #11536
- CI: change the directory for Arm64 firmware by @kevinzs2048 in #11670
- runtime-rs: add seccomp support for qemu by @was-saw in #11525
- gpu: AMD64 NVIDIA GPU CI/CD Part 2 by @zvonkok in #11658
- ci: static-checks: Don't hardcode default repo branch by @sprt in #11683
- Feat | Implement initdata for bare-metal/qemu for s390x by @rafsal-rahim in #11640
- gatekeeper: GPU test required by @zvonkok in #11684
- versions: sync go.mod with versions.yaml for go 1.23.12 by @alextibbles in #11701
- runtime-rs: Add only static ARP entries with handle_neighours by @Apokleos in #11698
- versions: update to latest LTS kernel 6.12.42 by @alextibbles in #11691
- kata-types: remove default setting of guest_hook_path by @Apokleos in #11705
- CI: Introduce CI for libs to Improve code quality and reduce noises by @Apokleos in #11514
- versions: update kernel-confidential to Linux v6.16.1 by @mythi in #11634
- runtime-rs: Fix issues for initdata by @BbolroC in #11693
- Optimize sealed secret scanning to avoid full file reads by @Park-Jiyeonn in #11647
- release: Bump version to 3.20.0 by @zvonkok in #11706
New Contributors
- @itsmohitnarayan made their first contribution in #11627
- @was-saw made their first contribution in #11536
- @rafsal-rahim made their first contribution in #11640
- @alextibbles made their first contribution in #11701
- @Park-Jiyeonn made their first contribution in #11647
Full Changelog: 3.19.1...3.20.0
Kata Containers 3.19.1
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-ca4f96ed0-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-09efcfbd8-222393375-28929f5b3-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
What's Changed
- dependencies: More crate bumps to resolve security issues by @stevenhorsman in #11603
- build(deps): bump unsafe-libyaml from 0.2.9 to 0.2.11 in /src/tools/kata-ctl by @dependabot[bot] in #11605
- build(deps): bump zerocopy from 0.6.1 to 0.6.6 in /src/tools/genpolicy by @dependabot[bot] in #11606
- release: Bump version to 3.19.1 by @fidencio in #11604
Full Changelog: 3.19.0...3.19.1
Kata Containers 3.19.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-ca4f96ed0-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-2fe9df16c-222393375-222393375-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
What's Changed
- tests: update container image for ci and unit test by @Redent0r in #11443
- build(deps): bump rustix in various components by @dependabot[bot] in #11378
- osbuilder: Update image-builder base to f42 by @stevenhorsman in #11440
- workflow: Remove code injection in helm login by @stevenhorsman in #11331
- ci: Update dependabot ignore list by @RuoqingHe in #11431
- ci: Remove duplicated rust-vmm dependencies by @RuoqingHe in #11448
- workflows: Pin action hashes by @stevenhorsman in #11420
- build(deps): bump the clap group across 6 directories with 1 update by @dependabot[bot] in #11405
- genpolicy: prevent corruption of the layer cache file by @charludo in #11426
- tests: k8s-policy-rc: print pod descriptions by @danmihai1 in #11444
- runtime-rs: Implement Initdata Spec Support in runtime-rs for CoCo by @Apokleos in #11181
- ci/static-checks: use oras cache for regorus by @katexochen in #11424
- runtime-rs: add the blockfile based rootfs support by @lifupan in #11466
- runtime-rs: fix the issue return the wrong volume by @lifupan in #11467
- versions: Bump protobuf to 3.7.2 by @stevenhorsman in #11441
- ci: Add scorecard action by @stevenhorsman in #11462
- runtime-rs: Support shared fs with "none" on non-tee platforms by @Apokleos in #11468
