Commit Graph

636 Commits

Author SHA1 Message Date
Fabiano Fidêncio
fefc0b75ab kata-deploy: nvidia: Default to the Job-based deployment mode
Switch the NVIDIA GPU example values file to install Kata via the
Job-based deployment mode (deploymentMode: job) instead of the
always-on, privileged DaemonSet, so that nothing keeps running on the
node once the install completes.

To exercise this in our CI, make the helm_helper aware of the deployment
mode coming from the (base) values file:

  - In "job" mode, clear job.nodeSelectorExpressions so the dispatcher
    targets every discovered node.  Our CI clusters are typically
    single-node, where the only node carries the control-plane label,
    and the default selector excludes control-plane/master nodes.

  - There is no always-on DaemonSet to wait on in "job" mode.  The
    dispatcher runs as a blocking post-install hook and the final
    per-node stage labels the node, so wait until at least one node
    carries the katacontainers.io/kata-runtime label as the
    "install complete" signal (dumping Job/pod logs on timeout).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-06-12 22:55:11 +02:00
LandonTClipp
6005f8a499 chore(docs): Add cspell makefile target for local testing
This makes it easier to check the spellchecker is happy before
submitting it as a PR.

Signed-off-by: LandonTClipp <lclipp@coreweave.com>
2026-06-12 22:24:18 +02:00
LandonTClipp
03c283edec chore(docs): Clarify dropIn runtime configuration
Clean the runtime configuration section by focusing first on the helm
configuration. Then, pivot into a further explanation on how the runtime
can be directly configured. Link to where these config parameters are
explained more in-depth.

Add open-in-new-tab (already downloaded in requirements.txt) in the
mkdocs plugin config so that links don't open in the same tab.

Signed-off-by: LandonTClipp <lclipp@coreweave.com>
2026-06-12 22:24:18 +02:00
Fabiano Fidêncio
aebadb1ab2 docs: document kata-deploy job deployment mode
Document the new opt-in deploymentMode: job alongside the default
DaemonSet model in the maintained docs (not just the chart README):

  - helm-configuration.md: add a "Deployment Modes (DaemonSet vs Job)"
    section covering the dispatcher-driven staged install/cleanup
    pipelines, why a dispatcher is used instead of Helm-rendered per-node
    Jobs (O(1) release, guaranteed coverage, paced rollout, explicit
    privilege split), the "re-run helm upgrade to cover newly added
    nodes" model (no always-on reconcile component), and the
    node-selection precedence (job.nodes > job.nodeSelector +
    job.nodeSelectorExpressions) that defaults to worker nodes.
  - installation.md: note that the DaemonSet is the default but no longer
    the only model, linking to the section above.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-06-12 18:58:33 +02:00
Zvonko Kaiser
a2ad9b458e Merge pull request #13215 from stevenhorsman/docs/python-cve-fixes-12th-june-2026
fix: pin idna and pymdown-extensions to remediate CVEs
2026-06-12 12:18:03 -04:00
Fabiano Fidêncio
110843d6e1 Merge pull request #13138 from manuelh-dev/mahuber/runt-rs-mem-file-removal
runtime(-rs): remove file_mem_backend config option
2026-06-12 17:13:04 +02:00
stevenhorsman
3c3f754f3f fix: pin idna and pymdown-extensions to remediate CVEs
Pin idna to 3.15 and pymdown-extensions to 10.21.3 to address
security vulnerabilities:

- GHSA-65pc-fj4g-8rjx (idna, severity 6.9)
- GHSA-62q4-447f-wv8h (pymdown-extensions, severity 4.3)
- GHSA-r6h4-mm7h-8pmq (pymdown-extensions, severity 2.7)

These dependencies were previously transitive and vulnerable.
They are now explicitly pinned to secure versions.

