Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
b03db3e
runtime: Resolve high UVM memory footprint
sprt Dec 15, 2023
14b1bfc
tools: Add initial igvm-builder and node-builder/azure-linux scripting
Mar 5, 2024
7ddec33
runtime: improved memory overhead management
danmihai1 Dec 31, 2024
521def7
runtime: Allocate default workload vcpus
Jan 2, 2025
f38ae83
ci: Update codeql.yml with proper branches
Jul 30, 2025
c06b470
runtime: Enforce that OCI memory limit exceeds 128MB baseline
Camelron Jul 29, 2025
2f5c814
webhook: enforce minimum memory limit
Redent0r Jan 9, 2025
4e81837
docs: add Microsoft mandatory file
microsoft-github-policy-service[bot] Dec 19, 2023
9ef2bb6
runtime: clh: update cloud-hypervisor API reference
Redent0r Mar 10, 2026
a136359
network: preseed default-gateway neighbor
Redent0r Aug 19, 2025
e58badb
ci: replace 'main' with 'msft-preview'
Redent0r Mar 24, 2026
2cb2026
ci: security: Use pull_request instead of pull_request_target
sprt Sep 10, 2025
5ffbdea
gatekeeper: set default to msft-preview
Redent0r Mar 25, 2026
d1351d3
versions: use upstream cloud-hypervisor
Redent0r Mar 25, 2026
4919644
static-checks: update target branch to msft-preview
Redent0r Mar 25, 2026
b27d196
runtime: run gofmt
Redent0r Mar 25, 2026
028a2dc
tests: disable tests that are not supported yet in our fork
Redent0r Mar 25, 2026
35da6c2
clh: Add VFIO device cold-plug support
romoh Mar 18, 2026
ed9cb74
Adding non-VF support - v1
Apr 2, 2026
45b83e5
Adding non-VF support - v2
Apr 2, 2026
e29dd02
Fix TestIsPhysicalIface: remove spurious ParentDevBus from Bridge and…
Copilot Apr 3, 2026
d3df378
Agent-Logs-Url: https://github.com/microsoft/kata-containers/sessions…
Copilot Apr 3, 2026
14b5ad6
Address reviewer feedback: nil link guard, rate-limiter switch, load(…
Copilot Apr 3, 2026
38449d1
Update src/runtime/virtcontainers/physical_endpoint.go
sharath-srikanth-chellappa Apr 3, 2026
9f7187c
Potential fix for pull request finding 'CodeQL / Incorrect conversion…
sharath-srikanth-chellappa Apr 3, 2026
6bba719
Update src/runtime/virtcontainers/physical_endpoint.go
sharath-srikanth-chellappa Apr 3, 2026
33d8941
runtime-rs: get_bus_type: only suppress NotFound errors, propagate ot…
Copilot Apr 3, 2026
77f6697
virtcontainers: PhysicalEndpoint: support Rx/Tx rate limiter for non-…
Copilot Apr 3, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build-kubectl-image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ on:
# Allow manual triggering
push:
branches:
- main
- msft-preview
paths:
- 'tools/packaging/kubectl/Dockerfile'
- '.github/workflows/build-kubectl-image.yaml'
Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/ci-on-push.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,19 @@
name: Kata Containers CI
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
# Upstream uses `pull_request_target` to have access to secrets for
# PRs from forks but:
# (1) `pull_request_target` only runs on the default branch and we
# have multiple leading branches, so we need to use `pull_request`.
# (2) We can use `pull_request` practically since we don't expect PRs
# from external contributors.
pull_request:
branches:
- 'main'
- 'msft-preview'
types:
# Adding 'labeled' to the list of activity types that trigger this event
# (default: opened, synchronize, reopened) so that we can run this
# workflow when the 'ok-to-test' label is added.
# Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
# Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
- opened
- synchronize
- reopened
Expand Down
11 changes: 7 additions & 4 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ jobs:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

build-kata-static-tarball-s390x:
if: false # msft-preview doesn't have these runners
permissions:
contents: read
packages: write
Expand All @@ -123,6 +124,7 @@ jobs:
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

build-kata-static-tarball-ppc64le:
if: false # msft-preview doesn't have these runners
permissions:
contents: read
packages: write
Expand Down Expand Up @@ -172,6 +174,7 @@ jobs:

build-and-publish-tee-confidential-unencrypted-image:
name: build-and-publish-tee-confidential-unencrypted-image
if: false # msft-preview can't push to GHCR
permissions:
contents: read
packages: write
Expand Down Expand Up @@ -277,7 +280,7 @@ jobs:
target-branch: ${{ inputs.target-branch }}

run-k8s-tests-on-aks:
if: ${{ inputs.skip-test != 'yes' }}
if: false # msft-preview doesn't test on AKS yet
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml

Expand All @@ -298,7 +301,7 @@ jobs:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

run-k8s-tests-on-arm64:
if: ${{ inputs.skip-test != 'yes' }}
if: false # msft-preview doesn't have these runners
needs: publish-kata-deploy-payload-arm64
uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
with:
Expand All @@ -310,7 +313,7 @@ jobs:
target-branch: ${{ inputs.target-branch }}

run-k8s-tests-on-nvidia-gpu:
if: ${{ inputs.skip-test != 'yes' }}
if: false # msft-preview doesn't have these runners
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
with:
Expand Down Expand Up @@ -365,7 +368,7 @@ jobs:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

run-k8s-tests-on-ppc64le:
if: ${{ inputs.skip-test != 'yes' }}
if: false # msft-preview doesn't have these runners
needs: publish-kata-deploy-payload-ppc64le
uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ name: "CodeQL Advanced"

on:
push:
branches: [ "main" ]
branches: [ "msft-preview", "release/*" ]
pull_request:
branches: [ "main" ]
branches: [ "msft-preview", "release/*" ]
schedule:
- cron: '45 0 * * 1'

