Merge pull request #902 from c3d/bug-v2/launchpad-1878234-access

Validate runtime annotations
2025-08-25 03:02:17 +00:00 · 2020-10-16 15:47:45 +08:00 · 2020-10-16 15:47:45 +08:00 · 0d5d69e8cd
commit 0d5d69e8cd
parent e0da3af40b c5771be2de
13 changed files with 552 additions and 155 deletions
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@ -95,6 +95,14 @@ COLLECT_SCRIPT = data/kata-collect-data.sh
 COLLECT_SCRIPT_SRC = $(COLLECT_SCRIPT).in
 GENERATED_FILES += $(COLLECT_SCRIPT)
 GENERATED_VARS = \
 		VERSION \
 		CONFIG_ACRN_IN \
 		CONFIG_QEMU_IN \
 		CONFIG_QEMU_VIRTIOFS_IN \
 		CONFIG_CLH_IN \
 		CONFIG_FC_IN \
 		$(USER_VARS)
 SCRIPTS += $(COLLECT_SCRIPT)
 SCRIPTS_DIR := $(BINDIR)
@ -129,16 +137,22 @@ DEFAULT_HYPERVISOR ?= $(HYPERVISOR_QEMU)
 HYPERVISORS := $(HYPERVISOR_ACRN) $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVISOR_QEMU_VIRTIOFS) $(HYPERVISOR_CLH)
 QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
 QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"]
-QEMUVIRTIOFSPATH := $(QEMUBINDIR)/$(QEMUVIRTIOFSCMD)
+QEMUVALIDVIRTIOFSPATHS := $(QEMUBINDIR)/$(QEMUVIRTIOFSCMD)
 CLHPATH := $(CLHBINDIR)/$(CLHCMD)
 CLHVALIDHYPERVISORPATHS := [\"$(CLHBINDIR)/$(CLHCMD)\"]
 FCPATH = $(FCBINDIR)/$(FCCMD)
 FCVALIDPATHS = [\"$(FCPATH)\"]
 FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)
 FCVALIDJAILERPATHS = [\"$(FCJAILERPATH)\"]
 ACRNPATH := $(ACRNBINDIR)/$(ACRNCMD)
 ACRNVALIDHYPERVISORPATHS := [\"$(ACRNPATH)\"]
 ACRNCTLPATH := $(ACRNBINDIR)/$(ACRNCTLCMD)
 ACRNVALIDCTLPATHS := [\"$(ACRNCTLPATH)\"]
 SHIMCMD := $(BIN_PREFIX)-shim
 SHIMPATH := $(PKGLIBEXECDIR)/$(SHIMCMD)
@ -161,6 +175,7 @@ DEFMEMSZ := 2048
 DEFMEMSLOTS := 10
 #Default number of bridges
 DEFBRIDGES := 1
 DEFENABLEANNOTATIONS := []
 DEFDISABLEGUESTSECCOMP := true
 #Default experimental features enabled
 DEFAULTEXPFEATURES := []
@ -172,6 +187,7 @@ DEFDISABLEBLOCK := false
 DEFSHAREDFS := virtio-9p
 DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs
 DEFVIRTIOFSDAEMON := $(VIRTIOFSDBINDIR)/virtiofsd
 DEFVALIDVIRTIOFSDAEMONPATHS := [\"$(DEFVIRTIOFSDAEMON)\"]
 # Default DAX mapping cache size in MiB
 #if value is 0, DAX is not enabled
 DEFVIRTIOFSCACHESIZE := 0
@ -187,6 +203,9 @@ DEFENABLEMEMPREALLOC := false
 DEFENABLEHUGEPAGES := false
 DEFENABLEVHOSTUSERSTORE := false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
 DEFVALIDFILEMEMBACKENDS := [\"$(DEFFILEMEMBACKEND)\"]
 DEFENABLESWAP := false
 DEFENABLEDEBUG := false
 DEFDISABLENESTINGCHECKS := false
@ -385,16 +404,29 @@ SHAREDIR := $(SHAREDIR)
 # list of variables the user may wish to override
 USER_VARS += ARCH
 USER_VARS += BINDIR
 USER_VARS += CONFIG_ACRN_IN
 USER_VARS += CONFIG_CLH_IN
 USER_VARS += CONFIG_FC_IN
 USER_VARS += CONFIG_PATH
 USER_VARS += CONFIG_QEMU_IN
 USER_VARS += CONFIG_QEMU_VIRTIOFS_IN
 USER_VARS += DESTDIR
 USER_VARS += DEFAULT_HYPERVISOR
 USER_VARS += DEFENABLEMSWAP
 USER_VARS += ACRNCMD
 USER_VARS += ACRNCTLCMD
 USER_VARS += ACRNPATH
 USER_VARS += ACRNVALIDHYPERVISORPATHS
 USER_VARS += ACRNCTLPATH
 USER_VARS += ACRNVALIDCTLPATHS
 USER_VARS += CLHPATH
 USER_VARS += CLHVALIDHYPERVISORPATHS
 USER_VARS += FIRMWAREPATH_CLH
 USER_VARS += FCCMD
 USER_VARS += FCPATH
 USER_VARS += FCVALIDHYPERVISORPATHS
 USER_VARS += FCJAILERPATH
 USER_VARS += FCVALIDJAILERPATHS
 USER_VARS += SYSCONFIG
 USER_VARS += IMAGENAME
 USER_VARS += IMAGEPATH
@ -406,6 +438,11 @@ USER_VARS += KERNELTYPE
 USER_VARS += KERNELTYPE_FC
 USER_VARS += KERNELTYPE_ACRN
 USER_VARS += KERNELTYPE_CLH
 USER_VARS += KERNELPATH_ACRN
 USER_VARS += KERNELPATH
 USER_VARS += KERNELPATH_CLH
 USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
@ -418,15 +455,22 @@ USER_VARS += PKGLIBDIR
 USER_VARS += PKGLIBEXECDIR
 USER_VARS += PKGRUNDIR
 USER_VARS += PREFIX
 USER_VARS += PROJECT_BUG_URL
 USER_VARS += PROJECT_NAME
 USER_VARS += PROJECT_ORG
 USER_VARS += PROJECT_PREFIX
 USER_VARS += PROJECT_TAG
 USER_VARS += PROJECT_TYPE
 USER_VARS += PROJECT_URL
 USER_VARS += NETMONPATH
 USER_VARS += QEMUBINDIR
 USER_VARS += QEMUCMD
 USER_VARS += QEMUPATH
 USER_VARS += QEMUVALIDHYPERVISORPATHS
 USER_VARS += QEMUVIRTIOFSCMD
 USER_VARS += QEMUVIRTIOFSPATH
 USER_VARS += QEMUVALIDVIRTIOFSPATHS
 USER_VARS += RUNTIME_NAME
 USER_VARS += SHAREDIR
 USER_VARS += SHIMPATH
 USER_VARS += SYSCONFDIR
@ -437,6 +481,7 @@ USER_VARS += DEFMEMSZ
 USER_VARS += DEFMEMSLOTS
 USER_VARS += DEFBRIDGES
 USER_VARS += DEFNETWORKMODEL_ACRN
 USER_VARS += DEFNETWORKMODEL_CLH
 USER_VARS += DEFNETWORKMODEL_FC
 USER_VARS += DEFNETWORKMODEL_QEMU
 USER_VARS += DEFDISABLEGUESTSECCOMP
@ -449,14 +494,19 @@ USER_VARS += DEFBLOCKSTORAGEDRIVER_QEMU_VIRTIOFS
 USER_VARS += DEFSHAREDFS
 USER_VARS += DEFSHAREDFS_QEMU_VIRTIOFS
 USER_VARS += DEFVIRTIOFSDAEMON
 USER_VARS += DEFVALIDVIRTIOFSDAEMONPATHS
 USER_VARS += DEFVIRTIOFSCACHESIZE
 USER_VARS += DEFVIRTIOFSCACHE
 USER_VARS += DEFVIRTIOFSEXTRAARGS
 USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFENABLEMEMPREALLOC
 USER_VARS += DEFENABLEHUGEPAGES
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH
 USER_VARS += DEFVALIDVHOSTUSERSTOREPATHS
