From 0a736387442435e1c4f0c40404d979f84238df68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 26 Feb 2026 15:07:18 +0100 Subject: [PATCH] runtime: add configurable kubelet root dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Different kubernetes distributions, such as k0s, use a different kubelet root dir location instead of the default /var/lib/kubelet, so ConfigMap and Secret volume propagation were failing. This adds a kubelet_root_dir config option that the go runtime uses when matching volume paths and kata-deploy now sets it automatically for k0s via a drop-in file. runtime-rs does not need this option: it identifies ConfigMap/Secret, projected, and downward-api volumes by volume-type path segment (kubernetes.io~configmap, etc.), not by kubelet root prefix. Signed-off-by: Fabiano FidĂȘncio --- src/runtime/Makefile | 5 ++- src/runtime/config/configuration-clh.toml.in | 5 +++ src/runtime/config/configuration-fc.toml.in | 5 +++ .../config/configuration-qemu-cca.toml.in | 6 +++ .../configuration-qemu-coco-dev.toml.in | 5 +++ .../configuration-qemu-nvidia-gpu-snp.toml.in | 5 +++ .../configuration-qemu-nvidia-gpu-tdx.toml.in | 5 +++ .../configuration-qemu-nvidia-gpu.toml.in | 5 +++ .../config/configuration-qemu-se.toml.in | 5 +++ .../config/configuration-qemu-snp.toml.in | 5 +++ .../config/configuration-qemu-tdx.toml.in | 5 +++ src/runtime/config/configuration-qemu.toml.in | 5 +++ .../config/configuration-remote.toml.in | 5 +++ .../config/configuration-stratovirt.toml.in | 5 +++ src/runtime/pkg/katautils/config.go | 2 + src/runtime/pkg/oci/utils.go | 6 +++ src/runtime/virtcontainers/fs_share_linux.go | 32 +++++++------ src/runtime/virtcontainers/sandbox.go | 5 +++ .../binary/src/artifacts/install.rs | 45 +++++++++++++++---- .../packaging/kata-deploy/binary/src/main.rs | 2 +- 20 files changed, 139 insertions(+), 24 deletions(-) 
diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 8d889bc8d2..377cd79a5e 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -301,9 +301,11 @@ DEFDANCONF := /run/kata-containers/dans DEFFORCEGUESTPULL := false +DEFKUBELETROOTDIR := /var/lib/kubelet + # Device cold plug DEFPODRESOURCEAPISOCK := "" -DEFPODRESOURCEAPISOCK_NV := "/var/lib/kubelet/pod-resources/kubelet.sock" +DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock" SED = sed @@ -785,6 +787,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_NV USER_VARS += DEFBINDMOUNTS USER_VARS += DEFCREATECONTAINERTIMEOUT USER_VARS += DEFDANCONF +USER_VARS += DEFKUBELETROOTDIR USER_VARS += DEFFORCEGUESTPULL USER_VARS += DEFVFIOMODE USER_VARS += DEFVFIOMODE_SE diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 8718b56f39..6858ef3ffd 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -491,6 +491,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in index 5f55a02ba2..cd265d52d8 100644 --- a/src/runtime/config/configuration-fc.toml.in +++ b/src/runtime/config/configuration-fc.toml.in 
@@ -382,6 +382,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-cca.toml.in b/src/runtime/config/configuration-qemu-cca.toml.in index f3ec070c97..6039c72a87 100644 --- a/src/runtime/config/configuration-qemu-cca.toml.in +++ b/src/runtime/config/configuration-qemu-cca.toml.in @@ -670,6 +670,12 @@ dan_conf = "@DEFDANCONF@" # the container image should be pulled in the guest, without using an external snapshotter. # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ + +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-coco-dev.toml.in b/src/runtime/config/configuration-qemu-coco-dev.toml.in index 8d1c614006..fddc535fa4 100644 --- a/src/runtime/config/configuration-qemu-coco-dev.toml.in +++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in 
@@ -734,6 +734,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in index 8503209754..ae71fe6162 100644 --- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in +++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in @@ -750,6 +750,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in index 3f17b53634..e778df34ab 100644 --- a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in +++ b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in 
@@ -727,6 +727,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in index 40e53aba7d..5d8272da08 100644 --- a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in +++ b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in @@ -724,6 +724,11 @@ create_container_timeout = @DEFAULTTIMEOUT_NV@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-se.toml.in b/src/runtime/config/configuration-qemu-se.toml.in index 49fefa099c..6a073b6d34 100644 --- a/src/runtime/config/configuration-qemu-se.toml.in +++ b/src/runtime/config/configuration-qemu-se.toml.in 
@@ -712,6 +712,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in index 47c9140935..c7d6e3e07a 100644 --- a/src/runtime/config/configuration-qemu-snp.toml.in +++ b/src/runtime/config/configuration-qemu-snp.toml.in @@ -737,6 +737,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in index 49c7e0eda5..b034b78670 100644 --- a/src/runtime/config/configuration-qemu-tdx.toml.in +++ b/src/runtime/config/configuration-qemu-tdx.toml.in 
@@ -719,6 +719,11 @@ dan_conf = "@DEFDANCONF@" # This is an experimental feature and might be removed in the future. experimental_force_guest_pull = @DEFFORCEGUESTPULL@ +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 7059a0f467..f12099c31f 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -723,6 +723,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-remote.toml.in b/src/runtime/config/configuration-remote.toml.in index 3a9b34fae8..fe677656e9 100644 --- a/src/runtime/config/configuration-remote.toml.in +++ b/src/runtime/config/configuration-remote.toml.in 
@@ -290,6 +290,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/config/configuration-stratovirt.toml.in b/src/runtime/config/configuration-stratovirt.toml.in index c4669c711e..5508accdfe 100644 --- a/src/runtime/config/configuration-stratovirt.toml.in +++ b/src/runtime/config/configuration-stratovirt.toml.in @@ -425,6 +425,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ # (default: /run/kata-containers/dans) dan_conf = "@DEFDANCONF@" +# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret +# volume paths for propagation. Override for distros that use a different path +# (e.g. k0s: /var/lib/k0s/kubelet). +kubelet_root_dir = "@DEFKUBELETROOTDIR@" + # pod_resource_api_sock specifies the unix socket for the Kubelet's # PodResource API endpoint. If empty, kubernetes based cold plug # will not be attempted. In order for this feature to work, the diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 356dc78aba..de9136a338 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -201,6 +201,7 @@ type runtime struct { DanConf string `toml:"dan_conf"` ForceGuestPull bool `toml:"experimental_force_guest_pull"` PodResourceAPISock string `toml:"pod_resource_api_sock"` + KubeletRootDir string `toml:"kubelet_root_dir"` } type agent struct { 
@@ -1642,6 +1643,7 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat config.ForceGuestPull = tomlConf.Runtime.ForceGuestPull config.PodResourceAPISock = tomlConf.Runtime.PodResourceAPISock + config.KubeletRootDir = tomlConf.Runtime.KubeletRootDir return resolved, config, nil } diff --git a/src/runtime/pkg/oci/utils.go b/src/runtime/pkg/oci/utils.go index 99d86515a9..854cb42cec 100644 --- a/src/runtime/pkg/oci/utils.go +++ b/src/runtime/pkg/oci/utils.go @@ -193,6 +193,10 @@ type RuntimeConfig struct { // ColdPlugVFIO != NoPort AND PodResourceAPISock != "" => kubelet // based cold plug. PodResourceAPISock string + + // KubeletRootDir is the kubelet root directory used to match ConfigMap/Secret + // volume paths (e.g. /var/lib/k0s/kubelet for k0s). If empty, default is used. + KubeletRootDir string } // AddKernelParam allows the addition of new kernel parameters to an existing @@ -1216,6 +1220,8 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid st CreateContainerTimeout: runtime.CreateContainerTimeout, ForceGuestPull: runtime.ForceGuestPull, + + KubeletRootDir: runtime.KubeletRootDir, } if err := addAnnotations(ocispec, &sandboxConfig, runtime); err != nil { diff --git a/src/runtime/virtcontainers/fs_share_linux.go b/src/runtime/virtcontainers/fs_share_linux.go index e8f93fe93a..ff9d25dff6 100644 --- a/src/runtime/virtcontainers/fs_share_linux.go +++ b/src/runtime/virtcontainers/fs_share_linux.go 
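Review bot: `config.KubeletRootDir` is copied from the TOML verbatim, so a relative path or a trailing slash (`/var/lib/k0s/kubelet/`) is accepted as-is and later becomes the literal prefix of the volume-matching regexes built in fs_share_linux.go, where it would most likely match no path at all and silently disable ConfigMap/Secret propagation. Normalise and validate it at load time, next to the assignment: `if config.KubeletRootDir != "" && !filepath.IsAbs(config.KubeletRootDir) { return resolved, config, fmt.Errorf("kubelet_root_dir must be an absolute path, got %q", config.KubeletRootDir) }` followed by `if config.KubeletRootDir != "" { config.KubeletRootDir = filepath.Clean(config.KubeletRootDir) }` (assuming `path/filepath` is already imported, which I cannot see from here). LoadConfiguration starts well before this hunk, so an existing validation pass may be the better home for the check; the point is only that some check exists before the value reaches the regex.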
@@ -58,19 +58,20 @@ func unmountNoFollow(path string) error {
 return syscall.Unmount(path, syscall.MNT_DETACH|UmountNoFollow)
 }
 
-// Resolve the K8S root dir if it is a symbolic link
-func resolveRootDir() string {
- rootDir, err := os.Readlink(defaultKubernetesRootDir)
- if err != nil {
- // Use the default root dir in case of any errors resolving the root dir symlink
- return defaultKubernetesRootDir
+// resolveRootDirWithBase returns the resolved (followed symlink) kubelet root path.
+// If base is non-empty it is used as the root; otherwise defaultKubernetesRootDir is used.
+func resolveRootDirWithBase(base string) string {
+ if base == "" {
+ base = defaultKubernetesRootDir
+ }
+ rootDir, err := os.Readlink(base)
+ if err != nil {
+ return base
 }
- // Make root dir an absolute path if needed
 if !filepath.IsAbs(rootDir) {
- rootDir, err = filepath.Abs(filepath.Join(filepath.Dir(defaultKubernetesRootDir), rootDir))
+ rootDir, err = filepath.Abs(filepath.Join(filepath.Dir(base), rootDir))
 if err != nil {
- // Use the default root dir in case of any errors resolving the root dir symlink
- return defaultKubernetesRootDir
+ return base
 }
 }
 return rootDir
@@ -99,9 +100,14 @@ func NewFilesystemShare(s *Sandbox) (*FilesystemShare, error) {
 return nil, fmt.Errorf("Creating watcher returned error %w", err)
 }
 
- kubernetesRootDir := resolveRootDir()
- configVolRegex := regexp.MustCompile("^" + kubernetesRootDir + configVolRegexString)
- timestampDirRegex := regexp.MustCompile("^" + kubernetesRootDir + configVolRegexString + timestampDirRegexString)
+ baseRoot := ""
+ if s.config != nil {
+ baseRoot = s.config.KubeletRootDir
+ }
+ kubernetesRootDir := resolveRootDirWithBase(baseRoot)
+ quotedRoot := regexp.QuoteMeta(kubernetesRootDir)
+ configVolRegex := regexp.MustCompile("^" + quotedRoot + configVolRegexString)
+ timestampDirRegex := regexp.MustCompile("^" + quotedRoot + configVolRegexString + timestampDirRegexString)
 
 return &FilesystemShare{
 prepared: false,
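Review bot: `os.Readlink(base)` dereferences a single symlink level and returns `base` untouched when it is an ordinary directory, so the new doc comment's "resolved (followed symlink)" overstates what `resolveRootDirWithBase` does; either reword it to "follows one symlink level, if base is a symlink" or use `filepath.EvalSymlinks(base)`, which resolves every path component and normalises the result. That behaviour is inherited from `resolveRootDir`, but it now applies to an operator-supplied `kubelet_root_dir`, and a value that does not match the kubelet's real root silently disables ConfigMap/Secret update propagation rather than failing loudly. In the second hunk (`NewFilesystemShare`) I would log the resolved `kubernetesRootDir` at debug level via the sandbox logger, so a mismatch can be diagnosed from the shim log instead of from stale secrets in the guest. The `regexp.QuoteMeta` addition is the right call now that the prefix is configurable.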
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go index 30d44dd762..68c9ba566c 100644 --- a/src/runtime/virtcontainers/sandbox.go +++ b/src/runtime/virtcontainers/sandbox.go @@ -189,6 +189,11 @@ type SandboxConfig struct { // ForceGuestPull enforces guest pull independent of snapshotter annotations. ForceGuestPull bool + + // KubeletRootDir is the kubelet root directory (e.g. /var/lib/kubelet or + // /var/lib/k0s/kubelet for k0s). If empty, the runtime uses the default + // /var/lib/kubelet for matching ConfigMap/Secret volume paths. + KubeletRootDir string } // valid checks that the sandbox configuration is valid. diff --git a/tools/packaging/kata-deploy/binary/src/artifacts/install.rs b/tools/packaging/kata-deploy/binary/src/artifacts/install.rs index 561bdcb2b1..2fa37af6ac 100644 --- a/tools/packaging/kata-deploy/binary/src/artifacts/install.rs +++ b/tools/packaging/kata-deploy/binary/src/artifacts/install.rs @@ -71,7 +71,7 @@ fn get_hypervisor_name(shim: &str) -> Result<&str> { } } -pub async fn install_artifacts(config: &Config) -> Result<()> { +pub async fn install_artifacts(config: &Config, container_runtime: &str) -> Result<()> { info!("copying kata artifacts onto host"); // Create the installation directory if it doesn't exist @@ -99,12 +99,12 @@ pub async fn install_artifacts(config: &Config) -> Result<()> { set_executable_permissions(&config.host_install_dir)?; for shim in &config.shims_for_arch { - configure_shim_config(config, shim).await?; + configure_shim_config(config, shim, container_runtime).await?; } // Install custom runtime configuration files if enabled if config.custom_runtimes_enabled && !config.custom_runtimes.is_empty() { - install_custom_runtime_configs(config)?; + install_custom_runtime_configs(config, container_runtime)?; } if std::env::var("HOST_OS").unwrap_or_default() == "cbl-mariner" { 
@@ -146,7 +146,12 @@ pub async fn remove_artifacts(config: &Config) -> Result<()> {
 
 /// Write the common drop-in configuration files for a shim.
 /// This is shared between standard runtimes and custom runtimes.
-fn write_common_drop_ins(config: &Config, shim: &str, config_d_dir: &str) -> Result<()> {
+fn write_common_drop_ins(
+ config: &Config,
+ shim: &str,
+ config_d_dir: &str,
+ container_runtime: &str,
+) -> Result<()> {
 info!("Generating drop-in configuration files for shim: {}", shim);
 
 // 1. Installation prefix adjustments (if not default)
@@ -163,6 +168,15 @@ fn write_common_drop_ins(config: &Config, shim: &str, config_d_dir: &str) -> Res
 write_drop_in_file(config_d_dir, "20-debug.toml", &debug_content)?;
 }
 
+ // 2b. k0s: set kubelet root dir so ConfigMap/Secret volume propagation works (non-Rust shims only)
+ if (container_runtime == "k0s-worker" || container_runtime == "k0s-controller")
+ && !utils::is_rust_shim(shim)
+ {
+ info!(" - k0s: setting kubelet_root_dir for ConfigMap/Secret propagation");
+ let k0s_content = generate_k0s_kubelet_root_drop_in();
+ write_drop_in_file(config_d_dir, "22-k0s-kubelet-root.toml", &k0s_content)?;
+ }
+
 // 3. Combined kernel_params (proxy, debug, etc.)
 // Reads base kernel_params from original config and combines with new params
 let kernel_params_content = generate_kernel_params_drop_in(config, shim)?;
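Review bot: the k0s condition in the second hunk compares `container_runtime` against two inline string literals; `matches!(container_runtime, "k0s-worker" | "k0s-controller") && !utils::is_rust_shim(shim)` reads better and keeps the variant list in one place, and if those runtime names already exist as constants in the crate (I cannot see that from here) they should be reused rather than repeated. The existing comment says the drop-in is for non-Rust shims only but not why; a short addition such as `// runtime-rs matches volumes by type segment, not by kubelet root, so it has no kubelet_root_dir option` next to the condition would save the next reader a trip to the runtime-rs sources. `write_common_drop_ins` continues past the end of the hunk.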
@@ -176,8 +190,8 @@ fn write_common_drop_ins(config: &Config, shim: &str, config_d_dir: &str) -> Res /// Each custom runtime gets an isolated directory under custom-runtimes/{handler}/ /// Custom runtimes inherit the same drop-in configurations as standard runtimes -/// (installation prefix, debug, kernel_params) plus any user-provided overrides. -fn install_custom_runtime_configs(config: &Config) -> Result<()> { +/// (installation prefix, debug, kernel_params, and for k0s on Go/remote runtime: kubelet root) plus any user-provided overrides. +fn install_custom_runtime_configs(config: &Config, container_runtime: &str) -> Result<()> { info!("Installing custom runtime configuration files"); for runtime in &config.custom_runtimes { @@ -225,7 +239,7 @@ fn install_custom_runtime_configs(config: &Config) -> Result<()> { } // Generate the common drop-in files (shared with standard runtimes) - write_common_drop_ins(config, &runtime.base_config, &config_d_dir)?; + write_common_drop_ins(config, &runtime.base_config, &config_d_dir, container_runtime)?; // Copy user-provided drop-in file if provided (at 50-overrides.toml) if let Some(ref drop_in_src) = runtime.drop_in_file { @@ -490,7 +504,7 @@ fn remove_runtime_directory(config: &Config, shim: &str) -> Result<()> { Ok(()) } -async fn configure_shim_config(config: &Config, shim: &str) -> Result<()> { +async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &str) -> Result<()> { // Set up the runtime directory structure with symlink to original config setup_runtime_directory(config, shim)?; @@ -513,7 +527,7 @@ async fn configure_shim_config(config: &Config, shim: &str) -> Result<()> { } // Generate common drop-in files (shared with custom runtimes) - write_common_drop_ins(config, shim, &config_d_dir)?; + write_common_drop_ins(config, shim, &config_d_dir, container_runtime)?; configure_hypervisor_annotations(config, shim, &kata_config_file).await?; 
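Review bot: the rewritten doc line on `install_custom_runtime_configs` in the first hunk is now a single ~130-column sentence, which rustfmt will not wrap for you; split it so it stays under the project's line width, e.g. `/// (installation prefix, debug, kernel_params and, for k0s with a non-Rust shim,` followed by `/// the kubelet root dir) plus any user-provided overrides.`. The "Go/remote runtime" wording also does not match the condition actually used in `write_common_drop_ins`, which keys on `!utils::is_rust_shim(shim)`; describing it as "non-Rust shim" keeps the doc and the code in agreement.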
@@ -678,6 +692,19 @@ fn generate_installation_prefix_drop_in(config: &Config, shim: &str) -> Result String { + r#"# k0s kubelet root directory +# Generated by kata-deploy for k0s (ConfigMap/Secret volume propagation) + +[runtime] +kubelet_root_dir = "/var/lib/k0s/kubelet" +"# + .to_string() +} + /// Generate drop-in content for debug configuration. /// Enables debug settings for the hypervisor, runtime, and agent. /// Note: kernel_params for debug are handled separately in generate_kernel_params_drop_in diff --git a/tools/packaging/kata-deploy/binary/src/main.rs b/tools/packaging/kata-deploy/binary/src/main.rs index c4bc146ee1..de587e63a1 100644 --- a/tools/packaging/kata-deploy/binary/src/main.rs +++ b/tools/packaging/kata-deploy/binary/src/main.rs @@ -189,7 +189,7 @@ async fn install(config: &config::Config, runtime: &str) -> Result<()> { runtime::containerd::setup_containerd_config_files(runtime, config).await?; - artifacts::install_artifacts(config).await?; + artifacts::install_artifacts(config, runtime).await?; runtime::configure_cri_runtime(config, runtime).await?;
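Review bot: `generate_k0s_kubelet_root_drop_in` hard-codes `/var/lib/k0s/kubelet`, which is only right when k0s runs with its default data directory; a node with a non-default one gets a drop-in that again points `kubelet_root_dir` at the wrong tree and propagation fails silently, the same failure this commit sets out to fix. At minimum hoist the literal into a named constant (e.g. `const K0S_KUBELET_ROOT_DIR: &str = "/var/lib/k0s/kubelet";`) and state the default-data-dir assumption in the function's doc comment, so the limitation is visible to whoever hits it. Related: the Makefile hunk rebases `DEFPODRESOURCEAPISOCK_NV` onto `DEFKUBELETROOTDIR` only at build time, so this drop-in leaves `pod_resource_api_sock` in the NVIDIA configs at the `/var/lib/kubelet` default; whether the k0s kubelet publishes the pod-resources socket under its own root I cannot verify here, but if it does, the drop-in should set both keys. The function's signature line is not fully legible in this view, so I cannot confirm its existing doc comment.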