# Release 1.11.0
Announcing Kata Containers 1.11.0.
This is a new stable branch for Kata. This release includes the following improvements.
Please note that this release includes security fixes for CVE-2020-2024 and CVE-2020-2025. Users are strongly encouraged to move to this new release.
Qemu:
- update qemu to 4.1.1
- qemu: Support PCIe device hotplug for q35
- qemu: Add virtio-mem support (experimental)
- Support pmem/nvdimm hotplug
Firecracker:
- Update Firecracker to v0.20.0
Cloud Hypervisor:
- Update to cloud-hypervisor 0.7.0
- Device assignment using VFIO (Virtual Function I/O) was implemented.
- Memory and CPU hotplug were enabled for Kata and Cloud Hypervisor.
- Booting the guest OS using virtualized persistent memory (virtio-pmem) was enabled.
Network:
- ipv6: Add support for ipv6
Internals:
- persist: move "newstore" out of experimental: the "newstore" feature has been an "experimental" feature for a long time.
cgroups and namespaces:
- rootless: Fix rootless for case net=none
- Support device cgroup in the host: when sandbox_cgroup_only is true, the hypervisor has access only to the devices that the sandbox and its containers need.
agent Changes
Shortlog
a04eb27 release: Kata Containers 1.11.0
27490d4 release: Kata Containers 1.11.0-rc0
305c6f9 protocols: fix client unit tests for go 1.13
6cbeed5 mount: Use "virtiofs" instead of "virtio_fs"
cfc96dd build: Add support to strip the agent golang binary
7c0a967 agent: signal from keyboard must not be fatal
8325ad8 agent: fix epoll fd left in the kata-agent when exec process
97f6fa7 release: Kata Containers 1.11.0-alpha1
05b557a agent: add configurable container pipe size cmdline option
8ede869 agent: add kernel cmdline parameter to enable or disable cgroups v2
ddd9188 agent: parse kernel command line as soon as possible
2a5442a agent: support pmem/nvdimm hotplug
3f0d98e agent: Remove dev from pciDeviceMap when device is unplugged
e4c2037 agent: don't receive signals from stdin
8f57eda protocols: client: Add timeout for hybrid vsock handshake
8929a02 release: Kata Containers 1.11.0-alpha0
f6472bd build: Update CentOS version for the Dockerfile
accab34 agent-client: include log in agent client
a44d555 FC: Add new vsock connection handshake
c66b927 ipv6: Add flag IFA_F_NODAD for ipv6 address.
93a901c ipv6: Add support for ipv6
8d8d3f8 test: change import path for NetworkInterface
e6cbfc1 vendor: Update vendoring for libcontainer.
660e61f Revert: client.go: HybridVSockDialer: Change Read EOT to recv peek
6cfb75d Revert: client.go: HybridVSockDialer: Check return size n of unix.Recvfrom
54eb918 Revert: client.go: HybridVSockDialer: Close dup fd after receive packet
2f49115 agent: Fix mem-hotplug on x86 when ARCH_MEMORY_PROBE is set
44608b2 vendor: update golang/sys
33f3208 client.go: HybridVSockDialer: Close dup fd after receive packet
proxy Changes
Shortlog
de96227 release: Kata Containers 1.11.0
9412389 release: Kata Containers 1.11.0-rc0
32085dd travis: specify golang version
1f23aa4 build: Add support to strip the proxy golang binary
a7e5f51 release: Kata Containers 1.11.0-alpha1
d70f905 release: Kata Containers 1.11.0-alpha0
46750d9 Makefile: overwrite PREFIX from environment
runtime Changes
Shortlog
c7fa5dc utils: Fix case version check for stable releases
c2b6978 release: Kata Containers 1.11.0
2d25165 clh: vsock: Supply the right VsockConfig to Vmconfig
fcc9e93 versions: Move to cloud-hypervisor v0.7.0
34be9e0 clh: memory: remove pmem size argument
9798e8a versions: Move to latest cloud-hypervisor
93b1b83 virtcontainers: constrain runtime after creating network
fc9be99 virtcontainers: update sandbox's device cgroup
5cfae21 virtcontainers: remove all the code related to HasCRIContainerType
cff5392 virtcontainers: apply constraints to the sandbox cgroup
ce6edc5 pkg/cgroups: update the list of devices for the hypervisor
3fceece pkg/cgroups: add methods to add and remove device from the cgroup
b345855 pkg/cgroups: implement functions to get information from a host device
