Merge tag 'v37.1' into lts-merge-v37.1

This is a bug fix release. The following issues have been addressed: * Fix several security advisories from dependencies (cloud-hypervisor#6134, cloud-hypervisor#6141) * Enable HTT flag to avoid crashing cpu topology enumeration software such as hwloc in the guest (cloud-hypervisor#6146) * Enable nested virtualization on AMD if supported (cloud-hypervisor#6106) * Handle non-power-of-two CPU topology properly (cloud-hypervisor#6062) * Various bug fixes around virtio-vsock(cloud-hypervisor#6080, cloud-hypervisor#6091, cloud-hypervisor#6095) * Align VFIO devices PCI BARs naturally (cloud-hypervisor#6196) Conflicts: Cargo.toml arch/src/x86_64/mod.rs
cyberus-technology · Mar 20, 2024 · d523a93 · d523a93
2 parents a48f028 + 115c455
commit d523a93
Show file tree

Hide file tree

Showing 82 changed files with 1,324 additions and 1,169 deletions.
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
@@ -4,6 +4,7 @@ on:
     paths: 
       - '**/Cargo.toml'
       - '**/Cargo.lock'
+
 jobs:
   security_audit:
     name: Audit

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,9 +1,11 @@
 name: Cloud Hypervisor Build
-on: [pull_request, create]
+on: [pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build:
-    if: github.event_name == 'pull_request'
     name: Build
     runs-on: ubuntu-latest
     strategy:

diff --git a/.github/workflows/dco.yaml b/.github/workflows/dco.yaml
@@ -1,8 +1,9 @@
 name: DCO
-on:
-  pull_request:
+on: [pull_request, merge_group]
+
 jobs:
   check:
+    name: DCO Check ("Signed-Off-By")
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -11,6 +12,7 @@ jobs:
       with:
         python-version: '3.x'
     - name: Check DCO
+      if: ${{ github.event_name == 'pull_request' }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |

diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml
@@ -1,11 +1,13 @@
 name: Cloud Hypervisor's Docker image update
-
 on:
   push:
     branches: main
     paths: resources/Dockerfile
   pull_request:
     paths: resources/Dockerfile
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 env:
   REGISTRY: ghcr.io

diff --git a/.github/workflows/fuzz-build.yaml b/.github/workflows/fuzz-build.yaml
@@ -1,9 +1,11 @@
 name: Cloud Hypervisor Cargo Fuzz Build
-on: [pull_request, create]
+on: [pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build:
-    if: github.event_name == 'pull_request'
     name: Cargo Fuzz Build
     runs-on: ubuntu-latest
     strategy:

diff --git a/.github/workflows/gitlint.yaml b/.github/workflows/gitlint.yaml
@@ -1,5 +1,4 @@
 name: Commit messages check
-
 on:
   pull_request:
 

diff --git a/.github/workflows/hadolint.yaml b/.github/workflows/hadolint.yaml
@@ -1,5 +1,4 @@
 name: Lint Dockerfile
-
 on:
   push:
     paths:

