From 6237a43a8dc8a49eb2a23abb21a12d9a343a69c3 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 27 Apr 2026 16:40:59 +0100 Subject: [PATCH 1/2] runtime-rs: Add cdh_api_timeout_ms configuration parameter Add the cdh_api_timeout_ms parameter to runtime-rs. Note the go runtime has cdh_api_timeout is seconds, but the suggestions was to move everything to ms. This parameter controls the timeout for Confidential Data Hub API timeout in the agent. Changes: - Add cdh_api_timeout_ms field to Agent config struct in kata-types - Defaults to 50,000 milliseconds internally - Add cdh_api_timeout to confidential computing configuration files: - configuration-qemu-coco-dev-runtime-rs.toml.in - configuration-qemu-se-runtime-rs.toml.in - configuration-qemu-snp-runtime-rs.toml.in - configuration-qemu-tdx-runtime-rs.toml.in The parameter is only added to confidential computing configurations where the Confidential Data Hub is used. Assisted-by: IBM Bob Signed-off-by: stevenhorsman --- src/libs/kata-types/src/config/agent.rs | 16 +++++++++++++--- ...onfiguration-qemu-coco-dev-runtime-rs.toml.in | 4 ++++ .../configuration-qemu-se-runtime-rs.toml.in | 4 ++++ .../configuration-qemu-snp-runtime-rs.toml.in | 4 ++++ .../configuration-qemu-tdx-runtime-rs.toml.in | 5 ++++- .../config/configuration-rs-fc.toml.in | 6 +++--- 6 files changed, 32 insertions(+), 7 deletions(-) diff --git a/src/libs/kata-types/src/config/agent.rs b/src/libs/kata-types/src/config/agent.rs index 8dda214585..ded2523171 100644 --- a/src/libs/kata-types/src/config/agent.rs +++ b/src/libs/kata-types/src/config/agent.rs @@ -113,6 +113,10 @@ pub struct Agent { #[serde(default = "default_reconnect_timeout")] pub reconnect_timeout_ms: u32, + /// Confidential Data Hub API timeout value in milliseconds + #[serde(default = "default_cdh_api_timeout_ms")] + pub cdh_api_timeout_ms: u32, + /// Agent request timeout value in millisecond /// This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. /// It's also used to ensure that workloads, especially those involving large image pulls within the guest, @@ -180,9 +184,10 @@ impl std::default::Default for Agent { log_port: DEFAULT_AGENT_LOG_PORT, passfd_listener_port: DEFAULT_PASSFD_LISTENER_PORT, dial_timeout_ms: DEFAULT_AGENT_DIAL_TIMEOUT_MS, - reconnect_timeout_ms: 3_000, - request_timeout_ms: 30_000, - health_check_request_timeout_ms: 90_000, + reconnect_timeout_ms: default_reconnect_timeout(), + cdh_api_timeout_ms: default_cdh_api_timeout_ms(), + request_timeout_ms: default_request_timeout(), + health_check_request_timeout_ms: default_health_check_timeout(), kernel_modules: Default::default(), container_pipe_size: 0, launch_process_timeout: 0, @@ -218,6 +223,11 @@ fn default_reconnect_timeout() -> u32 { 3_000 } +fn default_cdh_api_timeout_ms() -> u32 { + // ms + 50_000 +} + fn default_request_timeout() -> u32 { // ms 30_000 diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in index b14ebc57e7..f710776101 100644 --- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in @@ -574,6 +574,10 @@ launch_process_timeout = 6 # Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s) create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@ +# Confidential Data Hub API timeout value in milliseconds +# (default: 50000) +cdh_api_timeout_ms = 50000 + [agent.@PROJECT_TYPE@.mem_agent] # Control the mem-agent function enable or disable. # Default to false diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in index 3edf12ba46..21d0144531 100644 --- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in @@ -551,6 +551,10 @@ launch_process_timeout = 6 # Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ +# Confidential Data Hub API timeout value in milliseconds +# (default: 50000) +cdh_api_timeout_ms = 50000 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in index 67e23550ce..239d048f69 100644 --- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in @@ -593,6 +593,10 @@ launch_process_timeout = 6 # Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s) create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@ +# Confidential Data Hub API timeout value in milliseconds +# (default: 50000) +cdh_api_timeout_ms = 50000 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in index 818bf36cc0..66c5a2cf26 100644 --- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in @@ -569,6 +569,10 @@ launch_process_timeout = 6 # Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s) create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@ +# Confidential Data Hub API timeout