Merge pull request #7200 from fidencio/topic/add-virtiofs-none-option

runtime: Add "none" as a shared_fs option
2025-08-17 15:38:00 +00:00 · 2023-06-30 22:45:39 +02:00 · 2023-06-30 22:45:39 +02:00 · 00b0755e3e
commit 00b0755e3e
parent 5e3f617cb6 6a21e20c63
19 changed files with 113 additions and 21 deletions
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@ -131,6 +131,11 @@ default_maxmemory = @DEFMAXMEMSZ@
 # Shared file system type:
 #   - virtio-fs (default)
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_CLH_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
@ -178,6 +178,11 @@ disable_block_device_use = @DEFDISABLEBLOCK@
 #   - virtio-fs (default)
 #   - virtio-9p
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/config/configuration-qemu-sev.toml.in
+++ b/src/runtime/config/configuration-qemu-sev.toml.in
@ -164,6 +164,11 @@ disable_block_device_use = @DEFDISABLEBLOCK@
 #   - virtio-fs (default)
 #   - virtio-9p
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_QEMU_SEV_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@ -176,6 +176,11 @@ disable_block_device_use = @DEFDISABLEBLOCK@
 #   - virtio-fs (default)
 #   - virtio-9p
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_QEMU_SNP_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
@ -172,6 +172,11 @@ disable_block_device_use = @DEFDISABLEBLOCK@
 #   - virtio-fs (default)
 #   - virtio-9p
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_QEMU_TDX_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@ -178,6 +178,11 @@ disable_block_device_use = @DEFDISABLEBLOCK@
 #   - virtio-fs (default)
 #   - virtio-9p
 #   - virtio-fs-nydus
 #   - none
 # WARNING: "none" should be carefully used, and only used in very few specific cases, as
 # any update to the mount will *NOT* be reflected during the lifecycle of the pod, causing
 # issues with rotation of secrets, certs, or configurations via kubernetes objects like
 # configMaps or secrets, as those will be copied into the guest at *pod* *creation* *time*.
 shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
--- a/src/runtime/pkg/device/config/config.go
+++ b/src/runtime/pkg/device/config/config.go
@ -81,6 +81,17 @@ const (
 	// VirtioFSNydus means use nydus for the shared file system
 	VirtioFSNydus = "virtio-fs-nydus"
 	// NoSharedFS means *no* shared file system solution will be used
 	// and files will be copied into the guest system.
 	//
 	// WARNING: This should be carefully used, and only used in very few
 	// specific cases, as any update to the mount will *NOT* be reflected
 	// during the lifecycle of the pod, causing issues with rotation of
 	// secrets, certs, or configurations via kubernetes objects like
 	// configMaps or secrets, as those will be copied into the guest at
 	// *pod* *creation* *time*.
 	NoSharedFS = "none"
 )
 const (
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -512,7 +512,7 @@ func (h hypervisor) blockDeviceAIO() (string, error) {
 }
 func (h hypervisor) sharedFS() (string, error) {
-	supportedSharedFS := []string{config.Virtio9P, config.VirtioFS, config.VirtioFSNydus}
+	supportedSharedFS := []string{config.Virtio9P, config.VirtioFS, config.VirtioFSNydus, config.NoSharedFS}
 	if h.SharedFS == "" {
 		return config.VirtioFS, nil
@ -1009,11 +1009,12 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		return vc.HypervisorConfig{}, err
 	}
-	if sharedFS != config.VirtioFS && sharedFS != config.VirtioFSNydus {
+	if sharedFS != config.VirtioFS && sharedFS != config.VirtioFSNydus && sharedFS != config.NoSharedFS {
-		return vc.HypervisorConfig{}, errors.New("clh only support virtio-fs or virtio-fs-nydus")
+		return vc.HypervisorConfig{},
