runtime-rs: skip local type conversion for block-encrypted emptyDirs

When emptydir_mode is "block-encrypted", host emptyDir paths must
remain as "bind" mounts so the EncryptedEmptyDirVolume handler can
intercept them in the volume dispatch chain.  Previously,
update_ephemeral_storage_type() would unconditionally convert them
to "local" type, causing them to be handled as plain local volumes
instead.

Add the emptydir_mode parameter to update_ephemeral_storage_type()
and its call chain (amend_spec in container.rs) and skip the
host-emptyDir-to-local conversion when the mode is block-encrypted.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Fabiano Fidêncio
2026-05-08 15:58:59 +02:00
parent d3a9669be5
commit 5e2ca6d6ee
2 changed files with 21 additions and 8 deletions


@@ -58,7 +58,13 @@ pub fn is_host_empty_dir(path: &str) -> bool {
// For the given pod ephemeral volume is created only once
// backed by tmpfs inside the VM. For successive containers
// of the same pod the already existing volume is reused.
pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_dir: bool) {
pub fn update_ephemeral_storage_type(
oci_spec: &mut Spec,
disable_guest_empty_dir: bool,
emptydir_mode: &str,
) {
use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;
if let Some(mounts) = oci_spec.mounts_mut() {
for m in mounts.iter_mut() {
if let Some(typ) = &m.typ() {
@@ -69,11 +75,16 @@ pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_di
if let Some(source) = &m.source() {
let mnt_src = &source.display().to_string();
// We only care about the "bind" mount volume here.
if is_ephemeral_volume(m) {
m.set_typ(Some(String::from(mount::KATA_EPHEMERAL_VOLUME_TYPE)));
}
if is_host_empty_dir(mnt_src) && !disable_guest_empty_dir {
// When block-encrypted mode is active, host emptyDirs must
// stay as "bind" so the EncryptedEmptyDirVolume handler can
// intercept them in the volume dispatch chain.
if is_host_empty_dir(mnt_src)
&& !disable_guest_empty_dir
&& emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED
{
m.set_typ(Some(mount::KATA_K8S_LOCAL_STORAGE_TYPE.to_string()));
}
}
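Review bot: The comment block directly above the new signature still describes only the ephemeral-volume reuse behaviour and says nothing about the added emptydir_mode parameter or the exemption it introduces; add a line such as `// When emptydir_mode is EMPTYDIR_MODE_BLOCK_ENCRYPTED, host emptyDir bind mounts are left as "bind" so the encrypted-emptyDir handler can claim them during volume dispatch.` The function-scope `use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;` would conventionally live with the file's top-level imports rather than inside the body. Skipping the local conversion means these mounts now reach dispatch as plain bind mounts, so if the EncryptedEmptyDirVolume handler is not registered ahead of the generic bind handling for this mode (the dispatch code is not visible here), the emptyDir would presumably be mounted from the host unencrypted; a test asserting the encrypted handler claims such a mount would guard against that regression. The body of update_ephemeral_storage_type continues outside the hunk.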


@@ -126,6 +126,7 @@ impl Container {
toml_config.runtime.disable_guest_seccomp,
disable_guest_selinux,
toml_config.runtime.disable_guest_empty_dir,
&toml_config.runtime.emptydir_mode,
)
.context("amend spec")?;
@@ -739,6 +740,7 @@ fn amend_spec(
disable_guest_seccomp: bool,
disable_guest_selinux: bool,
disable_guest_empty_dir: bool,
emptydir_mode: &str,
) -> Result<()> {
// Only the StartContainer hook needs to be reserved for execution in the guest
if let Some(hooks) = spec.hooks().as_ref() {
@@ -748,7 +750,7 @@ fn amend_spec(
}
// special process K8s ephemeral volumes.
update_ephemeral_storage_type(spec, disable_guest_empty_dir);
update_ephemeral_storage_type(spec, disable_guest_empty_dir, emptydir_mode);
if let Some(linux) = &mut spec.linux_mut() {
if disable_guest_seccomp {
@@ -861,11 +863,11 @@ mod tests {
assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
// disable_guest_seccomp = false
amend_spec(&mut spec, false, false, false).unwrap();
amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
// disable_guest_seccomp = true
amend_spec(&mut spec, true, false, false).unwrap();
amend_spec(&mut spec, true, false, false, "shared-fs").unwrap();
assert!(spec.linux().as_ref().unwrap().seccomp().is_none());
}
@@ -888,12 +890,12 @@ mod tests {
.unwrap();
// disable_guest_selinux = false, selinux labels are left alone
amend_spec(&mut spec, false, false, false).unwrap();
amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
assert!(spec.process().as_ref().unwrap().selinux_label() == &Some("xxx".to_owned()));
assert!(spec.linux().as_ref().unwrap().mount_label() == &Some("yyy".to_owned()));
// disable_guest_selinux = true, selinux labels are reset
amend_spec(&mut spec, false, true, false).unwrap();
amend_spec(&mut spec, false, true, false, "shared-fs").unwrap();
assert!(spec.process().as_ref().unwrap().selinux_label().is_none());
assert!(spec.linux().as_ref().unwrap().mount_label().is_none());
}
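Review bot: The test changes in this section only thread the literal "shared-fs" through amend_spec, so the new block-encrypted branch of update_ephemeral_storage_type has no coverage: nothing asserts that a host emptyDir bind mount keeps its "bind" type when emptydir_mode is EMPTYDIR_MODE_BLOCK_ENCRYPTED, nor that it is still converted to the local storage type for any other mode. A test that builds a Spec with a mount whose source is a host emptyDir path and calls amend_spec once with that constant and once with "shared-fs", checking the resulting mount type in each case, would pin the intended behaviour. If kata_types::config also exports a constant for the shared-fs mode, prefer it over the repeated "shared-fs" literal so a renamed mode value fails to compile instead of silently diverging. The amend_spec definition and the enclosing test functions begin and end outside these hunks.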