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-12 13:28:58 +01:00
Manuel Huber
70d8f1bf3d runtime: remove file_mem_backend config option
Remove the Go runtime file_mem_backend and valid_file_mem_backends
config knobs, along with the corresponding sandbox annotation handling.

The runtime still enables file-backed shared memory automatically for
virtio-fs by using /dev/shm as the backing directory. This only removes
the user-selectable backend path.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-12 00:07:16 +00:00
Manuel Huber
86fd65271c runtime-rs: remove file_mem_backend config option
While the config knob is being parsed, it is being unused in the
rust shim. This renders the config knob useless. Remove the
file_mem_backend config option as there are no current users for it.
As this option is being usable in the go shim, we leave it intact.

For the rust shim, /dev/shm is still being used in a similar way to
the go shim when filesystem sharing is enabled (virtio-fs). Future
use cases where other file_mem_backends are being utilized are
currently planning to define these backends in a similar manner:
based on the configuration/platform, determine the proper file
memory backend, but do not let end users determine the file memory
backend.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-06-12 00:07:16 +00:00
Alex Lyn
4eb7512e7b docs: Update how-to guide for virtio-fs-nydus with runtime-rs
Add comprehensive documentation for using virtio-fs-nydus shared
filesystem with Kata Containers. This guide covers:
(1) Clarify configuration options for virtio-fs-nydus and nydus image
    preparation and usage.
(2) Update daemon configuration and lifecycle management and introduce
    standalone, inline nydus architecture.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-06-11 21:42:48 +02:00
Fabiano Fidêncio
21657b9cd9 Merge pull request #13147 from manuelh-dev/mahuber/debug-go-rust
runtime-rs: Honor enable_debug for logs and adjust debugging documentation
2026-06-11 08:57:36 +02:00
Fabiano Fidêncio
2b6efda67d docs: document the standalone kata-monitor image
kata-monitor is published as a standalone container image starting
with 3.32.0; point users at it from the metrics design doc and the
Prometheus-on-Kubernetes how-to, and switch the DaemonSet manifest to
the dedicated image (keeping the runtime endpoint/listen settings and
hostPath cleanups).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-09 14:33:30 +02:00
Fabiano Fidêncio
b119b051cb kata-deploy: support drop-in configs for default runtimes
Allow operators to provide per-shim drop-in TOML for built-in runtimes
and reconcile stale override files so upgrades and migrations remain
safe when drop-ins are added or removed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Codex
2026-06-08 13:31:03 +02:00
Fabiano Fidêncio
2440b5940b docs: add composable VM images design proposal
Add an RFC document describing the composable image architecture that
replaces monolithic guest rootfs images with a lean base image plus
purpose-specific addon images cold-plugged as virtio-blk devices.

The proposal covers the runtime configuration (extra_images), host-side
cold-plugging, guest-side mounting via systemd and dm-verity, agent-side
dynamic path resolution, the image build pipeline, and the security
model.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-07 13:58:17 +02:00
stevenhorsman
b737ae48bf trace-forwarder: migrate from Jaeger to OTLP exporter
Migrate trace-forwarder from the deprecated opentelemetry-jaeger
exporter to the modern opentelemetry-otlp exporter.

This change remediates GHSA-2f9f-gq7v-9h6m (CVE-2026-43868), a
medium-severity vulnerability in Apache Thrift. The opentelemetry-jaeger
crate is no longer maintained and depends on vulnerable thrift versions
(0.13.0 and 0.16.0). The opentelemetry-otlp exporter does not use thrift
and is actively maintained.

Changes:
- Replace opentelemetry-jaeger with opentelemetry-otlp in Cargo.toml
- Update tracer.rs to use OTLP exporter instead of Jaeger exporter
- Replace --jaeger-host/--jaeger-port flags with --otlp-endpoint flag
- Update server.rs to use TracerProvider instead of SpanExporter
- Update documentation to reflect OTLP migration
- Add examples for common OTLP-compatible collectors

Breaking change: Users must update their trace-forwarder invocations
to use --otlp-endpoint instead of --jaeger-host and --jaeger-port.

