runtime-rs: fix the issue of hot-unplug memory smaller

It should do nothing instead of return an error when
hot-unplug the memory to the size smaller than static
plugged memory size.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>

.github/actionlint.yaml

@@ -7,20 +7,28 @@
 self-hosted-runner:
   # Labels of self-hosted runner that linter should ignore
   labels:
+    - amd64-nvidia-a100
+    - amd64-nvidia-h100-snp
     - arm64-k8s
-    - ubuntu-22.04-arm
+    - containerd-v1.7-overlayfs
+    - containerd-v2.0-overlayfs
+    - containerd-v2.1-overlayfs
+    - containerd-v2.2
+    - containerd-v2.2-overlayfs
     - garm-ubuntu-2004
     - garm-ubuntu-2004-smaller
     - garm-ubuntu-2204
     - garm-ubuntu-2304
     - garm-ubuntu-2304-smaller
     - garm-ubuntu-2204-smaller
-    - k8s-ppc64le
-    - metrics
     - ppc64le
+    - ppc64le-k8s
+    - ppc64le-small
+    - ubuntu-24.04-ppc64le
+    - metrics
     - riscv-builder
     - sev-snp
     - s390x
     - s390x-large
     - tdx
-    - amd64-nvidia-a100
+    - ubuntu-22.04-arm

.github/workflows/actionlint.yaml

@@ -3,23 +3,16 @@ name: Lint GHA workflows
 on:
   workflow_dispatch:
   pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-    paths:
-      - '.github/workflows/**'
 
 permissions: {}
 
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
   run-actionlint:
+    name: run-actionlint
     env:
       GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04

.github/workflows/basic-ci-amd64.yaml

@@ -17,6 +17,7 @@ permissions: {}
 
 jobs:
   run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
     strategy:
       # We can set this to true whenever we're 100% sure that
       # the all the tests are not flaky, otherwise we'll fail
@@ -65,11 +66,12 @@ jobs:
         run: bash tests/integration/cri-containerd/gha-run.sh run
 
   run-containerd-stability:
+    name: run-containerd-stability
     strategy:
       fail-fast: false
       matrix:
         containerd_version: ['lts', 'active']
-        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'stratovirt']
+        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu']
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -107,6 +109,7 @@ jobs:
         run: bash tests/stability/gha-run.sh run
 
   run-nydus:
+    name: run-nydus
     strategy:
       # We can set this to true whenever we're 100% sure that
       # the all the tests are not flaky, otherwise we'll fail
@@ -114,7 +117,7 @@ jobs:
       fail-fast: false
       matrix:
         containerd_version: ['lts', 'active']
-        vmm: ['clh', 'qemu', 'dragonball', 'stratovirt']
+        vmm: ['clh', 'qemu', 'dragonball']
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -152,6 +155,7 @@ jobs:
         run: bash tests/integration/nydus/gha-run.sh run
 
   run-runk:
+    name: run-runk
     # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
     if: false
     runs-on: ubuntu-22.04
@@ -187,6 +191,7 @@ jobs:
         run: bash tests/integration/runk/gha-run.sh run
 
   run-tracing:
+    name: run-tracing
     strategy:
       fail-fast: false
       matrix:
@@ -231,6 +236,7 @@ jobs:
         run: bash tests/functional/tracing/gha-run.sh run
 
   run-vfio:
+    name: run-vfio
     strategy:
       fail-fast: false
       matrix:
@@ -274,6 +280,7 @@ jobs:
         run: bash tests/functional/vfio/gha-run.sh run
 
   run-docker-tests:
+    name: run-docker-tests
     strategy:
       # We can set this to true whenever we're 100% sure that
       # all the tests are not flaky, otherwise we'll fail them
@@ -317,6 +324,7 @@ jobs:
         run: bash tests/integration/docker/gha-run.sh run
 
   run-nerdctl-tests:
+    name: run-nerdctl-tests
     strategy:
       # We can set this to true whenever we're 100% sure that
       # all the tests are not flaky, otherwise we'll fail them
@@ -376,6 +384,7 @@ jobs:
           retention-days: 1
 
   run-kata-agent-apis:
+    name: run-kata-agent-apis
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/basic-ci-s390x.yaml

@@ -17,6 +17,7 @@ permissions: {}
 
 jobs:
   run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
     strategy:
       # We can set this to true whenever we're 100% sure that
       # the all the tests are not flaky, otherwise we'll fail
@@ -65,6 +66,7 @@ jobs:
         run: bash tests/integration/cri-containerd/gha-run.sh run
 
   run-containerd-stability:
+    name: run-containerd-stability
     strategy:
       fail-fast: false
       matrix:
@@ -106,6 +108,7 @@ jobs:
         run: bash tests/stability/gha-run.sh run
 
   run-docker-tests:
+    name: run-docker-tests
     strategy:
       # We can set this to true whenever we're 100% sure that
       # all the tests are not flaky, otherwise we'll fail them

