From 7a59d7f937b468a7523c404e03e883e367879164 Mon Sep 17 00:00:00 2001 From: "alex.lyn" Date: Wed, 2 Jul 2025 20:57:21 +0800 Subject: [PATCH 1/3] runtime-rs: Import the public const value from libs Introduce a const value `KATA_VIRTUAL_VOLUME_PREFIX` defined in the libs/kata-types, and it'll be better import such const value from there. Signed-off-by: alex.lyn --- src/libs/kata-types/src/mount.rs | 5 ++++- src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs | 3 +-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/libs/kata-types/src/mount.rs b/src/libs/kata-types/src/mount.rs index eac2afbffb..b557d8cdb1 100644 --- a/src/libs/kata-types/src/mount.rs +++ b/src/libs/kata-types/src/mount.rs @@ -47,6 +47,9 @@ pub const SANDBOX_BIND_MOUNTS_RO: &str = ":ro"; /// SANDBOX_BIND_MOUNTS_RO is for sandbox bindmounts with readwrite pub const SANDBOX_BIND_MOUNTS_RW: &str = ":rw"; +/// KATA_VIRTUAL_VOLUME_PREFIX is for container image guest pull +pub const KATA_VIRTUAL_VOLUME_PREFIX: &str = "io.katacontainers.volume="; + /// Directly assign a block volume to vm and mount it inside guest. pub const KATA_VIRTUAL_VOLUME_DIRECT_BLOCK: &str = "direct_block"; /// Present a container image as a generic block device. @@ -532,7 +535,7 @@ pub fn adjust_rootfs_mounts() -> Result> { // Create a new Vec with a single Mount entry. // This Mount's options will contain the base64-encoded virtual volume. Ok(vec![Mount { - options: vec![format!("{}={}", "io.katacontainers.volume", b64_vol)], + options: vec![format!("{}{}", KATA_VIRTUAL_VOLUME_PREFIX, b64_vol)], ..Default::default() // Use default values for other Mount fields }]) } diff --git a/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs b/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs index 32cf69a76a..882919b246 100644 --- a/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs +++ b/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs 
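Review bot: The doc comment on `KATA_VIRTUAL_VOLUME_PREFIX` in the first mount.rs hunk names one use case instead of describing the value. The constant is the mount-option key with the trailing '=' included, which the second hunk depends on when it changes `"{}={}"` to `"{}{}"` in `adjust_rootfs_mounts`. I would say so directly, e.g. `/// Mount option prefix, trailing '=' included, followed by the base64-encoded KataVirtualVolume.`, so a later caller does not append a second '='.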
@@ -17,13 +17,12 @@ use hypervisor::device::device_manager::DeviceManager; use kata_types::{ annotations, container::ContainerType, - mount::{KataVirtualVolume, KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL}, + mount::{KataVirtualVolume, KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, KATA_VIRTUAL_VOLUME_PREFIX}, }; /// Image guest-pull related consts const KUBERNETES_CRI_IMAGE_NAME: &str = "io.kubernetes.cri.image-name"; const KUBERNETES_CRIO_IMAGE_NAME: &str = "io.kubernetes.cri-o.ImageName"; -const KATA_VIRTUAL_VOLUME_PREFIX: &str = "io.katacontainers.volume="; const KATA_VIRTUAL_VOLUME_TYPE_OVERLAY_FS: &str = "overlayfs"; const KATA_GUEST_ROOT_SHARED_FS: &str = "/run/kata-containers/"; From 8f8b196705a7f94c1fc39b77755158180aa12716 Mon Sep 17 00:00:00 2001 From: "alex.lyn" Date: Wed, 2 Jul 2025 21:02:12 +0800 Subject: [PATCH 2/3] runtime-rs: refactor merging metadata within image_pull refactor implementation for merging metadata. Signed-off-by: alex.lyn --- .../crates/resource/src/rootfs/virtual_volume.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs b/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs index 882919b246..18e01b7488 100644 --- a/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs +++ b/src/runtime-rs/crates/resource/src/rootfs/virtual_volume.rs @@ -9,6 +9,7 @@ use std::{collections::HashMap, path::PathBuf}; use anyhow::{anyhow, Context, Result}; use async_trait::async_trait; +use kata_types::mount::ImagePullVolume; use oci_spec::runtime as oci; use serde_json; use tokio::sync::RwLock; 
@@ -84,11 +85,16 @@ fn handle_virtual_volume_storage( let mut virtual_volume_info = virt_volume.clone(); // Merge metadata - for (k, v) in annotations.iter() { - if let Some(ref mut image_pull) = virtual_volume_info.image_pull { + if let Some(ref mut image_pull) = virtual_volume_info.image_pull { + for (k, v) in annotations.iter() { image_pull.metadata.insert(k.to_owned(), v.to_owned()); } + } else { + virtual_volume_info.image_pull = Some(ImagePullVolume { + metadata: annotations.clone(), + }); } + // Serialize ImagePull as JSON let image_pull_info = serde_json::to_string(&virtual_volume_info.image_pull) .map_err(|e| anyhow!(e.to_string()))?; From 2b95facc6fba925c8900e55b69f927174b85ea74 Mon Sep 17 00:00:00 2001 From: "alex.lyn" Date: Thu, 3 Jul 2025 09:53:28 +0800 Subject: [PATCH 3/3] kata-type: Relax Mandatory source Field Check in Guest-Pull Mode Previously, the source field was subject to mandatory checks. However, in guest-pull mode, this field doesn't consistently provide useful information. Our practical experience has shown that relying on this field for critical data isn't always necessary. In other aspect, not all cases need mandatory check for KataVirtualVolume. based on this fact, we'd better to make from_base64 do only one thing and remove the validate(). Of course, We also keep the previous capability to make it easy for possible cases which use such method and we rename it clearly with from_base64_and_validate. This commit relaxes the mandatory checks on the KataVirtualVolume specifically for guest-pull mode, acknowledging its diminished utility in this context. Signed-off-by: alex.lyn --- src/libs/kata-types/src/mount.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/libs/kata-types/src/mount.rs b/src/libs/kata-types/src/mount.rs index b557d8cdb1..00b3b62a3e 100644 --- a/src/libs/kata-types/src/mount.rs +++ b/src/libs/kata-types/src/mount.rs 
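Review bot: The new `else` branch in `handle_virtual_volume_storage` is a behaviour change rather than the refactor the commit message describes: a volume without `image_pull` used to serialize as `null` in the `serde_json::to_string` call below, and now gets an `ImagePullVolume` whose metadata is the whole annotation map. That JSON is presumably consumed on the guest side, so please confirm this function is only reached for guest-pull volumes and add a unit test for the `None` case. Both branches copy every annotation, and in the `Some` branch an annotation overwrites an existing metadata key of the same name; if the consumer only needs the image-name annotations, filtering here would keep the rest out of the volume info. The loop can probably be written as `image_pull.metadata.extend(annotations.clone());`. The function starts and ends outside the hunk.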
@@ -387,7 +387,15 @@ impl KataVirtualVolume { pub fn from_base64(value: &str) -> Result { let json = base64::decode(value)?; let volume: KataVirtualVolume = serde_json::from_slice(&json)?; + + Ok(volume) + } + + /// Decode and deserialize a virtual volume object from base64 encoded json string and validate it. + pub fn from_base64_and_validate(value: &str) -> Result { + let volume = Self::from_base64(value)?; volume.validate()?; + Ok(volume) } } @@ -650,7 +658,8 @@ mod tests { volume.direct_volume = Some(DirectAssignedVolume { metadata }); let value = volume.to_base64().unwrap(); - let volume2: KataVirtualVolume = KataVirtualVolume::from_base64(value.as_str()).unwrap(); + let volume2: KataVirtualVolume = + KataVirtualVolume::from_base64_and_validate(value.as_str()).unwrap(); assert_eq!(volume.volume_type, volume2.volume_type); assert_eq!(volume.source, volume2.source); assert_eq!(volume.fs_type, volume2.fs_type);
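Review bot: Dropping `volume.validate()?` from `from_base64` weakens every existing caller, not only the guest-pull path the commit message names: code that still calls `from_base64` compiles unchanged and now accepts any volume that merely deserializes. The decoded value appears to come from a mount option (see `adjust_rootfs_mounts`), so I would keep the validating behaviour under the existing name and give the relaxed variant the new name. At minimum the doc comment should state it, e.g. `/// Does not call validate(); use from_base64_and_validate() for input that has not been checked elsewhere.`. The tests hunk only moves the existing round-trip to `from_base64_and_validate`; a test that feeds an invalid volume to both functions would pin the difference. The `impl` block and the test function extend beyond these hunks.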