Default endpoint: http://localhost:4317 (OTLP gRPC)

Generated-by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-06-04 19:39:47 +01:00
Manuel Huber
fbc5c99807 docs: Clarify runtime-rs debug logging
Update the debugging guidance to explain the shared enable_debug
baseline for Go and runtime-rs. Document runtime-rs component log_level
controls and clarify that containerd debug is not required for
runtime-rs Kata logs in journald.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
2026-06-01 21:29:08 +00:00
Fabiano Fidêncio
3dc02a8604 Merge pull request #13085 from Apokleos/erofs-gpt-vmdk-only
runtime-rs: Support erofs snapshotter with gpt vmdk mode
2026-05-25 16:29:59 +02:00
Alex Lyn
53699b0170 docs: Reset max_unmerged_layers = 0 for gpt+vmdk mode
As max_unmerged_layers = 1 is just for fsmerge mode, as containerd
temporarily does not support fsmerge, we just reset it with default 0.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-05-25 19:13:28 +08:00
Fabiano Fidêncio
f763e9cca9 tests: Add NUMA topology / GPU placement tests to the NV CIs
Add k8s-nvidia-numa.bats with five tests that validate NUMA behaviour
on hosts where NUMA is configured by default (qemu-nvidia-gpu,
qemu-nvidia-gpu-snp, qemu-nvidia-gpu-tdx):

1. Multi-node sandbox (large workload spanning all host NUMA nodes):
   - Guest NUMA node count matches host
   - Guest vCPU distribution is balanced across nodes (max-min <= 1)
   - Guest memory is distributed across NUMA nodes
   - Host-side vCPU pinning is balanced across NUMA nodes

2. Right-sized single-node sandbox (small workload fitting one node):
   - Guest collapses to a single NUMA node
   - All host vCPU threads pinned to that one NUMA node

3. GPU passthrough with VFIO, multi-node:
   - Guest NUMA topology is balanced (same as test 1)
   - Guest GPU's NUMA node matches the host GPU's NUMA node
     (resolved via the vfio-pci,host=<BDF> from the QEMU command
     line and /sys/bus/pci/devices/<BDF>/numa_node)
   - QEMU command line contains pxb-pcie and policy=bind
   - Host vCPU pinning is balanced

4. GPU passthrough with VFIO, right-sized single-node: small workload
   plus GPU that fits in a single host NUMA node:
   - Guest collapses to a single NUMA node
   - The chosen node is the GPU's host NUMA node, not just any node
     that fits — verified by matching host-nodes= in the memory
     backend and pxb-pcie numa_node= against the GPU's host node
   - Guest GPU reports the same NUMA node as the host GPU

5. Explicit numa_mapping in the runtime TOML (QEMU-only):
   - Drops a config.d/ fragment that sets numa_mapping = ["1"], so the
     auto-derive + right-sizing path is bypassed entirely
   - Guest sees exactly 1 NUMA node
   - QEMU memory backend is bound to host node 1 (host-nodes=1,
     policy=bind), not host node 0
   - Host-side vCPU threads land on host node 1
   - Drop-in is removed on teardown so subsequent tests are unaffected

Guest-side checks use a dedicated container image
(quay.io/kata-containers/numa) that reads sysfs and prints results to
stdout — no kubectl exec or CoCo policy overrides needed.

Host-side checks (crictl, pgrep, taskset) run directly on the host
via sudo; a standalone numa-pinning-check.sh script handles the vCPU
thread affinity inspection.  The config.d/ helpers used by test 5 are
runtime-agnostic (probe Go vs runtime-rs layout on disk) but the test
is gated to qemu-* shims since runtime-rs does not yet implement
NUMA.