 USER_VARS += DEFFILEMEMBACKEND
 USER_VARS += DEFVALIDFILEMEMBACKENDS
 USER_VARS += DEFENABLESWAP
 USER_VARS += DEFENABLEDEBUG
 USER_VARS += DEFDISABLENESTINGCHECKS
@ -598,84 +648,7 @@ GENERATED_FILES += $(CONFIGS)
 $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 	$(QUIET_GENERATE)$(SED) \
 		-e "s|@COMMIT@|$(shell cat .git-commit)|g" \
-		-e "s|@VERSION@|$(VERSION)|g" \
+		$(foreach v,$(GENERATED_VARS),-e "s|@$v@|$($v)|g") \
 		-e "s|@CONFIG_ACRN_IN@|$(CONFIG_ACRN_IN)|g" \
 		-e "s|@CONFIG_QEMU_IN@|$(CONFIG_QEMU_IN)|g" \
 		-e "s|@CONFIG_QEMU_VIRTIOFS_IN@|$(CONFIG_QEMU_VIRTIOFS_IN)|g" \
 		-e "s|@CONFIG_CLH_IN@|$(CONFIG_CLH_IN)|g" \
 		-e "s|@CONFIG_FC_IN@|$(CONFIG_FC_IN)|g" \
 		-e "s|@CONFIG_PATH@|$(CONFIG_PATH)|g" \
 		-e "s|@FCPATH@|$(FCPATH)|g" \
 		-e "s|@FCJAILERPATH@|$(FCJAILERPATH)|g" \
 		-e "s|@ACRNPATH@|$(ACRNPATH)|g" \
 		-e "s|@ACRNCTLPATH@|$(ACRNCTLPATH)|g" \
 		-e "s|@CLHPATH@|$(CLHPATH)|g" \
 		-e "s|@SYSCONFIG@|$(SYSCONFIG)|g" \
 		-e "s|@IMAGEPATH@|$(IMAGEPATH)|g" \
 		-e "s|@KERNELPATH_ACRN@|$(KERNELPATH_ACRN)|g" \
 		-e "s|@KERNELPATH_FC@|$(KERNELPATH_FC)|g" \
 		-e "s|@KERNELPATH_CLH@|$(KERNELPATH_CLH)|g" \
 		-e "s|@KERNELPATH@|$(KERNELPATH)|g" \
 		-e "s|@KERNELVIRTIOFSPATH@|$(KERNELVIRTIOFSPATH)|g" \
 		-e "s|@INITRDPATH@|$(INITRDPATH)|g" \
 		-e "s|@FIRMWAREPATH@|$(FIRMWAREPATH)|g" \
 		-e "s|@MACHINEACCELERATORS@|$(MACHINEACCELERATORS)|g" \
 		-e "s|@CPUFEATURES@|$(CPUFEATURES)|g" \
 		-e "s|@FIRMWAREPATH_CLH@|$(FIRMWAREPATH_CLH)|g" \
 		-e "s|@DEFMACHINETYPE_CLH@|$(DEFMACHINETYPE_CLH)|g" \
 		-e "s|@KERNELPARAMS@|$(KERNELPARAMS)|g" \
 		-e "s|@LOCALSTATEDIR@|$(LOCALSTATEDIR)|g" \
 		-e "s|@PKGLIBEXECDIR@|$(PKGLIBEXECDIR)|g" \
 		-e "s|@PKGRUNDIR@|$(PKGRUNDIR)|g" \
 		-e "s|@NETMONPATH@|$(NETMONPATH)|g" \
 		-e "s|@PROJECT_BUG_URL@|$(PROJECT_BUG_URL)|g" \
 		-e "s|@PROJECT_ORG@|$(PROJECT_ORG)|g" \
 		-e "s|@PROJECT_URL@|$(PROJECT_URL)|g" \
 		-e "s|@PROJECT_NAME@|$(PROJECT_NAME)|g" \
 		-e "s|@PROJECT_TAG@|$(PROJECT_TAG)|g" \
 		-e "s|@PROJECT_TYPE@|$(PROJECT_TYPE)|g" \
 		-e "s|@QEMUPATH@|$(QEMUPATH)|g" \
 		-e "s|@QEMUVIRTIOFSPATH@|$(QEMUVIRTIOFSPATH)|g" \
 		-e "s|@RUNTIME_NAME@|$(TARGET)|g" \
 		-e "s|@MACHINETYPE@|$(MACHINETYPE)|g" \
 		-e "s|@SHIMPATH@|$(SHIMPATH)|g" \
 		-e "s|@DEFVCPUS@|$(DEFVCPUS)|g" \
 		-e "s|@DEFMAXVCPUS@|$(DEFMAXVCPUS)|g" \
 		-e "s|@DEFMAXVCPUS_ACRN@|$(DEFMAXVCPUS_ACRN)|g" \
 		-e "s|@DEFMEMSZ@|$(DEFMEMSZ)|g" \
 		-e "s|@DEFMEMSLOTS@|$(DEFMEMSLOTS)|g" \
 		-e "s|@DEFBRIDGES@|$(DEFBRIDGES)|g" \
 		-e "s|@DEFNETWORKMODEL_ACRN@|$(DEFNETWORKMODEL_ACRN)|g" \
 		-e "s|@DEFNETWORKMODEL_CLH@|$(DEFNETWORKMODEL_CLH)|g" \
 		-e "s|@DEFNETWORKMODEL_FC@|$(DEFNETWORKMODEL_FC)|g" \
 		-e "s|@DEFNETWORKMODEL_QEMU@|$(DEFNETWORKMODEL_QEMU)|g" \
 		-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
 		-e "s|@DEFAULTEXPFEATURES@|$(DEFAULTEXPFEATURES)|g" \
 		-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER_ACRN@|$(DEFBLOCKSTORAGEDRIVER_ACRN)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER_FC@|$(DEFBLOCKSTORAGEDRIVER_FC)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER_QEMU@|$(DEFBLOCKSTORAGEDRIVER_QEMU)|g" \
 		-e "s|@DEFBLOCKSTORAGEDRIVER_QEMU_VIRTIOFS@|$(DEFBLOCKSTORAGEDRIVER_QEMU_VIRTIOFS)|g" \
 		-e "s|@DEFSHAREDFS@|$(DEFSHAREDFS)|g" \
 		-e "s|@DEFSHAREDFS_QEMU_VIRTIOFS@|$(DEFSHAREDFS_QEMU_VIRTIOFS)|g" \
 		-e "s|@DEFVIRTIOFSDAEMON@|$(DEFVIRTIOFSDAEMON)|g" \
 		-e "s|@DEFVIRTIOFSCACHESIZE@|$(DEFVIRTIOFSCACHESIZE)|g" \
 		-e "s|@DEFVIRTIOFSCACHE@|$(DEFVIRTIOFSCACHE)|g" \
 		-e "s|@DEFVIRTIOFSEXTRAARGS@|$(DEFVIRTIOFSEXTRAARGS)|g" \
 		-e "s|@DEFENABLEIOTHREADS@|$(DEFENABLEIOTHREADS)|g" \
 		-e "s|@DEFENABLEMEMPREALLOC@|$(DEFENABLEMEMPREALLOC)|g" \
 		-e "s|@DEFENABLEHUGEPAGES@|$(DEFENABLEHUGEPAGES)|g" \
 		-e "s|@DEFENABLEVHOSTUSERSTORE@|$(DEFENABLEVHOSTUSERSTORE)|g" \
 		-e "s|@DEFVHOSTUSERSTOREPATH@|$(DEFVHOSTUSERSTOREPATH)|g" \
 		-e "s|@DEFENABLEMSWAP@|$(DEFENABLESWAP)|g" \
 		-e "s|@DEFENABLEDEBUG@|$(DEFENABLEDEBUG)|g" \
 		-e "s|@DEFDISABLENESTINGCHECKS@|$(DEFDISABLENESTINGCHECKS)|g" \
 		-e "s|@DEFMSIZE9P@|$(DEFMSIZE9P)|g" \
 		-e "s|@DEFHOTPLUGVFIOONROOTBUS@|$(DEFHOTPLUGVFIOONROOTBUS)|g" \
 		-e "s|@DEFPCIEROOTPORT@|$(DEFPCIEROOTPORT)|g" \
 		-e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \
 		-e "s|@DEFSANDBOXCGROUPONLY@|$(DEFSANDBOXCGROUPONLY)|g" \
 		-e "s|@FEATURE_SELINUX@|$(FEATURE_SELINUX)|g" \
 		$< > $@
 generate-config: $(CONFIGS)
--- a/src/runtime/cli/config/configuration-acrn.toml.in
+++ b/src/runtime/cli/config/configuration-acrn.toml.in
@ -16,6 +16,22 @@ ctlpath = "@ACRNCTLPATH@"
 kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
 enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @ACRNVALIDHYPERVISORPATHS@
 valid_hypervisor_paths = @ACRNVALIDHYPERVISORPATHS@
 # List of valid annotations values for ctlpath
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @ACRNVALIDCTLPATHS@
 valid_ctlpaths = @ACRNVALIDCTLPATHS@
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
--- a/src/runtime/cli/config/configuration-clh.toml.in