- runtime-rs: Add the memory and vcpu hotplug for cloud-hypervisor by @lifupan in #11422
- ci: Run zizmor for GHA security analysis by @sprt in #11392
- runtime-rs: Set default_maxvcpus to 0 by @fidencio in #11469
- runtime: improve EROFS snapshotter support by @hsiangkao in #11434
- tools: kata-monitor: update go version used to build in Dockerfile by @Redent0r in #11471
- versions: Bump guest-components by @stevenhorsman in #11461
- runtime-rs: Fix calculation of odd memory sizes by @fidencio in #11470
- runtime-rs: Add GPU annotations for remote hypervisor by @Apokleos in #11474
- version: Bump nydus-snapshotter by @stevenhorsman in #11484
- build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var by @fidencio in #11481
- workflows: Skip weekly coco stability tests by @stevenhorsman in #11479
- runtime-rs: support setting create_container timeout with request_timeout_ms for image pulling in guest by @Apokleos in #10693
- runtime-rs: Fix noise with frequently appearing in unstaged changes by @Apokleos in #11490
- genpolicy: add validation for storages by @arc9693 in #11248
- gha: Eliminate use of force-skip-ci label by @sprt in #11499
- test: fix broken testing code in libs by @zhaodiaoer in #11423
- kata-agent: mount.rs: Fix warning of test by @teawater in #11509
- runtime-rs: make the resize_vcpu api support sync by @lifupan in #11510
- security: ci: Fixes for Zizmor GHA security scanning by @sprt in #11475
- runtime-rs: refactor and fix the implementation of guest-pull by @Apokleos in #11482
- gpu: NVRC static build by @zvonkok in #11517
- Remove atty dependency by @stevenhorsman in #11506
- gpu: Update runtimeClasses for correct podoverhead by @zvonkok in #11336
- tools: port the dragonball kernel patch to 6.12.x by @lifupan in #11513
- tests: runtimeclasses: Adjust gpu runtimeclasses by @fidencio in #11530
- runtime-rs: add initdata annotation for remote hypervisor by @Apokleos in #11528
- workflows: adopting azure/setup-kubectl by @wainersm in #11523
- runtime: Fix rootlessDir not correctly set in rootless VMM mode by @StevenFryto in #11527
- Sev deprecation by @arvindskumar99 in #11380
- versions: bump opa 1.5.1 -> 1.6.0 by @katexochen in #11494
- runtime/runtime-rs: Set shared_fs to none for IBM SEL in config file by @BbolroC in #11537
- tests: k0s: Always use latest version, apart from CRI-O tests by @fidencio in #11529
- libs: Remove lockfile for libs by @RuoqingHe in #11545
- runtime-rs: Add vfio support with coldplug for cloud-hypervisor by @Apokleos in #11540
- runtime-rs: Switch tempdir to tempfile by @stevenhorsman in #11549
- gh: Fix released VERSION file by @fidencio in #11554
- runtime-rs: Change default block device driver from virtio-scsi to virtio-blk-* by @Apokleos in #11491
- tests/k8s: instrument some tests for debugging by @wainersm in #11519
- runtime-rs | trace-forwarder: Bump chrono crate version by @stevenhorsman in #11550
- versions: Bump idna crate to >= 1.0.3 by @stevenhorsman in #11521
- mem-agent: Update to https://github.com/teawater/mem-agent/tree/kata-20250627 by @teawater in #11480
- Rust advisory fixes pre 3.19.0 by @stevenhorsman in #11555
- ci: Make qemu-coco-dev for s390x (zVSI) required again by @BbolroC in #11564
- gpu: Add proper TDX config path by @zvonkok in #11568
- Remove gpu admin tools by @zvonkok in #11567
- runtime-rs: Fix initdata length field missing when create block by @Apokleos in #11557
- build: Fix cache for nvidia-gpu-initrd builds by @fidencio in https://github.com/kata-containers/kata-c...