Skips cleanly on single-NUMA hosts, unsupported hypervisors, or when
no nvidia.com/pgpu resources are available (GPU tests only).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-24 22:00:46 +02:00
Fabiano Fidêncio
20705470e9 docs: Add NUMA support guide for Kata Containers with QEMU
Add a step-by-step how-to guide covering host inspection, Kata NUMA
drop-in setup (via kata-deploy Helm and manual config.d/), pod
deployment examples, and guest/host verification procedures.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-24 22:00:46 +02:00
Fabiano Fidêncio
ffa59ce3aa Merge commit from fork
runtime: disable virtiofsd extra-args annotation by default
2026-05-19 08:22:12 +02:00
Aurélien Bombo
83e20877d8 Merge pull request #12882 from stevenhorsman/runtime-rs/cdh_api_timeout
runtime-rs: Add cdh_api_timeout configuration parameter
2026-05-18 15:38:27 -05:00
pavithiran34
83ea8e0915 fix: add click 8.3.3 to docs requirements
- Added click==8.3.3 to docs/requirements.txt
- Click 8.3.3 is the latest version for Python >=3.10
- Required for mkdocs toolchain compatibility and resolves vulnerability in indirect dependencies
- Ref : CVE-2026-7246

Signed-off-by: pavithiran34 <pavithiran.p@ibm.com>
2026-05-13 10:11:58 +01:00
stevenhorsman
7aa3f7777a runtime-rs: Actually send cdh_api_timeout as kernel_param
The cdh_api_timeout_ms configuration parameter wasn't being used
anywhere, so add the logic to process it as an annotation into the runtime-rs
agent config and then use that as a kernel_param.

Assisted-by IBM Bob

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-12 08:41:05 +01:00
Fabiano Fidêncio
c945d2701c runtime: disable virtiofsd extra-args annotation by default
Keep virtio_fs_extra_args support in code, but remove it from default
enable_annotations and add explicit security warnings in Makefiles and
docs.

Release-note note: mirror this hardening in release notes so operators
know this remains opt-in and carries host-side risk when enabled.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-09 13:21:39 +02:00
Rajat Chopra
4a19262efb docs: fix nvidia config for device plugin
Description: the config for gpu operator for Nvidia kata containers device
plugin needs to be revised. The older one attributes to vgpu/kubevirt use case.

Signed-off-by: Rajat Chopra <rajatc@nvidia.com>
2026-05-04 11:03:58 -07:00
Aurélien Bombo
e4fbddb91a ci: rename cloud-hypervisor to clh-runtime-rs
This aligns on qemu-runtime-rs and makes more sense.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-04-28 10:58:01 -05:00
Fabiano Fidêncio
3ef2c5db65 docs: docker: Update docs to mention runtime-rs and what's tested
Now that we're adding support for the rust runtime, let's also update
the docs.

We may also need to update the docs again once we start testing with
different VMMs, but that's not in the scope for this PR.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-28 10:22:21 +02:00
Alex Tibbles
90286d3072 docs: add a simple how-to on using kata from docker
Create a new how-to covering simple installation and configuration of
kata as a docker daemon runtime.

Signed-off-by: Alex Tibbles <alex@bleg.org>
2026-04-27 17:51:13 +02:00
Fabiano Fidêncio
56c6f8bbb2 docs: Fix shellcheck issues in offline_cpu.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
47dea24409 Merge pull request #12895 from fidencio/topic/kata-deploy-avoid-shipping-what-we-do-not-test
kata-deploy: Remove arm64 and qemu-cca shim support
2026-04-22 15:42:43 +02:00
Fabiano Fidêncio
9b62021049 kata-deploy: Remove untested arm64 and qemu-cca shim support
We should not ship configurations that we do not actively test.