+++ b/src/runtime/cli/config/configuration-clh.toml.in
@ -15,6 +15,17 @@ path = "@CLHPATH@"
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
 enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @CLHVALIDHYPERVISORPATHS@
 valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
@ -62,6 +73,11 @@ default_memory = @DEFMEMSZ@
 # Path to vhost-user-fs daemon.
 virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"
 # List of valid annotations values for the virtiofs daemon
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVIRTIOFSDAEMONPATHS@
 valid_virtio_fs_daemon_paths = @DEFVALIDVIRTIOFSDAEMONPATHS@
 # Default size of DAX cache in MiB
 virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@
--- a/src/runtime/cli/config/configuration-fc.toml.in
+++ b/src/runtime/cli/config/configuration-fc.toml.in
@ -12,6 +12,20 @@
 [hypervisor.firecracker]
 path = "@FCPATH@"
 kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
 enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @FCVALIDHYPERVISORPATHS@
 valid_hypervisor_paths = @FCVALIDHYPERVISORPATHS@
 # Path for the jailer specific to firecracker
 # If the jailer path is not set kata will launch firecracker
 # without a jail. If the jailer is set firecracker will be
@ -19,8 +33,13 @@ path = "@FCPATH@"
 # This is disabled by default as additional setup is required
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"
-kernel = "@KERNELPATH_FC@"
+
-image = "@IMAGEPATH@"
+# List of valid jailer path values for the hypervisor
 # Each member of the list can be a regular expression
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @FCVALIDJAILERPATHS@
 valid_jailer_paths = @FCVALIDJAILERPATHS@
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
--- a/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in
+++ b/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in
@ -16,6 +16,19 @@ kernel = "@KERNELVIRTIOFSPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFENABLEANNOTATIONS@
 enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @QEMUVALIDHYPERVISORPATHS@
 valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
@ -110,6 +123,11 @@ shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@"
 # Path to vhost-user-fs daemon.
 virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"
 # List of valid annotations values for the virtiofs daemon
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVIRTIOFSDAEMONPATHS@
 valid_virtio_fs_daemon_paths = @DEFVALIDVIRTIOFSDAEMONPATHS@
 # Default size of DAX cache in MiB
 virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@
@ -199,11 +217,21 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
 # Enabling this will result in the VM device having iommu_platform=on set
 #enable_iommu_platform = true
 # List of valid annotations values for the virtiofs daemon
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
 valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
 # Enable file based guest memory support. The default is an empty string which
 # will disable this feature. In the case of virtio-fs, this is enabled
 # automatically and '/dev/shm' is used as the backing folder.
 # This option will be ignored if VM templating is enabled.
-#file_mem_backend = ""
+#file_mem_backend = "@DEFFILEMEMBACKEND@"
 # List of valid annotations values for the file_mem_backend annotation
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
 valid_file_mem_backends = @DEFVALIDFILEMEMBACKENDS@
 # Enable swap of vm memory. Default false.
 # The behaviour is undefined if mem_prealloc is also set to true
--- a/src/runtime/cli/config/configuration-qemu.toml.in
+++ b/src/runtime/cli/config/configuration-qemu.toml.in
@ -16,6 +16,17 @@ kernel = "@KERNELPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
 enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @QEMUVALIDHYPERVISORPATHS@
 valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
@ -116,6 +127,11 @@ shared_fs = "@DEFSHAREDFS@"
 # Path to vhost-user-fs daemon.
 virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"
 # List of valid annotations values for the virtiofs daemon
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVIRTIOFSDAEMONPATHS@
 valid_virtio_fs_daemon_paths = @DEFVALIDVIRTIOFSDAEMONPATHS@
 # Default size of DAX cache in MiB
 virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@
@ -205,11 +221,21 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
 # Enabling this will result in the VM device having iommu_platform=on set
 #enable_iommu_platform = true
 # List of valid annotations values for the vhost user store path
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDVHOSTUSERSTOREPATHS@
 valid_vhost_user_store_paths = @DEFVALIDVHOSTUSERSTOREPATHS@
 # Enable file based guest memory support. The default is an empty string which
 # will disable this feature. In the case of virtio-fs, this is enabled
 # automatically and '/dev/shm' is used as the backing folder.
 # This option will be ignored if VM templating is enabled.
-#file_mem_backend = ""
+#file_mem_backend = "@DEFFILEMEMBACKEND@"
