kata-types: add emptydir_mode configuration option

Add the emptydir_mode field to the Runtime configuration struct,
allowing runtime-rs to read the emptyDir handling mode from the
TOML config file. This is groundwork for trusted ephemeral data
storage support in runtime-rs (parity with the Go runtime).

Two modes are supported:
  - shared-fs (default): share emptyDir via virtio-fs/9p.
  - block-encrypted: plug a block device encrypted in-guest via
    CDH/LUKS2.

An empty value defaults to "shared-fs"; any other unrecognized value is
rejected during validation.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
Fabiano Fidêncio
2026-05-08 15:34:49 +02:00
parent c8f6f17269
commit b4a9d3256b


@@ -18,6 +18,12 @@ pub use shared_mount::SharedMount;
/// Type of runtime VirtContainer.
pub const RUNTIME_NAME_VIRTCONTAINER: &str = "virt_container";
/// EmptyDir mode: share the emptyDir folder with the guest using shared-fs.
pub const EMPTYDIR_MODE_SHARED_FS: &str = "shared-fs";
/// EmptyDir mode: plug a block device to be encrypted in the guest.
pub const EMPTYDIR_MODE_BLOCK_ENCRYPTED: &str = "block-encrypted";
/// Kata runtime configuration information.
#[derive(Debug, Default, Deserialize, Serialize)]
pub struct Runtime {
@@ -143,6 +149,15 @@ pub struct Runtime {
#[serde(default)]
pub disable_guest_empty_dir: bool,
/// Specifies how Kubernetes emptyDir volumes are handled.
///
/// Options:
/// - shared-fs (default): shares the emptyDir folder with the guest using the method
/// given by the shared_fs setting.
/// - block-encrypted: plugs a block device to be encrypted in the guest via CDH/LUKS2.
#[serde(default)]
pub emptydir_mode: String,
/// Determines how VFIO devices should be be presented to the container.
///
/// Options:
@@ -222,6 +237,9 @@ impl ConfigOps for Runtime {
if conf.runtime.internetworking_model.is_empty() {
conf.runtime.internetworking_model = default::DEFAULT_INTERNETWORKING_MODEL.to_owned();
}
if conf.runtime.emptydir_mode.is_empty() {
conf.runtime.emptydir_mode = EMPTYDIR_MODE_SHARED_FS.to_owned();
}
for bind in conf.runtime.sandbox_bind_mounts.iter_mut() {
// Split the bind mount, canonicalize the path and then append rw mode to it.
@@ -262,6 +280,15 @@ impl ConfigOps for Runtime {
)));
}
let emptydir_mode = &conf.runtime.emptydir_mode;
if emptydir_mode != EMPTYDIR_MODE_SHARED_FS
&& emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED
{
return Err(std::io::Error::other(format!(
"Invalid emptydir_mode `{emptydir_mode}` in configuration file",
)));
}
for shared_mount in &conf.runtime.shared_mounts {
shared_mount.validate()?;
}
@@ -360,6 +387,45 @@ vfio_mode = "guest_kernel"
config.validate().unwrap_err();
}
#[test]
fn test_invalid_emptydir_mode() {
let content = r#"
[runtime]
emptydir_mode = "invalid-value"
"#;
let config: TomlConfig = TomlConfig::load(content).unwrap();
config.validate().unwrap_err();
}
#[test]
fn test_valid_emptydir_mode() {
let content = r#"
[runtime]
emptydir_mode = "shared-fs"
"#;
let config: TomlConfig = TomlConfig::load(content).unwrap();
config.validate().unwrap();
assert_eq!(&config.runtime.emptydir_mode, "shared-fs");
let content = r#"
[runtime]
emptydir_mode = "block-encrypted"
"#;
let config: TomlConfig = TomlConfig::load(content).unwrap();
config.validate().unwrap();
assert_eq!(&config.runtime.emptydir_mode, "block-encrypted");
}
#[test]
fn test_default_emptydir_mode() {
let content = r#"
[runtime]
"#;
let config: TomlConfig = TomlConfig::load(content).unwrap();
config.validate().unwrap();
assert_eq!(&config.runtime.emptydir_mode, "shared-fs");
}
#[test]
fn test_config() {
let content = r#"