diff --git a/.github/workflows/integration-arm64.yaml b/.github/workflows/integration-arm64.yaml
@@ -0,0 +1,54 @@
+name: Cloud Hypervisor Tests (ARM64)
+on: [pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    timeout-minutes: 60
+    name: Tests (ARM64)
+    runs-on: focal-arm64
+    steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R github-runner:github-runner ${GITHUB_WORKSPACE}
+      - name: Code checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run unit tests (musl)
+        run: scripts/dev_cli.sh tests --unit --libc musl
+      - name: Load openvswitch module
+        run: sudo modprobe openvswitch
+      - name: Run integration tests (musl)
+        timeout-minutes: 30
+        run: scripts/dev_cli.sh tests --integration --libc musl
+      - name: Install Azure CLI
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          sudo apt install -y ca-certificates curl apt-transport-https lsb-release gnupg
+          curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
+          echo "deb [arch=arm64] https://packages.microsoft.com/repos/azure-cli/ focal main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+          sudo apt update
+          sudo apt install -y azure-cli
+      - name: Download Windows image
+        if: ${{ github.event_name != 'pull_request' }}
+        shell: bash
+        run: |
+          IMG_BASENAME=windows-11-iot-enterprise-aarch64.raw
+          IMG_PATH=$HOME/workloads/$IMG_BASENAME
+          IMG_GZ_PATH=$HOME/workloads/$IMG_BASENAME.gz
+          IMG_GZ_BLOB_NAME=windows-11-iot-enterprise-aarch64-9-min.raw.gz
+          cp "scripts/$IMG_BASENAME.sha1" "$HOME/workloads/"
+          pushd "$HOME/workloads"
+          if sha1sum "$IMG_BASENAME.sha1" --check; then
+              exit
+          fi
+          popd
+          mkdir -p "$HOME/workloads"
+          az storage blob download --container-name private-images --file "$IMG_GZ_PATH" --name "$IMG_GZ_BLOB_NAME" --connection-string "${{ secrets.CH_PRIVATE_IMAGES }}"
+          gzip -d $IMG_GZ_PATH
+      - name: Run Windows guest integration tests
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 30
+        run: scripts/dev_cli.sh tests --integration-windows --libc musl
diff --git a/.github/workflows/integration-metrics.yaml b/.github/workflows/integration-metrics.yaml
@@ -0,0 +1,22 @@
+name: Cloud Hypervisor Tests (Metrics)
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Tests (Metrics)
+    runs-on: jammy-metrics
+    env:
+      METRICS_PUBLISH_KEY: ${{ secrets.METRICS_PUBLISH_KEY }}
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run metrics tests
+        timeout-minutes: 60
+        run: scripts/dev_cli.sh tests --metrics -- -- --report-file /root/workloads/metrics.json
+      - name: Upload metrics report
+        run: 'curl -X PUT https://ch-metrics.azurewebsites.net/api/publishmetrics -H "x-functions-key: $METRICS_PUBLISH_KEY" -T ~/workloads/metrics.json'
diff --git a/.github/workflows/integration-rate-limiter.yaml b/.github/workflows/integration-rate-limiter.yaml
@@ -0,0 +1,28 @@
+name: Cloud Hypervisor Tests (Rate-Limiter)
+on: [merge_group, pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Tests (Rate-Limiter)
+    runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-latest' || 'jammy-rate-limiter' }}
+    env:
+      AUTH_DOWNLOAD_TOKEN: ${{ secrets.AUTH_DOWNLOAD_TOKEN }}
+    steps:
+      - name: Fix workspace permissions
+        if: ${{ github.event_name != 'pull_request' }}
+        run: sudo chown -R github-runner:github-runner ${GITHUB_WORKSPACE}
+      - name: Code checkout
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run rate-limiter integration tests
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 10
+        run: scripts/dev_cli.sh tests --integration-rate-limiter
+      - name: Skipping build for PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: echo "Skipping build for PR"
diff --git a/.github/workflows/integration-sgx.yaml b/.github/workflows/integration-sgx.yaml
@@ -0,0 +1,32 @@
+name: Cloud Hypervisor Tests (SGX)
+on: [merge_group, pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Tests (SGX)
+    runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-latest' || 'jammy-sgx' }}
+    env:
+      AUTH_DOWNLOAD_TOKEN: ${{ secrets.AUTH_DOWNLOAD_TOKEN }}
+    steps:
+      - name: Fix workspace permissions
+        if: ${{ github.event_name != 'pull_request' }}
+        run: sudo chown -R github-runner:github-runner ${GITHUB_WORKSPACE}
+      - name: Code checkout
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run SGX integration tests
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 10
+        run: scripts/dev_cli.sh tests --integration-sgx
+      - name: Run SGX integration tests for musl
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 10
+        run: scripts/dev_cli.sh tests --integration-sgx --libc musl
+      - name: Skipping build for PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: echo "Skipping build for PR"
diff --git a/.github/workflows/integration-vfio.yaml b/.github/workflows/integration-vfio.yaml
@@ -0,0 +1,32 @@
+name: Cloud Hypervisor Tests (VFIO)
+on: [merge_group, pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Tests (VFIO)
+    runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-latest' || 'jammy-vfio' }}
+    env:
+      AUTH_DOWNLOAD_TOKEN: ${{ secrets.AUTH_DOWNLOAD_TOKEN }}
+    steps:
+      - name: Fix workspace permissions
+        if: ${{ github.event_name != 'pull_request' }}
+        run: sudo chown -R github-runner:github-runner ${GITHUB_WORKSPACE}