.github/workflows/build-checks-preview-riscv64.yaml

@@ -17,6 +17,7 @@ permissions: {}
 name: Build checks preview riscv64
 jobs:
   check:
+    name: check
     runs-on: ${{ inputs.instance }}
     strategy:
       fail-fast: false
@@ -123,9 +124,11 @@ jobs:
           echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
       - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
         run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          ${COMMAND}
         env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
           RUST_BACKTRACE: "1"
           RUST_LIB_BACKTRACE: "0"
           SKIP_GO_VERSION_CHECK: "1"

.github/workflows/build-checks.yaml

@@ -11,7 +11,8 @@ permissions: {}
 name: Build checks
 jobs:
   check:
-    runs-on: ${{ inputs.instance }}
+    name: check
+    runs-on: ${{ matrix.component.name == 'runtime' && inputs.instance == 'ubuntu-24.04-s390x' && 's390x' || matrix.component.name == 'runtime' && inputs.instance == 'ubuntu-24.04-ppc64le' && 'ppc64le' || inputs.instance }}
     strategy:
       fail-fast: false
       matrix:
@@ -46,6 +47,7 @@ jobs:
             path: src/libs
             needs:
               - rust
+              - protobuf-compiler
           - name: agent-ctl
             path: src/tools/agent-ctl
             needs:
@@ -56,6 +58,7 @@ jobs:
             path: src/tools/kata-ctl
             needs:
               - rust
+              - protobuf-compiler
           - name: trace-forwarder
             path: src/tools/trace-forwarder
             needs:
@@ -126,9 +129,11 @@ jobs:
           echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
       - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
         run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
         env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
           RUST_BACKTRACE: "1"
           RUST_LIB_BACKTRACE: "0"
           SKIP_GO_VERSION_CHECK: "1"

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -30,6 +30,7 @@ permissions: {}
 
 jobs:
   build-asset:
+    name: build-asset
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -62,7 +63,6 @@ jobs:
           - qemu
           - qemu-snp-experimental
           - qemu-tdx-experimental
-          - stratovirt
           - trace-forwarder
           - virtiofsd
         stage:
@@ -96,7 +96,6 @@ jobs:
       - name: Build ${{ matrix.asset }}
         id: build
         run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
           make "${KATA_ASSET}-tarball"
           build_dir=$(readlink -f build)
           # store-artifact does not work with symlink
@@ -110,12 +109,15 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: Parse OCI image name and digest
         id: parse-oci-segments
         if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
         run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
           echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
           echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
 
@@ -157,6 +159,7 @@ jobs:
           if-no-files-found: error
 
   build-asset-rootfs:
+    name: build-asset-rootfs
     runs-on: ubuntu-22.04
     needs: build-asset
     permissions:
@@ -203,7 +206,6 @@ jobs:
       - name: Build ${{ matrix.asset }}
         id: build
         run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
           ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
           make "${KATA_ASSET}-tarball"
           build_dir=$(readlink -f build)
@@ -218,6 +220,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: store-artifact ${{ matrix.asset }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -229,6 +232,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
     runs-on: ubuntu-22.04
     needs: build-asset-rootfs
     strategy:
@@ -246,6 +250,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
     runs-on: ubuntu-22.04
     needs: build-asset-rootfs
     strategy:
@@ -259,6 +264,7 @@ jobs:
           name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
 
   build-asset-shim-v2:
+    name: build-asset-shim-v2
     runs-on: ubuntu-22.04
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
     permissions:
@@ -320,6 +326,7 @@ jobs:
           if-no-files-found: error
 
   create-kata-tarball:
+    name: create-kata-tarball
     runs-on: ubuntu-22.04
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -23,11 +23,14 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: false
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
 jobs:
   build-asset:
+    name: build-asset
     runs-on: ubuntu-22.04-arm
     permissions:
       contents: read
@@ -44,10 +47,10 @@ jobs:
           - kernel
           - kernel-dragonball-experimental
           - kernel-nvidia-gpu
+          - kernel-cca-confidential
           - nydus
           - ovmf
           - qemu
-          - stratovirt
           - virtiofsd
     env:
       PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
@@ -87,12 +90,15 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: Parse OCI image name and digest
         id: parse-oci-segments
         if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
         run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
           echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
           echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
 
