diff --git a/src/runtime-rs/Makefile b/src/runtime-rs/Makefile
index 7244f2d7e3..43735f0d9c 100644
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -178,6 +178,8 @@ DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_pa
 DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
 DEFDISABLEGUESTEMPTYDIR := false
+DEFEMPTYDIRMODE := shared-fs
+DEFEMPTYDIRMODE_COCO := block-encrypted
 ##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
 DEFAULTEXPFEATURES := []
 DEFDISABLESELINUX := false
@@ -665,6 +667,8 @@ USER_VARS += DEFNETWORKMODEL_CLH
 USER_VARS += DEFNETWORKMODEL_QEMU
 USER_VARS += DEFNETWORKMODEL_FC
 USER_VARS += DEFDISABLEGUESTEMPTYDIR
+USER_VARS += DEFEMPTYDIRMODE
+USER_VARS += DEFEMPTYDIRMODE_COCO
 USER_VARS += DEFDISABLEGUESTSECCOMP
 USER_VARS += DEFDISABLESELINUX
 USER_VARS += DEFDISABLEGUESTSELINUX
diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
index b14ebc57e7..7bde0f0950 100644
--- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
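Review bot: The two new variables `DEFEMPTYDIRMODE` and `DEFEMPTYDIRMODE_COCO` get no `##VAR` help line, although the neighbouring `##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled` shows this file documents user-settable defaults that way and both are added to `USER_VARS` in the second hunk. Suggest `##VAR DEFEMPTYDIRMODE=shared-fs|block-encrypted How Kubernetes emptyDir volumes are provided to the guest (non-confidential configs)` and `##VAR DEFEMPTYDIRMODE_COCO=shared-fs|block-encrypted Same, for the confidential (CoCo) configs` directly above the assignments. Separately, `DEFENABLEANNOTATIONS_COCO` in the same hunk is the allow-list of pod-annotation overrides for CoCo configurations; if `emptydir_mode` is, or later becomes, overridable through an annotation it must stay out of that list, otherwise a pod could downgrade the `block-encrypted` default back to `shared-fs`. The annotation handling itself is not visible from this hunk, so please confirm.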
@@ -782,6 +782,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
index a20f97547d..8c056f3b09 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-runtime-rs.toml.in
@@ -777,6 +777,18 @@ vfio_mode = "@DEFVFIOMODE_NV@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
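Review bot: The added comment says `- shared-fs (default)`, but in this coco-dev template the value substituted on the line below is `@DEFEMPTYDIRMODE_COCO@`, which the Makefile in this same change sets to `block-encrypted`, so the shipped file will document the wrong default directly above its own setting. Suggest dropping the parenthetical and stating the rationale instead: under `shared-fs`, `#   Shares the emptyDir folder with the guest via the `shared_fs` method. The host creates and can read its contents, so this is not suitable for confidential workloads.`, and under `block-encrypted`, `#   Default for confidential (CoCo) configurations.` The host-readability claim follows from the preceding context line, which says the directory is created on the host and shared via virtio-fs.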
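Review bot: `emptydir_mode` is added directly under `disable_guest_empty_dir`, and both now decide where an emptyDir lives, but the comment does not say how they combine: whether `disable_guest_empty_dir = true` forces host creation regardless of `emptydir_mode`, or whether `block-encrypted` is rejected in that case. The runtime code that reads these keys is not visible from the hunk, so the precedence is an open question rather than a defect I can point at. Whichever it is, a one-line statement such as `# Ignored when disable_guest_empty_dir is true; the emptyDir is then always created on the host.` (or its inverse) belongs here so operators do not assume an encryption they are not getting.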
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
index c24029696b..b24664366f 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-snp-runtime-rs.toml.in
@@ -709,6 +709,18 @@ vfio_mode = "@DEFVFIOMODE_NV@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
index 17499c2589..ab24baf8ee 100644
--- a/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-nvidia-gpu-tdx-runtime-rs.toml.in
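Review bot: `# Plugs a block device to be encrypted in the guest.` omits the properties an SNP operator needs in order to evaluate the mode: who generates the encryption key and where it lives (presumably inside the guest, so the host only ever sees ciphertext), whether it is per-sandbox and discarded on teardown, and whether the backing block device is host-provided. None of that is visible in this hunk, so I would add a short paragraph under `block-encrypted` describing the key lifecycle once it is confirmed against the implementation, and state explicitly that the data is protected from the host at rest but not from anything running inside the guest. As written, the comment reads as if the word "encrypted" alone establishes confidentiality.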
@@ -685,6 +685,18 @@ vfio_mode = "@DEFVFIOMODE_NV@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
index 1dcd8a0aa2..ac70f140c9 100644
--- a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in
@@ -779,6 +779,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
index 3edf12ba46..1309b70a21 100644
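Review bot: The comment enumerates two accepted values but does not say what happens when `emptydir_mode` holds anything else, such as a typo like `block-encryped` or an empty string; in a TDX configuration a silent fallback to `shared-fs` would quietly expose emptyDir contents to the host. The parser is not visible from this hunk, so whether it fails closed is an assumption to confirm. The comment should state the behaviour, e.g. `# Any other value is rejected when the sandbox is created.`, and the runtime should reject unknown values rather than pick a default.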
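Review bot: `block-encrypted` is offered in the non-confidential qemu template with exactly the wording used in the CoCo ones, but here the host retains full access to guest memory, so the mode protects the emptyDir only at rest on the host's block storage, not from the host itself. One sentence would keep the option from being mistaken for the confidential-computing guarantee, e.g. `#   Outside a confidential VM this protects the data at rest on the host only.` The hypervisor settings that determine whether a TEE is in use live elsewhere in this file and are not visible in the hunk.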
--- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
@@ -662,6 +662,18 @@ vfio_mode = "@DEFVFIOMODE_SE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
index 67e23550ce..0ac9a89871 100644
--- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
@@ -704,6 +704,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
index 818bf36cc0..ed717b8f35 100644
--- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
@@ -680,6 +680,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in
index aa44c1b636..31db32de4a 100644
--- a/src/runtime-rs/config/configuration-rs-fc.toml.in
+++ b/src/runtime-rs/config/configuration-rs-fc.toml.in
@@ -411,6 +411,18 @@ static_sandbox_resource_mgmt = @DEFSTATICRESOURCEMGMT_FC@
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@
 
+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+# - shared-fs (default)
+# Shares the emptyDir folder with the guest using the method given
+# by the `shared_fs` setting.
+#
+# - block-encrypted
+# Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
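Review bot: The Firecracker template now advertises `block-encrypted`, which requires the runtime to attach an extra block device per emptyDir to the microVM, and whether the Firecracker hypervisor path in runtime-rs implements that attach is not visible from this hunk. If it does not, the option should either be left out of this template or documented as unsupported, e.g. `# block-encrypted is not supported with Firecracker; only shared-fs is honoured.`, so that a misconfiguration is caught when the config is loaded rather than at first pod start. The value substituted here is `@DEFEMPTYDIRMODE@`, which the Makefile in this change sets to `shared-fs`, so the shipped file itself is fine.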