0d3b697 device: add GetHostPath() to generic device
21711ee release: Kata Containers 1.11.0-rc0
d78ffd6 makefile: Make SELinux support configurable
7aa3168 clh: Boot from persistent memory device
e8fc25a version: Update clh to master
8c850d9 config: Add scsi_mod.scan=none for virtio-scsi
bf9758b katautils: Use config paths set during the build
07d0a4f version: Update kernel to lts 5.4.32
432f9be clh: virtiofs: Add no_posix_lock option
ab8050c kata_agent: Don't use dax if virtio_fs_cache is 0
6218b2a kata_agent: Remove sharedDirVirtioFSOptions
95ccc0f agent: Use "virtiofs" instead of "virtio_fs"
4c1cacd versions: Switch to virtio-fs-dev branch for kernel
8e0f891 v2: Open log fifo with RDWR instead of WRONLY
afbd03c qemu-ppc64le: Switch off large decrementer capability
0294fcb versions: Update go to 1.13.9
5eec8bd qemu_ppc64le: EXpose fs support explicitly
fd625b3 qemu: Don't crash if virtiofsd path is non existent
e4eb553 virtcontainers: Add SELinux support for running VM Confinement
39e354f clh: Implement capabilities
0a1ffc1 types: Make FS sharing disable by default
4d034b1 versions: update go to v1.14
7997218 Makefile: Allow change default hypervisor via env var
669b6e3 clh: Report warning when requested vCPUs exceeds maxVCPU allowed
aab82f6 clh: Add memory hotplug
2f94873 clh: Use MemUnit to create VM
b6a7d8d utils: Add memory unit abstraction
5e7d253 clh: add vmInfo method
ebb8fd5 versions: Update clh to latest master
3b53114 virtcontainers: improve algorithm to check Large bar devices
7aff546 virtcontainers: check PCI resource format before using it
2c310fe virtcontainers: handle persistent memory volumes
434b302 virtcontainers: hotplug block drives that are pmem devices as nvdimm
84e0ee1 virtcontainers: reimplement createBlockDevices
abbdf07 virtcontainers: add Pmem attribute to BlockDrive
ee941e5 virtcontainers: Implement function to get the pmem DeviceInfo
9ff44db virtcontainers: implement function to get the backing file
0a4e2ed virtcontainers: move GetDevicePathAndFsType to utils_linux
2c7f27e vendor: update govmm
e62a8aa versions: Update containerd commit
4d2574a virtcontainers: Don't create vfio devices in the guest
d0a730c shimv2: move container rootfs mounted flag to container level
d60902a FC: change minimum supported version of Firecracker to v0.21.1
aadf8c4 AArch64: enable firecracker v0.21.1 on AArch64
44e2349 FC: Fix error of overlong firecracker API unix socket
c3bafd5 FC: Change default API socket path
2945bcd FC: Removed redundant --seccomp-level jailer parameter
d2cae59 FC: Removed redundant RescanBlockDevice action
37b91b3 FC: Remove logger.options
f61eca8 clh: Add comments around clh api
6a4e667 virtiofsd: Check if PID is valid
3251bea version: Update clh to master
c518464 clh: Add vfio support
00da127 unit-test: refine related unit tests
13390df Jailer: re-mount jailerRoot with exec
9d3022a mount: modify func bindMount
126fa15 agent: append and handle vhost-user-blk device
cf066b7 devices: hotplug vhost-user-blk device to qemu
3696318 devices: filter vhost-user-blk/scsi device
54b24da devices: add vhost-user storage configuration
17a92ae release: Kata Containers 1.11.0-alpha1
94298dd clh: Remove dead-code on maxClhVcpus
2cd0c88 README: logging: add shimv2 information
4c28717 vc: add agent.container_pipe_size annotation
4ce44ab clh: set rootfstype
eee4d70 katutils: logging: default log level to Warn
913d153 cli: logging: Default to Warn level
ed43117 vc: Remove container share dir when stopping
17b9de1 clh: enable CPU hotplug
63c7ac5 clh: add 'APIsocket' to persist HypervisorState
e9a4658 vc: Use BlockIndexMap instead of BlockIndex
7427fea dnm: vendor: update agent client
0da1010 version-update: version update for cri-o and k8s
376c425 cli: add virtioFsDaemon to kata-env.
171eb70 qemu: use govmm vhost user device types directly
4639294 qemu: pass guest image file readonly
63fdf53 vendor: update govmm dependency
c6cc8b9 virtcontainers: support lazy attach devices
3345977 clh: update minimal supported version to check.
