From 76e4f6a2a302fde526690c15721817b731b135d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 2 Mar 2022 10:52:47 +0100 Subject: [PATCH 1/8] Revert "hypervisors: Confidential Guests do not support Device hotplug" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit df8ffecde0b4190c6c8ce8ee21e871ceafe132f9, as device hotplug *is* supported and, more than that, is very much needed when using virtio-blk instead of virtio-fs. Signed-off-by: Fabiano Fidêncio --- src/runtime/config/configuration-clh.toml.in | 1 - src/runtime/config/configuration-qemu.toml.in | 1 - src/runtime/virtcontainers/clh.go | 12 +----------- src/runtime/virtcontainers/qemu_amd64.go | 5 ++--- src/runtime/virtcontainers/qemu_arch_base.go | 4 +--- src/runtime/virtcontainers/qemu_ppc64le.go | 3 +-- 6 files changed, 5 insertions(+), 21 deletions(-) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 4afafaf08d..7c8782a63e 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -25,7 +25,6 @@ image = "@IMAGEPATH@" # Known limitations: # * Does not work by design: # - CPU Hotplug -# - Device Hotplug # - Memory Hotplug # - NVDIMM devices # diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index af5c583647..08d130815a 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -26,7 +26,6 @@ machine_type = "@MACHINETYPE@" # Known limitations: # * Does not work by design: # - CPU Hotplug -# - Device Hotplug # - Memory Hotplug # - NVDIMM devices # diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 805fda7169..a25cd019a3 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go 
@@ -638,10 +638,6 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id}) defer span.End() - if clh.config.ConfidentialGuest { - return nil, errors.New("Device hotplug addition is not supported in confidential mode") - } - switch devType { case BlockDev: drive := devInfo.(*config.BlockDrive) @@ -659,10 +655,6 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id}) defer span.End() - if clh.config.ConfidentialGuest { - return nil, errors.New("Device hotplug removal is not supported in confidential mode") - } - var deviceID string switch devType { @@ -917,9 +909,7 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities clh.Logger().WithField("function", "Capabilities").Info("get Capabilities") var caps types.Capabilities caps.SetFsSharingSupport() - if !clh.config.ConfidentialGuest { - caps.SetBlockDeviceHotplugSupport() - } + caps.SetBlockDeviceHotplugSupport() return caps } diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go index 8e76bf55c9..3f52ab756d 100644 --- a/src/runtime/virtcontainers/qemu_amd64.go +++ b/src/runtime/virtcontainers/qemu_amd64.go @@ -158,9 +158,8 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) { func (q *qemuAmd64) capabilities() types.Capabilities { var caps types.Capabilities - if (q.qemuMachine.Type == QemuQ35 || - q.qemuMachine.Type == QemuVirt) && - q.protection == noneProtection { + if q.qemuMachine.Type == QemuQ35 || + q.qemuMachine.Type == QemuVirt { caps.SetBlockDeviceHotplugSupport() } diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go index c5c5e8057c..62fec60a7d 100644 
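Review bot: The Capabilities hunk now advertises block-device hotplug unconditionally, but nothing in the code records why the ConfidentialGuest exclusion removed here was wrong, so a later reader may well reinstate it. A one-line comment above `caps.SetBlockDeviceHotplugSupport()` would pin the rationale given in the commit message, e.g. `// Block device hotplug stays enabled for confidential guests: it is the path a virtio-blk rootfs depends on.`; the same applies to the two guards dropped from HotplugAddDevice and HotplugRemoveDevice in the first two hunks. All three functions start and end outside their hunks.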
--- a/src/runtime/virtcontainers/qemu_arch_base.go +++ b/src/runtime/virtcontainers/qemu_arch_base.go @@ -277,9 +277,7 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param { func (q *qemuArchBase) capabilities() types.Capabilities { var caps types.Capabilities - if q.protection == noneProtection { - caps.SetBlockDeviceHotplugSupport() - } + caps.SetBlockDeviceHotplugSupport() caps.SetMultiQueueSupport() caps.SetFsSharingSupport() return caps diff --git a/src/runtime/virtcontainers/qemu_ppc64le.go b/src/runtime/virtcontainers/qemu_ppc64le.go index e78fcb7016..e18f2264b5 100644 --- a/src/runtime/virtcontainers/qemu_ppc64le.go +++ b/src/runtime/virtcontainers/qemu_ppc64le.go @@ -101,8 +101,7 @@ func (q *qemuPPC64le) capabilities() types.Capabilities { var caps types.Capabilities // pseries machine type supports hotplugging drives - if q.qemuMachine.Type == QemuPseries && - q.protection == noneProtection { + if q.qemuMachine.Type == QemuPseries { caps.SetBlockDeviceHotplugSupport() } From 413b3b477a709fc345831f3e533c190ffc8c5bc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 10:25:18 +0100 Subject: [PATCH 2/8] clh: introduce createVirtiofsDaemon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's introduce and use a new `createVirtiofsDaemon` method. Its name says it all, and it'll be handy later in this series when, spoiler alert, SharedFS cannot be used (in such cases as in Confidential Guests). Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 65 ++++++++++++++++++------------- 1 file changed, 39 insertions(+), 26 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index a25cd019a3..8db4b6e07d 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go 
@@ -198,6 +198,42 @@ func (clh *cloudHypervisor) setConfig(config *HypervisorConfig) error { return nil } +func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) { + virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id) + if err != nil { + return nil, err + } + + if clh.config.SharedFS == config.VirtioFSNydus { + apiSockPath, err := clh.nydusdAPISocketPath(clh.id) + if err != nil { + clh.Logger().WithError(err).Error("Invalid api socket path for nydusd") + return nil, err + } + nd := &nydusd{ + path: clh.config.VirtioFSDaemon, + sockPath: virtiofsdSocketPath, + apiSockPath: apiSockPath, + sourcePath: sharedPath, + debug: clh.config.Debug, + extraArgs: clh.config.VirtioFSExtraArgs, + startFn: startInShimNS, + } + nd.setupShareDirFn = nd.setupPassthroughFS + return nd, nil + } + + // default: use virtiofsd + return &virtiofsd{ + path: clh.config.VirtioFSDaemon, + sourcePath: sharedPath, + socketPath: virtiofsdSocketPath, + extraArgs: clh.config.VirtioFSExtraArgs, + debug: clh.config.Debug, + cache: clh.config.VirtioFSCache, + }, nil +} + func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock) } 
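Review bot: createVirtiofsDaemon has no doc comment, and as the first of several lifecycle helpers introduced in this series its contract (it only constructs the daemon object and never starts it) is worth stating: `// createVirtiofsDaemon builds the shared-filesystem daemon for sharedPath — nydusd when clh.config.SharedFS is config.VirtioFSNydus, virtiofsd otherwise — without starting it.`. The nydusd branch also both logs and returns the same error from `nydusdAPISocketPath`, so the failure is reported twice once the caller handles it; returning `fmt.Errorf("nydusd api socket path: %w", err)` without the log keeps a single report that still carries the context. The `err` shadowed by `:=` inside that branch is harmless because the branch returns immediately.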
@@ -402,32 +438,9 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net ApiInternal: chclient.NewAPIClient(cfg).DefaultApi, } - clh.virtiofsDaemon = &virtiofsd{ - path: clh.config.VirtioFSDaemon, - sourcePath: filepath.Join(GetSharePath(clh.id)), - socketPath: virtiofsdSocketPath, - extraArgs: clh.config.VirtioFSExtraArgs, - debug: clh.config.Debug, - cache: clh.config.VirtioFSCache, - } - - if clh.config.SharedFS == config.VirtioFSNydus { - apiSockPath, err := clh.nydusdAPISocketPath(clh.id) - if err != nil { - clh.Logger().WithError(err).Error("Invalid api socket path for nydusd") - return err - } - nd := &nydusd{ - path: clh.config.VirtioFSDaemon, - sockPath: virtiofsdSocketPath, - apiSockPath: apiSockPath, - sourcePath: filepath.Join(GetSharePath(clh.id)), - debug: clh.config.Debug, - extraArgs: clh.config.VirtioFSExtraArgs, - startFn: startInShimNS, - } - nd.setupShareDirFn = nd.setupPassthroughFS - clh.virtiofsDaemon = nd + clh.virtiofsDaemon, err = clh.createVirtiofsDaemon(filepath.Join(GetSharePath(clh.id))) + if err != nil { + return err } if clh.config.SGXEPCSize > 0 { From e8bc26f90d284e9fa07a08e18213dba94e82ed78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 12:11:59 +0100 Subject: [PATCH 3/8] clh: introduce setupVirtiofsDaemon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similarly to what's been done with the `createVirtiofsDaemon`, let's create a `setupVirtiofsDaemon` one. It will also become handy later in this series. Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 41 ++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 8db4b6e07d..439d4a509e 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go 
@@ -234,6 +234,29 @@ func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDae }, nil } +func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error { + if clh.config.SharedFS == config.Virtio9P { + return errors.New("cloud-hypervisor only supports virtio based file sharing") + } + + // virtioFS or virtioFsNydus + clh.Logger().WithField("function", "setupVirtiofsDaemon").Info("Starting virtiofsDaemon") + + if clh.virtiofsDaemon == nil { + return errors.New("Missing virtiofsDaemon configuration") + } + + pid, err := clh.virtiofsDaemon.Start(ctx, func() { + clh.StopVM(ctx, false) + }) + if err != nil { + return err + } + clh.state.VirtiofsDaemonPid = pid + + return nil +} + func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock) } @@ -474,10 +497,6 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error { return err } - if clh.virtiofsDaemon == nil { - return errors.New("Missing virtiofsDaemon configuration") - } - // This needs to be done as late as possible, just before launching // virtiofsd are executed by kata-runtime after this call, run with // the SELinux label. If these processes require privileged, we do @@ -490,17 +509,9 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error { defer label.SetProcessLabel("") } - if clh.config.SharedFS == config.VirtioFS || clh.config.SharedFS == config.VirtioFSNydus { - clh.Logger().WithField("function", "StartVM").Info("Starting virtiofsDaemon") - pid, err := clh.virtiofsDaemon.Start(ctx, func() { - clh.StopVM(ctx, false) - }) - if err != nil { - return err - } - clh.state.VirtiofsDaemonPid = pid - } else { - return errors.New("cloud-hypervisor only supports virtio based file sharing") + err = clh.setupVirtiofsDaemon(ctx) + if err != nil { + return err } pid, err := clh.launchClh() 
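Review bot: setupVirtiofsDaemon turns the old allow-list into a deny-list: StartVM used to start the daemon only for config.VirtioFS or config.VirtioFSNydus and error out otherwise, whereas the new method rejects only config.Virtio9P, so an empty or unrecognised SharedFS value now falls through to `clh.virtiofsDaemon.Start` instead of the error. Keeping the original shape preserves that behaviour: `if clh.config.SharedFS != config.VirtioFS && clh.config.SharedFS != config.VirtioFSNydus {` `return errors.New("cloud-hypervisor only supports virtio based file sharing")` `}`, and it makes the `// virtioFS or virtioFsNydus` comment true again. Note also that the nil check on clh.virtiofsDaemon, previously done before `label.SetProcessLabel` was applied, now runs after it. The two StartVM hunks below belong to a function that starts and ends outside them.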
From ae2221ea685332b4ccbe89228e5d5678a049bc66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 10:43:04 +0100 Subject: [PATCH 4/8] clh: introduce stopVirtiofsDaemon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similary to the `createVirtiofsDaemon` method, let's introduce and use its counterpart, as it'll also be handy later in this series. Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 439d4a509e..e3ae289075 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -257,6 +257,22 @@ func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error { return nil } +func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error) { + if clh.state.VirtiofsDaemonPid == 0 { + clh.Logger().Warn("The virtiofsd had stopped") + return nil + } + + err = clh.virtiofsDaemon.Stop(ctx) + if err != nil { + return err + } + + clh.state.VirtiofsDaemonPid = 0 + + return nil +} + func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock) } @@ -516,7 +532,7 @@ func (clh *cloudHypervisor) StartVM(ctx context.Context, timeout int) error { pid, err := clh.launchClh() if err != nil { - if shutdownErr := clh.virtiofsDaemon.Stop(ctx); shutdownErr != nil { + if shutdownErr := clh.stopVirtiofsDaemon(ctx); shutdownErr != nil { clh.Logger().WithError(shutdownErr).Warn("error shutting down VirtiofsDaemon") } return fmt.Errorf("failed to launch cloud-hypervisor: %q", err) 
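Review bot: stopVirtiofsDaemon calls `clh.virtiofsDaemon.Stop(ctx)` without checking that clh.virtiofsDaemon is non-nil, while the terminate hunk of this same patch (further down) deletes the `clh.virtiofsDaemon == nil` guard that used to protect that call; with a non-zero VirtiofsDaemonPid in state and a nil daemon, should that combination ever occur, the old code returned an error and the new code dereferences a nil interface and panics. Restore the guard inside the helper, after the PID check: `if clh.virtiofsDaemon == nil { return errors.New("virtiofsDaemon config is nil, failed to stop it") }`. Minor style: the named result `err` is not used by any defer, so `if err := clh.virtiofsDaemon.Stop(ctx); err != nil { return err }` reads cleaner, and the warning `The virtiofsd had stopped` is also emitted for a nydusd-backed sandbox.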
@@ -971,12 +987,9 @@ func (clh *cloudHypervisor) terminate(ctx context.Context, waitOnly bool) (err e return err } - if clh.virtiofsDaemon == nil { - return errors.New("virtiofsDaemon config is nil, failed to stop it") - } - clh.Logger().Debug("stop virtiofsDaemon") - if err = clh.virtiofsDaemon.Stop(ctx); err != nil { + + if err = clh.stopVirtiofsDaemon(ctx); err != nil { clh.Logger().WithError(err).Error("failed to stop virtiofsDaemon") } From 54d27ed721746ad569444b8021bad5133e432322 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 10:52:00 +0100 Subject: [PATCH 5/8] clh: introduce loadVirtiofsDaemon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similarly to the `createVirtiofsDaemon` and `stopVirtiofsDaemon` methos, let's introduce and use loadVirtiofsDaemon, at it'll also be handy later in this series. Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index e3ae289075..d609d9ea1f 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -273,6 +273,20 @@ func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error) return nil } +func (clh *cloudHypervisor) loadVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) { + virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id) + if err != nil { + return nil, err + } + + return &virtiofsd{ + PID: clh.state.VirtiofsDaemonPid, + sourcePath: sharedPath, + debug: clh.config.Debug, + socketPath: virtiofsdSocketPath, + }, nil +} + func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock) } 
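Review bot: loadVirtiofsDaemon always reconstructs a `*virtiofsd` from clh.state, whereas createVirtiofsDaemon earlier in this series builds a `*nydusd` when SharedFS is config.VirtioFSNydus, so a nydusd-backed sandbox reloaded from state gets a handle of the wrong type; the restored struct also omits `path`, `extraArgs` and `cache`. This is inherited from the CreateVM code it replaces, but now that it is a named helper the limitation should at least be documented, e.g. `// loadVirtiofsDaemon rebuilds the daemon handle for an already-running sandbox from clh.state. It only knows virtiofsd; a nydusd-backed sandbox is not restored as such.`. Whether Stop on such a partially populated virtiofsd behaves correctly cannot be told from this hunk.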
@@ -323,19 +337,15 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net clh.Logger().WithField("function", "CreateVM").Info("creating Sandbox") - virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id) - if err != nil { - return nil - } - if clh.state.PID > 0 { clh.Logger().WithField("function", "CreateVM").Info("Sandbox already exist, loading from state") - clh.virtiofsDaemon = &virtiofsd{ - PID: clh.state.VirtiofsDaemonPid, - sourcePath: hypervisorConfig.SharedPath, - debug: clh.config.Debug, - socketPath: virtiofsdSocketPath, + + virtiofsDaemon, err := clh.loadVirtiofsDaemon(hypervisorConfig.SharedFS) + if err != nil { + return err } + clh.virtiofsDaemon = virtiofsDaemon + return nil } From f889f1f95736a05fad5eb993f402b9d8fa8387e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 12:18:43 +0100 Subject: [PATCH 6/8] clh: introduce supportsSharedFS() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit supportsSharedFS() is a new method to be used to ensure that no SharedFS specifics are called when, for a reason or another, Cloud Hypervisor is in a mode where SharedFSs are not supported. Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index d609d9ea1f..6bdc917edc 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -199,6 +199,11 @@ func (clh *cloudHypervisor) setConfig(config *HypervisorConfig) error { } func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) { + if !clh.supportsSharedFS() { + clh.Logger().Info("SharedFS is not supported") + return nil, nil + } + virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id) if err != nil { return nil, err 
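Review bot: The CreateVM hunk passes the wrong field to the new helper: `clh.loadVirtiofsDaemon(hypervisorConfig.SharedFS)` hands over the share mode (the string compared against config.VirtioFS elsewhere in this file) where loadVirtiofsDaemon expects `sharedPath`, while the removed code used `hypervisorConfig.SharedPath`. The reloaded daemon therefore carries the mode name as its sourcePath. The line should read `virtiofsDaemon, err := clh.loadVirtiofsDaemon(hypervisorConfig.SharedPath)`. CreateVM starts and ends outside the hunk.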
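Review bot: Returning `nil, nil` from createVirtiofsDaemon when shared FS is unsupported pushes a nil check onto every caller; CreateVM (outside this hunk) stores that nil in clh.virtiofsDaemon, so any later path that dereferences the field without first consulting supportsSharedFS will panic. The same `nil, nil` shape is added to loadVirtiofsDaemon in the hunk below. Safer is to let the caller decide, with `if !clh.supportsSharedFS() { return nil }` in CreateVM ahead of the create/load calls so the constructors never yield a nil result, or at minimum a doc comment on both constructors stating `// Returns a nil daemon and nil error when shared FS is not supported; callers must check.`.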
@@ -235,6 +240,11 @@ func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDae } func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error { + if !clh.supportsSharedFS() { + clh.Logger().Info("SharedFS is not supported") + return nil + } + if clh.config.SharedFS == config.Virtio9P { return errors.New("cloud-hypervisor only supports virtio based file sharing") } @@ -258,6 +268,11 @@ func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error { } func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error) { + if !clh.supportsSharedFS() { + clh.Logger().Info("SharedFS is not supported") + return nil + } + if clh.state.VirtiofsDaemonPid == 0 { clh.Logger().Warn("The virtiofsd had stopped") return nil @@ -274,6 +289,11 @@ func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error) } func (clh *cloudHypervisor) loadVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) { + if !clh.supportsSharedFS() { + clh.Logger().Info("SharedFS is not supported") + return nil, nil + } + virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id) if err != nil { return nil, err @@ -291,6 +311,12 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) { return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock) } +func (clh *cloudHypervisor) supportsSharedFS() bool { + caps := clh.Capabilities(clh.ctx) + + return caps.IsFsSharingSupported() +} + func (clh *cloudHypervisor) enableProtection() error { protection, err := availableGuestProtection() if err != nil { From c30b3a9ff1b439af295ab4296b95b41cf9f95de6 Mon Sep 17 00:00:00 2001 
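Review bot: supportsSharedFS calls `clh.Capabilities(clh.ctx)`, whose first line logs `get Capabilities` at Info level, so every create/setup/stop/load call guarded in the hunks above now emits that line plus its own `SharedFS is not supported` Info line on a normal confidential run; it also relies on the context stored in the struct rather than the caller's ctx. Move the capability computation into an unexported helper that does not log (Capabilities logs and then returns it; supportsSharedFS reads `IsFsSharingSupported()` from it), and downgrade the repeated `SharedFS is not supported` message to Debug. The four guards are otherwise identical, which is a hint that the check belongs in one place rather than copied into each method.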
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 12:22:55 +0100 Subject: [PATCH 7/8] clh: Adding a volume is not supported without SharedFS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As mounting volumes into the guest requires SharedFS setup, let's ensure we error out if trying to do so in a situation where SharedFS is not supported. Signed-off-by: Fabiano Fidêncio --- src/runtime/virtcontainers/clh.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 6bdc917edc..5c9c2a6413 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -958,6 +958,10 @@ func (clh *cloudHypervisor) AddDevice(ctx context.Context, devInfo interface{}, case types.HybridVSock: clh.addVSock(defaultGuestVSockCID, v.UdsPath) case types.Volume: + if !clh.supportsSharedFS() { + return fmt.Errorf("SharedFS is not supported") + } + err = clh.addVolume(v) default: clh.Logger().WithField("function", "AddDevice").Warnf("Add device of type %v is not supported.", v) From 97951a2d1264500a6519322d700cc19d7b251f89 Mon Sep 17 00:00:00 2001 
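Review bot: `fmt.Errorf("SharedFS is not supported")` has no format verbs, so `errors.New("SharedFS is not supported")` is the idiomatic form (errors is already imported in this file, and linters flag a verb-less Errorf). The error also gives the operator nothing to act on; naming what was attempted, e.g. `errors.New("cannot add volume: SharedFS is not supported for this guest")`, makes the confidential-guest case diagnosable. Note that supportsSharedFS goes through Capabilities, which logs at Info on each call, so every rejected volume produces a log line in addition to the error. AddDevice starts and ends outside the hunk.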
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 3 Mar 2022 12:28:40 +0100 Subject: [PATCH 8/8] clh: Don't use SharedFS with Confidential Guests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit kata-containers/pulls#3771 added TDX support for Cloud Hypervisor, but two big things got overlooked while doing that. 1. virtio-fs, as of now, cannot be part of the trust boundary, so the Confidential Guest will not be using it. 2. virtio-block hotplug should be enabled in order to use virtio-block for the rootfs (used with the devmapper plugin). When trying to use cloud-hypervisor with TDX using virtio-fs, we're facing the following error on the guest kernel: ``` virtiofs virtio2: device must provide VIRTIO_F_ACCESS_PLATFORM ``` After checking and double-checking with virtiofs and cloud-hypervisor developers, it happens as confidential containers might put some limitations on the device, so it can't access all of the guests' memory and that's where this restriction seems to be coming from. Vivek mentioned that virtiofsd does not support VIRTIO_F_ACCESS_PLATFORM (aka VIRTIO_F_IOMMU_PLATFORM) yet, and that for encrypted guests virtiofs may not be the best solution at the moment. @sboeuf put this in a very nice way: "if the virtio-fs driver doesn't support VIRTIO_F_ACCESS_PLATFORM, then the pages corresponding to the virtqueues and the buffers won't be marked as SHARED, meaning the VMM won't have access to it". Interestingly enough, it works with QEMU, and it may be due to some change done on the patched QEMU that @devimc is packaging, but we won't take the path to figure out what was the change and patch cloud-hypervisor in the same way, because of 1. Fixes: #3810 Signed-off-by: Fabiano Fidêncio --- src/runtime/config/configuration-clh.toml.in | 4 ++++ src/runtime/virtcontainers/clh.go | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 7c8782a63e..c91260a31a 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -27,6 +27,10 @@ image = "@IMAGEPATH@" # - CPU Hotplug # - Memory Hotplug # - NVDIMM devices +# - SharedFS, such as virtio-fs and virtio-fs-nydus +# +# Requirements: +# * virtio-block used as rootfs, thus the usage of devmapper snapshotter. # # Supported TEEs: # * Intel TDX diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 5c9c2a6413..c77ce15309 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -988,7 +988,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities clh.Logger().WithField("function", "Capabilities").Info("get Capabilities") var caps types.Capabilities - caps.SetFsSharingSupport() + if !clh.config.ConfidentialGuest { + caps.SetFsSharingSupport() + } caps.SetBlockDeviceHotplugSupport() return caps }
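Review bot: The new ConfidentialGuest gate in Capabilities carries no comment, and the reason is specific enough (virtiofsd does not yet offer VIRTIO_F_ACCESS_PLATFORM, so the virtqueue pages are not shared with the VMM inside a TEE) that a later reader could drop it as an apparent regression; a comment above the `if`, such as `// virtio-fs cannot be part of the TEE trust boundary yet (virtiofsd lacks VIRTIO_F_ACCESS_PLATFORM), so shared FS is disabled for confidential guests; the rootfs must come in via virtio-block.`, would pin it. Because Capabilities now drives supportsSharedFS, this single flag is what makes CreateVM leave clh.virtiofsDaemon nil for confidential guests, so any use of that field outside the supportsSharedFS-guarded helpers deserves a second look; that cannot be verified from this hunk, and Capabilities itself starts outside it. The toml hunk above documents the same restriction and needs no code change.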