From b32c5234f4b30cc65a400048b468d1059b487857 Mon Sep 17 00:00:00 2001 From: Paul Meyer Date: Mon, 30 Mar 2026 11:40:23 +0200 Subject: [PATCH 1/3] runtime-rs: deny unknown fields in config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ..where possible. Failing on unknown fields makes migration easier, as we do not silently ignore configuration options that previously worked in runtime-go. However, serde can't deny unknown fields where flatten is used, so this can't be used everywhere sadly. There were also errors in test fixtures that were unnoticed. These are fixed here, too. Signed-off-by: Paul Meyer Signed-off-by: Fabiano FidĂȘncio --- src/libs/kata-types/src/config/agent.rs | 2 ++ src/libs/kata-types/src/config/hypervisor/mod.rs | 2 ++ src/libs/kata-types/src/config/shared_mount.rs | 7 ++----- .../kata-types/tests/texture/configuration-anno-0.toml | 4 ++-- .../kata-types/tests/texture/configuration-anno-1.toml | 4 ++-- src/runtime-rs/config/configuration-remote.toml.in | 6 +++--- src/runtime-rs/config/configuration-rs-fc.toml.in | 6 +++--- src/runtime-rs/tests/texture/configuration-qemu.toml | 4 ++-- 8 files changed, 18 insertions(+), 17 deletions(-) diff --git a/src/libs/kata-types/src/config/agent.rs b/src/libs/kata-types/src/config/agent.rs index 07f97f4508..dab97f1096 100644 --- a/src/libs/kata-types/src/config/agent.rs +++ b/src/libs/kata-types/src/config/agent.rs @@ -19,6 +19,7 @@ use super::default::{ pub const AGENT_NAME_KATA: &str = "kata"; #[derive(Default, Debug, Deserialize, Serialize, Clone)] +#[serde(deny_unknown_fields)] pub struct MemAgent { #[serde(default, alias = "mem_agent_enable")] pub enable: bool, @@ -58,6 +59,7 @@ pub struct MemAgent { /// Kata agent configuration information. #[derive(Debug, Deserialize, Serialize, Clone)] +#[serde(deny_unknown_fields)] pub struct Agent { /// If enabled, the agent will log additional debug messages to the system log. #[serde(default, rename = "enable_debug")] 
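Review bot: Nothing in this patch pins the new strictness with a test: `#[serde(deny_unknown_fields)]` on `MemAgent` and `Agent` here, and on `RootlessUser`, `Factory` and `SharedMount` in the later hunks, is only exercised through fixtures that were edited until they parsed. A negative case that deserializes an agent table carrying a stray key (for example the old `dial_timeout`) and asserts an error would keep the attribute from being dropped unnoticed, and a test that parses every shipped configuration template after substitution would catch a template that still carries a rejected key before users do. A one-line doc comment on each struct, such as `/// Unknown keys are rejected at parse time.`, would tell operators why a key that used to be tolerated now fails. The struct bodies continue outside these hunks, so whether any of them holds a `#[serde(flatten)]` member, which serde does not support together with this attribute, cannot be checked from here.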
diff --git a/src/libs/kata-types/src/config/hypervisor/mod.rs b/src/libs/kata-types/src/config/hypervisor/mod.rs index 72839104bc..29bf9eb2f3 100644 --- a/src/libs/kata-types/src/config/hypervisor/mod.rs +++ b/src/libs/kata-types/src/config/hypervisor/mod.rs @@ -1238,6 +1238,7 @@ impl NetworkInfo { /// Configuration information for rootless user. #[derive(Clone, Debug, Default, Deserialize, Serialize)] +#[serde(deny_unknown_fields)] pub struct RootlessUser { /// The UID of the rootless user. #[serde(default)] @@ -1643,6 +1644,7 @@ impl VmTemplateInfo { /// Configuration information for VM factory (templating, caches, etc.). #[derive(Clone, Debug, Default, Deserialize, Serialize)] +#[serde(deny_unknown_fields)] pub struct Factory { /// Enable VM templating support. /// When enabled, new VMs may be created from a template to speed up creation. diff --git a/src/libs/kata-types/src/config/shared_mount.rs b/src/libs/kata-types/src/config/shared_mount.rs index e02342a3ec..d1f8a6c482 100644 --- a/src/libs/kata-types/src/config/shared_mount.rs +++ b/src/libs/kata-types/src/config/shared_mount.rs @@ -8,6 +8,7 @@ use std::io::Result; use regex::Regex; #[derive(Debug, Deserialize, Serialize, Clone, Default)] +#[serde(deny_unknown_fields)] pub struct SharedMount { /// Name is used to identify a pair of shared mount points. /// This field cannot be omitted. @@ -143,7 +144,6 @@ mod tests { shared_mount_annotation: r#" { "name": "test", - "src": "sidecar", "src_path": "/mnt/storage", "dst_ctr": "app", "dst_path": "/mnt/storage" @@ -156,7 +156,6 @@ mod tests { { "name": "test", "src_ctr": "sidecar", - "src_dir": "/mnt/storage", "dst_ctr": "app", "dst_path": "/mnt/storage" }"#, @@ -169,7 +168,6 @@ mod tests { "name": "test", "src_ctr": "sidecar", "src_path": "/mnt/storage", - "dst_container": "app", "dst_path": "/mnt/storage" }"#, result: false, 
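Review bot: The four cases edited in this test table (this hunk and the ones at old lines 156, 169 and 181) used to carry misspelled keys such as `"src_dir"` and `"dst_container"`; with those removed they now test only a missing field, and no case is left that feeds an unknown key. `SharedMount` appears to be parsed from the `shared_mount_annotation` string and now rejects unknown keys, so that rejection is the behaviour most worth pinning: keep one case with a stray key, e.g. `"src_dir": "/mnt/storage"` alongside a complete set of valid fields, with `result: false`. The expected `message` for that case will come from the deserializer rather than from the field validation, so how the table compares messages needs checking; the test function starts and ends outside the hunk.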
@@ -181,8 +179,7 @@ mod tests { "name": "test", "src_ctr": "sidecar", "src_path": "/mnt/storage", - "dst_ctr": "app", - "path": "/mnt/storage" + "dst_ctr": "app" }"#, result: false, message: "shared_mount: field 'dst_path' couldn't be empty.", diff --git a/src/libs/kata-types/tests/texture/configuration-anno-0.toml b/src/libs/kata-types/tests/texture/configuration-anno-0.toml index a2f1dac02e..5d93c36b5f 100644 --- a/src/libs/kata-types/tests/texture/configuration-anno-0.toml +++ b/src/libs/kata-types/tests/texture/configuration-anno-0.toml @@ -65,8 +65,8 @@ enable_guest_swap = true [agent.agent0] enable_tracing = true debug_console_enabled = true -debug = true -dial_timeout = 1 +enable_debug = true +dial_timeout_ms = 1000 kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"] container_pipe_size = 2 [runtime] diff --git a/src/libs/kata-types/tests/texture/configuration-anno-1.toml b/src/libs/kata-types/tests/texture/configuration-anno-1.toml index 12a4e85f94..dce864839f 100644 --- a/src/libs/kata-types/tests/texture/configuration-anno-1.toml +++ b/src/libs/kata-types/tests/texture/configuration-anno-1.toml @@ -64,8 +64,8 @@ enable_guest_swap = true [agent.agent0] enable_tracing = true debug_console_enabled = true -debug = true -dial_timeout = 1 +enable_debug = true +dial_timeout_ms = 1000 kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"] container_pipe_size = 2 [runtime] diff --git a/src/runtime-rs/config/configuration-remote.toml.in b/src/runtime-rs/config/configuration-remote.toml.in index 75eda88604..04ba2628bd 100644 --- a/src/runtime-rs/config/configuration-remote.toml.in +++ b/src/runtime-rs/config/configuration-remote.toml.in 
@@ -150,9 +150,9 @@ enable_tracing = false debug_console_enabled = false -# Agent connection dialing timeout value in seconds -# (default: 30) -dial_timeout = 30 +# Agent connection dialing timeout value in milliseconds +# (default: 30000) +dial_timeout_ms = 30000 # Create Container Request Timeout # This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in index 5edc6587f2..aa44c1b636 100644 --- a/src/runtime-rs/config/configuration-rs-fc.toml.in +++ b/src/runtime-rs/config/configuration-rs-fc.toml.in @@ -310,9 +310,9 @@ kernel_modules = [] debug_console_enabled = false -# Agent connection dialing timeout value in seconds -# (default: 45) -dial_timeout = 45 +# Agent connection dialing timeout value in milliseconds +# (default: 45000) +dial_timeout_ms = 45000 # Confidential Data Hub API timeout value in seconds # (default: 50) diff --git a/src/runtime-rs/tests/texture/configuration-qemu.toml b/src/runtime-rs/tests/texture/configuration-qemu.toml index 735de41af2..9c77eb447a 100644 --- a/src/runtime-rs/tests/texture/configuration-qemu.toml +++ b/src/runtime-rs/tests/texture/configuration-qemu.toml @@ -65,8 +65,8 @@ enable_guest_swap = true [agent.agent0] enable_tracing = true debug_console_enabled = true -debug = true -dial_timeout = 1 +enable_debug = true +dial_timeout_ms = 1000 kernel_modules = ["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1","i915_enabled_ppgtt=0"] container_pipe_size = 2 [runtime] From a6e891e733994e9d8416adc404e97ea4bbcbb549 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 10:13:38 +0200 Subject: [PATCH 2/3] runtime-rs: s/dbg_monitor_socket/extra_monitor_socket/g MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's align this with what's been already used for the go runtime. 
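Review bot: The updated comment gives the new unit but not the rename, and because `Agent` gains `deny_unknown_fields` in this same patch a configuration that still carries `dial_timeout = 30` goes from being ignored to failing to load. One extra comment line here and in the configuration-rs-fc.toml.in hunk, such as `# (replaces dial_timeout, which took seconds; the old key is now rejected)`, would make that failure self-explanatory. It is also worth confirming that the mechanical 30 s to 30000 ms conversion is the intended value: the cloud-hypervisor and qemu-runtime-rs templates visible later in this series carry `dial_timeout_ms = 10` next to `reconnect_timeout_ms = 3000`, which suggests a much shorter per-attempt timeout, though the code that consumes the value is not shown here.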
Signed-off-by: Fabiano FidĂȘncio --- src/libs/kata-types/src/config/hypervisor/mod.rs | 6 +++--- .../config/configuration-qemu-coco-dev-runtime-rs.toml.in | 2 +- src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in | 2 +- .../config/configuration-qemu-snp-runtime-rs.toml.in | 2 +- .../config/configuration-qemu-tdx-runtime-rs.toml.in | 2 +- .../crates/hypervisor/src/qemu/cmdline_generator.rs | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/libs/kata-types/src/config/hypervisor/mod.rs b/src/libs/kata-types/src/config/hypervisor/mod.rs index 29bf9eb2f3..42d884cbe8 100644 --- a/src/libs/kata-types/src/config/hypervisor/mod.rs +++ b/src/libs/kata-types/src/config/hypervisor/mod.rs @@ -708,10 +708,10 @@ pub struct DebugInfo { /// /// Example usage in configuration: /// ```toml - /// dbg_monitor_socket = "hmp" + /// extra_monitor_socket = "hmp" /// ``` - #[serde(default)] - pub dbg_monitor_socket: String, + #[serde(default, alias = "dbg_monitor_socket")] + pub extra_monitor_socket: String, } impl DebugInfo { diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in index 7ed437883b..e6e07eacf9 100644 --- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in @@ -339,7 +339,7 @@ enable_debug = false # # If set to the empty string "", no extra monitor socket is added. This is # the default. -dbg_monitor_socket = "" +extra_monitor_socket = "" # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime diff --git a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in index f9c82cfca2..597639c117 100644 --- a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in 
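Review bot: The doc comment above `extra_monitor_socket` documents only the new key, while `alias = "dbg_monitor_socket"` keeps the old one working silently. Adding a line such as `/// The former key dbg_monitor_socket is still accepted as an alias; set only one of the two.` records the compatibility path and warns about the case where both keys are present, which serde's derived deserializer rejects as a duplicate field. Because this key opens an additional QEMU monitor (the example value is `hmp`), the comment should also state, if the part above the hunk does not already, that it only takes effect when `enable_debug` is set, as the check in cmdline_generator.rs in this patch shows. `DebugInfo` starts outside the hunk.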
+++ b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in @@ -335,7 +335,7 @@ enable_debug = false # # If set to the empty string "", no extra monitor socket is added. This is # the default. -dbg_monitor_socket = "" +extra_monitor_socket = "" # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in index 40d2894302..5488e1a873 100644 --- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in @@ -392,7 +392,7 @@ disable_vhost_net = false # # If set to the empty string "", no extra monitor socket is added. This is # the default. -#dbg_monitor_socket = "hmp" +extra_monitor_socket = "" # # Default entropy source. diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in index 74b576ffe2..222fa62ab8 100644 --- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in @@ -349,7 +349,7 @@ enable_debug = false # # If set to the empty string "", no extra monitor socket is added. This is # the default. -dbg_monitor_socket = "" +extra_monitor_socket = "" # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs index 17fff5010b..ebafd353a5 100644 --- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs +++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs 
@@ -2248,8 +2248,8 @@ impl<'a> QemuCmdLine<'a> { qemu_cmd_line.add_iommu(); } - if config.debug_info.enable_debug && !config.debug_info.dbg_monitor_socket.is_empty() { - qemu_cmd_line.add_monitor(&config.debug_info.dbg_monitor_socket)?; + if config.debug_info.enable_debug && !config.debug_info.extra_monitor_socket.is_empty() { + qemu_cmd_line.add_monitor(&config.debug_info.extra_monitor_socket)?; } qemu_cmd_line.add_rtc(); From 9a5aaf7ecb847d74b59a79b9f2a51b2dc7bbe1eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 11:23:46 +0200 Subject: [PATCH 3/3] runtime-rs: move create_container_timeout before [mem_agent] section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The create_container_timeout key was placed after the [agent.@PROJECT_TYPE@.mem_agent] TOML section header, which meant TOML parsed it as a field of mem_agent rather than of the parent agent table. This was silently ignored before, but now that MemAgent has #[serde(deny_unknown_fields)] it causes a parse error. Move the key above the [mem_agent] section so it belongs to the correct [agent.@PROJECT_TYPE@] table. Also fix configuration-qemu-coco-dev which had a duplicate entry: keep only the correctly placed one with the COCO timeout value. Signed-off-by: Fabiano FidĂȘncio --- .../configuration-cloud-hypervisor.toml.in | 26 +++++++++---------- ...iguration-qemu-coco-dev-runtime-rs.toml.in | 17 ++---------- .../configuration-qemu-runtime-rs.toml.in | 26 +++++++++---------- 3 files changed, 28 insertions(+), 41 deletions(-) diff --git a/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in b/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in index 4b981d47c0..97f890791c 100644 --- a/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in +++ b/src/runtime-rs/config/configuration-cloud-hypervisor.toml.in 
@@ -311,6 +311,19 @@ dial_timeout_ms = 10 # (default: 3000) reconnect_timeout_ms = 3000 +# Create Container Request Timeout +# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. +# It's also used to ensure that workloads, especially those involving large image pulls within the guest, +# have sufficient time to complete. +# +# Effective Timeout Determination: +# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values: +# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds). +# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: +# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) +# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) +create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ + [agent.@PROJECT_TYPE@.mem_agent] # Control the mem-agent function enable or disable. # Default to false 
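Review bot: The comment block added here hard-codes `(default: 30 seconds)` a few lines above `Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s)`, so the rendered file states the default twice and the two disagree whenever the substituted value is not 30. The same block is added in the configuration-qemu-runtime-rs.toml.in hunk, and in configuration-qemu-coco-dev-runtime-rs.toml.in the retained comment still says 30 seconds although the value becomes `@DEFCREATECONTAINERTIMEOUT_COCO@`; the duplicate deleted there had the placeholder in that position. Use the placeholder in the bullet as well, `# - create_container_timeout: The timeout value configured for creating containers (default: @DEFCREATECONTAINERTIMEOUT@ seconds).`, with the `_COCO` variant in the coco-dev template.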
@@ -409,19 +422,6 @@ compact_threshold = 1024 # Using 9223372036854775807 (i64::MAX) which is effectively "never" for practical purposes compact_force_times = 9223372036854775807 -# Create Container Request Timeout -# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. -# It's also used to ensure that workloads, especially those involving large image pulls within the guest, -# have sufficient time to complete. -# -# Effective Timeout Determination: -# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values: -# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds). -# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: -# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) -# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) -create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ - [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in index e6e07eacf9..0b6c32ec8e 100644 --- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in 
@@ -552,8 +552,8 @@ reconnect_timeout_ms = 3000 # - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds). # - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) -# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) -create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ +# Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s) +create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@ [agent.@PROJECT_TYPE@.mem_agent] # Control the mem-agent function enable or disable. @@ -651,19 +651,6 @@ compact_threshold = 1024 # Default to 9223372036854775807 compact_force_times = 9223372036854775807 -# Create Container Request Timeout -# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. -# It's also used to ensure that workloads, especially those involving large image pulls within the guest, -# have sufficient time to complete. -# -# Effective Timeout Determination: -# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values: -# - create_container_timeout: The timeout value configured for creating containers (default: @DEFCREATECONTAINERTIMEOUT_COCO@ seconds). -# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: -# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) -# Defaults to @DEFCREATECONTAINERTIMEOUT_COCO@ second(s) -create_container_timeout = @DEFCREATECONTAINERTIMEOUT_COCO@ - [runtime] # If enabled, the runtime will log additional debug messages to the # system log 
diff --git a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in index 597639c117..74a0a1e6c7 100644 --- a/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in @@ -548,6 +548,19 @@ dial_timeout_ms = 10 # (default: 3000) reconnect_timeout_ms = 3000 +# Create Container Request Timeout +# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. +# It's also used to ensure that workloads, especially those involving large image pulls within the guest, +# have sufficient time to complete. +# +# Effective Timeout Determination: +# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values: +# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds). +# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: +# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) +# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) +create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ + [agent.@PROJECT_TYPE@.mem_agent] # Control the mem-agent function enable or disable. # Default to false 
@@ -646,19 +659,6 @@ compact_threshold = 1024 # Using 9223372036854775807 (i64::MAX) which is effectively "never" for practical purposes compact_force_times = 9223372036854775807 -# Create Container Request Timeout -# This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest. -# It's also used to ensure that workloads, especially those involving large image pulls within the guest, -# have sufficient time to complete. -# -# Effective Timeout Determination: -# The effective timeout for a CreateContainerRequest is determined by taking the minimum of the following two values: -# - create_container_timeout: The timeout value configured for creating containers (default: 30 seconds). -# - runtime-request-timeout: The timeout value specified in the Kubelet configuration described as the link below: -# (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) -# Defaults to @DEFCREATECONTAINERTIMEOUT@ second(s) -create_container_timeout = @DEFCREATECONTAINERTIMEOUT@ - [runtime] # If enabled, the runtime will log additional debug messages to the # system log