 			fmt.Errorf("Cloud Hypervisor does not support %s shared filesystem option", sharedFS)
 	}
-	if h.VirtioFSDaemon == "" {
+	if (sharedFS == config.VirtioFS || sharedFS == config.VirtioFSNydus) && h.VirtioFSDaemon == "" {
 		return vc.HypervisorConfig{},
 			fmt.Errorf("cannot enable %s without daemon path in configuration file", sharedFS)
 	}
--- a/src/runtime/virtcontainers/acrn.go
+++ b/src/runtime/virtcontainers/acrn.go
@ -90,7 +90,7 @@ func (a *Acrn) Capabilities(ctx context.Context) types.Capabilities {
 	span, _ := katatrace.Trace(ctx, a.Logger(), "Capabilities", acrnTracingTags, map[string]string{"sandbox_id": a.id})
 	defer span.End()
-	return a.arch.capabilities()
+	return a.arch.capabilities(a.config)
 }
 func (a *Acrn) HypervisorConfig() HypervisorConfig {
--- a/src/runtime/virtcontainers/acrn_arch_base.go
+++ b/src/runtime/virtcontainers/acrn_arch_base.go
@ -33,7 +33,7 @@ type acrnArch interface {
 	kernelParameters(debug bool) []Param
 	//capabilities returns the capabilities supported by acrn
-	capabilities() types.Capabilities
+	capabilities(config HypervisorConfig) types.Capabilities
 	// memoryTopology returns the memory topology using the given amount of memoryMb and hostMemoryMb
 	memoryTopology(memMb uint64) Memory
@ -361,7 +361,7 @@ func (a *acrnArchBase) memoryTopology(memoryMb uint64) Memory {
 	return memory
 }
-func (a *acrnArchBase) capabilities() types.Capabilities {
+func (a *acrnArchBase) capabilities(config HypervisorConfig) types.Capabilities {
 	var caps types.Capabilities
 	caps.SetBlockDeviceSupport()
--- a/src/runtime/virtcontainers/acrn_arch_base_test.go
+++ b/src/runtime/virtcontainers/acrn_arch_base_test.go
@ -83,8 +83,9 @@ func TestAcrnArchBaseKernelParameters(t *testing.T) {
 func TestAcrnArchBaseCapabilities(t *testing.T) {
 	assert := assert.New(t)
 	acrnArchBase := newAcrnArchBase()
 	config := HypervisorConfig{}
-	c := acrnArchBase.capabilities()
+	c := acrnArchBase.capabilities(config)
 	assert.True(c.IsBlockDeviceSupported())
 	assert.True(c.IsBlockDeviceHotplugSupported())
 	assert.False(c.IsFsSharingSupported())
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@ -349,6 +349,10 @@ func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDae
 }
 func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error {
 	if clh.config.SharedFS == config.NoSharedFS {
 		return nil
 	}
 	if clh.config.SharedFS == config.Virtio9P {
 		return errors.New("cloud-hypervisor only supports virtio based file sharing")
 	}
@ -1205,7 +1209,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
 	clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
 	var caps types.Capabilities
 	if clh.config.SharedFS != config.NoSharedFS {
 		caps.SetFsSharingSupport()
 	}
 	caps.SetBlockDeviceHotplugSupport()
 	return caps
 }
--- a/src/runtime/virtcontainers/clh_test.go
+++ b/src/runtime/virtcontainers/clh_test.go
@ -726,3 +726,30 @@ func TestClhSetConfig(t *testing.T) {
 	assert.Equal(clh.config, config)
 }
 func TestClhCapabilities(t *testing.T) {
 	assert := assert.New(t)
 	hConfig, err := newClhConfig()
 	assert.NoError(err)
 	clh := &cloudHypervisor{}
 	assert.Equal(clh.config, HypervisorConfig{})
 	hConfig.SharedFS = config.VirtioFS
 	err = clh.setConfig(&hConfig)
 	assert.NoError(err)
 	var ctx context.Context
 	c := clh.Capabilities(ctx)
 	assert.True(c.IsFsSharingSupported())
 	hConfig.SharedFS = config.NoSharedFS
 	err = clh.setConfig(&hConfig)
 	assert.NoError(err)
 	c = clh.Capabilities(ctx)
 	assert.False(c.IsFsSharingSupported())
 }
--- a/src/runtime/virtcontainers/qemu.go
+++ b/src/runtime/virtcontainers/qemu.go
@ -211,7 +211,7 @@ func (q *qemu) Capabilities(ctx context.Context) types.Capabilities {