@@ -134,6 +140,7 @@ jobs:
           if-no-files-found: error
 
   build-asset-rootfs:
+    name: build-asset-rootfs
     runs-on: ubuntu-22.04-arm
     needs: build-asset
     permissions:
@@ -189,6 +196,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: store-artifact ${{ matrix.asset }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -200,6 +208,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
     runs-on: ubuntu-22.04-arm
     needs: build-asset-rootfs
     strategy:
@@ -214,6 +223,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
     runs-on: ubuntu-22.04-arm
     needs: build-asset-rootfs
     strategy:
@@ -227,6 +237,7 @@ jobs:
           name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
 
   build-asset-shim-v2:
+    name: build-asset-shim-v2
     runs-on: ubuntu-22.04-arm
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
     permissions:
@@ -286,6 +297,7 @@ jobs:
           if-no-files-found: error
 
   create-kata-tarball:
+    name: create-kata-tarball
     runs-on: ubuntu-22.04-arm
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:

.github/workflows/build-kata-static-tarball-ppc64le.yaml

@@ -28,10 +28,11 @@ permissions: {}
 
 jobs:
   build-asset:
+    name: build-asset
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
     strategy:
       matrix:
         asset:
@@ -87,7 +88,8 @@ jobs:
           if-no-files-found: error
 
   build-asset-rootfs:
-    runs-on: ppc64le
+    name: build-asset-rootfs
+    runs-on: ppc64le-small
     needs: build-asset
     permissions:
       contents: read
@@ -153,6 +155,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
     runs-on: ubuntu-22.04
     needs: build-asset-rootfs
     strategy:
@@ -166,7 +169,8 @@ jobs:
           name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
 
   build-asset-shim-v2:
-    runs-on: ppc64le
+    name: build-asset-shim-v2
+    runs-on: ppc64le-small
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
       contents: read
@@ -225,7 +229,8 @@ jobs:
           if-no-files-found: error
 
   create-kata-tarball:
-    runs-on: ppc64le
+    name: create-kata-tarball
+    runs-on: ppc64le-small
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-riscv64.yaml

@@ -28,6 +28,7 @@ permissions: {}
 
 jobs:
   build-asset:
+    name: build-asset
     runs-on: riscv-builder
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -31,6 +31,7 @@ permissions: {}
 
 jobs:
   build-asset:
+    name: build-asset
     runs-on: s390x
     permissions:
       contents: read
@@ -90,8 +91,10 @@ jobs:
       - name: Parse OCI image name and digest
         id: parse-oci-segments
         if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          ASSET: ${{ matrix.asset }}
         run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${ASSET}-oci-image")"
           echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
           echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
 
@@ -119,6 +122,7 @@ jobs:
           if-no-files-found: error
 
   build-asset-rootfs:
+    name: build-asset-rootfs
     runs-on: s390x
     needs: build-asset
     permissions:
@@ -186,6 +190,7 @@ jobs:
           if-no-files-found: error
 
   build-asset-boot-image-se:
+    name: build-asset-boot-image-se
     runs-on: s390x
     needs: [build-asset, build-asset-rootfs]
     permissions:
@@ -235,6 +240,7 @@ jobs:
 
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
     runs-on: ubuntu-22.04
     needs: [build-asset-rootfs, build-asset-boot-image-se]
     strategy:
@@ -250,6 +256,7 @@ jobs:
           name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}
 
   build-asset-shim-v2:
+    name: build-asset-shim-v2
     runs-on: s390x
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
@@ -311,6 +318,7 @@ jobs:
           if-no-files-found: error
 
   create-kata-tarball:
+    name: create-kata-tarball
     runs-on: s390x
     needs:
       - build-asset

.github/workflows/cargo-deny-runner.yaml

@@ -15,6 +15,7 @@ permissions: {}
 
 jobs:
   cargo-deny-runner:
+    name: cargo-deny-runner
     runs-on: ubuntu-22.04
 
     steps:

.github/workflows/ci-nightly-s390x.yaml

@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   check-internal-test-result:
+    name: check-internal-test-result
     runs-on: s390x
     strategy:
       fail-fast: false

.github/workflows/ci-on-push.yaml

@@ -1,6 +1,6 @@
 name: Kata Containers CI
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
     branches:
       - 'main'
     types:

.github/workflows/ci-weekly.yaml

@@ -66,6 +66,7 @@ jobs:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
     permissions:
       contents: read
       packages: write

