runtime-rs: Set disable_guest_empty_dir = true by default

.github/workflows/build-kubectl-image.yaml

@@ -8,7 +8,7 @@ on:
     # Allow manual triggering
   push:
     branches:
-      - main
+      - msft-preview
     paths:
       - 'tools/packaging/kubectl/Dockerfile'
       - '.github/workflows/build-kubectl-image.yaml'

.github/workflows/ci-on-push.yaml

@@ -1,13 +1,19 @@
 name: Kata Containers CI
 on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
+  # Upstream uses `pull_request_target` to have access to secrets for
+  # PRs from forks but:
+  # (1) `pull_request_target` only runs on the default branch and we
+  #     have multiple leading branches, so we need to use `pull_request`.
+  # (2) We can use `pull_request` practically since we don't expect PRs
+  #     from external contributors.
+  pull_request:
     branches:
-      - 'main'
+      - 'msft-preview'
     types:
       # Adding 'labeled' to the list of activity types that trigger this event
       # (default: opened, synchronize, reopened) so that we can run this
       # workflow when the 'ok-to-test' label is added.
-      # Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+      # Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
       - opened
       - synchronize
       - reopened

.github/workflows/ci.yaml

@@ -108,6 +108,7 @@ jobs:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-kata-static-tarball-s390x:
+    if: false # msft-preview doesn't have these runners
     permissions:
       contents: read
       packages: write
@@ -123,6 +124,7 @@ jobs:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-kata-static-tarball-ppc64le:
+    if: false # msft-preview doesn't have these runners
     permissions:
       contents: read
       packages: write
@@ -172,6 +174,7 @@ jobs:
 
   build-and-publish-tee-confidential-unencrypted-image:
     name: build-and-publish-tee-confidential-unencrypted-image
+    if: false # msft-preview can't push to GHCR
     permissions:
       contents: read
       packages: write
@@ -277,7 +280,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
 
   run-k8s-tests-on-aks:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false # msft-preview doesn't test on AKS yet
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
 
@@ -298,7 +301,7 @@ jobs:
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 
   run-k8s-tests-on-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false # msft-preview doesn't have these runners
     needs: publish-kata-deploy-payload-arm64
     uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
     with:
@@ -310,7 +313,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
 
   run-k8s-tests-on-nvidia-gpu:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false # msft-preview doesn't have these runners
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
     with:
@@ -365,7 +368,7 @@ jobs:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
 
   run-k8s-tests-on-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false # msft-preview doesn't have these runners
     needs: publish-kata-deploy-payload-ppc64le
     uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
     with:

.github/workflows/codeql.yml

@@ -13,9 +13,9 @@ name: "CodeQL Advanced"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "msft-preview", "release/*" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "msft-preview", "release/*" ]
   schedule:
     - cron: '45 0 * * 1'
 

.github/workflows/commit-message-check.yaml

@@ -16,7 +16,7 @@ env:
   error_msg: |+
     See the document below for help on formatting commits for the project.
 
-    https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
+    https://github.com/kata-containers/community/blob/msft-preview/CONTRIBUTING.md#patch-format
 
 jobs:
   commit-message-check:

.github/workflows/docs.yaml

@@ -2,7 +2,7 @@ name: Documentation
 on:
   push:
     branches:
-      - main
+      - msft-preview
 permissions: {}
 jobs:
   deploy-docs:

.github/workflows/gatekeeper.yaml

@@ -5,7 +5,13 @@ name: Gatekeeper
 # reporting the status.
 
 on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
+  # Upstream uses `pull_request_target` to have access to secrets for
+  # PRs from forks but:
+  # (1) `pull_request_target` only runs on the default branch and we
+  #     have multiple leading branches, so we need to use `pull_request`.
+  # (2) We can use `pull_request` practically since we don't expect PRs
+  #     from external contributors.
+  pull_request:
     types:
       - opened
       - synchronize

