diff --git a/src/runtime/pkg/containerd-shim-v2/create.go b/src/runtime/pkg/containerd-shim-v2/create.go
index 3a0814e86a..4fb06cd8d8 100644
--- a/src/runtime/pkg/containerd-shim-v2/create.go
+++ b/src/runtime/pkg/containerd-shim-v2/create.go
@@ -242,6 +242,11 @@ func loadRuntimeConfig(s *service, r *taskAPI.CreateTaskRequest, anno map[string
 }
 
 func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
+	// In the confidential computing, there is no Image information on the host,
+	// so there is no Rootfs.
+	if s.config.ServiceOffload && len(r.Rootfs) == 0 {
+		return false, nil
+	}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
 
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 6d65468abc..9ec2321260 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -1166,6 +1166,7 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 	config.JaegerEndpoint = tomlConf.Runtime.JaegerEndpoint
 	config.JaegerUser = tomlConf.Runtime.JaegerUser
 	config.JaegerPassword = tomlConf.Runtime.JaegerPassword
+	config.ServiceOffload = tomlConf.Image.ServiceOffload
 	for _, f := range tomlConf.Runtime.Experimental {
 		feature := exp.Get(f)
 		if feature == nil {
diff --git a/src/runtime/virtcontainers/container.go b/src/runtime/virtcontainers/container.go
index 60a409a527..ee66610567 100644
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
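Review bot: The new guard in checkAndMount returns (false, nil) silently, so a CreateTask that arrives with no rootfs is indistinguishable in the shim logs from a normal host-mounted one — and this is precisely the case where image pulling has moved from the host into the guest. A debug log before the return, keyed on the container ID, would make the offload path auditable. The comment also reads awkwardly; suggest `// With image service offload the image is pulled inside the guest, so the host receives no rootfs to mount.` in place of the two added comment lines. checkAndMount continues past the end of the hunk, so the handling of an empty Rootfs when ServiceOffload is off is not visible here.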
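Review bot: The added line reads `tomlConf.Image.ServiceOffload`, but no `Image` section or `ServiceOffload` field of the TOML struct is introduced anywhere in this diff, so either it lands in another commit or this hunk does not compile on its own; worth confirming. Unlike the Jaeger fields above it, this option changes where container images are fetched (inside the guest rather than on the host), yet nothing in the hunk validates it against the rest of the configuration — presumably it only makes sense with a confidential-guest hypervisor setup. A check in the existing config validation path, or at minimum a comment on the line such as `// ServiceOffload moves image pulling into the guest; the host then skips rootfs mounting (see checkAndMount).`, would record that dependency. LoadConfiguration extends beyond the hunk on both sides.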
@@ -1252,6 +1252,11 @@ func (c *Container) hotplugDrive(ctx context.Context) error {
 	// Check to see if the rootfs is an umounted block device (source) or if the
 	// mount (target) is backed by a block device:
 	if !c.rootFs.Mounted {
+		// In the confidential computing, there is no Image information on the host,
+		// so there is no Rootfs.Source.
+		if c.sandbox.config.ServiceOffload && c.rootFs.Source == "" {
+			return nil
+		}
 		dev, err = getDeviceForPath(c.rootFs.Source)
 		// there is no "rootfs" dir on block device backed rootfs
 		c.rootfsSuffix = ""
diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
index 3366af7dfb..f91ab534bf 100644
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1235,6 +1235,11 @@ func (k *kataAgent) rollbackFailingContainerCreation(ctx context.Context, c *Con
 }
 
 func (k *kataAgent) buildContainerRootfs(ctx context.Context, sandbox *Sandbox, c *Container, rootPathParent string) (*grpc.Storage, error) {
+	// In the confidential computing, there is no Image information on the host,
+	// so there is no Rootfs.Target.
+	if sandbox.config.ServiceOffload && c.rootFs.Target == "" {
+		return nil, nil
+	}
 	if c.state.Fstype != "" && c.state.BlockDeviceID != "" {
 		// The rootfs storage volume represents the container rootfs
 		// mount point inside the guest.
diff --git a/src/runtime/virtcontainers/pkg/oci/utils.go b/src/runtime/virtcontainers/pkg/oci/utils.go
index c4413ec03d..51efe2ef64 100644
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@@ -134,6 +134,9 @@ type RuntimeConfig struct {
 
 	// Determines if enable pprof
 	EnablePprof bool
+
+	// Offload the CRI image management service to the Kata agent.
+	ServiceOffload bool
 }
 
 // AddKernelParam allows the addition of new kernel parameters to an existing
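Review bot: The new early return in hotplugDrive keys the "no host rootfs" condition on `c.rootFs.Source == ""`, while the equivalent guard added to buildContainerRootfs in kata_agent.go keys it on `c.rootFs.Target == ""`; if only one of the two fields is empty, one path short-circuits and the other proceeds, which is an easy way to end up with half-initialised rootfs state. Since the comments state both are empty under offload, a single predicate on Container, e.g. `func (c *Container) rootfsOffloaded() bool { return c.sandbox.config.ServiceOffload && c.rootFs.Source == "" && c.rootFs.Target == "" }`, used by both call sites would keep them in lockstep. This return also skips whatever hotplugDrive does after the `if !c.rootFs.Mounted` branch, which is outside the hunk — confirm nothing there is still required in offload mode.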
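Review bot: buildContainerRootfs now returns `nil, nil`, so every caller must nil-check the `*grpc.Storage` before appending it to a storage list or reading its fields; those callers are outside this hunk and are not updated here, so this should be confirmed. At minimum the behaviour belongs in the function's doc comment, e.g. `// buildContainerRootfs returns a nil Storage (and nil error) when the image service is offloaded to the guest and there is no host rootfs to describe; callers must treat nil as "no rootfs storage".` The comment on the new lines should match that wording rather than "In the confidential computing". The function body continues past the end of the hunk.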
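Review bot: The comment on the new `ServiceOffload` field describes what is offloaded but not what the runtime does differently, which is the part an operator needs: with it set, CreateTask requests may carry no rootfs and the host-side rootfs mount and drive hotplug are skipped (see the create.go, container.go and kata_agent.go hunks in this change). Suggest `// ServiceOffload offloads the CRI image management service to the Kata agent: images are pulled inside the guest, so the host may receive no rootfs and skips host-side rootfs mounting.` RuntimeConfig starts before this hunk.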
@@ -917,6 +920,8 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid, c
 
 		// Spec: &ocispec,
 		Experimental: runtime.Experimental,
+
+		ServiceOffload: runtime.ServiceOffload,
 	}
 
 	if err := addAnnotations(ocispec, &sandboxConfig, runtime); err != nil {
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index e35f295c6a..2658e97a8a 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -147,6 +147,9 @@ type SandboxConfig struct {
 	SandboxCgroupOnly bool
 
 	DisableGuestSeccomp bool
+
+	// Offload the CRI image management service to the Kata agent.
+	ServiceOffload bool
 }
 
 // valid checks that the sandbox configuration is valid.
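Review bot: The `valid` method whose doc comment closes the hunk is not touched, so a SandboxConfig with ServiceOffload set is accepted regardless of the rest of the configuration; if the option is only meaningful for a confidential guest, that method is the natural place to enforce it, but the constraint cannot be confirmed from this diff. The field comment is also a verbatim copy of the one added to oci.RuntimeConfig; suggest stating the effect at this level, e.g. `// ServiceOffload: images are pulled by the agent inside the guest, so containers in this sandbox may have no host rootfs.` SandboxConfig starts before this hunk.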