Kata Containers 3.18.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-7420194ea-1.85.1-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.10-rust-1.85.1-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-0f8e45351-cebb259e5-aae64fa3d-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.85.1-musl-1cf1a332a-x86_64
Notable updates
What's Changed
- tests/k8s: increase wait time of KBS service ingress by @wainersm in #11293
- tests/k8s: better tests reporting for CI by @wainersm in #11130
- osbuilder: lib.sh: Fix indent by @Rtoax in #11267
- runtime-rs: fix vfio pci address domain 0001 problem by @sampleyang in #11254
- tests/k8s: delint confidential_kbs.sh by @wainersm in #11294
- kernel: support CONFIG_TMPFS_XATTR=y by @hsiangkao in #11308
- Drop outdated erofs patches for 6.1.y kernels & fix a dragonball vsock issue by @hsiangkao in #10964
- tools.testing: Add methods to simplify gatekeeper development by @ldoktor in #11270
- ci.ocp: A couple of peer-pods setup improvements by @ldoktor in #11266
- runtime-rs: fix the issue of delete cgroup failed by @lifupan in #11301
- runtime-rs: Propagate k8s configs correctly when sharedfs is disabled by @Apokleos in #11240
- runtime: add option to force guest pull by @katexochen in #11244
- runtime-rs: add support hotplugging vfio device for qemu-rs by @Apokleos in #10362
- workflows: gatekeeper: Update permissions by @stevenhorsman in #11320
- workflows: Delete workflows by @stevenhorsman in #11319
- workflow: Update gatekeeper permissions by @stevenhorsman in #11323
- workflows: Add explicit permissions for attestation by @stevenhorsman in #11322
- genpolicy: fix svc_name regex by @katexochen in #11314
- Explicitly set top level permissions for each workflow by @stevenhorsman in #11326
- workflow: add packages: write to csi-driver publish by @stevenhorsman in #11333
- runtime: fix cgroupv2 deletion when sandbox_cgroup_only=false by @Champ-Goblem in #11324
- agent: increase LimitNOFILE in the systemd service by @Champ-Goblem in #11327
- rust: Update cgroups-rs to its v0.3.5 release by @fidencio in #11346
- kernel: Add CONFIG_TUN (needed for VPNs) and move mem-agent related configs to common by @fidencio in #11344
- Fix | Support initdata for SNP by @Xynnn007 in #11329
- image: custom guest rootfs image file size alignment by @danmihai1 in #11340
- doc: Add Helm Chart entry by @zvonkok in #10748
- workflows: Add dependabot config by @stevenhorsman in #11016
- ci: Require agent-ctl tests by @sprt in #11339
- Upgrade ttrpc-codegen and protobuf to kill #![allow(box_pointers)] by @RuoqingHe in #11376
- Switch docker hub mirroring to ghcr.io by @stevenhorsman in #11383
- runtime: remove hotplug_vfio_on_root_bus from config.toml by @kimullaa in #11317
- ci: fix artifact name of RISC-V tarball by @burgerdev in #11387
- workflows: Replace secrets: inherit by @stevenhorsman in #11334
- genpolicy: improvements to /etc/passwd checks by @burgerdev in #11358
- dragonball: Remove a useless dead_code attribute by @justxuewei in #11357
- runtime-rs: Log error instead of format by @RuoqingHe in #11381
- ci: Fix Mariner rootfs build failure by @sprt in #11396
- runtime-rs: Reduce the number of duplicate log entries being printed by @justxuewei in #11377
- runtime-rs: Skip test on RISC-V architecture by @RuoqingHe in #11391
- libs: Bump chrono package by @stevenhorsman in #11393
- ci: Use OIDC to log into Azure by @sprt in #11388
- Revert "ci: Fix Mariner rootfs build failure" by @sprt in #11398
- ci: gha: Remove ok-to-test label on every push by @sprt in #11397
- protocols: Fix the noise caused by non-formatted codes in protocols by @Apokleos in #11345