 # List of valid annotations values for the file_mem_backend annotation
 # The default if not set is empty (all annotations rejected.)
 # Your distribution recommends: @DEFVALIDFILEMEMBACKENDS@
 valid_file_mem_backends = @DEFVALIDFILEMEMBACKENDS@
 # Enable swap of vm memory. Default false.
 # The behaviour is undefined if mem_prealloc is also set to true
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -71,9 +71,12 @@ type factory struct {
 type hypervisor struct {
 	Path                    string   `toml:"path"`
 	HypervisorPathList      []string `toml:"valid_hypervisor_paths"`
 	JailerPath              string   `toml:"jailer_path"`
 	JailerPathList          []string `toml:"valid_jailer_paths"`
 	Kernel                  string   `toml:"kernel"`
 	CtlPath                 string   `toml:"ctlpath"`
 	CtlPathList             []string `toml:"valid_ctlpaths"`
 	Initrd                  string   `toml:"initrd"`
 	Image                   string   `toml:"image"`
 	Firmware                string   `toml:"firmware"`
@ -85,6 +88,7 @@ type hypervisor struct {
 	EntropySource           string   `toml:"entropy_source"`
 	SharedFS                string   `toml:"shared_fs"`
 	VirtioFSDaemon          string   `toml:"virtio_fs_daemon"`
 	VirtioFSDaemonList      []string `toml:"valid_virtio_fs_daemon_paths"`
 	VirtioFSCache           string   `toml:"virtio_fs_cache"`
 	VirtioFSExtraArgs       []string `toml:"virtio_fs_extra_args"`
 	VirtioFSCacheSize       uint32   `toml:"virtio_fs_cache_size"`
@ -93,6 +97,7 @@ type hypervisor struct {
 	BlockDeviceCacheNoflush bool     `toml:"block_device_cache_noflush"`
 	EnableVhostUserStore    bool     `toml:"enable_vhost_user_store"`
 	VhostUserStorePath      string   `toml:"vhost_user_store_path"`
 	VhostUserStorePathList  []string `toml:"valid_vhost_user_store_paths"`
 	NumVCPUs                int32    `toml:"default_vcpus"`
 	DefaultMaxVCPUs         uint32   `toml:"default_maxvcpus"`
 	MemorySize              uint32   `toml:"default_memory"`
@ -108,6 +113,7 @@ type hypervisor struct {
 	IOMMU                   bool     `toml:"enable_iommu"`
 	IOMMUPlatform           bool     `toml:"enable_iommu_platform"`
 	FileBackedMemRootDir    string   `toml:"file_mem_backend"`
 	FileBackedMemRootList   []string `toml:"valid_file_mem_backends"`
 	Swap                    bool     `toml:"enable_swap"`
 	Debug                   bool     `toml:"enable_debug"`
 	DisableNestingChecks    bool     `toml:"disable_nesting_checks"`
@ -118,6 +124,7 @@ type hypervisor struct {
 	GuestHookPath           string   `toml:"guest_hook_path"`
 	RxRateLimiterMaxRate    uint64   `toml:"rx_rate_limiter_max_rate"`
 	TxRateLimiterMaxRate    uint64   `toml:"tx_rate_limiter_max_rate"`
 	EnableAnnotations       []string `toml:"enable_annotations"`
 }
 type runtime struct {
@ -527,7 +534,9 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 	return vc.HypervisorConfig{
 		HypervisorPath:        hypervisor,
 		HypervisorPathList:    h.HypervisorPathList,
 		JailerPath:            jailer,
 		JailerPathList:        h.JailerPathList,
 		KernelPath:            kernel,
 		InitrdPath:            initrd,
 		ImagePath:             image,
@ -550,6 +559,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		GuestHookPath:         h.guestHookPath(),
 		RxRateLimiterMaxRate:  rxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:  txRateLimiterMaxRate,
 		EnableAnnotations:     h.EnableAnnotations,
 	}, nil
 }
@ -628,6 +638,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 	return vc.HypervisorConfig{
 		HypervisorPath:          hypervisor,
 		HypervisorPathList:      h.HypervisorPathList,
 		KernelPath:              kernel,
 		InitrdPath:              initrd,
 		ImagePath:               image,
@ -647,6 +658,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		DisableBlockDeviceUse:   h.DisableBlockDeviceUse,
 		SharedFS:                sharedFS,
 		VirtioFSDaemon:          h.VirtioFSDaemon,
 		VirtioFSDaemonList:      h.VirtioFSDaemonList,
 		VirtioFSCacheSize:       h.VirtioFSCacheSize,
 		VirtioFSCache:           h.defaultVirtioFSCache(),
 		VirtioFSExtraArgs:       h.VirtioFSExtraArgs,
@ -655,6 +667,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		IOMMU:                   h.IOMMU,
 		IOMMUPlatform:           h.getIOMMUPlatform(),
 		FileBackedMemRootDir:    h.FileBackedMemRootDir,
 		FileBackedMemRootList:   h.FileBackedMemRootList,
 		Mlock:                   !h.Swap,
 		Debug:                   h.Debug,
 		DisableNestingChecks:    h.DisableNestingChecks,
@ -670,9 +683,11 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		DisableVhostNet:         h.DisableVhostNet,
 		EnableVhostUserStore:    h.EnableVhostUserStore,
 		VhostUserStorePath:      h.vhostUserStorePath(),
 		VhostUserStorePathList:  h.VhostUserStorePathList,
 		GuestHookPath:           h.guestHookPath(),
 		RxRateLimiterMaxRate:    rxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    txRateLimiterMaxRate,
 		EnableAnnotations:       h.EnableAnnotations,
 	}, nil
 }
@ -715,25 +730,28 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 	}
 	return vc.HypervisorConfig{
-		HypervisorPath:       hypervisor,
+		HypervisorPath:        hypervisor,
-		KernelPath:           kernel,
+		HypervisorPathList:    h.HypervisorPathList,
-		ImagePath:            image,
+		KernelPath:            kernel,
-		HypervisorCtlPath:    hypervisorctl,
+		ImagePath:             image,
-		FirmwarePath:         firmware,
+		HypervisorCtlPath:     hypervisorctl,
-		KernelParams:         vc.DeserializeParams(strings.Fields(kernelParams)),
+		HypervisorCtlPathList: h.CtlPathList,
-		NumVCPUs:             h.defaultVCPUs(),
+		FirmwarePath:          firmware,
-		DefaultMaxVCPUs:      h.defaultMaxVCPUs(),
+		KernelParams:          vc.DeserializeParams(strings.Fields(kernelParams)),
-		MemorySize:           h.defaultMemSz(),
+		NumVCPUs:              h.defaultVCPUs(),
-		MemSlots:             h.defaultMemSlots(),
+		DefaultMaxVCPUs:       h.defaultMaxVCPUs(),
-		EntropySource:        h.GetEntropySource(),
+		MemorySize:            h.defaultMemSz(),
-		DefaultBridges:       h.defaultBridges(),
+		MemSlots:              h.defaultMemSlots(),
-		HugePages:            h.HugePages,
+		EntropySource:         h.GetEntropySource(),
-		Mlock:                !h.Swap,
+		DefaultBridges:        h.defaultBridges(),
-		Debug:                h.Debug,
+		HugePages:             h.HugePages,
-		DisableNestingChecks: h.DisableNestingChecks,
+		Mlock:                 !h.Swap,
-		BlockDeviceDriver:    blockDriver,
+		Debug:                 h.Debug,
-		DisableVhostNet:      h.DisableVhostNet,
+		DisableNestingChecks:  h.DisableNestingChecks,
-		GuestHookPath:        h.guestHookPath(),
+		BlockDeviceDriver:     blockDriver,
 		DisableVhostNet:       h.DisableVhostNet,
 		GuestHookPath:         h.guestHookPath(),
 		EnableAnnotations:     h.EnableAnnotations,
 	}, nil
 }
@ -786,6 +804,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 	return vc.HypervisorConfig{
 		HypervisorPath:          hypervisor,
 		HypervisorPathList:      h.HypervisorPathList,
 		KernelPath:              kernel,
 		InitrdPath:              initrd,
 		ImagePath:               image,
@ -804,11 +823,13 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		DisableBlockDeviceUse:   h.DisableBlockDeviceUse,
 		SharedFS:                sharedFS,
 		VirtioFSDaemon:          h.VirtioFSDaemon,
 		VirtioFSDaemonList:      h.VirtioFSDaemonList,
 		VirtioFSCacheSize:       h.VirtioFSCacheSize,
 		VirtioFSCache:           h.VirtioFSCache,
 		MemPrealloc:             h.MemPrealloc,
 		HugePages:               h.HugePages,
 		FileBackedMemRootDir:    h.FileBackedMemRootDir,
 		FileBackedMemRootList:   h.FileBackedMemRootList,
 		Mlock:                   !h.Swap,
 		Debug:                   h.Debug,
 		DisableNestingChecks:    h.DisableNestingChecks,
@ -823,6 +844,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		DisableVhostNet:         true,
 		VirtioFSExtraArgs:       h.VirtioFSExtraArgs,
 		SGXEPCSize:              defaultSGXEPCSize,
 		EnableAnnotations:     h.EnableAnnotations,
 	}, nil
 }
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@ -275,12 +275,21 @@ type HypervisorConfig struct {
 	// HypervisorPath is the hypervisor executable host path.
