diff --git a/src/runtime/virtcontainers/container.go b/src/runtime/virtcontainers/container.go
index c3784712f3..1716389272 100644
--- a/src/runtime/virtcontainers/container.go
+++ b/src/runtime/virtcontainers/container.go
@@ -1106,7 +1106,22 @@ func (c *Container) createDevices(ctx context.Context, contConfig *ContainerConf
 // device /dev/vfio/vfio an 2nd the actuall device(s) afterwards.
 // Sort the devices starting with device #1 being the VFIO control group
 // device and the next the actuall device(s) /dev/vfio/
- if coldPlugVFIO && c.sandbox.config.VfioMode == config.VFIOModeVFIO {
+ //
+ // Cold-plug VFIO devices must also reach the agent in
+ // `VfioMode == GuestKernel`. The agent's `vfio-pci-gk` handler
+ // returns `dev: None` (so /dev/vfio/ is *not* materialised in
+ // the container spec — `constrainGRPCSpec(stripVfio=true)` will have
+ // already removed it from `grpcSpec.Linux.Devices`), but it still
+ // records the host->guest PCI mapping into `sandbox.pcimap[cid]`.
+ // Without that mapping, `update_env_pci` cannot translate the
+ // `PCIDEVICE_=` env vars set by the SR-IOV device
+ // plugin and aborts the container creation with
+ // "No PCI mapping found for container ".
+ //
+ // `devManager.NewDevice` calls `FindDevice` first, which matches the
+ // already-cold-plugged sandbox-level device by HostPath/major/minor,
+ // so this does not double-attach.
+ if coldPlugVFIO {
 // DeviceInfo should still be added to the sandbox's device manager
 // if vfio_mode is VFIO and coldPlugVFIO is true (e.g. vfio-ap-cold).
 // This ensures that ociSpec.Linux.Devices is updated with
diff --git a/src/runtime/virtcontainers/kata_agent_test.go b/src/runtime/virtcontainers/kata_agent_test.go
index 4b27f0c07e..5b08271ad4 100644
--- a/src/runtime/virtcontainers/kata_agent_test.go
+++ b/src/runtime/virtcontainers/kata_agent_test.go
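Review bot: The context comment kept just below the new `if coldPlugVFIO {` still describes the old condition ("if vfio_mode is VFIO and coldPlugVFIO is true") and says the block updates `ociSpec.Linux.Devices`, which reads as a contradiction of the new comment's statement that in guest-kernel mode the /dev/vfio node is not materialised in the container spec. I would reword it to match the new condition, for example `// DeviceInfo is added to the sandbox's device manager whenever coldPlugVFIO is set (VFIO and guest-kernel mode alike).` The branch now runs for every VfioMode value, and keeping VFIO device nodes out of a guest-kernel container depends on the `constrainGRPCSpec` stripping and the `FindDevice` de-duplication that the comment cites, neither of which is visible here. The block body continues outside the hunk, so the claimed ordering ("will have already removed it") is worth confirming against the full createDevices function.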
@@ -1284,7 +1284,7 @@ func TestKataAgentCreateContainerVFIODevices(t *testing.T) {
 hotPlugVFIO: config.NoPort,
 coldPlugVFIO: config.BridgePort,
 vfioMode: config.VFIOModeGuestKernel,
- expectVFIODev: false,
+ expectVFIODev: true,
 },
 }
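Review bot: The guest-kernel cold-plug case now expects `expectVFIODev: true`, but nothing in this hunk pins the other half of the contract described in container.go, namely that no /dev/vfio device node is left in the container's spec in guest-kernel mode. If the table allows it, add an assertion for that next to this case and label the entry with a comment such as `// guest-kernel cold-plug: device reaches the agent for the PCI map only`. The test function's body lies outside the hunk, so the existing assertions may already cover part of this.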