2033229 clh: Fix version check
ea82922 virtcontainers/pkg/cgroups: implement cgroup manager
03cdf6c virtcontainers: add new package for cgroups
5f9a77c vc: validate container path when cleaning up
5bf3231 vc: do not follow symlink when umounting contanier host path
12d10eb clh: Update clh driver to use the latest openAPI knobs
de8fe25 clh: Update CLH to stable/v0.5.x
32196ff clh: Do not find vsock context ID
c2462e7 release: Kata Containers 1.11.0-alpha0
db5cfeb makefile: Fix missing LDFLAGS references
b74cda0 makefile: do not use LDFLAGS for extra kata flags.
1c1e7cc unit-test: refine unit tests
1ad927d kata-check: use "--strict" to perform version consistency check
a4b3c65 kata-env: import new struct VersionInfo
0f720e6 virtcontainers: fix typo in sandbox
78bb6c0 virtcontainers/persist: fix typo in fs
a8dcff5 AArch64: change image rootfs from fedora to ubuntu
2c3b465 build: Add support to strip the binary
de7383b kernel: Update kernel to latest stable 5.4.15
055f317 selinux: Disable selinux
a45cf62 virtcontainers/pkg/rootless: fix comment on exported var
c36c667 cli: implement --rootless option
11bd456 virtcontainers: support new persist API
9585bc9 virtcontainers/hypervisors: support new persist API
00307a7 virtcontainers/sandbox: support new persist API
4b9ab55 virtcontainers/factory: support new persist API
71f48a3 virtcontainers/persist: update GetDriver to support rootless fs
dd2762f virtcontainers/persist: introduce mock fs driver
ea8fb96 virtcontainers/persist: introduce rootless fs driver
768db1b virtcontainers/persist: update API and interface
6be7481 virtcontainers: remove getVMPath method from agent
658f779 rootless: move pkg/rootless to virtcontainers
83561c4 ci: Do not setup virtcontainers while using podman
22c486a CI: update yq to 3.1.0
5c3bcd8 dep: Fix dep check
836e3c2 clh: update to v0.5.0
b602e62 docs: README: Minor grammatical updates
7498978 Vendor: update agent client
27d9e43 FC: update Firecracker to v0.20.0
bb41b72 qemu: Support PCIe device hotplug for q35
fa7d00e vendor: update github.com/intel/govmm
b2fb86f virtcontainers: clh: Set the serial to NULL instead of OFF
3594855 s390x: fix refactoring
96a49a8 AArch64: arm ci failed on stale Gopkg.lock.
9bf4b85 AArch64: fix golint error on ARM CI.
2560e65 versions: bump conmon version to v2.0.5
693ad23 virtcontainers: Fix error message in mockHypervisor
4a77b0f rootless: use libcontainer API to detect rootless
c5d79eb ipv6: Add support for ipv6 for netmon as well.
b169476 ipv6: Add support for ipv6
c26ce18 vendor: update agent client
01a12b0 qemu: Add virtio-mem support
b337428 vendor: Update github.com/intel/govmm
c3cf98a virtcontainers: constrain docker container when sandbox_cgroup_only=true
54482f1 virtcontainers: remove json cgroups struct tag
316b5f2 virtcontainers: Fix typo in logger message
1f957e1 vc: Detach device when unable to store sandbox device
7186c01 unit-test: delete what ioutil.TempFile creates
0244d95 unit-test: delete what ioutil.TempDir() creates
aa62781 unit-test: reconstuct TestMain
d042d5c virtcontainers: fix unit tests
776da08 virtcontainers/hook: fix HookState
f372b85 virtcontainers: reimplement setupSandboxCgroup
9949daf virtcontainers: move validCgroupPath
ce2795e virtcontainers: remove systemd paramenter from constraintGRPCSpec
8c63c18 virtcontainers: add function to create a new cgroup manager
8057cd7 virtcontainers: add function to identify systemd cgroup path
4126968 virtcontainers: save CgroupPaths and Cgroups in sandbox
a170d00 vendor: update agent
112f90b vendor: update golang/x/sys
4a1dc1e vendor: update libcontainer
908a42a vendor: update logrus
290339d compatibility: keep oldstore for compatibility
4a298cb persist: address comments
d33b154 persist: add interface for global read/write
ed4a195 persist: remove unused struct
8e88859 persist: remove all usage of VCStore
01b4a64 persist: remove VCStore from sandbox/apis
b63e517 persist: replace sandbox lock with newstore.Lock
508101b persist: fix vmtemplate storage leak