 	HypervisorPath string
 	// HypervisorPathList is the list of hypervisor paths names allowed in annotations
 	HypervisorPathList []string
 	// HypervisorCtlPathList is the list of hypervisor control paths names allowed in annotations
 	HypervisorCtlPathList []string
 	// HypervisorCtlPath is the hypervisor ctl executable host path.
 	HypervisorCtlPath string
 	// JailerPath is the jailer executable host path.
 	JailerPath string
 	// JailerPathList is the list of jailer paths names allowed in annotations
 	JailerPathList []string
 	// BlockDeviceDriver specifies the driver to be used for block device
 	// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 	BlockDeviceDriver string
@ -309,6 +318,9 @@ type HypervisorConfig struct {
 	// VirtioFSDaemon is the virtio-fs vhost-user daemon path
 	VirtioFSDaemon string
 	// VirtioFSDaemonList is the list of valid virtiofs names for annotations
 	VirtioFSDaemonList []string
 	// VirtioFSCache cache mode for fs version cache or "none"
 	VirtioFSCache string
@ -318,6 +330,9 @@ type HypervisorConfig struct {
 	// File based memory backend root directory
 	FileBackedMemRootDir string
 	// FileBackedMemRootList is the list of valid root directories values for annotations
 	FileBackedMemRootList []string
 	// customAssets is a map of assets.
 	// Each value in that map takes precedence over the configured assets.
 	// For example, if there is a value for the "kernel" key in this map,
@ -400,6 +415,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string
 	// VhostUserStorePathList is the list of valid values for vhost-user paths
 	VhostUserStorePathList []string
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string
@ -419,6 +437,9 @@ type HypervisorConfig struct {
 	// SGXEPCSize specifies the size in bytes for the EPC Section.
 	// Enable SGX. Hardware-based isolation and memory encryption.
 	SGXEPCSize int64
 	// Enable annotations by name
 	EnableAnnotations []string
 }
 // vcpu mapping from vcpu number to thread number
--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@ -212,8 +212,11 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		MachineAccelerators:     sconfig.HypervisorConfig.MachineAccelerators,
 		CPUFeatures:             sconfig.HypervisorConfig.CPUFeatures,
 		HypervisorPath:          sconfig.HypervisorConfig.HypervisorPath,
 		HypervisorPathList:      sconfig.HypervisorConfig.HypervisorPathList,
 		HypervisorCtlPath:       sconfig.HypervisorConfig.HypervisorCtlPath,
 		HypervisorCtlPathList:   sconfig.HypervisorConfig.HypervisorCtlPathList,
 		JailerPath:              sconfig.HypervisorConfig.JailerPath,
 		JailerPathList:          sconfig.HypervisorConfig.JailerPathList,
 		BlockDeviceDriver:       sconfig.HypervisorConfig.BlockDeviceDriver,
 		HypervisorMachineType:   sconfig.HypervisorConfig.HypervisorMachineType,
 		MemoryPath:              sconfig.HypervisorConfig.MemoryPath,
@ -221,6 +224,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		EntropySource:           sconfig.HypervisorConfig.EntropySource,
 		SharedFS:                sconfig.HypervisorConfig.SharedFS,
 		VirtioFSDaemon:          sconfig.HypervisorConfig.VirtioFSDaemon,
 		VirtioFSDaemonList:      sconfig.HypervisorConfig.VirtioFSDaemonList,
 		VirtioFSCache:           sconfig.HypervisorConfig.VirtioFSCache,
 		VirtioFSExtraArgs:       sconfig.HypervisorConfig.VirtioFSExtraArgs[:],
 		BlockDeviceCacheSet:     sconfig.HypervisorConfig.BlockDeviceCacheSet,
@ -232,6 +236,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		MemPrealloc:             sconfig.HypervisorConfig.MemPrealloc,
 		HugePages:               sconfig.HypervisorConfig.HugePages,
 		FileBackedMemRootDir:    sconfig.HypervisorConfig.FileBackedMemRootDir,
 		FileBackedMemRootList:   sconfig.HypervisorConfig.FileBackedMemRootList,
 		Realtime:                sconfig.HypervisorConfig.Realtime,
 		Mlock:                   sconfig.HypervisorConfig.Mlock,
 		DisableNestingChecks:    sconfig.HypervisorConfig.DisableNestingChecks,
@ -243,11 +248,13 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		DisableVhostNet:         sconfig.HypervisorConfig.DisableVhostNet,
 		EnableVhostUserStore:    sconfig.HypervisorConfig.EnableVhostUserStore,
 		VhostUserStorePath:      sconfig.HypervisorConfig.VhostUserStorePath,
 		VhostUserStorePathList:  sconfig.HypervisorConfig.VhostUserStorePathList,
 		GuestHookPath:           sconfig.HypervisorConfig.GuestHookPath,
 		VMid:                    sconfig.HypervisorConfig.VMid,
 		RxRateLimiterMaxRate:    sconfig.HypervisorConfig.RxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    sconfig.HypervisorConfig.TxRateLimiterMaxRate,
 		SGXEPCSize:              sconfig.HypervisorConfig.SGXEPCSize,
 		EnableAnnotations:       sconfig.HypervisorConfig.EnableAnnotations,
 	}
 	ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
@ -474,8 +481,11 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		MachineAccelerators:     hconf.MachineAccelerators,
 		CPUFeatures:             hconf.CPUFeatures,
 		HypervisorPath:          hconf.HypervisorPath,
 		HypervisorPathList:      hconf.HypervisorPathList,
 		HypervisorCtlPath:       hconf.HypervisorCtlPath,