 	span, _ := katatrace.Trace(ctx, q.Logger(), "Capabilities", qemuTracingTags, map[string]string{"sandbox_id": q.id})
 	defer span.End()
-	return q.arch.capabilities()
+	return q.arch.capabilities(q.config)
 }
 func (q *qemu) HypervisorConfig() HypervisorConfig {
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@ -16,6 +16,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/intel-go/cpuid"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 )
@ -155,7 +156,7 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 	return q, nil
 }
-func (q *qemuAmd64) capabilities() types.Capabilities {
+func (q *qemuAmd64) capabilities(hConfig HypervisorConfig) types.Capabilities {
 	var caps types.Capabilities
 	if q.qemuMachine.Type == QemuQ35 ||
@ -164,7 +165,9 @@ func (q *qemuAmd64) capabilities() types.Capabilities {
 	}
 	caps.SetMultiQueueSupport()
 	if hConfig.SharedFS != config.NoSharedFS {
 		caps.SetFsSharingSupport()
 	}
 	return caps
 }
--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
@ -42,13 +42,14 @@ func TestQemuAmd64BadMachineType(t *testing.T) {
 func TestQemuAmd64Capabilities(t *testing.T) {
 	assert := assert.New(t)
 	config := HypervisorConfig{}
 	amd64 := newTestQemu(assert, QemuQ35)
-	caps := amd64.capabilities()
+	caps := amd64.capabilities(config)
 	assert.True(caps.IsBlockDeviceHotplugSupported())
 	amd64 = newTestQemu(assert, QemuMicrovm)
-	caps = amd64.capabilities()
+	caps = amd64.capabilities(config)
 	assert.False(caps.IsBlockDeviceHotplugSupported())
 }
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@ -51,7 +51,7 @@ type qemuArch interface {
 	kernelParameters(debug bool) []Param
 	//capabilities returns the capabilities supported by QEMU
-	capabilities() types.Capabilities
+	capabilities(config HypervisorConfig) types.Capabilities
 	// bridges sets the number bridges for the machine type
 	bridges(number uint32)
@ -280,11 +280,13 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param {
 	return params
 }
-func (q *qemuArchBase) capabilities() types.Capabilities {
+func (q *qemuArchBase) capabilities(hConfig HypervisorConfig) types.Capabilities {
 	var caps types.Capabilities
 	caps.SetBlockDeviceHotplugSupport()
 	caps.SetMultiQueueSupport()
 	if hConfig.SharedFS != config.NoSharedFS {
 		caps.SetFsSharingSupport()
 	}
 	return caps
 }
--- a/src/runtime/virtcontainers/qemu_arch_base_test.go
+++ b/src/runtime/virtcontainers/qemu_arch_base_test.go
@ -117,9 +117,16 @@ func TestQemuArchBaseKernelParameters(t *testing.T) {
 func TestQemuArchBaseCapabilities(t *testing.T) {
 	assert := assert.New(t)
 	qemuArchBase := newQemuArchBase()
 	hConfig := HypervisorConfig{}
 	hConfig.SharedFS = config.VirtioFS
-	c := qemuArchBase.capabilities()
+	c := qemuArchBase.capabilities(hConfig)
 	assert.True(c.IsBlockDeviceHotplugSupported())
 	assert.True(c.IsFsSharingSupported())
 	hConfig.SharedFS = config.NoSharedFS
 	c = qemuArchBase.capabilities(hConfig)
 	assert.False(c.IsFsSharingSupported())
 }
 func TestQemuArchBaseBridges(t *testing.T) {
--- a/src/runtime/virtcontainers/qemu_ppc64le.go
+++ b/src/runtime/virtcontainers/qemu_ppc64le.go
@ -11,6 +11,7 @@ import (
 	"fmt"
 	"time"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
 	"github.com/sirupsen/logrus"
@ -97,7 +98,7 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 	return q, nil
 }
-func (q *qemuPPC64le) capabilities() types.Capabilities {
+func (q *qemuPPC64le) capabilities(hConfig HypervisorConfig) types.Capabilities {
 	var caps types.Capabilities
 	// pseries machine type supports hotplugging drives
@ -106,7 +107,9 @@ func (q *qemuPPC64le) capabilities() types.Capabilities {
 	}
 	caps.SetMultiQueueSupport()
 	if hConfig.SharedFS != config.NoSharedFS {
 		caps.SetFsSharingSupport()
 	}
 	return caps
 }