.github/workflows/osv-scanner.yaml

@@ -9,11 +9,11 @@ name: OSV-Scanner
 on:
   workflow_dispatch:
   pull_request:
-    branches: [ "main" ]
+    branches: [ "msft-preview" ]
   schedule:
     - cron: '0 1 * * 0'
   push:
-    branches: [ "main" ]
+    branches: [ "msft-preview" ]
 
 permissions: {}
 

.github/workflows/payload-after-push.yaml

@@ -2,7 +2,7 @@ name: CI | Publish Kata Containers payload
 on:
   push:
     branches:
-      - main
+      - msft-preview
   workflow_dispatch:
 
 permissions: {}

.github/workflows/push-oras-tarball-cache.yaml

@@ -1,11 +1,11 @@
 # Push gperf and busybox tarballs to the ORAS cache (ghcr.io) so that
 # download-with-oras-cache.sh can pull them instead of hitting upstream.
-# Runs when versions.yaml changes on main (e.g. after a PR merge) or manually.
+# Runs when versions.yaml changes on msft-preview (e.g. after a PR merge) or manually.
 name: CI | Push ORAS tarball cache
 on:
   push:
     branches:
-      - main
+      - msft-preview
     paths:
       - 'versions.yaml'
   workflow_dispatch:

.github/workflows/release-amd64.yaml

@@ -66,7 +66,7 @@ jobs:
           # We need to do such trick here as the format of the $GITHUB_REF
           # is "refs/tags/<tag>"
           tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
+          if [ "${tag}" = "msft-preview" ]; then
               tag=$(./tools/packaging/release/release.sh release-version)
               tags=("${tag}" "latest")
           else

.github/workflows/release-arm64.yaml

@@ -66,7 +66,7 @@ jobs:
           # We need to do such trick here as the format of the $GITHUB_REF
           # is "refs/tags/<tag>"
           tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
+          if [ "${tag}" = "msft-preview" ]; then
               tag=$(./tools/packaging/release/release.sh release-version)
               tags=("${tag}" "latest")
           else

.github/workflows/release-ppc64le.yaml

@@ -63,7 +63,7 @@ jobs:
           # We need to do such trick here as the format of the $GITHUB_REF
           # is "refs/tags/<tag>"
           tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
+          if [ "${tag}" = "msft-preview" ]; then
               tag=$(./tools/packaging/release/release.sh release-version)
               tags=("${tag}" "latest")
           else

.github/workflows/release-s390x.yaml

@@ -67,7 +67,7 @@ jobs:
           # We need to do such trick here as the format of the $GITHUB_REF
           # is "refs/tags/<tag>"
           tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
+          if [ "${tag}" = "msft-preview" ]; then
               tag=$(./tools/packaging/release/release.sh release-version)
               tags=("${tag}" "latest")
           else

.github/workflows/scorecard.yaml

@@ -5,10 +5,10 @@
 name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  # https://github.com/ossf/scorecard/blob/msft-preview/docs/checks.md#branch-protection
   branch_protection_rule:
   push:
-    branches: [ "main" ]
+    branches: [ "msft-preview" ]
   workflow_dispatch:
 
 permissions: {}

.github/workflows/static-checks-self-hosted.yaml

@@ -23,7 +23,7 @@ jobs:
 
   build-checks:
     needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
+    if: false # msft-preview doesn't have these runners
     strategy:
       fail-fast: false
       matrix:

.github/workflows/static-checks.yaml

@@ -110,6 +110,7 @@ jobs:
           - "make static-checks"
     env:
       GOPATH: ${{ github.workspace }}
+      target_branch: msft-preview
     permissions:
       contents: read  # for checkout
       packages: write # for push to ghcr.io

.gitignore

@@ -20,3 +20,23 @@ tools/packaging/static-build/agent/install_libseccomp.sh
 .direnv
 **/.DS_Store
 site/
+
+# Microsoft-specific
+.cargo/
+src/agent/samples/policy/test-input/
+src/tarfs/**/*.cmd
+src/tarfs/**/*.ko
+src/tarfs/**/*.mod
+src/tarfs/**/*.mod.c
+src/tarfs/**/*.o
+src/tarfs/**/modules.order
+src/tarfs/**/Module.symvers
+src/tarfs-cvm/
+tools/osbuilder/kata-containers-igvm.img
+tools/osbuilder/kata-containers-igvm-debug.img
+tools/osbuilder/igvm-debug-measurement.cose
+tools/osbuilder/igvm-measurement.cose
+tools/osbuilder/root_hash.txt
+tools/osbuilder/igvm.log
+tools/osbuilder/kata-opa.service
+tools/osbuilder/rootfs-builder/opa/