- runtime-rs: Add TDX Support to runtime-rs for Confidential Containers (CoCo) by @Apokleos in #11179
- Enables block device and disable virtio-fs by @Apokleos in #11343
- nvidia-rootfs: only copy kata-opa if AGENT_POLICY is enabled by @Champ-Goblem in #11407
- versions: Bump Rust from 1.80.0 to 1.85.1 by @RuoqingHe in #11305
- runtime-rs: Support shared_fs = "none" for CoCo by @Apokleos in #10697
- runk: Switch users crate by @stevenhorsman in #11411
- Revert "ci: gha: Remove ok-to-test label on every push" by @sprt in #11417
- build(deps): bump the tracing group across 7 directories with 1 update by @dependabot in #11374
- genpolicy: fix rules syntax issues, rego v1 compatibility; ci: checks for rego parsing by @katexochen in #11412
- runtime: build variable for disable_image_nvdimm=true by @danmihai1 in #11402
- agent: add feature flag to secure_mount method by @Redent0r in #11418
- runtime-rs: add the memory prealloc support for qemu/ch by @lifupan in #11416
- workflows: Set persist-credentials: false on checkout by @stevenhorsman in #11389
- Fix logging on virtiofs shutdown by @pawelbeza in #11359
- gitignore: ignore direnv by @katexochen in #11419
- runtime-rs: Support Pull Image in Guest with Kata Volume for CoCo by @Apokleos in #10698
- Enable cri-containerd-tests for arm64 by @seungukshin in https://github.com/kata-conta...
Kata Containers 3.17.0
Libseccomp Notices
The kata-agent binaries inside the Kata Containers images provided with this release are
statically linked with the following GNU LGPL-2.1 licensed libseccomp library.
The kata-agent uses the libseccomp v2.5.5 which is not modified from the upstream version.
However, in order to comply with the LGPL-2.1 (§6(a)), we attach the complete source code for the library.
Kata Containers builder images
- agent (on all its different flavours): quay.io/kata-containers/builders:agent-5f68b343b-75ac09bab-1.80.0-x86_64
- Kernel (on all its different flavours): quay.io/kata-containers/builders:kernel-493ba63c7-x86_64
- OVMF (on all its different flavours): quay.io/kata-containers/builders:ovmf-5cabce1a2-x86_64
- QEMU (on all its different flavours): quay.io/kata-containers/builders:qemu-4c006c707-x86_64
- shim-v2: quay.io/kata-containers/builders:shim-v2-go-1.23.7-rust-1.80.0-7e9e9263d-x86_64
- tools: quay.io/kata-containers/builders:tools-9a4432d19-9a03815f1-f8c5aa6df-75ac09bab-x86_64
- virtiofsd: quay.io/kata-containers/builders:virtiofsd-1.80.0-musl-1cf1a332a-x86_64
What's Changed
- kernel: Add CONFIG_TASKSTATS (and related) configs by @fidencio in #11186
- kata-types: Optimize memory adjusting by only gathering memory info by @Apokleos in #11166
- kata-sys-utils: Introduce pcilibs for getting pci devices info by @Apokleos in #10579
- ci: Extend basic s390x tests by @Jakob-Naucke in #11044
- ci: Remove run-k8s-tests-coco-nontee from required tests by @BbolroC in #11201
- runtime: clh: Add reclaim_guest_freed_memory [BACKPORT] by @fidencio in #11185
- versions: Bump golang version by @stevenhorsman in #11098
- build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 in /src/runtime by @dependabot in #11161
- rust: High severity security bumps april 25 by @stevenhorsman in #11203
- build(deps): bump crossbeam-channel from 0.5.14 to 0.5.15 in /src/agent by @dependabot in #11175
- tests: confidential: Add KBS logging by @stevenhorsman in #10882
- ci.ocp: Add peer-pods setup script by @ldoktor in #10940
- GHA: Add VFIO-AP to s390x nightly tests for CoCo by @BbolroC in #11212
- build(deps): bump tokio from 1.38.0 to 1.44.2 in /src/tools/runk by @dependabot in #11210
- tests/k8s: fix kbs installation on Azure AKS by @wainersm in #11164
