From 347ce5e3bc44bd2bc66e03e5ddb5dfa049fcaf9c Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Tue, 3 Mar 2026 13:44:12 +0100
Subject: [PATCH] runtime: Skip to call sandboxDevices() for remote hypervisor

The remote hypervisor delegates VM creation to a remote service. The VM runs on cloud infrastructure, not the local host kernel. So requiring a KVM/MSHV device is semantically wrong and would cause a hard failure on any host where these devices are absent (e.g., a VM that doesn't expose nested virtualization). Skip sandboxDevices() entirely when the configured hypervisor type is remoteHypervisor{}.
Signed-off-by: Hyounggyu Choi
---
 src/runtime/pkg/resourcecontrol/cgroups.go | 12 +++++++-----
 src/runtime/pkg/resourcecontrol/cgroups_darwin.go | 2 +-
 src/runtime/virtcontainers/sandbox.go | 7 ++++++-
 src/runtime/virtcontainers/sandbox_test.go | 13 +++++++++++++
 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go
index f80f0f7a73..deb472904b 100644
--- a/src/runtime/pkg/resourcecontrol/cgroups.go
+++ b/src/runtime/pkg/resourcecontrol/cgroups.go
@@ -186,13 +186,15 @@ func NewResourceController(path string, resources *specs.LinuxResources) (Resour
 }, nil
 }
 
-func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool) (ResourceController, error) {
+func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool, needsHypervisorDevices bool) (ResourceController, error) {
 sandboxResources := *resources
- sandboxDevices, err := sandboxDevices()
- if err != nil {
- return nil, err
+ if needsHypervisorDevices {
+ sandboxDevs, err := sandboxDevices()
+ if err != nil {
+ return nil, err
+ }
+ sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevs...)
 }
- sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices...)
 
 // Currently we know to handle systemd cgroup path only when it's the only cgroup (no overhead group), hence,
 // if sandboxCgroupOnly is not true we treat it as cgroupfs path as it used to be, although it may be incorrect.
diff --git a/src/runtime/pkg/resourcecontrol/cgroups_darwin.go b/src/runtime/pkg/resourcecontrol/cgroups_darwin.go
index 50cde8e5d0..ed379614de 100644
--- a/src/runtime/pkg/resourcecontrol/cgroups_darwin.go
+++ b/src/runtime/pkg/resourcecontrol/cgroups_darwin.go
@@ -21,7 +21,7 @@ func NewResourceController(path string, resources *specs.LinuxResources) (Resour
 return &DarwinResourceController{}, nil
 }
 
-func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool) (ResourceController, error) {
+func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool, needsHypervisorDevices bool) (ResourceController, error) {
 return &DarwinResourceController{}, nil
 }
 
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index 68c9ba566c..6c47d7bed7 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
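Review bot: NewSandboxResourceController is exported but still has no doc comment, and the new `needsHypervisorDevices` parameter is a positional bool that reads as an opaque `true`/`false` at every call site, so nothing in the signature says what it gates or why a caller would pass false. A comment such as `// NewSandboxResourceController creates the sandbox-level cgroup from resources.` / `// When needsHypervisorDevices is true the host KVM/MSHV device rules from sandboxDevices() are appended` / `// to the device list; callers whose VM is not created on this host pass false.` would record that contract, which matters because it is the one switch that decides how much host device access the sandbox cgroup is granted. The identical signature change in the cgroups_darwin.go hunk is a stub that ignores all arguments and needs no separate note. The function body continues past the end of this hunk.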
@@ -870,7 +870,12 @@ func (s *Sandbox) createResourceController() error {
 // Depending on the SandboxCgroupOnly value, this cgroup
 // will either hold all the pod threads (SandboxCgroupOnly is true)
 // or only the virtual CPU ones (SandboxCgroupOnly is false).
- s.sandboxController, err = resCtrl.NewSandboxResourceController(cgroupPath, &resources, s.config.SandboxCgroupOnly)
+ s.sandboxController, err = resCtrl.NewSandboxResourceController(
+ cgroupPath,
+ &resources,
+ s.config.SandboxCgroupOnly,
+ s.config.HypervisorType != RemoteHypervisor,
+ )
 if err != nil {
 return fmt.Errorf("Could not create the sandbox resource controller %v", err)
 }
diff --git a/src/runtime/virtcontainers/sandbox_test.go b/src/runtime/virtcontainers/sandbox_test.go
index 0a6fb8ee50..7e521f3842 100644
--- a/src/runtime/virtcontainers/sandbox_test.go
+++ b/src/runtime/virtcontainers/sandbox_test.go
@@ -1483,6 +1483,19 @@ func TestSandbox_Cgroups(t *testing.T) {
 false,
 true,
 },
+ {
+ "sandbox, remote hypervisor (no kvm required)",
+ &Sandbox{
+ config: &SandboxConfig{
+ HypervisorType: RemoteHypervisor,
+ Containers: []ContainerConfig{
+ successfulContainer,
+ },
+ },
+ },
+ false,
+ true,
+ },
 }
 for _, tt := range tests {
 if tt.needRoot && os.Getuid() != 0 {
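Review bot: The `s.config.HypervisorType != RemoteHypervisor` argument puts a policy decision (which hypervisor types need host device access in the sandbox cgroup) inline in an argument list, where a reader sees only a bare comparison with no stated reason. Binding it to a named local with a why-comment keeps the intent visible and gives the next off-host hypervisor type one obvious place to be added: `// Only hypervisors that create the VM on this host need the local KVM/MSHV device rules.` followed by `needsHypervisorDevices := s.config.HypervisorType != RemoteHypervisor`, passing `needsHypervisorDevices` in place of the comparison. createResourceController begins before the hunk, so where `err` and `resources` are declared is not visible here.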
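Review bot: The new table entry only shows that constructing a sandbox with `HypervisorType: RemoteHypervisor` does not fail; on a host that exposes the KVM device it would pass even if sandboxDevices() were still being consulted, so it does not pin the behaviour its name ("no kvm required") describes. A regression test for this change would additionally assert that the resulting sandbox controller's device list carries no hypervisor device rule, or run the case where the device is absent; the table's field names are outside the hunk, so the two trailing booleans are presumably needRoot (the loop below reads `tt.needRoot`) and an expected-success flag, which should be confirmed before extending the case. TestSandbox_Cgroups starts before the hunk.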