 		HypervisorCtlPathList:   hconf.HypervisorCtlPathList,
 		JailerPath:              hconf.JailerPath,
 		JailerPathList:          hconf.JailerPathList,
 		BlockDeviceDriver:       hconf.BlockDeviceDriver,
 		HypervisorMachineType:   hconf.HypervisorMachineType,
 		MemoryPath:              hconf.MemoryPath,
@ -483,6 +493,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		EntropySource:           hconf.EntropySource,
 		SharedFS:                hconf.SharedFS,
 		VirtioFSDaemon:          hconf.VirtioFSDaemon,
 		VirtioFSDaemonList:      hconf.VirtioFSDaemonList,
 		VirtioFSCache:           hconf.VirtioFSCache,
 		VirtioFSExtraArgs:       hconf.VirtioFSExtraArgs[:],
 		BlockDeviceCacheSet:     hconf.BlockDeviceCacheSet,
@ -494,6 +505,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		MemPrealloc:             hconf.MemPrealloc,
 		HugePages:               hconf.HugePages,
 		FileBackedMemRootDir:    hconf.FileBackedMemRootDir,
 		FileBackedMemRootList:   hconf.FileBackedMemRootList,
 		Realtime:                hconf.Realtime,
 		Mlock:                   hconf.Mlock,
 		DisableNestingChecks:    hconf.DisableNestingChecks,
@ -505,11 +517,13 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		DisableVhostNet:         hconf.DisableVhostNet,
 		EnableVhostUserStore:    hconf.EnableVhostUserStore,
 		VhostUserStorePath:      hconf.VhostUserStorePath,
 		VhostUserStorePathList:  hconf.VhostUserStorePathList,
 		GuestHookPath:           hconf.GuestHookPath,
 		VMid:                    hconf.VMid,
 		RxRateLimiterMaxRate:    hconf.RxRateLimiterMaxRate,
 		TxRateLimiterMaxRate:    hconf.TxRateLimiterMaxRate,
 		SGXEPCSize:              hconf.SGXEPCSize,
 		EnableAnnotations:       hconf.EnableAnnotations,
 	}
 	sconfig.AgentConfig = KataAgentConfig{
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
@ -60,12 +60,22 @@ type HypervisorConfig struct {
 	// HypervisorPath is the hypervisor executable host path.
 	HypervisorPath string
 	// HypervisorPathList is the list of hypervisor paths names allowed in annotations
 	HypervisorPathList []string
 	// HypervisorCtlPath is the hypervisor ctl executable host path.
 	HypervisorCtlPath string
 	// HypervisorCtlPathList is the list of hypervisor control paths names allowed in annotations
 	HypervisorCtlPathList []string
 	// HypervisorCtlPath is the hypervisor ctl executable host path.
 	// JailerPath is the jailer executable host path.
 	JailerPath string
 	// JailerPathList is the list of jailer paths names allowed in annotations
 	JailerPathList []string
 	// BlockDeviceDriver specifies the driver to be used for block device
 	// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 	BlockDeviceDriver string
@ -94,6 +104,9 @@ type HypervisorConfig struct {
 	// VirtioFSDaemon is the virtio-fs vhost-user daemon path
 	VirtioFSDaemon string
 	// VirtioFSDaemonList is the list of valid virtiofs names for annotations
 	VirtioFSDaemonList []string
 	// VirtioFSCache cache mode for fs version cache or "none"
 	VirtioFSCache string
@ -103,6 +116,9 @@ type HypervisorConfig struct {
 	// File based memory backend root directory
 	FileBackedMemRootDir string
 	// FileBackedMemRootList is the list of valid root directories values for annotations
 	FileBackedMemRootList []string
 	// BlockDeviceCacheSet specifies cache-related options will be set to block devices or not.
 	BlockDeviceCacheSet bool
@ -173,6 +189,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string
 	// VhostUserStorePathList is the list of valid values for vhost-user paths
 	VhostUserStorePathList []string
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string
@ -189,6 +208,9 @@ type HypervisorConfig struct {
 	// SGXEPCSize specifies the size in bytes for the EPC Section.
 	// Enable SGX. Hardware-based isolation and memory encryption.
 	SGXEPCSize int64
 	// Enable annotations by name
 	EnableAnnotations []string
 }
 // KataAgentConfig is a structure storing information needed
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@ -28,6 +28,7 @@ const (
 	//
 	// Assets
 	//
 	KataAnnotationHypervisorPrefix = kataAnnotHypervisorPrefix
 	// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
 	KernelPath = kataAnnotHypervisorPrefix + "kernel"
@ -44,6 +45,9 @@ const (
 	// JailerPath is a sandbox annotation for passing a per container path pointing at the jailer that will constrain the container VM.
 	JailerPath = kataAnnotHypervisorPrefix + "jailer_path"
 	// CtlPath is a sandbox annotation for passing a per container path pointing at the acrn ctl binary
 	CtlPath = kataAnnotHypervisorPrefix + "ctlpath"
 	// FirmwarePath is a sandbox annotation for passing a per container path pointing at the guest firmware that will run the container VM.
 	FirmwarePath = kataAnnotHypervisorPrefix + "firmware"
@ -211,7 +215,7 @@ const (
 	TxRateLimiterMaxRate = kataAnnotHypervisorPrefix + "tx_rate_limiter_max_rate"
 )
-// Agent related annotations
+// Runtime related annotations
 const (
 	kataAnnotRuntimePrefix = kataConfAnnotationsPrefix + "runtime."
@ -235,6 +239,7 @@ const (
 	DisableNewNetNs = kataAnnotRuntimePrefix + "disable_new_netns"
 )
 // Agent related annotations
 const (
 	kataAnnotAgentPrefix = kataConfAnnotationsPrefix + "agent."