value in milliseconds +# (default: 50000) +cdh_api_timeout_ms = 50000 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log @@ -702,4 +706,3 @@ enable_pprof = false # to the hypervisor. # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" - diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in index aa44c1b636..20f99bf5cb 100644 --- a/src/runtime-rs/config/configuration-rs-fc.toml.in +++ b/src/runtime-rs/config/configuration-rs-fc.toml.in @@ -314,9 +314,9 @@ debug_console_enabled = false # (default: 45000) dial_timeout_ms = 45000 -# Confidential Data Hub API timeout value in seconds -# (default: 50) -cdh_api_timeout = 50 +# Confidential Data Hub API timeout value in milliseconds +# (default: 50000) +cdh_api_timeout_ms = 50000 # Create Container Request Timeout # This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. From 7aa3f7777a40d98269590f181aee327c4fece8d6 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 27 Apr 2026 16:42:46 +0100 Subject: [PATCH 2/2] runtime-rs: Actually send cdh_api_timeout as kernel_param The cdh_api_timeout_ms configuration parameter wasn't being used anywhere, so add the logic to process it as an annotation into the runtime-rs agent config and then use that as a kernel_param. Assisted-by IBM Bob Signed-off-by: stevenhorsman --- docs/how-to/how-to-set-sandbox-config-kata.md | 4 ++-- src/libs/kata-types/src/annotations/mod.rs | 11 +++++++++++ src/libs/kata-types/src/config/mod.rs | 8 ++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/docs/how-to/how-to-set-sandbox-config-kata.md b/docs/how-to/how-to-set-sandbox-config-kata.md index 535d233c6d..36fcded6eb 100644 --- a/docs/how-to/how-to-set-sandbox-config-kata.md +++ b/docs/how-to/how-to-set-sandbox-config-kata.md @@ -40,7 +40,8 @@ There are several kinds of Kata configurations and they are listed below. | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent | | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers | | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` | -| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | timeout in second for Confidential Data Hub (CDH) API service, default is `50` | +| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | Go runtime timeout in seconds for Confidential Data Hub (CDH) API service, default is `50` | +| `io.katacontainers.config.agent.cdh_api_timeout_ms` | uint32 | runtime-rs timeout in milliseconds for Confidential Data Hub (CDH) API service, default is `50000` | ### Hypervisor Options @@ -167,7 +168,6 @@ In the following example two PODs are created, but the kernel modules `e1000e` and `i915` are inserted only in the POD `pod1`. Also guest `seccomp` is only enabled in the POD `pod2`. - ```yaml apiVersion: v1 kind: Pod diff --git a/src/libs/kata-types/src/annotations/mod.rs b/src/libs/kata-types/src/annotations/mod.rs index 79e44712ac..271872d78a 100644 --- a/src/libs/kata-types/src/annotations/mod.rs +++ b/src/libs/kata-types/src/annotations/mod.rs @@ -79,6 +79,9 @@ pub const KATA_ANNO_CFG_AGENT_CONTAINER_PIPE_SIZE: &str = "io.katacontainers.config.agent.container_pipe_size"; /// An annotation key to specify the size of the pipes created for containers. pub const CONTAINER_PIPE_SIZE_KERNEL_PARAM: &str = "agent.container_pipe_size"; +/// An annotation to specify the Confidential Data Hub API timeout in milliseconds. +pub const KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT: &str = + "io.katacontainers.config.agent.cdh_api_timeout_ms"; // Hypervisor related annotations /// Prefix for Hypervisor configurations. @@ -1085,6 +1088,14 @@ impl Annotation { return Err(u32_err); } }, + KATA_ANNO_CFG_AGENT_CDH_API_TIMEOUT => match self.get_value::(key) { + Ok(v) => { + ag.cdh_api_timeout_ms = v.unwrap_or_default(); + } + Err(_e) => { + return Err(u32_err); + } + }, KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT => { match self.get_value::(key) { Ok(v) => { diff --git a/src/libs/kata-types/src/config/mod.rs b/src/libs/kata-types/src/config/mod.rs index f1d99e543c..be9ec49713 100644 --- a/src/libs/kata-types/src/config/mod.rs +++ b/src/libs/kata-types/src/config/mod.rs @@ -228,6 +228,14 @@ impl TomlConfig { launch_process_timeout, ); } + if cfg.cdh_api_timeout_ms > 0 { + // Convert milliseconds to seconds for agent kernel parameter + let cdh_api_timeout_secs = cfg.cdh_api_timeout_ms / 1000; + kv.insert( + "agent.cdh_api_timeout".to_string(), + cdh_api_timeout_secs.to_string(), + ); + } if cfg.debug_console_enabled { kv.insert(DEBUG_CONSOLE_FLAG.to_string(), "".to_string()); kv.insert(