.github/workflows/ci.yaml

@@ -86,6 +86,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-arm64:
     needs: build-kata-static-tarball-arm64
@@ -177,12 +179,13 @@ jobs:
       tag: ${{ inputs.tag }}-ppc64le
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
       arch: ppc64le
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
     permissions:
       contents: read
       packages: write
@@ -224,6 +227,7 @@ jobs:
           file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
 
   publish-csi-driver-amd64:
+    name: publish-csi-driver-amd64
     needs: build-kata-static-tarball-amd64
     permissions:
       contents: read
@@ -307,18 +311,6 @@ jobs:
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 
-  run-k8s-tests-on-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-amd64.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
   run-k8s-tests-on-arm64:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: publish-kata-deploy-payload-arm64
@@ -437,13 +429,11 @@ jobs:
           { containerd_version: lts,    vmm: clh              },
           { containerd_version: lts,    vmm: dragonball       },
           { containerd_version: lts,    vmm: qemu             },
-          { containerd_version: lts,    vmm: stratovirt       },
           { containerd_version: lts,    vmm: cloud-hypervisor },
           { containerd_version: lts,    vmm: qemu-runtime-rs  },
           { containerd_version: active, vmm: clh              },
           { containerd_version: active, vmm: dragonball       },
           { containerd_version: active, vmm: qemu             },
-          { containerd_version: active, vmm: stratovirt       },
           { containerd_version: active, vmm: cloud-hypervisor },
           { containerd_version: active, vmm: qemu-runtime-rs  },
          ]
@@ -491,7 +481,7 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
       arch: ppc64le
       containerd_version: ${{ matrix.params.containerd_version }}
       vmm: ${{ matrix.params.vmm }}

.github/workflows/cleanup-resources.yaml

@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   cleanup-resources:
+    name: cleanup-resources
     runs-on: ubuntu-22.04
     permissions:
       id-token: write # Used for OIDC access to log into Azure

.github/workflows/darwin-tests.yaml

@@ -15,8 +15,17 @@ concurrency:
 name: Darwin tests
 jobs:
   test:
+    name: test
     runs-on: macos-latest
     steps:
+    - name: Install Protoc
+      run: |
+        f=$(mktemp)
+        curl -sSLo "$f" https://github.com/protocolbuffers/protobuf/releases/download/v28.2/protoc-28.2-osx-aarch_64.zip
+        mkdir -p "$HOME/.local"
+        unzip -d "$HOME/.local" "$f"
+        echo "$HOME/.local/bin" >> "${GITHUB_PATH}"
+
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
@@ -27,5 +36,8 @@ jobs:
         ./tests/install_go.sh -f -p
         echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
+    - name: Install Rust
+      run: ./tests/install_rust.sh
+
     - name: Build utils
       run: ./ci/darwin-test.sh

.github/workflows/docs-url-alive-check.yaml

@@ -1,12 +1,14 @@
 on:
   schedule:
     - cron:  '0 23 * * 0'
+  workflow_dispatch:
 
 permissions: {}
 
 name: Docs URL Alive Check
 jobs:
   test:
+    name: test
     runs-on: ubuntu-22.04
     # don't run this action on forks
     if: github.repository_owner == 'kata-containers'
@@ -15,13 +17,12 @@ jobs:
     steps:
     - name: Set env
       run: |
-        echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
+        echo "GOPATH=${GITHUB_WORKSPACE}" >> "$GITHUB_ENV"
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
         persist-credentials: false
-        path: ./src/github.com/${{ github.repository }}
 
     - name: Install golang
       run: |
@@ -30,4 +31,4 @@ jobs:
 
     - name: Docs URL Alive Check
       run: |
-        cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
+        make docs-url-alive-check

.github/workflows/gatekeeper-skipper.yaml

@@ -35,6 +35,7 @@ permissions: {}
 
 jobs:
   skipper:
+    name: skipper
     runs-on: ubuntu-22.04
     outputs:
       skip_build: ${{ steps.skipper.outputs.skip_build }}

.github/workflows/gatekeeper.yaml

@@ -5,7 +5,7 @@ name: Gatekeeper
 # reporting the status.
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
     types:
       - opened
       - synchronize
@@ -20,6 +20,7 @@ concurrency:
 
 jobs:
   gatekeeper:
+    name: gatekeeper
     runs-on: ubuntu-22.04
     permissions:
       actions: read

.github/workflows/govulncheck.yaml

@@ -7,6 +7,7 @@ permissions: {}
 
 jobs:
   govulncheck:
+    name: govulncheck
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -39,11 +40,14 @@ jobs:
       - name: Build runtime binaries
         run: |
           cd src/runtime
-          make ${{ matrix.make_target }}
+          make "${MAKE_TARGET}"
         env:
+          MAKE_TARGET: ${{ matrix.make_target }}
           SKIP_GO_VERSION_CHECK: "1"
 
