From 5e2ca6d6ee0165ca7431760d06cd531dca5d57d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 8 May 2026 15:58:59 +0200
Subject: [PATCH] runtime-rs: skip local type conversion for block-encrypted emptyDirs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When emptydir_mode is "block-encrypted", host emptyDir paths must remain as "bind" mounts so the EncryptedEmptyDirVolume handler can intercept them in the volume dispatch chain. Previously, update_ephemeral_storage_type() would unconditionally convert them to "local" type, causing them to be handled as plain local volumes instead.

Add the emptydir_mode parameter to update_ephemeral_storage_type() and its call chain (amend_spec in container.rs) and skip the host-emptyDir-to-local conversion when the mode is block-encrypted.

Signed-off-by: Fabiano FidĂȘncio
Assisted-by: Cursor
---
 src/libs/kata-sys-util/src/k8s.rs | 17 ++++++++++++++---
 .../src/container_manager/container.rs | 12 +++++++-----
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/libs/kata-sys-util/src/k8s.rs b/src/libs/kata-sys-util/src/k8s.rs
index 8b803ef062..085a622c6f 100644
--- a/src/libs/kata-sys-util/src/k8s.rs
+++ b/src/libs/kata-sys-util/src/k8s.rs
@@ -58,7 +58,13 @@ pub fn is_host_empty_dir(path: &str) -> bool {
 // For the given pod ephemeral volume is created only once
 // backed by tmpfs inside the VM. For successive containers
 // of the same pod the already existing volume is reused.
-pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_dir: bool) {
+pub fn update_ephemeral_storage_type(
+    oci_spec: &mut Spec,
+    disable_guest_empty_dir: bool,
+    emptydir_mode: &str,
+) {
+    use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;
     if let Some(mounts) = oci_spec.mounts_mut() {
         for m in mounts.iter_mut() {
             if let Some(typ) = &m.typ() {
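Review bot: The function-scoped `use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;` placed right after `) {` is a style point: the other constants this function uses (`mount::KATA_EPHEMERAL_VOLUME_TYPE`, `mount::KATA_K8S_LOCAL_STORAGE_TYPE`) are reached through module-level imports, and a `use` hidden at the top of a body is easy to overlook when someone later reorganises the file's imports. Move it to the module's import block and let the body start at `if let Some(mounts)`. The comment block above the signature also predates the new parameter; add a line such as `// When emptydir_mode is "block-encrypted", host emptyDirs are left as "bind" mounts for the encrypted-emptyDir handler.` so the contract is visible from the signature. The function body continues in the next hunk.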
@@ -69,11 +75,16 @@ pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_di
             if let Some(source) = &m.source() {
                 let mnt_src = &source.display().to_string();
-                // We only care about the "bind" mount volume here.
                 if is_ephemeral_volume(m) {
                     m.set_typ(Some(String::from(mount::KATA_EPHEMERAL_VOLUME_TYPE)));
                 }
-                if is_host_empty_dir(mnt_src) && !disable_guest_empty_dir {
+                // When block-encrypted mode is active, host emptyDirs must
+                // stay as "bind" so the EncryptedEmptyDirVolume handler can
+                // intercept them in the volume dispatch chain.
+                if is_host_empty_dir(mnt_src)
+                    && !disable_guest_empty_dir
+                    && emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED
+                {
                     m.set_typ(Some(mount::KATA_K8S_LOCAL_STORAGE_TYPE.to_string()));
                 }
             }
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index d8b5fd9467..ca876d5fe6 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -126,6 +126,7 @@ impl Container {
             toml_config.runtime.disable_guest_seccomp,
             disable_guest_selinux,
             toml_config.runtime.disable_guest_empty_dir,
+            &toml_config.runtime.emptydir_mode,
         )
         .context("amend spec")?;
 
@@ -739,6 +740,7 @@ fn amend_spec(
     disable_guest_seccomp: bool,
     disable_guest_selinux: bool,
     disable_guest_empty_dir: bool,
+    emptydir_mode: &str,
 ) -> Result<()> {
     // Only the StartContainer hook needs to be reserved for execution in the guest
     if let Some(hooks) = spec.hooks().as_ref() {
@@ -748,7 +750,7 @@ fn amend_spec(
     }
 
     // special process K8s ephemeral volumes.
-    update_ephemeral_storage_type(spec, disable_guest_empty_dir);
+    update_ephemeral_storage_type(spec, disable_guest_empty_dir, emptydir_mode);
 
     if let Some(linux) = &mut spec.linux_mut() {
         if disable_guest_seccomp {
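Review bot: The new `&& emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED` clause is a raw string comparison, so any configured value that is not byte-for-byte that constant — a typo or case variant — keeps the old behaviour and the emptyDir is converted to `local`, meaning a volume the operator intended to be encrypted silently ends up unencrypted with no error. If `emptydir_mode` is not already validated against the known mode names when the config is loaded (not visible in this patch), that check belongs there so this function can rely on it; either way, the new `emptydir_mode: &str` parameter of `amend_spec` in container.rs deserves a one-line comment such as `// emptydir_mode: one of the known emptyDir modes; "block-encrypted" keeps host emptyDirs as bind mounts`. The comment added above the condition should also record the trade-off it makes: a host emptyDir left as `bind` is only protected if the EncryptedEmptyDirVolume handler actually claims it downstream, otherwise it is a plain host-backed mount, which is weaker than the guest-tmpfs `local` path this code previously selected — so a missing or mis-registered handler fails open rather than closed. The enclosing function starts in the previous hunk.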
@@ -861,11 +863,11 @@ mod tests {
         assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
         // disable_guest_seccomp = false
-        amend_spec(&mut spec, false, false, false).unwrap();
+        amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
         assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
         // disable_guest_seccomp = true
-        amend_spec(&mut spec, true, false, false).unwrap();
+        amend_spec(&mut spec, true, false, false, "shared-fs").unwrap();
         assert!(spec.linux().as_ref().unwrap().seccomp().is_none());
     }
@@ -888,12 +890,12 @@ mod tests {
             .unwrap();
         // disable_guest_selinux = false, selinux labels are left alone
-        amend_spec(&mut spec, false, false, false).unwrap();
+        amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
         assert!(spec.process().as_ref().unwrap().selinux_label() == &Some("xxx".to_owned()));
         assert!(spec.linux().as_ref().unwrap().mount_label() == &Some("yyy".to_owned()));
         // disable_guest_selinux = true, selinux labels are reset
-        amend_spec(&mut spec, false, true, false).unwrap();
+        amend_spec(&mut spec, false, true, false, "shared-fs").unwrap();
         assert!(spec.process().as_ref().unwrap().selinux_label().is_none());
         assert!(spec.linux().as_ref().unwrap().mount_label().is_none());
     }
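Review bot: Both test hunks only thread the literal `"shared-fs"` through `amend_spec` so the existing seccomp and SELinux cases keep compiling; nothing exercises the branch this patch introduces, so a regression that drops the new clause would go unnoticed. Add a case that builds a spec with a `bind` mount whose source satisfies `is_host_empty_dir`, calls `update_ephemeral_storage_type(&mut spec, false, EMPTYDIR_MODE_BLOCK_ENCRYPTED)` and asserts the mount type is still `bind`, alongside a control call with the shared-fs mode asserting it became `KATA_K8S_LOCAL_STORAGE_TYPE`. If `kata_types::config` exposes a constant for the shared-fs mode next to `EMPTYDIR_MODE_BLOCK_ENCRYPTED`, use it rather than the bare literal so the tests follow any rename. Both test functions start outside the hunks.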