This commit drops the following from the kata-deploy helm chart:

values.yaml:
- arm64 from supportedArches for the clh shim
- arm64 from supportedArches for the cloud-hypervisor shim
- arm64 from supportedArches for the dragonball shim
- arm64 from supportedArches for the fc shim
- arm64 from supportedArches for the qemu-nvidia-gpu shim
- the entire qemu-cca shim definition

try-kata-tee.values.yaml:
- CCA from the file description comment
- qemu-cca from the TEE shims list comment
- the entire qemu-cca shim definition
- arm64: qemu-cca from the defaultShim mapping, replaced with
  arm64: qemu-coco-dev-runtime-rs (which is tested)

try-kata-nvidia-gpu.values.yaml:
- arm64 from supportedArches for the qemu-nvidia-gpu shim
- arm64: qemu-nvidia-gpu from the defaultShim mapping

Once arm64 and qemu-cca support are properly tested, they can be
re-added.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-22 10:55:29 +02:00
Alex Lyn
978f40d631 docs: Remove obsolete and update documentation index
This commit prunes the documentation tree by removing files
that are either no longer relevant to the current architecture
or have been superseded by newer guides.

Specifically, the doc Intel-Discrete-GPU-passthrough-and-Kata.md
and update using-Intel-QAT-and-kata.md index in nav.yaml

Refining the documentation helps ensure that new contributors
find accurate and up-to-date information.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-04-22 16:29:46 +08:00
Alex Lyn
59609463e0 docs: Update kernel modules loading document
- Restructure document with clearer sections and better readability
- Add configuration format examples for both runtimes
- Add technical details including data flow and implementation references
- Add debugging section for troubleshooting

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-04-22 16:29:46 +08:00
Alex Lyn
d6308ffb8c docs: Update SPDK vhost-user guide with CSI driver
- Add support for runtime-rs with Dragonball
- Add CSI driver integration method for Kubernetes
- Add kata-ctl direct-volume method for manual setup
- Preserve SPDK vhost-user Target Overview principles
- Fix minor typo (can exposes -> can expose)

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-04-22 16:29:46 +08:00
Alex Lyn
27341f45f1 docs: Add how-to guide for using fsmerged EROFS rootfs with Kata
Document the end-to-end workflow for using the containerd EROFS
snapshotter with Kata Containers runtime-rs, covering containerd
configuration, Kata QEMU settings, and pod deployment examples
via crictl/ctr/Kubernetes.

Include prerequisites (containerd >= 2.2, runtime-rs main branch),
QEMU VMDK format verification command, architecture diagram,
VMDK descriptor format reference, and troubleshooting guide.

Note that Cloud Hypervisor, Firecracker, and Dragonball do not
support VMDK block devices and are currently unsupported for
fsmerged EROFS rootfs.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-04-19 13:24:31 +02:00
Fabiano Fidêncio
588a67a3fb kata-deploy: add arm64 support for qemu-coco-dev shims
Add aarch64/arm64 to the list of supported architectures for
qemu-coco-dev and qemu-coco-dev-runtime-rs shims across kata-deploy
configuration, Helm chart values, and test helper scripts.

Note that guest-components and the related build dependencies are not
yet wired for arm64 in these configurations; those will be addressed
separately.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor
2026-04-18 00:48:13 +02:00
Fabiano Fidêncio
d9128a58d9 Merge pull request #11611 from Xynnn007/docs-typo
docs: fix nerdctl guest image command
2026-04-16 15:36:37 +02:00
Fabiano Fidêncio
78a8133112 Merge pull request #12242 from stevenhorsman/msrv-current-thoughts
doc: Add MSRV comments to toolchain guidance
2026-04-16 14:09:30 +02:00
stevenhorsman
05430d5690 doc: Add MSRV comments to toolchain guidance
Add some extra clarification about our current position on
MSRV.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-16 12:06:46 +01:00
Xynnn007
1d806e0cfa docs: fix nerdctl guest image command
The image name is delivered via annotation rather than label in nerdctl >= 2.0
version.