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
 	"regexp"
 	goruntime "runtime"
 	"strconv"
 	"strings"
@ -182,15 +183,44 @@ func containerMounts(spec specs.Spec) []vc.Mount {
 	return mnts
 }
-func contains(s []string, e string) bool {
+func contains(strings []string, toFind string) bool {
-	for _, a := range s {
+	for _, candidate := range strings {
-		if a == e {
+		if candidate == toFind {
 			return true
 		}
 	}
 	return false
 }
 func regexpContains(regexps []string, toMatch string) bool {
 	for _, candidate := range regexps {
 		if matched, _ := regexp.MatchString(candidate, toMatch); matched {
 			return true
 		}
 	}
 	return false
 }
 func checkPathIsInGlobs(globs []string, path string) bool {
 	for _, glob := range globs {
 		filenames, _ := filepath.Glob(glob)
 		for _, a := range filenames {
 			if path == a {
 				return true
 			}
 		}
 	}
 	return false
 }
 // Check if an annotation name either belongs to another prefix, matches regexp list
 func checkAnnotationNameIsValid(list []string, name string, prefix string) bool {
 	if strings.HasPrefix(name, prefix) {
 		return regexpContains(list, strings.TrimPrefix(name, prefix))
 	}
 	return true
 }
 func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
 	allowedDeviceTypes := []string{"c", "b", "u", "p"}
@ -323,13 +353,18 @@ func SandboxID(spec specs.Spec) (string, error) {
 	return "", fmt.Errorf("Could not find sandbox ID")
 }
-func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig) error {
+func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
 	for key := range ocispec.Annotations {
 		if !checkAnnotationNameIsValid(runtime.HypervisorConfig.EnableAnnotations, key, vcAnnotations.KataAnnotationHypervisorPrefix) {
 			return fmt.Errorf("annotation %v is not enabled", key)
 		}
 	}
 	addAssetAnnotations(ocispec, config)
-	if err := addHypervisorConfigOverrides(ocispec, config); err != nil {
+	if err := addHypervisorConfigOverrides(ocispec, config, runtime); err != nil {
 		return err
 	}
-	if err := addRuntimeConfigOverrides(ocispec, config); err != nil {
+	if err := addRuntimeConfigOverrides(ocispec, config, runtime); err != nil {
 		return err
 	}
@ -354,20 +389,18 @@ func addAssetAnnotations(ocispec specs.Spec, config *vc.SandboxConfig) {
 	for _, a := range assetAnnotations {
 		value, ok := ocispec.Annotations[a]
-		if !ok {
+		if ok {
-			continue
+			config.Annotations[a] = value
 		}
 		config.Annotations[a] = value
 	}
 }
-func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error {
+func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
 	if err := addHypervisorCPUOverrides(ocispec, config); err != nil {
 		return err
 	}
-	if err := addHypervisorMemoryOverrides(ocispec, config); err != nil {
+	if err := addHypervisorMemoryOverrides(ocispec, config, runtime); err != nil {
 		return err
 	}
@ -375,7 +408,7 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 		return err
 	}
-	if err := addHypervisporVirtioFsOverrides(ocispec, config); err != nil {
+	if err := addHypervisorVirtioFsOverrides(ocispec, config, runtime); err != nil {
 		return err
 	}
@ -383,15 +416,8 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 		return err
 	}
-	if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
+	if err := addHypervisorPathOverrides(ocispec, config, runtime); err != nil {
-		if value != "" {
+		return err
 			params := vc.DeserializeParams(strings.Fields(value))
 			for _, param := range params {
 				if err := config.HypervisorConfig.AddKernelParam(param); err != nil {
 					return fmt.Errorf("Error adding kernel parameters in annotation kernel_params : %v", err)
 				}
 			}
 		}
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.MachineType]; ok {
@ -406,6 +432,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 		}
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.VhostUserStorePathList, value) {
 			return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.VhostUserStorePath = value
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.GuestHookPath]; ok {
 		if value != "" {
 			config.HypervisorConfig.GuestHookPath = value
@ -461,7 +494,42 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 	return nil
 }
-func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+func addHypervisorPathOverrides(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
 	if value, ok := ocispec.Annotations[vcAnnotations.HypervisorPath]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.HypervisorPathList, value) {
 			return fmt.Errorf("hypervisor %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorPath = value
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.JailerPathList, value) {
 			return fmt.Errorf("jailer %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.JailerPath = value
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.CtlPath]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
 			return fmt.Errorf("hypervisor control %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorCtlPath = value
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
 		if value != "" {
 			params := vc.DeserializeParams(strings.Fields(value))
 			for _, param := range params {
 				if err := config.HypervisorConfig.AddKernelParam(param); err != nil {
 					return fmt.Errorf("Error adding kernel parameters in annotation kernel_params : %v", err)
 				}
 			}
 		}
 	}
 	return nil
 }
 func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig, runtime RuntimeConfig) error {
 	if value, ok := ocispec.Annotations[vcAnnotations.DefaultMemory]; ok {
 		memorySz, err := strconv.ParseUint(value, 10, 32)
 		if err != nil {
@ -525,6 +593,9 @@ func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.FileBackedMemRootDir]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.FileBackedMemRootList, value) {
 			return fmt.Errorf("file_mem_backend value %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.FileBackedMemRootDir = value
 	}
@ -661,7 +732,7 @@ func addHypervisorBlockOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig)
 	return nil
 }
-func addHypervisporVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+func addHypervisorVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig, runtime RuntimeConfig) error {
 	if value, ok := ocispec.Annotations[vcAnnotations.SharedFS]; ok {
 		supportedSharedFS := []string{config.Virtio9P, config.VirtioFS}
 		valid := false
@ -678,6 +749,9 @@ func addHypervisporVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxCon
 	}
 	if value, ok := ocispec.Annotations[vcAnnotations.VirtioFSDaemon]; ok {
 		if !checkPathIsInGlobs(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
 			return fmt.Errorf("virtiofs daemon %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.VirtioFSDaemon = value
 	}
@ -745,7 +819,7 @@ func addHypervisporNetworkOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConf
 	return nil
 }
-func addRuntimeConfigOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+func addRuntimeConfigOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig, runtime RuntimeConfig) error {
 	if value, ok := ocispec.Annotations[vcAnnotations.DisableGuestSeccomp]; ok {
 		disableGuestSeccomp, err := strconv.ParseBool(value)
 		if err != nil {
@ -885,7 +959,7 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid, c
 		Experimental: runtime.Experimental,
 	}
-	if err := addAnnotations(ocispec, &sandboxConfig); err != nil {
+	if err := addAnnotations(ocispec, &sandboxConfig, runtime); err != nil {
 		return vc.SandboxConfig{}, err
 	}
--- a/src/runtime/virtcontainers/pkg/oci/utils_test.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils_test.go
@ -676,7 +676,25 @@ func TestAddAssetAnnotations(t *testing.T) {
 		Annotations: expectedAnnotations,
 	}
-	addAnnotations(ocispec, &config)
+	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	// Try annotations without enabling them first
 	err := addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	assert.Exactly(map[string]string{}, config.Annotations)
 	// Check if annotation not enabled correctly
 	runtimeConfig.HypervisorConfig.EnableAnnotations = []string{"nonexistent"}
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	// Check that it works if all annotation are enabled
 	runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.NoError(err)