29b55ab persist: remove VCStore from container
633748a persist: remove VCStore from hypervisor
687f2db persist: move "newstore" out of experimental
0af4819 versions: update qemu to 4.1.1
09198ee FC: jailer failed when importing new flag "--config-file"
3ed472d store: UT tmp path should be random
5617120 nsenter: skip ut on non-root
e5b04a5 ut: fs test should set RunStoragePath
9bf0d67 ut: direct factory needs to set VCStorePrefix
4c35d09 vc: set store RunVMStoragePath for ut
3deb24e cli: flush coverage report in defer function
f56d70c vc: UT should set VCStorePrefix
7c7a4a3 annotations: add disable_image_nvdimm
652bb76 cli: syscall return value check is wrong
a871728 qemu: add disalbe_image_nvdimm option
dd5b446 qemu: refactor appendImage
a2d3f9f vitiofsd: Add virtiofsd interaface
2a085ee clh: virtiofsd: check path is not empty
af5c9c2 clh: hypervisor: Do not set 9p values for virtiofs
6a10cd9 clh: test: add unit test
8a439ea clh: add Client Interface and bootVM test
661956f versions: Update cloud hypervisor url
b96c7e5 rootless: fix rootless for case net=none
a215f87 vendor: Update github.com/kata-containers/agent to handle hvsock issue
1c11fe2 shimv2: support runtime config path via annotation
6eae033 shimv2: cleanup container if not found
743309c vc: stop container should change container state at last
6cd9b3b vendor: Update golang.org/x/sys
9c3151e clh: remove not requried values
e9a852d clh: update api calls for latest master
1a7539c clh: update client
5532378 versions: update clh to v0.4.0
837a0ee cache-factory: set bridge info when creating vm
3d8ffe4 cache-factory: fix nil pointer runtime panic
8f6d0ab FC: introduce --config-file to replace API configure request
f2d8d71 FC: func checkVersion should be more independent
9ce2113 FC: remove API Ready state
efb611a clh: client: update acording to versions.yaml
9a15457 vc: Check error return from storeState
ab2088f makefile: honor virtiofs config for default config
cc25216 virtiofs: add default value for virtioFsCache type.
shim Changes
Shortlog
a6e93df release: Kata Containers 1.11.0
157eb5a release: Kata Containers 1.11.0-rc0
3d4166a vendor: Update kata agent to 5bf8d4c
6153de8 vendor: Update logrus to v1.4.2
21a5451 travis: specify golang version.
298a4d8 make: Add support to strip the binary
488bbaf release: Kata Containers 1.11.0-alpha1
5723a04 release: Kata Containers 1.11.0-alpha0
f299e2c Makefile: overwrite PREFIX from environment
Compatibility with Docker
Kata Containers 1.11.0 is compatible with Docker v18.06-ce
Compatibility with CRI-O
Kata Containers 1.11.0 is compatible with CRI-O 0eec454168e381e460b3d6de07bf50bfd9b0d082
Compatibility with cri-containerd
Kata Containers 1.11.0 is compatible with cri-containerd 3a4acfbc99aa976849f51a8edd4af20ead51d8d7
OCI Runtime Specification
Kata Containers 1.11.0 supports the OCI Runtime Specification v1.0.0-rc5
Compatibility with Kubernetes
Kata Containers 1.11.0 is compatible with Kubernetes 1.17.3-00
Kata Linux Containers image
Agent version: 1.11.0
Default Image Guest OS:
```yaml
description: |
  Root filesystem disk image used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "ubuntu"
    version: "latest"
  ppc64le:
    name: "centos"
    version: "latest"
  s390x:
    name: "ubuntu"
    version: "latest"
  x86_64:
    name: "clearlinux"
    version: "latest"
meta:
  image-type: "clearlinux"
```
Default Initrd Guest OS:
```yaml
description: |
  Root filesystem initrd used to boot the guest virtual
  machine.
url: "https://github.com/kata-containers/osbuilder"
architecture:
  aarch64:
    name: "alpine"
    version: "3.7"
  ppc64le:
    name: "alpine"
    version: "3.7"
  s390x:
    name: "alpine"
    version: "3.7"
  x86_64:
    name: "alpine"
    version: "3.7"
```
Kata Linux Containers Kernel
Kata Containers 1.11.0 suggests using the Linux kernel v5.4.32
See the suggested Guest Kernel patches
See the suggested Guest Kernel config
Installation
Follow the Kata installation instructions.
Issues & limitations
More information: Limitations