       - name: Run govulncheck on ${{ matrix.binary }}
+        env:
+          BINARY: ${{ matrix.binary }}
         run: |
           cd src/runtime
-          bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"
+          bash ../../tests/govulncheck-runner.sh "./${BINARY}"

.github/workflows/kata-runtime-classes-sync.yaml

@@ -1,3 +1,5 @@
+name: kata-runtime-classes-sync
+
 on:
   pull_request:
     types:
@@ -14,6 +16,7 @@ concurrency:
 
 jobs:
   kata-deploy-runtime-classes-check:
+    name: kata-deploy-runtime-classes-check
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout code

.github/workflows/nydus-snapshotter-version-in-sync.yaml

@@ -0,0 +1,35 @@
+name: nydus-snapshotter-version-sync
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  nydus-snapshotter-version-check:
+    name: nydus-snapshotter-version-check
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+    - name: Ensure nydus-snapshotter-version is in sync inside our repo
+      run: |
+        dockerfile_version=$(grep "ARG NYDUS_SNAPSHOTTER_VERSION" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
+        versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
+        if [[ "${dockerfile_version}" != "${versions_version}" ]]; then
+          echo "nydus-snapshotter version must be the same in the following places: "
+          echo "- versions.yaml: ${versions_version}"
+          echo "- tools/packaging/kata-deploy/Dockerfile: ${dockerfile_version}"
+          exit 1
+        fi

.github/workflows/payload-after-push.yaml

@@ -39,6 +39,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-assets-s390x:
     permissions:
@@ -130,12 +131,13 @@ jobs:
       repo: kata-containers/kata-deploy-ci
       tag: kata-containers-latest-ppc64le
       target-branch: ${{ github.ref_name }}
-      runner: ppc64le
+      runner: ppc64le-small
       arch: ppc64le
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   publish-manifest:
+    name: publish-manifest
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -160,3 +162,42 @@ jobs:
         env:
           KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
           KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
+
+  upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
+    needs: publish-manifest
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: write # needed to push the helm chart to ghcr.io
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        id: install
+
+      - name: Login to the OCI registries
+        env:
+          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+
+      - name: Push helm chart to the OCI registries
+        run: |
+          echo "Adjusting the Chart.yaml and values.yaml"
+          yq eval '.version = "0.0.0-dev" | .appVersion = "0.0.0-dev"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml
+          yq eval '.image.reference = "quay.io/kata-containers/kata-deploy-ci" | .image.tag = "kata-containers-latest"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+
+          echo "Generating the chart package"
+          helm dependencies update tools/packaging/kata-deploy/helm-chart/kata-deploy
+          helm package tools/packaging/kata-deploy/helm-chart/kata-deploy
+
+          echo "Pushing the chart to the OCI registries"
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://quay.io/kata-containers/kata-deploy-charts
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts

.github/workflows/publish-kata-deploy-payload.yaml

@@ -38,6 +38,7 @@ permissions: {}
 
 jobs:
   kata-payload:
+    name: kata-payload
     permissions:
       contents: read
       packages: write

.github/workflows/release-amd64.yaml

@@ -29,6 +29,7 @@ jobs:
       attestations: write
 
   kata-deploy:
+    name: kata-deploy
     needs: build-kata-static-tarball-amd64
     permissions:
       contents: read

.github/workflows/release-arm64.yaml

@@ -8,6 +8,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -19,6 +21,7 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
     permissions:
       contents: read
       packages: write
@@ -26,6 +29,7 @@ jobs:
       attestations: write
 
   kata-deploy:
+    name: kata-deploy
     needs: build-kata-static-tarball-arm64
     permissions:
       contents: read

.github/workflows/release-ppc64le.yaml

@@ -26,11 +26,12 @@ jobs:
       attestations: write
 
   kata-deploy:
+    name: kata-deploy
     needs: build-kata-static-tarball-ppc64le
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
     steps:
       - name: Login to Kata Containers ghcr.io
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

.github/workflows/release-s390x.yaml

@@ -30,6 +30,7 @@ jobs:
 
 
   kata-deploy:
+    name: kata-deploy
     needs: build-kata-static-tarball-s390x
     permissions:
       contents: read