- genpolicy: Align GID behavior with CRI and enable GID policy checks. by @Camelron in #11077
- build(deps): bump tokio from 1.38.0 to 1.38.2 in /src/runtime-rs by @dependabot in #11208
- dragonball: Remove package lockfiles by @stevenhorsman in #11211
- ci: revert temp: ci: Fix AKS cluster creation by @Camelron in #11223
- runtime: remove wrong xfs options by @kimullaa in #11206
- Runtime rs centralise workspace config by @stevenhorsman in #11217
- versions: Bump golang.org/x/net by @stevenhorsman in #11204
- build(deps): bump crossbeam-channel from 0.5.13 to 0.5.15 in /src/mem-agent by @dependabot in #11174
- dragonball: Put local dependencies into workspace by @RuoqingHe in #11146
- gpu: Set the ARCH explicitly for driver builds by @zvonkok in #11228
- runtime: remove wrong qemu-system-x86_64 option by @kimullaa in #11230
- shimv2: fix the issue logger write failed by @lifupan in #11209
- agent: netlink: Only add an ipv6 address if ipv6 is enabled by @fidencio in #11227
- runtime-rs: Upgrade rust-netlink crates by @RuoqingHe in #11202
- EROFS Snapshotter Support in Kata by @ChengyuZhu6 in #11172
- build(deps): bump openssl from 0.10.57 to 0.10.72 by @dependabot in #11225
- runtime: add the mtu support for updating routes by @lifupan in #11232
- build(deps): bump tokio from 1.44.0 to 1.44.2 by @dependabot in #11226
- kata-debug: Make path resolution more robust by @kimullaa in #11116
- runtime: Add Path for kata-deploy by @kimullaa in #11123
- agent: Support RISC-V 64-bit architecture by @ncppd in #10512
- build(deps): bump openssl from 0.10.60 to 0.10.72 in /src/tools/kata-ctl by @dependabot in #11235
- Crio annotations update by @stevenhorsman in #10833
- tests: k8s: Retry output of kubectl exec in k8s-cpu-ns by @stevenhorsman in #11141
- genpolicy: improve validation for mounts by @arc9693 in #11127
- Bind/associate for VFIO-AP by @Jakob-Naucke in #11076
- genpolicy: support secrets to be referenced for pod envs by @3u13r in #10986
- versions: Update tempfile crate by @stevenhorsman in #11250
- helm: Avoid appending the multiInstallSuffix several times by @fidencio in #11199
- agent: use safe-path to replace secure_join by @houstar in #11242
- runtime/config: Add VFIO config for IBM SEL by @BbolroC in #11262
- ci: gatekeeper: skip docker tests by @stevenhorsman in #11255
- versions: Bump golang.org/x/oauth2 by @stevenhorsman in #11253
- build(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.2.0 in /src/runtime by @dependabot in #11243
- Rust vulns 9th may 2025 by @stevenhorsman in #11251
- build(deps): bump ring from 0.17.8 to 0.17.14 in /src/tools/agent-ctl by @dependabot in #11241
- helm: release: Publish our helm charts to the OCI registries by @fidencio in #11264
- kata-deploy: Avoid changing any component path in case of restart by @fidencio in #11258
- osbuilder: ubuntu: Switch from multistrap to mmdebstrap by @skazi0 in #11246
- Bump: libz-sys crate to address CVE by @chathuryaadapa in #11265
- Enable edk2 for arm64 by @seungukshin in #11272
- confidential guest kernel hardening changes by @mythi in #11257
- ci: k8s: arm: Enable skipped tests by @fidencio in #11274
- genpolicy: Enable AdditionalGids checks in rules.rego by @Camelron in #11214
- runtime-rs: Introduce PCIe Port devices in runtime-rs for qemu-rs by @Apokleos in #10578
- runtime: Fix logging for remote hypervisor by @bpradipt in #11287
- config: Fix typos by @Rtoax in #11283
- kata-deploy: fix bug when config does not exist by @kimullaa in #11093
- runtime-rs: add the ephemeral memory based volume support by @lifupan in https://github.com/kata-containers/ka...