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/commit-message-check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ env:
error_msg: |+
See the document below for help on formatting commits for the project.

https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
https://github.com/kata-containers/community/blob/msft-preview/CONTRIBUTING.md#patch-format

jobs:
commit-message-check:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: Documentation
on:
push:
branches:
- main
- msft-preview
permissions: {}
jobs:
deploy-docs:
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/gatekeeper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,13 @@ name: Gatekeeper
# reporting the status.

on:
pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
# Upstream uses `pull_request_target` to have access to secrets for
# PRs from forks but:
# (1) `pull_request_target` only runs on the default branch and we
# have multiple leading branches, so we need to use `pull_request`.
# (2) We can use `pull_request` practically since we don't expect PRs
# from external contributors.
pull_request:
types:
- opened
- synchronize
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/osv-scanner.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ name: OSV-Scanner
on:
workflow_dispatch:
pull_request:
branches: [ "main" ]
branches: [ "msft-preview" ]
schedule:
- cron: '0 1 * * 0'
push:
branches: [ "main" ]
branches: [ "msft-preview" ]

permissions: {}

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/payload-after-push.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: CI | Publish Kata Containers payload
on:
push:
branches:
- main
- msft-preview
workflow_dispatch:

permissions: {}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/push-oras-tarball-cache.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# Push gperf and busybox tarballs to the ORAS cache (ghcr.io) so that
# download-with-oras-cache.sh can pull them instead of hitting upstream.
# Runs when versions.yaml changes on main (e.g. after a PR merge) or manually.
# Runs when versions.yaml changes on msft-preview (e.g. after a PR merge) or manually.
name: CI | Push ORAS tarball cache
on:
push:
branches:
- main
- msft-preview
paths:
- 'versions.yaml'
workflow_dispatch:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-amd64.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
if [ "${tag}" = "main" ]; then
if [ "${tag}" = "msft-preview" ]; then
tag=$(./tools/packaging/release/release.sh release-version)
tags=("${tag}" "latest")
else
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-arm64.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
if [ "${tag}" = "main" ]; then
if [ "${tag}" = "msft-preview" ]; then
tag=$(./tools/packaging/release/release.sh release-version)
tags=("${tag}" "latest")
else
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-ppc64le.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
if [ "${tag}" = "main" ]; then
if [ "${tag}" = "msft-preview" ]; then
tag=$(./tools/packaging/release/release.sh release-version)
tags=("${tag}" "latest")
else
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-s390x.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ jobs:
# We need to do such trick here as the format of the $GITHUB_REF
# is "refs/tags/<tag>"
tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
if [ "${tag}" = "main" ]; then
if [ "${tag}" = "msft-preview" ]; then
tag=$(./tools/packaging/release/release.sh release-version)
tags=("${tag}" "latest")
else
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@
name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
# https://github.com/ossf/scorecard/blob/msft-preview/docs/checks.md#branch-protection
branch_protection_rule:
push:
branches: [ "main" ]
branches: [ "msft-preview" ]
workflow_dispatch:

permissions: {}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/static-checks-self-hosted.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:

build-checks:
needs: skipper
if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
if: false # msft-preview doesn't have these runners
strategy:
fail-fast: false
matrix:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/static-checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ jobs:
- "make static-checks"
env:
GOPATH: ${{ github.workspace }}
target_branch: msft-preview
permissions:
contents: read # for checkout
packages: write # for push to ghcr.io
Expand Down
20 changes: 20 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,23 @@ tools/packaging/static-build/agent/install_libseccomp.sh
.direnv
**/.DS_Store
site/

# Microsoft-specific
.cargo/
src/agent/samples/policy/test-input/
src/tarfs/**/*.cmd
src/tarfs/**/*.ko
src/tarfs/**/*.mod
src/tarfs/**/*.mod.c
src/tarfs/**/*.o
src/tarfs/**/modules.order
src/tarfs/**/Module.symvers
src/tarfs-cvm/
tools/osbuilder/kata-containers-igvm.img
tools/osbuilder/kata-containers-igvm-debug.img
tools/osbuilder/igvm-debug-measurement.cose
tools/osbuilder/igvm-measurement.cose
tools/osbuilder/root_hash.txt
tools/osbuilder/igvm.log
tools/osbuilder/kata-opa.service
tools/osbuilder/rootfs-builder/opa/
41 changes: 41 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->

## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).

<!-- END MICROSOFT SECURITY.MD BLOCK -->
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ pub struct PhysicalEndpointState {
pub vendor_id: String,
pub device_id: String,
pub hard_addr: String,
pub is_vf: bool,
pub iface_name: String,
/// "pci" or "vmbus"
pub bus_type: String,
Comment thread
sharath-srikanth-chellappa marked this conversation as resolved.
}

#[derive(Serialize, Deserialize, Clone, Default)]
Expand Down
Loading