.github/workflows/release.yaml

@@ -6,6 +6,7 @@ permissions: {}
 
 jobs:
   release:
+    name: release
     runs-on: ubuntu-22.04
     permissions:
       contents: write # needed for the `gh release create` command
@@ -48,6 +49,7 @@ jobs:
       target-arch: arm64
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-and-push-assets-s390x:
     needs: release
@@ -77,6 +79,7 @@ jobs:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   publish-multi-arch-images:
+    name: publish-multi-arch-images
     runs-on: ubuntu-22.04
     needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
     permissions:
@@ -114,6 +117,7 @@ jobs:
           KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy"
 
   upload-multi-arch-static-tarball:
+    name: upload-multi-arch-static-tarball
     needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
     permissions:
       contents: write # needed for the `gh release` commands
@@ -178,6 +182,7 @@ jobs:
           ARCHITECTURE: ppc64le
 
   upload-versions-yaml:
+    name: upload-versions-yaml
     needs: release
     runs-on: ubuntu-22.04
     permissions:
@@ -195,6 +200,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
   upload-cargo-vendored-tarball:
+    name: upload-cargo-vendored-tarball
     needs: release
     runs-on: ubuntu-22.04
     permissions:
@@ -212,6 +218,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
   upload-libseccomp-tarball:
+    name: upload-libseccomp-tarball
     needs: release
     runs-on: ubuntu-22.04
     permissions:
@@ -229,6 +236,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
   upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
     needs: release
     runs-on: ubuntu-22.04
     permissions:
@@ -253,10 +261,11 @@ jobs:
       - name: Login to the OCI registries
         env:
           QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          GITHUB_ACTOR: ${{ github.actor }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
-          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
-          echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
 
       - name: Push helm chart to the OCI registries
         run: |
@@ -265,6 +274,7 @@ jobs:
           helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
 
   publish-release:
+    name: publish-release
     needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
     runs-on: ubuntu-22.04
     permissions:

.github/workflows/run-containerd-guest-pull-stability-tests.yaml

@@ -0,0 +1,167 @@
+name: CI | Run containerd guest pull stability tests
+on:
+  schedule:
+    - cron: "0 */1 * * *" #run every hour
+
+permissions: {}
+
+# This job relies on k8s pre-installed using kubeadm
+jobs:
+  run-containerd-guest-pull-stability-tests:
+    name: run-containerd-guest-pull-stability-tests-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [
+          { test-type: multi-snapshotter, containerd: v2.2 },
+          { test-type: force-guest-pull, containerd: v1.7 },
+          { test-type: force-guest-pull, containerd: v2.0 },
+          { test-type: force-guest-pull, containerd: v2.1 },
+          { test-type: force-guest-pull, containerd: v2.2 },
+        ]
+    env:
+      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
+      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
+    runs-on: containerd-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Rotate the journal
+        run: sudo journalctl --rotate --vacuum-time 1s
+
+      - name: Pull the kata-deploy image to be used
+        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
+
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' && 'nydus' || '' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' }}
+          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.test-type == 'force-guest-pull' && 'qemu-coco-dev' || '' }}
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image=${img} \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
+        if: always()
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -38,6 +38,7 @@ permissions: {}
 
 jobs:
   run-k8s-tests:
+    name: run-k8s-tests
     strategy:
       fail-fast: false
       matrix:
@@ -48,7 +49,6 @@ jobs:
           - dragonball
           - qemu
           - qemu-runtime-rs
-          - stratovirt
           - cloud-hypervisor
         instance-type:
           - small
@@ -58,16 +58,13 @@ jobs:
             vmm: clh
             instance-type: small
             genpolicy-pull-method: oci-distribution
-            auto-generate-policy: yes
           - host_os: cbl-mariner
             vmm: clh
             instance-type: small
             genpolicy-pull-method: containerd
-            auto-generate-policy: yes
           - host_os: cbl-mariner
             vmm: clh
             instance-type: normal
-            auto-generate-policy: yes
     runs-on: ubuntu-22.04
     permissions:
       contents: read
@@ -81,10 +78,8 @@ jobs:
       KATA_HOST_OS: ${{ matrix.host_os }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: "vanilla"
-      USING_NFD: "false"
       K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
       GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
-      AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -140,7 +135,7 @@ jobs:
         run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
 
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
 
       - name: Run tests
@@ -148,6 +143,7 @@ jobs:
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
       - name: Refresh OIDC token in case access token expired
+        if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZ_APPID }}

.github/workflows/run-k8s-tests-on-amd64.yaml

@@ -1,129 +0,0 @@
-name: CI | Run kubernetes tests on amd64
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-k8s-tests-amd64:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        container_runtime:
-          - containerd
-        snapshotter:
-          - devmapper
-        k8s:
-          - k3s
-        include:
-          - vmm: qemu
-            container_runtime: crio
-            snapshotter: ""
-            k8s: k0s
-    runs-on: ubuntu-22.04
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime != 'crio' && '' || '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
-      K8S_TEST_HOST_TYPE: all
-      CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Configure CRI-O
-        if: matrix.container_runtime == 'crio'
-        run: bash tests/integration/kubernetes/gha-run.sh setup-crio
-
-      - name: Deploy ${{ matrix.k8s }}
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-        env:
-          CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
-
-      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        if: matrix.snapshotter != ''
-        run: bash tests/integration/kubernetes/gha-run.sh configure-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Run tests
-        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Collect artifacts ${{ matrix.vmm }}
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
-        continue-on-error: true
-
-      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
-          path: /tmp/artifacts
-          retention-days: 1
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup

.github/workflows/run-k8s-tests-on-arm64.yaml

@@ -26,6 +26,7 @@ permissions: {}
 
 jobs:
   run-k8s-tests-on-arm64:
+    name: run-k8s-tests-on-arm64
     strategy:
       fail-fast: false
       matrix:
@@ -41,7 +42,6 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
       K8S_TEST_HOST_TYPE: all
       TARGET_ARCH: "aarch64"
     steps:
@@ -58,7 +58,7 @@ jobs:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
 
       - name: Install `bats`
@@ -82,5 +82,5 @@ jobs:
 
       - name: Delete kata-deploy
         if: always()
-        timeout-minutes: 5
+        timeout-minutes: 15
         run: bash tests/integration/kubernetes/gha-run.sh cleanup

.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml

@@ -29,22 +29,22 @@ permissions: {}
 
 jobs:
   run-nvidia-gpu-tests-on-amd64:
+    name: run-${{ matrix.environment.name }}-tests-on-amd64
     strategy:
       fail-fast: false
       matrix:
-        vmm:
-          - qemu-nvidia-gpu
-        k8s:
-          - kubeadm
-    runs-on: amd64-nvidia-a100
+        environment: [
+          { name: nvidia-gpu,     vmm: qemu-nvidia-gpu,     runner: amd64-nvidia-a100 },
+          { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
+        ]
+    runs-on: ${{ matrix.environment.runner }}
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}
       DOCKER_TAG: ${{ inputs.tag }}
       GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KUBERNETES: kubeadm
       K8S_TEST_HOST_TYPE: all
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -60,30 +60,30 @@ jobs:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
 
       - name: Install `bats`
         run: bash tests/integration/kubernetes/gha-run.sh install-bats
 
-      - name: Run tests
+      - name: Run tests ${{ matrix.environment.vmm }}
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
         env:
           NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-      - name: Collect artifacts ${{ matrix.vmm }}
+      - name: Collect artifacts ${{ matrix.environment.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
         continue-on-error: true
 
-      - name: Archive artifacts ${{ matrix.vmm }}
+      - name: Archive artifacts ${{ matrix.environment.vmm }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
+          name: k8s-tests-${{ matrix.environment.vmm }}-kubeadm-${{ inputs.tag }}
           path: /tmp/artifacts
           retention-days: 1
 
       - name: Delete kata-deploy
         if: always()
-        timeout-minutes: 5
+        timeout-minutes: 15
         run: bash tests/integration/kubernetes/gha-run.sh cleanup

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -26,6 +26,7 @@ permissions: {}
 
 jobs:
   run-k8s-tests:
+    name: run-k8s-tests
     strategy:
       fail-fast: false
       matrix:
@@ -33,7 +34,7 @@ jobs:
           - qemu
         k8s:
           - kubeadm
-    runs-on: k8s-ppc64le
+    runs-on: ppc64le-k8s
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}
@@ -42,7 +43,6 @@ jobs:
       GOPATH: ${{ github.workspace }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
       TARGET_ARCH: "ppc64le"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -62,19 +62,16 @@ jobs:
           ./tests/install_go.sh -f -p
           echo "/usr/local/go/bin" >> "$GITHUB_PATH"
 
-      - name: Prepare the runner for k8s cluster creation
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
+      - name: Prepare the runner for k8s test suite
+        run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"
 
-      - name: Create k8s cluster using kubeadm
-        run: bash "${HOME}/scripts/k8s_cluster_create.sh"
+      - name: Check if cluster is healthy to run the tests
+        run: bash "${HOME}/scripts/k8s_cluster_check.sh"
 
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm
 
       - name: Run tests
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete cluster and post cleanup actions
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -29,6 +29,7 @@ permissions: {}
 
 jobs:
   run-k8s-tests:
+    name: run-k8s-tests
     strategy:
       fail-fast: false
       matrix:
@@ -45,11 +46,9 @@ jobs:
         include:
           - snapshotter: devmapper
             pull-type: default
-            using-nfd: true
             deploy-cmd: configure-snapshotter
           - snapshotter: nydus
             pull-type: guest-pull
-            using-nfd: false
             deploy-cmd: deploy-snapshotter
         exclude:
           - snapshotter: overlayfs
@@ -75,7 +74,6 @@ jobs:
       KUBERNETES: ${{ matrix.k8s }}
       PULL_TYPE: ${{ matrix.pull-type }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: ${{ matrix.using-nfd }}
       TARGET_ARCH: "s390x"
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
@@ -105,11 +103,13 @@ jobs:
       # qemu-runtime-rs only works with overlayfs
       # See: https://github.com/kata-containers/kata-containers/issues/10066
       - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
+        env:
+          DEPLOY_CMD: ${{ matrix.deploy-cmd }}
+        run: bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"
         if: ${{ matrix.snapshotter != 'overlayfs' }}
 