 	assert.Exactly(expectedAnnotations, config.Annotations)
 }
@ -700,9 +718,14 @@ func TestAddAgentAnnotations(t *testing.T) {
 		ContainerPipeSize: 1024,
 	}
 	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	ocispec.Annotations[vcAnnotations.KernelModules] = strings.Join(expectedAgentConfig.KernelModules, KernelModulesSeparator)
 	ocispec.Annotations[vcAnnotations.AgentContainerPipeSize] = "1024"
-	addAnnotations(ocispec, &config)
+	addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Exactly(expectedAgentConfig, config.AgentConfig)
 }
@ -722,8 +745,13 @@ func TestContainerPipeSizeAnnotation(t *testing.T) {
 		ContainerPipeSize: 0,
 	}
 	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	ocispec.Annotations[vcAnnotations.AgentContainerPipeSize] = "foo"
-	err := addAnnotations(ocispec, &config)
+	err := addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	assert.Exactly(expectedAgentConfig, config.AgentConfig)
 }
@ -752,8 +780,16 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 		},
 	}
 	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
 	runtimeConfig.HypervisorConfig.FileBackedMemRootList = []string{"/dev/shm*"}
 	runtimeConfig.HypervisorConfig.VirtioFSDaemonList = []string{"/bin/*ls*"}
 	ocispec.Annotations[vcAnnotations.KernelParams] = "vsyscall=emulate iommu=on"
-	addHypervisorConfigOverrides(ocispec, &config)
+	addHypervisorConfigOverrides(ocispec, &config, runtimeConfig)
 	assert.Exactly(expectedHyperConfig, config.HypervisorConfig)
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "1"
@ -774,7 +810,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	ocispec.Annotations[vcAnnotations.BlockDeviceCacheDirect] = "true"
 	ocispec.Annotations[vcAnnotations.BlockDeviceCacheNoflush] = "true"
 	ocispec.Annotations[vcAnnotations.SharedFS] = "virtio-fs"
-	ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/home/virtiofsd"
+	ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/bin/false"
 	ocispec.Annotations[vcAnnotations.VirtioFSCache] = "/home/cache"
 	ocispec.Annotations[vcAnnotations.Msize9p] = "512"
 	ocispec.Annotations[vcAnnotations.MachineType] = "q35"
@ -792,7 +828,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	ocispec.Annotations[vcAnnotations.RxRateLimiterMaxRate] = "10000000"
 	ocispec.Annotations[vcAnnotations.TxRateLimiterMaxRate] = "10000000"
-	addAnnotations(ocispec, &config)
+	addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Equal(config.HypervisorConfig.NumVCPUs, uint32(1))
 	assert.Equal(config.HypervisorConfig.DefaultMaxVCPUs, uint32(1))
 	assert.Equal(config.HypervisorConfig.MemorySize, uint32(1024))
@ -811,7 +847,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	assert.Equal(config.HypervisorConfig.BlockDeviceCacheDirect, true)
 	assert.Equal(config.HypervisorConfig.BlockDeviceCacheNoflush, true)
 	assert.Equal(config.HypervisorConfig.SharedFS, "virtio-fs")
-	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/home/virtiofsd")
+	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/bin/false")
 	assert.Equal(config.HypervisorConfig.VirtioFSCache, "/home/cache")
 	assert.Equal(config.HypervisorConfig.Msize9p, uint32(512))
 	assert.Equal(config.HypervisorConfig.HypervisorMachineType, "q35")
@ -830,16 +866,77 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	// In case an absurd large value is provided, the config value if not over-ridden
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "655536"
-	err := addAnnotations(ocispec, &config)
+	err := addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "-1"
-	err = addAnnotations(ocispec, &config)
+	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "1"
 	ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "-1"
-	err = addAnnotations(ocispec, &config)
+	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "1"
 	ocispec.Annotations[vcAnnotations.DefaultMemory] = fmt.Sprintf("%d", vc.MinHypervisorMemory+1)
 	assert.Error(err)
 }
 func TestAddProtectedHypervisorAnnotations(t *testing.T) {
 	assert := assert.New(t)
 	config := vc.SandboxConfig{
 		Annotations: make(map[string]string),
 	}
 	ocispec := specs.Spec{
 		Annotations: make(map[string]string),
 	}
 	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	ocispec.Annotations[vcAnnotations.KernelParams] = "vsyscall=emulate iommu=on"
 	err := addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	assert.Exactly(vc.HypervisorConfig{}, config.HypervisorConfig)
 	// Enable annotations
 	runtimeConfig.HypervisorConfig.EnableAnnotations = []string{".*"}
 	ocispec.Annotations[vcAnnotations.FileBackedMemRootDir] = "/dev/shm"
 	ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/bin/false"
 	config.HypervisorConfig.FileBackedMemRootDir = "do-not-touch"
 	config.HypervisorConfig.VirtioFSDaemon = "dangerous-daemon"
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "do-not-touch")
 	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "dangerous-daemon")
 	// Now enable them and check again
 	runtimeConfig.HypervisorConfig.FileBackedMemRootList = []string{"/dev/*m"}
 	runtimeConfig.HypervisorConfig.VirtioFSDaemonList = []string{"/bin/*ls*"}
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.NoError(err)
 	assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "/dev/shm")
 	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/bin/false")
 	// In case an absurd large value is provided, the config value if not over-ridden
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "655536"
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "-1"
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "1"
 	ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "-1"
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	ocispec.Annotations[vcAnnotations.DefaultMaxVCPUs] = "1"
@ -858,18 +955,82 @@ func TestAddRuntimeAnnotations(t *testing.T) {
 		Annotations: make(map[string]string),
 	}
 	runtimeConfig := RuntimeConfig{
 		HypervisorType: vc.QemuHypervisor,
 		Console:        consolePath,
 	}
 	ocispec.Annotations[vcAnnotations.DisableGuestSeccomp] = "true"
 	ocispec.Annotations[vcAnnotations.SandboxCgroupOnly] = "true"
 	ocispec.Annotations[vcAnnotations.DisableNewNetNs] = "true"
 	ocispec.Annotations[vcAnnotations.InterNetworkModel] = "macvtap"
-	addAnnotations(ocispec, &config)
+	addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Equal(config.DisableGuestSeccomp, true)
 	assert.Equal(config.SandboxCgroupOnly, true)
 	assert.Equal(config.NetworkConfig.DisableNewNetNs, true)
 	assert.Equal(config.NetworkConfig.InterworkingModel, vc.NetXConnectMacVtapModel)
 }
 func TestRegexpContains(t *testing.T) {
 	assert := assert.New(t)
 	type testData struct {
 		regexps  []string
 		toMatch  string
 		expected bool
 	}
 	data := []testData{
 		{[]string{}, "", false},
 		{[]string{}, "nonempty", false},
 		{[]string{"simple"}, "simple", true},
 		{[]string{"simple"}, "some_simple_text", true},
 		{[]string{"simple"}, "simp", false},
 		{[]string{"one", "two"}, "one", true},
 		{[]string{"one", "two"}, "two", true},
 		{[]string{"o*"}, "oooo", true},
 		{[]string{"o*"}, "oooa", true},
 		{[]string{"^o*$"}, "oooa", false},
 	}
 	for _, d := range data {
 		matched := regexpContains(d.regexps, d.toMatch)
 		assert.Equal(d.expected, matched, "%+v", d)
 	}
 }
 func TestCheckPathIsInGlobs(t *testing.T) {
 	assert := assert.New(t)
 	type testData struct {
 		globs    []string
 		toMatch  string
 		expected bool
 	}
 	data := []testData{
 		{[]string{}, "", false},
 		{[]string{}, "nonempty", false},
 		{[]string{"simple"}, "simple", false},
 		{[]string{"simple"}, "some_simple_text", false},
 		{[]string{"/bin/ls"}, "/bin/ls", true},
 		{[]string{"/bin/ls", "/bin/false"}, "/bin/ls", true},
 		{[]string{"/bin/ls", "/bin/false"}, "/bin/false", true},
 		{[]string{"/bin/ls", "/bin/false"}, "/bin/bar", false},
 		{[]string{"/bin/*ls*"}, "/bin/ls", true},
 		{[]string{"/bin/*ls*"}, "/bin/false", true},
 		{[]string{"bin/ls"}, "/bin/ls", false},
 		{[]string{"./bin/ls"}, "/bin/ls", false},
 		{[]string{"*/bin/ls"}, "/bin/ls", false},
 	}
 	for _, d := range data {
 		matched := checkPathIsInGlobs(d.globs, d.toMatch)
 		assert.Equal(d.expected, matched, "%+v", d)
 	}
 }
 func TestIsCRIOContainerManager(t *testing.T) {
 	assert := assert.New(t)