See the release note
https://github.com/containerd/nerdctl/releases/tag/v2.0.0

and PR
https://github.com/containerd/nerdctl/pull/2906

If an old version of nerdctl (< 2.0), --label will still work.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2026-04-16 11:34:03 +02:00
LandonTClipp
56cdfa831f docs: Add annotation config to doc site
Adding the pod annotation config to the doc site. A symlink is created
at docs/pod-annotations.md that points to
how-to/how-to-set-sandbox-config-kata.md so that the URL for this file will be
created at `/pod-annotations`. Also adding brief contributing guidelines and
how-to's for running the documentation site locally for local previews.

Signed-off-by: LandonTClipp <11232769+LandonTClipp@users.noreply.github.com>
2026-04-15 14:48:01 +01:00
dependabot[bot]
b54f02aa6c build(deps): bump pillow from 12.1.1 to 12.2.0 in /docs
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](https://github.com/python-pillow/Pillow/compare/12.1.1...12.2.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-version: 12.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 14:40:14 +00:00
Tobin Feldman-Fitzthum
9119b4982c docs: update flow for setting nvidia devices to ready
Now, we include the nvrc.smi.srs=1 flag in the default kernel cmdline.
Thus, we can remove the guidance for people to add it themselves when
not using attestation. In fact, users don't really need to know about
this flag at all.

Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
2026-04-08 18:59:51 +00:00
Manuel Huber
0fd4559f7e docs: Update NVIDIA GPU passthrough QEMU scenario
Updates for the NVIDIA GPU passthrough scenario for the
kata-containers release 3.29.0.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-04-07 14:58:40 +02:00
Alex Lyn
7dce05b5fc docs: Update the pictures of kata 4.0 with mermaid codes
It becomes simple and flexible with mermaid codes to update
the pic or diagrams. And it also removes the legacy PNG pictures
to reduce the kata-statics release file size.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-03-29 19:17:03 +02:00
Alex Lyn
302b2c8d75 docs: Restructure and modernize virtualization design document
Comprehensive rewrite of docs/design/virtualization.md to improve
clarity, completeness, and usability.

This document now serves as the authoritative guide for
understanding and selecting hypervisors in Kata Containers deployments.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-03-29 19:17:03 +02:00
Alex Lyn
7fa68ffd52 docs: Consolidate hypervisor documentation in virtualization.md
Add 'Choose a Hypervisor', 'Hypervisor Configuration Files', and
'Hypervisor Versions' sections to virtualization.md.

Key changes:
- Integrate hypervisor comparison table from hypervisors.md
- Add configuration file reference table for both go and rust runtimes
- Add current hypervisor versions from versions.yaml:
  - Cloud Hypervisor: v51.1
  - Firecracker: v1.12.1
  - QEMU: v10.2.1
  - StratoVirt: v2.3.0
  - Dragonball: builtin (part of rust runtime)
- Preserve original structure documenting each hypervisor's device model
  and features
- Add reference links for all hypervisors

This consolidates hypervisor selection guidance and version information
into a single comprehensive virtualization design document.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-03-29 19:17:03 +02:00
Alex Lyn
119a145923 docs: Upgrade architecture documentation from 3.0 to 4.0
Replace Kata 3.0 architecture docs with Kata 4.0 (Rust Runtime)
documentation.

Key changes:
- Remove deprecated architecture 3.0 documentation
- Add comprehensive Kata 4.0 architecture guide covering:
  - Unified single-binary architecture
  - Built-in Dragonball VMM integration
  - Async I/O model with Tokio
  - Layered architecture design
  - Modular resource manager
  - Extensible framework for multiple container types

The new documentation reflects the production-ready Rust runtime
with improved performance and reduced resource consumption.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-03-29 19:17:03 +02:00
Alex Lyn
9f6bce9517 docs: Remove containerd settings from crio dedicated document
As the document is just for CRI-O, we need to remove containerd related
settings from it and make it clear for users.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-03-29 19:17:03 +02:00