From b4a9d3256b9468393e8bf0ae1b59a417be9deeb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 8 May 2026 15:34:49 +0200
Subject: [PATCH] kata-types: add emptydir_mode configuration option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add the emptydir_mode field to the Runtime configuration struct, allowing runtime-rs to read the emptyDir handling mode from the TOML config file.

This is groundwork for trusted ephemeral data storage support in runtime-rs (parity with the Go runtime).

Two modes are supported:
- shared-fs (default): share emptyDir via virtio-fs/9p.
- block-encrypted: plug a block device encrypted in-guest via CDH/LUKS2.

Empty values default to "shared-fs"; unknown values are rejected during validation.

Signed-off-by: Fabiano FidĂȘncio
Assisted-by: Cursor
---
 src/libs/kata-types/src/config/runtime.rs | 66 +++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/src/libs/kata-types/src/config/runtime.rs b/src/libs/kata-types/src/config/runtime.rs
index bfa5bef197..830af89575 100644
--- a/src/libs/kata-types/src/config/runtime.rs
+++ b/src/libs/kata-types/src/config/runtime.rs
@@ -18,6 +18,12 @@ pub use shared_mount::SharedMount;
 /// Type of runtime VirtContainer.
 pub const RUNTIME_NAME_VIRTCONTAINER: &str = "virt_container";
 
+/// EmptyDir mode: share the emptyDir folder with the guest using shared-fs.
+pub const EMPTYDIR_MODE_SHARED_FS: &str = "shared-fs";
+
+/// EmptyDir mode: plug a block device to be encrypted in the guest.
+pub const EMPTYDIR_MODE_BLOCK_ENCRYPTED: &str = "block-encrypted";
+
 /// Kata runtime configuration information.
 #[derive(Debug, Default, Deserialize, Serialize)]
 pub struct Runtime {
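Review bot: The two `&str` constants, together with the `pub emptydir_mode: String` field added in the next hunk, make the mode stringly typed: every consumer in runtime-rs has to compare against these constants, and nothing forces an exhaustive match when a third mode is added. An `enum EmptyDirMode { SharedFs, BlockEncrypted }` with `#[serde(rename_all = "kebab-case")]` and a `#[default]` on `SharedFs` would have serde reject unknown values at load time and would make the hand-written validation in the later hunk unnecessary. The neighbouring `internetworking_model` and `vfio_mode` fields follow the string-plus-validate convention, so keeping a `String` is defensible for consistency; if that is the choice, the constants should say so, e.g. `/// Accepted values of `Runtime::emptydir_mode`; any other value fails validation.` above the first one.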
@@ -143,6 +149,15 @@ pub struct Runtime {
 #[serde(default)]
 pub disable_guest_empty_dir: bool,
 
+ /// Specifies how Kubernetes emptyDir volumes are handled.
+ ///
+ /// Options:
+ /// - shared-fs (default): shares the emptyDir folder with the guest using the method
+ /// given by the shared_fs setting.
+ /// - block-encrypted: plugs a block device to be encrypted in the guest via CDH/LUKS2.
+ #[serde(default)]
+ pub emptydir_mode: String,
+
 /// Determines how VFIO devices should be be presented to the container.
 ///
 /// Options:
@@ -222,6 +237,9 @@ impl ConfigOps for Runtime {
 if conf.runtime.internetworking_model.is_empty() {
 conf.runtime.internetworking_model = default::DEFAULT_INTERNETWORKING_MODEL.to_owned();
 }
+ if conf.runtime.emptydir_mode.is_empty() {
+ conf.runtime.emptydir_mode = EMPTYDIR_MODE_SHARED_FS.to_owned();
+ }
 
 for bind in conf.runtime.sandbox_bind_mounts.iter_mut() {
 // Split the bind mount, canonicalize the path and then append rw mode to it.
@@ -262,6 +280,15 @@ impl ConfigOps for Runtime {
 )));
 }
 
+ let emptydir_mode = &conf.runtime.emptydir_mode;
+ if emptydir_mode != EMPTYDIR_MODE_SHARED_FS
+ && emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED
+ {
+ return Err(std::io::Error::other(format!(
+ "Invalid emptydir_mode `{emptydir_mode}` in configuration file",
+ )));
+ }
+
 for shared_mount in &conf.runtime.shared_mounts {
 shared_mount.validate()?;
 }
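Review bot: The doc comment on the new `emptydir_mode` field does not say how it relates to `disable_guest_empty_dir`, the field directly above it in the hunk, so an operator reading the generated configuration cannot tell whether `block-encrypted` has any effect when guest-side emptyDir handling is disabled. Once the semantics are settled, a line such as `/// Only consulted when emptyDir volumes are handled by the guest (see disable_guest_empty_dir) — TODO confirm` would close that gap. The doc for `shared-fs` already points at the `shared_fs` setting, which is the right pattern to follow here. The `Runtime` struct continues outside the hunk.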
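Review bot: The new default branch assigns `EMPTYDIR_MODE_SHARED_FS` directly, whereas the `internetworking_model` branch two lines above it reads its default through the `default` module (`default::DEFAULT_INTERNETWORKING_MODEL`). If that module is where this crate keeps its defaults, adding a `DEFAULT_EMPTYDIR_MODE` there and writing `conf.runtime.emptydir_mode = default::DEFAULT_EMPTYDIR_MODE.to_owned();` keeps the function uniform and gives the field documentation and the tests one place to point at. The enclosing function starts and ends outside the hunk.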
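Review bot: The allow-list check is written as two negated comparisons spread over three lines; `if !matches!(emptydir_mode.as_str(), EMPTYDIR_MODE_SHARED_FS | EMPTYDIR_MODE_BLOCK_ENCRYPTED)` states the accepted set in one line and grows naturally when a mode is added. The error message would also help an operator more if it named the accepted values, for instance by ending with `, expected {EMPTYDIR_MODE_SHARED_FS} or {EMPTYDIR_MODE_BLOCK_ENCRYPTED}` inside the same `format!`. The enclosing function (presumably `validate`, judging by the tests) starts and ends outside the hunk.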
@@ -360,6 +387,45 @@ vfio_mode = "guest_kernel"
 config.validate().unwrap_err();
 }
 
+ #[test]
+ fn test_invalid_emptydir_mode() {
+ let content = r#"
+[runtime]
+emptydir_mode = "invalid-value"
+"#;
+ let config: TomlConfig = TomlConfig::load(content).unwrap();
+ config.validate().unwrap_err();
+ }
+
+ #[test]
+ fn test_valid_emptydir_mode() {
+ let content = r#"
+[runtime]
+emptydir_mode = "shared-fs"
+"#;
+ let config: TomlConfig = TomlConfig::load(content).unwrap();
+ config.validate().unwrap();
+ assert_eq!(&config.runtime.emptydir_mode, "shared-fs");
+
+ let content = r#"
+[runtime]
+emptydir_mode = "block-encrypted"
+"#;
+ let config: TomlConfig = TomlConfig::load(content).unwrap();
+ config.validate().unwrap();
+ assert_eq!(&config.runtime.emptydir_mode, "block-encrypted");
+ }
+
+ #[test]
+ fn test_default_emptydir_mode() {
+ let content = r#"
+[runtime]
+"#;
+ let config: TomlConfig = TomlConfig::load(content).unwrap();
+ config.validate().unwrap();
+ assert_eq!(&config.runtime.emptydir_mode, "shared-fs");
+ }
+
 #[test]
 fn test_config() {
 let content = r#"
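Review bot: `test_valid_emptydir_mode` repeats the load/validate/assert block once per mode with the value spelled as a literal, so a third mode means copying the block again and a renamed constant is not caught by this test. Iterating over the two constants from the top of the file removes the duplication and ties the test to the values the validator actually accepts; this assumes `TomlConfig::load` takes a `&str` (it is called with a raw-string literal in the hunk) and that the constants are in scope in the test module, which starts outside the hunk. The invalid and default tests can stay as they are.
```rust
    #[test]
    fn test_valid_emptydir_mode() {
        for mode in [EMPTYDIR_MODE_SHARED_FS, EMPTYDIR_MODE_BLOCK_ENCRYPTED] {
            let content = format!("[runtime]\nemptydir_mode = \"{mode}\"\n");
            let config: TomlConfig = TomlConfig::load(&content).unwrap();
            config.validate().unwrap();
            assert_eq!(config.runtime.emptydir_mode, mode);
        }
    }
    // … unchanged: test_invalid_emptydir_mode, test_default_emptydir_mode …
```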