SECURITY.md

@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->

src/libs/kata-types/src/config/default.rs

@@ -54,7 +54,7 @@ pub const MAX_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024 * 1024;
 pub const DEFAULT_GUEST_HOOK_PATH: &str = "/opt/kata/hooks";
 pub const DEFAULT_GUEST_DNS_FILE: &str = "/etc/resolv.conf";
 
-pub const DEFAULT_GUEST_VCPUS: u32 = 1;
+pub const DEFAULT_GUEST_VCPUS: u32 = 0;
 
 // Default configuration for dragonball
 pub const DEFAULT_DRAGONBALL_GUEST_KERNEL_IMAGE: &str = "vmlinuz";
@@ -93,7 +93,7 @@ pub const DEFAULT_CH_MEMORY_SLOTS: u32 = 128;
 pub const DEFAULT_CH_PCI_BRIDGES: u32 = 2;
 pub const MAX_CH_PCI_BRIDGES: u32 = 5;
 pub const MAX_CH_VCPUS: u32 = 256;
-pub const MIN_CH_MEMORY_SIZE_MB: u32 = 64;
+pub const MIN_CH_MEMORY_SIZE_MB: u32 = 0;
 
 //Default configuration for firecracker
 pub const DEFAULT_FIRECRACKER_ENTROPY_SOURCE: &str = "/dev/urandom";

src/libs/kata-types/src/config/hypervisor/ch.rs

@@ -79,9 +79,6 @@ impl ConfigPlugin for CloudHypervisorConfig {
                 ch.machine_info.entropy_source = default::DEFAULT_CH_ENTROPY_SOURCE.to_string();
             }
 
-            if ch.memory_info.default_memory == 0 {
-                ch.memory_info.default_memory = default::DEFAULT_CH_MEMORY_SIZE_MB;
-            }
             if ch.memory_info.memory_slots == 0 {
                 ch.memory_info.memory_slots = default::DEFAULT_CH_MEMORY_SLOTS;
             }
@@ -129,12 +126,6 @@ impl ConfigPlugin for CloudHypervisorConfig {
                     ch.device_info.default_bridges,
                 )));
             }
-
-            if ch.memory_info.default_memory < MIN_CH_MEMORY_SIZE_MB {
-                return Err(std::io::Error::other(format!(
-                    "CH hypervisor has minimal memory limitation {MIN_CH_MEMORY_SIZE_MB}",
-                )));
-            }
         }
 
         Ok(())

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -1031,19 +1031,14 @@ impl MemoryInfo {
 
     /// Validates the memory configuration information.
     ///
-    /// This ensures that critical memory parameters like `default_memory`
-    /// and `memory_slots` are non-zero, and checks the validity of
+    /// This ensures that critical memory parameters like `memory_slots` are
+    /// non-zero, and checks the validity of
     /// the memory backend file path.
     pub fn validate(&self) -> Result<()> {
         validate_path!(
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-        if self.default_memory == 0 {
-            return Err(std::io::Error::other(
-                "Configured memory size for guest VM is zero",
-            ));
-        }
         if self.memory_slots == 0 {
             return Err(std::io::Error::other(
                 "Configured memory slots for guest VM are zero",

src/libs/kata-types/src/config/runtime.rs

@@ -123,6 +123,15 @@ pub struct Runtime {
     #[serde(default)]
     pub static_sandbox_resource_mgmt: bool,
 
+    /// Memory to allocate for workloads within the sandbox when workload memory is unspecified
+    #[serde(default)]
+    pub static_sandbox_default_workload_mem: u32,
+
+    /// Default workload vcpus added to the sandbox when static resource management
+    /// is enabled and no explicit workload vcpu limit was provided.
+    #[serde(default)]
+    pub static_sandbox_default_workload_vcpus: f32,
+
     /// Determines whether container seccomp profiles are passed to the virtual machine and
     /// applied by the kata agent. If set to true, seccomp is not applied within the guest.
     #[serde(default)]