From 7aa3f7777a40d98269590f181aee327c4fece8d6 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 27 Apr 2026 16:42:46 +0100 Subject: [PATCH] runtime-rs: Actually send cdh_api_timeout as kernel_param The cdh_api_timeout_ms configuration parameter wasn't being used anywhere, so add the logic to process it as an annotation into the runtime-rs agent config and then use that as a kernel_param. Assisted-by IBM Bob Signed-off-by: stevenhorsman --- docs/how-to/how-to-set-sandbox-config-kata.md | 4 ++-- src/libs/kata-types/src/annotations/mod.rs | 11 +++++++++++ src/libs/kata-types/src/config/mod.rs | 8 ++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/docs/how-to/how-to-set-sandbox-config-kata.md b/docs/how-to/how-to-set-sandbox-config-kata.md index 535d233c6d..36fcded6eb 100644 --- a/docs/how-to/how-to-set-sandbox-config-kata.md +++ b/docs/how-to/how-to-set-sandbox-config-kata.md 
@@ -40,7 +40,8 @@ There are several kinds of Kata configurations and they are listed below. | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent | | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers | | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` | -| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | timeout in second for Confidential Data Hub (CDH) API service, default is `50` | +| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | Go runtime timeout in seconds for Confidential Data Hub (CDH) API service, default is `50` | +| `io.katacontainers.config.agent.cdh_api_timeout_ms` | uint32 | runtime-rs timeout in milliseconds for Confidential Data Hub (CDH) API service, default is `50000` | ### Hypervisor Options @@ -167,7 +168,6 @@ In the following example two PODs are created, but the kernel modules `e1000e` and `i915` are inserted only in the POD `pod1`. Also guest `seccomp` is only enabled in the POD `pod2`. - ```yaml apiVersion: v1 kind: Pod diff --git a/src/libs/kata-types/src/annotations/mod.rs b/src/libs/kata-types/src/annotations/mod.rs index 79e44712ac..271872d78a 100644 --- a/src/libs/kata-types/src/annotations/mod.rs +++ b/src/libs/kata-types/src/annotations/mod.rs 
@@ -79,6 +79,9 @@ pub const KATA_ANNO_CFG_AGENT_CONTAINER_PIPE_SIZE: &str = "io.katacontainers.config.agent.container_pipe_size"; /// An annotation key to specify the size of the pipes created for containers. pub const CONTAINER_PIPE_SIZE_KERNEL_PARAM: &str = "agent.container_pipe_size"; +/// An annotation to specify the Confidential Data Hub API timeout in milliseconds. +pub const KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT: &str = + "io.katacontainers.config.agent.cdh_api_timeout_ms"; // Hypervisor related annotations /// Prefix for Hypervisor configurations. @@ -1085,6 +1088,14 @@ impl Annotation { return Err(u32_err); } }, + KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT => match self.get_value::(key) { + Ok(v) => { + ag.cdh_api_timeout_ms = v.unwrap_or_default(); + } + Err(_e) => { + return Err(u32_err); + } + }, KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT => { match self.get_value::(key) { Ok(v) => { diff --git a/src/libs/kata-types/src/config/mod.rs b/src/libs/kata-types/src/config/mod.rs index f1d99e543c..be9ec49713 100644 --- a/src/libs/kata-types/src/config/mod.rs +++ b/src/libs/kata-types/src/config/mod.rs @@ -228,6 +228,14 @@ impl TomlConfig { launch_process_timeout, ); } + if cfg.cdh_api_timeout_ms > 0 { + // Convert milliseconds to seconds for agent kernel parameter + let cdh_api_timeout_secs = cfg.cdh_api_timeout_ms / 1000; + kv.insert( + "agent.cdh_api_timeout".to_string(), + cdh_api_timeout_secs.to_string(), + ); + } if cfg.debug_console_enabled { kv.insert(DEBUG_CONSOLE_FLAG.to_string(), "".to_string()); kv.insert(
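Review bot: The constant `KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT` drops the unit, although its key is `io.katacontainers.config.agent.cdh_api_timeout_ms` and the docs hunk of this patch lists a separate seconds-based `cdh_api_timeout` key for the Go runtime. Renaming it to `KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT_MS`, here and in the match arm added later in this file, would keep a reader from pairing it with the wrong key. The doc comment could also state the conversion, for example `/// An annotation to specify the Confidential Data Hub API timeout in milliseconds (passed to the agent in whole seconds).`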
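Review bot: The new `KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT` arm accepts any value that parses, and `v.unwrap_or_default()` turns an absent value into 0. If `get_value` can return `Ok(None)`, which is not visible in this hunk, that 0 would overwrite a timeout set in the TOML configuration, and the `> 0` guard added in `config/mod.rs` would then drop the kernel parameter without any error. Since annotations come from the pod spec, it seems safer to assign only when a value is present, `Ok(Some(v)) => ag.cdh_api_timeout_ms = v,` with `Ok(None) => {}`, and to reject values outside a sane range with an explicit error. Because the value is parsed as an integer before it is formatted into the kernel parameter, it cannot carry extra command-line text; the exposure is limited to the CDH timeout itself. The enclosing `match` starts and ends outside the hunk.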
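Review bot: The conversion `cfg.cdh_api_timeout_ms / 1000` truncates, so any value from 1 to 999 passes the `> 0` guard and is emitted as `agent.cdh_api_timeout=0`, and 1500 silently becomes 1. How the agent treats a zero timeout is not visible here, but it is unlikely to be what a sub-second setting intended. Rounding up avoids this: `let cdh_api_timeout_secs = cfg.cdh_api_timeout_ms.div_ceil(1000);` (assuming the field is an unsigned integer and the toolchain provides `div_ceil`). The literal `"agent.cdh_api_timeout"` would also read better as a named constant next to `CONTAINER_PIPE_SIZE_KERNEL_PARAM`. The enclosing function starts and ends outside the hunk.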