Name                                   Modified     Size
kata-static-1.11.5-x86_64.tar.xz       2020-11-12   114.2 MB
# Release 1.11.5 source code.tar.gz    2020-11-12   11.9 MB
# Release 1.11.5 source code.zip       2020-11-12   13.6 MB
README.md                              2020-11-12   6.2 kB
Totals: 4 Items, 139.7 MB, 0 downloads / week

This patch release includes backports of security fixes and some bug fixes.

Security fixes included:

  • Read-only bind mounts are now mounted read-only on the host. With this fix, mounts are protected at the VM boundary, not just by the guest kernel. Before this fix, if a container escape were to occur, one would be able to write to a directory or file that was mounted read-only.
  • Certain annotations in Kata can be used to execute pre-existing binaries. This could be used to execute arbitrary binaries, with the onus of validating these paths left to the stack above Kata. In this release, we added appropriate validations so that an admin can configure a list of file system paths that can be used to filter annotations that represent valid file names.
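
The annotation filtering described in the second fix, as an added example that is not Kata's own code: an annotation name must be on an enabled list, and a path-valued annotation must also match an admin-supplied glob. The `policy` type, `check`, `samplePolicy` and all paths are hypothetical and constructed for illustration; only the annotation prefix and names come from Kata.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Kata's hypervisor annotation prefix; every policy value below is constructed.
const hvPrefix = "io.katacontainers.config.hypervisor."

// policy is a hypothetical stand-in for the admin-controlled runtime configuration.
type policy struct {
	enabled []string            // regexps for annotation names a workload may override
	globs   map[string][]string // path-valued annotation name -> allowed path globs
}

// check returns nil only when the annotation may override the configuration.
func (p policy) check(key, value string) error {
	name := strings.TrimPrefix(key, hvPrefix)
	if name == key {
		return nil // not a hypervisor override, outside this check
	}
	// Whole-name match against the enabled list; an invalid pattern enables nothing.
	ok, err := regexp.MatchString("^(?:"+strings.Join(p.enabled, "|")+")$", name)
	if name == "" || err != nil || !ok {
		return fmt.Errorf("%s: annotation not enabled", key)
	}
	globs, isPath := p.globs[name]
	if !isPath {
		return nil // not path-valued, so no path check applies
	}
	// Clean first so ".." cannot use a wildcard segment to leave the allowed directory.
	clean := filepath.Clean(value) // lexical only; symlinks are not resolved here
	for _, g := range globs {
		if ok, err := filepath.Match(g, clean); err == nil && ok {
			return nil
		}
	}
	return fmt.Errorf("%s: %q matches no allowed glob", key, clean) // empty list rejects all
}

func samplePolicy() policy {
	return policy{[]string{"path", "jailer_path", "default_vcpus"}, map[string][]string{
		"path": {"/opt/kata/bin/qemu-*", "/opt/kata/*/qemu-system-x86_64"}, "jailer_path": nil}}
}

func main() { fmt.Println(samplePolicy().check(hvPrefix+"path", "/opt/kata/../qemu-system-x86_64")) }
```

The rejected case in `main` would pass the second glob if the path were matched without cleaning, because `*` would match the `..` segment.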

agent Changes

Shortlog

ce2107a release: Kata Containers 1.11.5

proxy Changes

Shortlog

369aaa6 release: Kata Containers 1.11.5

runtime Changes

Shortlog

362e3129 release: Kata Containers 1.11.5
8e5c1c33 tests: Update assets test to adapt to recent changes
1231ce9e makefile: Enable hypervisor annotations by default
c2cbceb0 config: Rename 'runtime' to 'runtimeConfig'
7c1bf829 config: Improve comments in configuration file templates
57a29a8e config: Make configuration file comments consistent
f7493d79 annotations: Correct unit tests to validate new protections
e3efe738 annotations: Split addHypervisorOverrides to reduce complexity
50c126ff annotations: Add unit test for checkPathIsInGlobs
069360c7 annotations: Add unit test for regexpContains function
14bb5f1f runtime: Fix firecracker config
4eb00298 makefile: Add missing generated vars to USER_VARS
0705db23 makefile: Improve names of config entries for annotation checks
f1c2a1cb annotations: Give better names to local variabes in search functions
0d5d221e annotations: Rename checkPathIsInGlobList with checkPathIsInGlobs
96ba05fd config: Add better comments in the template files
33021ef2 config: Whitelist hypervisor annotations by name
db5fb825 config: Use glob instead of regexp to match paths in annotations
344e3384 annotations: Fix typo in comment
d3245a4d config: Add makefile variables for path lists
ba15b7e7 config: Protect file_mem_backend against annotation attacks
88b0544e config: Protect vhost_user_store_path against annotation attacks
7f381d5c config: Add security warning on configuration examples
4a753e85 config: Protect ctlpath from annotation attack
94076a64 config: Protect jailer_path annotation
14ef4df1 config: Add examples for path_list configuration
3d8ce2cc annotations: Simplify negative logic
562a0283 config: Add hypervisor path override through annotations
5848beca config: Fix typo in function name
46115673 config: Protect virtio_fs_daemon annotation
9ac0e93a config: Add 'List' alternates for hypervisor configuration paths
eca202e7 arm64: correct bridge type for QEMUVIRT machine
314bc3d6 gitignore: Ignore cli/containerd-shim-kata-v2/config-generated.go
951302fb runtime: Ignore ENOENT in kill/delete
20fcb93c hypervisor: Remove unused methods
04dc0d93 annotations: Improve asset annotation handling
a47f7b39 annotations: Add missing hypervisor control annotation
2dd0fe68 asset: Formatting, grammar and whitespace
3f0e61c0 runtime: mount shared mountpoint readonly
228e6eb4 runtime: readonly mounts should be readonly bindmount on the host
0b7019b9 runtime: Call s.newStore.Destroy if globalSandboxList.addSandbox
054c4fbd runtime: Don' call bindUnmountContainerRootfs for devicemapper device
ad3eec50 runtime: Fix /var/lib/vc/sbs/${sid} dir residual
d78780cf virtiofs: Disable DAX
51d85922 virtiofsd: Use cache=auto

shim Changes

Shortlog

2a0e8a5 release: Kata Containers 1.11.5

Compatibility with Docker

Kata Containers 1.11.5 is compatible with Docker v18.06-ce

Compatibility with CRI-O

Kata Containers 1.11.5 is compatible with CRI-O [0eec45]

Compatibility with cri-containerd

Kata Containers 1.11.5 is compatible with cri-containerd [3a4acf]

OCI Runtime Specification

Kata Containers 1.11.5 supports the OCI Runtime Specification v1.0.0-rc5

Compatibility with Kubernetes

Kata Containers 1.11.5 is compatible with Kubernetes 1.17.3-00

Kata Linux Containers image

Agent version: 1.11.5

Default Image Guest OS:

    description: |
      Root filesystem disk image used to boot the guest virtual machine.
    url: "https://github.com/kata-containers/osbuilder"
    architecture:
      aarch64:
        name: "ubuntu"
        version: "latest"
      ppc64le:
        name: "centos"
        version: "latest"
      s390x:
        name: "ubuntu"
        version: "latest"
      x86_64:
        name: "clearlinux"
        version: "latest"
        meta:
          image-type: "clearlinux"

Default Initrd Guest OS:

    description: |
      Root filesystem initrd used to boot the guest virtual machine.
    url: "https://github.com/kata-containers/osbuilder"
    architecture:
      aarch64:
        name: "alpine"
        version: "3.7"
      ppc64le:
        name: "alpine"
        version: "3.7"
      s390x:
        name: "alpine"
        version: "3.7"
      x86_64:
        name: "alpine"
        version: "3.7"

Kata Linux Containers Kernel

Kata Containers 1.11.5 suggests using the Linux kernel v5.4.32. See the suggested Guest Kernel patches and the suggested Guest Kernel config.

Installation

Follow the Kata installation instructions.

Issues & limitations

More information: Limitations

Source: README.md, updated 2020-11-12