diff --git a/src/runtime-rs/config/configuration-clh-azure-runtime-rs.toml.in b/src/runtime-rs/config/configuration-clh-azure-runtime-rs.toml.in
index 8237012486..308ad7bbd9 100644
--- a/src/runtime-rs/config/configuration-clh-azure-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-clh-azure-runtime-rs.toml.in
@@ -509,6 +509,9 @@ sandbox_cgroup_only = @DEFSANDBOXCGROUPONLY_CLH@
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
diff --git a/src/runtime-rs/config/configuration-clh-runtime-rs.toml.in b/src/runtime-rs/config/configuration-clh-runtime-rs.toml.in
index 928130ea37..c34e95b152 100644
--- a/src/runtime-rs/config/configuration-clh-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-clh-runtime-rs.toml.in
@@ -509,6 +509,9 @@ sandbox_cgroup_only = @DEFSANDBOXCGROUPONLY_CLH@
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
diff --git a/src/runtime-rs/config/configuration-dragonball.toml.in b/src/runtime-rs/config/configuration-dragonball.toml.in
index 54ea7abae9..44e5c903f2 100644
--- a/src/runtime-rs/config/configuration-dragonball.toml.in
+++ b/src/runtime-rs/config/configuration-dragonball.toml.in
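Review bot: The three lines added under `# Supported experimental features:` give an example instead of the list that header promises, and they tie `force_guest_pull` to "CoCo scenarios" inside a Cloud Hypervisor template whose name does not mark it as a confidential-containers configuration, so an operator cannot tell from this file whether the value is accepted, ignored or rejected here. Since `experimental` is the one knob on this page explicitly documented as not stable for production, the comment should name the accepted values and their applicability rather than read as an invitation, e.g. `# Supported experimental features: force_guest_pull (CoCo / confidential hypervisors only)` followed by a line saying how unknown or inapplicable entries are handled — which has to be confirmed against the runtime's parser, not shown in this diff. The identical text is added verbatim to the clh, dragonball, qemu, nvidia-gpu, remote and rs-fc templates in later hunks, so whatever wording is chosen should be applied to all of them.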
@@ -510,6 +510,9 @@ sandbox_cgroup_only = @DEFSANDBOXCGROUPONLY_DB@
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
index 33c347c9fd..437cd740c4 100644
--- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
@@ -571,102 +571,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@
 # (default: 50000)
 cdh_api_timeout_ms = 50000
-[agent.@PROJECT_TYPE@.mem_agent]
-# Control the mem-agent function enable or disable.
-# Default to false
-mem_agent_enable = false
-
-# Control the mem-agent memcg function disable or enable
-# Default to false
-memcg_disable = false
-
-# Control the mem-agent function swap enable or disable.
-# Default to false
-memcg_swap = false
-
-# Control the mem-agent function swappiness max number.
-# Default to 50
-memcg_swappiness_max = 50
-
-# Control the mem-agent memcg function wait period seconds
-# Default to 600
-memcg_period_secs = 600
-
-# Control the mem-agent memcg wait period PSI percent limit.
-# If the percentage of memory and IO PSI stall time within
-# the memcg waiting period for a cgroup exceeds this value,
-# then the aging and eviction for this cgroup will not be
-# executed after this waiting period.
-# Default to 1
-memcg_period_psi_percent_limit = 1
-
-# Control the mem-agent memcg eviction PSI percent limit.
-# If the percentage of memory and IO PSI stall time for a cgroup
-# exceeds this value during an eviction cycle, the eviction for
-# this cgroup will immediately stop and will not resume until
-# the next memcg waiting period.
-# Default to 1
-memcg_eviction_psi_percent_limit = 1
-
-# Control the mem-agent memcg eviction run aging count min.
-# A cgroup will only perform eviction when the number of aging cycles
-# in memcg is greater than or equal to memcg_eviction_run_aging_count_min.
-# Default to 3
-memcg_eviction_run_aging_count_min = 3
-
-# Control the mem-agent compact function disable or enable
-# Default to false
-compact_disable = false
-
-# Control the mem-agent compaction function wait period seconds
-# Default to 600
-compact_period_secs = 600
-
-# Control the mem-agent compaction function wait period PSI percent limit.
-# If the percentage of memory and IO PSI stall time within
-# the compaction waiting period exceeds this value,
-# then the compaction will not be executed after this waiting period.
-# Default to 1
-compact_period_psi_percent_limit = 1
-
-# Control the mem-agent compaction function compact PSI percent limit.
-# During compaction, the percentage of memory and IO PSI stall time
-# is checked every second. If this percentage exceeds
-# compact_psi_percent_limit, the compaction process will stop.
-# Default to 5
-compact_psi_percent_limit = 5
-
-# Control the maximum number of seconds for each compaction of mem-agent compact function.
-# Default to 180
-compact_sec_max = 180
-
-# Control the mem-agent compaction function compact order.
-# compact_order is use with compact_threshold.
-# Default to 9
-compact_order = 9
-
-# Control the mem-agent compaction function compact threshold.
-# compact_threshold is the pages number.
-# When examining the /proc/pagetypeinfo, if there's an increase in the
-# number of movable pages of orders smaller than the compact_order
-# compared to the amount following the previous compaction,
-# and this increase surpasses a certain threshold—specifically,
-# more than 'compact_threshold' number of pages.
-# Or the number of free pages has decreased by 'compact_threshold'
-# since the previous compaction.
-# then the system should initiate another round of memory compaction.
-# Default to 1024
-compact_threshold = 1024
-
-# Control the mem-agent compaction function force compact times.
-# After one compaction, if there has not been a compaction within
-# the next compact_force_times times, a compaction will be forced
-# regardless of the system's memory situation.
-# If compact_force_times is set to 0, will do force compaction each time.
-# If compact_force_times is set to 9223372036854775807, will never do force compaction.
-# Default to 9223372036854775807
-compact_force_times = 9223372036854775807
-
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
@@ -795,9 +699,21 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 enable_pprof = false
+
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
index cb9f4e9b76..3738301bcd 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
@@ -813,6 +813,9 @@ emptydir_mode = "@DEFEMPTYDIRMODE@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
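Review bot: The new `dan_conf` comment in the `@@ -795,9 +699,21 @@` hunk says the config is "set by special CNI plugins" but never says that the runtime acts on it by attaching host network devices to the hypervisor, so whoever can write under `/run/kata-containers/dans` effectively chooses which host devices reach the VM; the template should state the expected ownership and permissions of that directory (root-only writable is the obvious expectation, to be confirmed against the runtime's reader, which this diff does not show). In a confidential-containers template such as this one it is also worth one line noting that the directory is host-controlled and therefore, presumably, outside whatever the guest attests, so its contents must not be mistaken for trusted input. I would add, above the `(default: ...)` line, `# The runtime trusts the files it finds here; keep the directory writable by root only.` The `@DEFDANCONF@` placeholder additionally has to be defined in the template build, which is not part of this diff; the same block is added to the nvidia-gpu, snp, tdx, qemu, se, remote and rs-fc templates in later hunks and the same caveat applies to each.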
@@ -820,6 +823,15 @@ experimental = @DEFAULTEXPFEATURES@
 # (default: false)
 enable_pprof = false
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
+
 # kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
 # volume paths for propagation. Override for distros that use a different path
 # (e.g. k0s: /var/lib/k0s/kubelet).
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
index 73977a9bf6..06f7a2e9f9 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
@@ -745,6 +745,9 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
@@ -752,6 +755,15 @@ experimental = @DEFAULTEXPFEATURES@
 # (default: false)
 enable_pprof = false
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
+
 # kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
 # volume paths for propagation. Override for distros that use a different path
 # (e.g. k0s: /var/lib/k0s/kubelet).
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
index 5af5b74c51..9ae7041cc5 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
@@ -721,6 +721,9 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
@@ -728,6 +731,15 @@ experimental = @DEFAULTEXPFEATURES@
 # (default: false)
 enable_pprof = false
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
+
 # kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
 # volume paths for propagation. Override for distros that use a different path
 # (e.g. k0s: /var/lib/k0s/kubelet).
diff --git a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
index 23b5bbf611..47adda3409 100644
--- a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
@@ -789,9 +789,21 @@ emptydir_mode = "@DEFEMPTYDIRMODE@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 enable_pprof = false
+
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
index f3e678d201..7b3d1649e4 100644
--- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
@@ -675,9 +675,21 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 enable_pprof = false
+
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
index b489ff280a..de39c6a424 100644
--- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
@@ -722,8 +722,8 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
 # for example:
-# experimental=["force_guest_pull"]
-# which is for enable force_guest_pull mode in CoCo scenarios.
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
index a9231ae453..ccf5b4da37 100644
--- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
@@ -700,8 +700,8 @@ emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
 # for example:
-# experimental=["force_guest_pull"]
-# which is for enable force_guest_pull mode in CoCo scenarios.
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
diff --git a/src/runtime-rs/config/configuration-remote.toml.in b/src/runtime-rs/config/configuration-remote.toml.in
index 04ba2628bd..0fd48a667b 100644
--- a/src/runtime-rs/config/configuration-remote.toml.in
+++ b/src/runtime-rs/config/configuration-remote.toml.in
@@ -277,9 +277,21 @@ disable_guest_empty_dir = false
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 enable_pprof = false
+
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"
diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in
index 8d7771e2ff..3b47687513 100644
--- a/src/runtime-rs/config/configuration-rs-fc.toml.in
+++ b/src/runtime-rs/config/configuration-rs-fc.toml.in
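Review bot: The `dan_conf` block added to `configuration-remote.toml.in` describes a host-local directory under `/run` that "special CNI plugins" populate, but the template name suggests the VM for this configuration is not created on the host where the shim runs, and nothing in the hunk says whether a directly attachable network is honoured, ignored or rejected in that case. If it is only here so that every template carries the same key, the comment should say so; if it is honoured, it should say which host's `/run/kata-containers/dans` is meant and who is expected to populate it. A one-line addition such as `# For the remote hypervisor this directory is read on the host running the shim; confirm it is populated there.` (or a note that the setting is unused) would remove the ambiguity; which statement is true is not visible in this diff.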
@@ -423,9 +423,21 @@ emptydir_mode = "@DEFEMPTYDIRMODE@"
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
 # Supported experimental features:
+# for example:
+# experimental = ["force_guest_pull"]
+# which enables force_guest_pull mode in CoCo scenarios.
 # (default: [])
 experimental = @DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 enable_pprof = false
+
+# Base directory of directly attachable network config.
+# Network devices for VM-based containers are allowed to be placed in the
+# host netns to eliminate as many hops as possible, which is what we
+# called a "Directly Attachable Network". The config, set by special CNI
+# plugins, is used to tell the Kata containers what devices are attached
+# to the hypervisor.
+# (default: /run/kata-containers/dans)
+dan_conf = "@DEFDANCONF@"