+      - name: Code checkout
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run VFIO integration tests
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 15
+        run: scripts/dev_cli.sh tests --integration-vfio
+      - name: Run VFIO integration tests for musl
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 15
+        run: scripts/dev_cli.sh tests --integration-vfio --libc musl
+      - name: Skipping build for PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: echo "Skipping build for PR"
diff --git a/.github/workflows/integration-windows.yaml b/.github/workflows/integration-windows.yaml
@@ -0,0 +1,50 @@
+name: Cloud Hypervisor Tests (Windows Guest)
+on: [merge_group, pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Tests (Windows Guest)
+    runs-on: ${{ github.event_name == 'pull_request' && 'ubuntu-latest' || 'garm-jammy-16' }}
+    steps:
+      - name: Code checkout
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Docker
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install ca-certificates curl gnupg
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+          sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+          sudo apt-get update
+          sudo apt install -y docker-ce docker-ce-cli
+      - name: Install Azure CLI
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          sudo apt install -y ca-certificates curl apt-transport-https lsb-release gnupg
+          curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
+          echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ jammy main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+          sudo apt update
+          sudo apt install -y azure-cli
+      - name: Download Windows image
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          mkdir $HOME/workloads
+          az storage blob download --container-name private-images --file "$HOME/workloads/windows-server-2022-amd64-2.raw" --name windows-server-2022-amd64-2.raw --connection-string "${{ secrets.CH_PRIVATE_IMAGES }}"
+      - name: Run Windows guest integration tests
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 15
+        run: scripts/dev_cli.sh tests --integration-windows
+      - name: Run Windows guest integration tests for musl
+        if: ${{ github.event_name != 'pull_request' }}
+        timeout-minutes: 15
+        run: scripts/dev_cli.sh tests --integration-windows --libc musl
+      - name: Skipping build for PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: echo "Skipping build for PR"
diff --git a/.github/workflows/integration-x86-64.yaml b/.github/workflows/integration-x86-64.yaml
@@ -0,0 +1,52 @@
+name: Cloud Hypervisor Tests (x86-64)
+on: [pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: ['garm-jammy', "garm-jammy-amd"]
+        libc: ["musl", 'gnu']
+    name: Tests (x86-64)
+    runs-on: ${{ github.event_name == 'pull_request' && !(matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') && 'ubuntu-latest' || format('{0}-16', matrix.runner) }}
+    steps:
+      - name: Code checkout
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Docker
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install ca-certificates curl gnupg
+          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+          sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+          sudo apt-get update
+          sudo apt install -y docker-ce docker-ce-cli
+      - name: Prepare for VDPA
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        run: scripts/prepare_vdpa.sh
+      - name: Run unit tests
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        run: scripts/dev_cli.sh tests --unit --libc ${{ matrix.libc }}
+      - name: Load openvswitch module
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        run: sudo modprobe openvswitch
+      - name: Run integration tests
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        timeout-minutes: 40
+        run: scripts/dev_cli.sh tests --integration --libc ${{ matrix.libc }}
+      - name: Run live-migration integration tests
+        if: ${{ github.event_name != 'pull_request' || (matrix.runner == 'garm-jammy' && matrix.libc == 'gnu') }}
+        timeout-minutes: 20
+        run: scripts/dev_cli.sh tests --integration-live-migration --libc ${{ matrix.libc }}
+      - name: Skipping build for PR
+        if: ${{ github.event_name == 'pull_request' && matrix.runner != 'garm-jammy' && matrix.libc != 'gnu' }}
+        run: echo "Skipping build for PR"
diff --git a/.github/workflows/openapi.yaml b/.github/workflows/openapi.yaml
@@ -1,7 +1,5 @@
 name: Cloud Hypervisor OpenAPI Validation
-
-on:
-  pull_request:
+on: [pull_request, merge_group]
 
 jobs:
   Validate:

diff --git a/.github/workflows/quality.yaml b/.github/workflows/quality.yaml
@@ -1,9 +1,11 @@
 name: Cloud Hypervisor Quality Checks
-on: [pull_request, create]
+on: [pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build:
-    if: github.event_name == 'pull_request'
     name: Quality (clippy, rustfmt)
     runs-on: ubuntu-latest
     continue-on-error: ${{ matrix.experimental }}
@@ -46,8 +48,8 @@ jobs:
           override: true
           components: rustfmt, clippy
 
-      - name: Debug Check (default features)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' }}
+      - name: Bisectability Check (default features)
+        if: ${{ github.event_name == 'pull_request' && matrix.target == 'x86_64-unknown-linux-gnu' }}
         run: |
           set -e
           commits=$(git rev-list origin/${{ github.base_ref }}..${{ github.sha }})