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi
 
       - name: Uninstall previous `kbs-client`

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -40,6 +40,7 @@ permissions: {}
 jobs:
   # Generate jobs for testing CoCo on non-TEE environments
   run-stability-k8s-tests-coco-nontee:
+    name: run-stability-k8s-tests-coco-nontee
     strategy:
       fail-fast: false
       matrix:
@@ -69,7 +70,6 @@ jobs:
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -140,6 +140,7 @@ jobs:
         run: bash tests/stability/gha-stability-run.sh run-tests
 
       - name: Refresh OIDC token in case access token expired
+        if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZ_APPID }}

.github/workflows/run-kata-coco-tests.yaml

@@ -39,17 +39,17 @@ on:
 permissions: {}
 
 jobs:
-  run-k8s-tests-on-tdx:
+  run-k8s-tests-on-tee:
+    name: run-k8s-tests-on-tee
     strategy:
       fail-fast: false
       matrix:
-        vmm:
-          - qemu-tdx
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: tdx
+        include:
+          - runner: tdx
+            vmm: qemu-tdx
+          - runner: sev-snp
+            vmm: qemu-snp
+    runs-on: ${{ matrix.runner }}
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}
@@ -57,15 +57,14 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: "vanilla"
-      USING_NFD: "true"
       KBS: "true"
       K8S_TEST_HOST_TYPE: "baremetal"
       KBS_INGRESS: "nodeport"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: "nydus"
+      PULL_TYPE: "guest-pull"
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
+      GH_ITA_KEY: ${{ secrets.ITA_KEY }}
       AUTO_GENERATE_POLICY: "yes"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -80,13 +79,9 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
       - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
 
       - name: Uninstall previous `kbs-client`
         timeout-minutes: 10
@@ -95,6 +90,8 @@ jobs:
       - name: Deploy CoCo KBS
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+        env:
+          ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}
 
       - name: Install `kbs-client`
         timeout-minutes: 10
@@ -108,102 +105,19 @@ jobs:
         timeout-minutes: 100
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Delete kata-deploy
         if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
 
       - name: Delete CoCo KBS
         if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-
-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
-  run-k8s-tests-sev-snp:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-snp
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: sev-snp
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBECONFIG: /home/kata/.kube/config
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      KBS: "true"
-      KBS_INGRESS: "nodeport"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
         run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
-
-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 50
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
-
-      - name: Delete CoCo KBS
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
+          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
 
       - name: Delete CSI driver
         timeout-minutes: 5
@@ -211,6 +125,7 @@ jobs:
 
   # Generate jobs for testing CoCo on non-TEE environments
   run-k8s-tests-coco-nontee:
+    name: run-k8s-tests-coco-nontee
     strategy:
       fail-fast: false
       matrix:
@@ -220,6 +135,9 @@ jobs:
           - nydus
         pull-type:
           - guest-pull
+        include:
+          - pull-type: experimental-force-guest-pull
+            snapshotter: ""
     runs-on: ubuntu-22.04
     permissions:
       id-token: write # Used for OIDC access to log into Azure
@@ -244,8 +162,6 @@ jobs:
       # host type chose it will result on the creation of a cluster with
       # insufficient resources.
       K8S_TEST_HOST_TYPE: "all"
-      USING_NFD: "false"
-      AUTO_GENERATE_POLICY: "yes"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -295,13 +211,13 @@ jobs:
       - name: Download credentials for the Kubernetes CLI to use them
         run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
 
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
       - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
+        env:
+          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
+          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
 
       - name: Deploy CoCo KBS
         timeout-minutes: 10
@@ -324,6 +240,7 @@ jobs:
         run: bash tests/integration/kubernetes/gha-run.sh report-tests
 
       - name: Refresh OIDC token in case access token expired
+        if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZ_APPID }}
@@ -333,3 +250,94 @@ jobs:
       - name: Delete AKS cluster
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
+
+  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
+  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
+    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+        snapshotter:
+          - erofs
+        pull-type:
+          - default
+    runs-on: ubuntu-24.04
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      # Some tests rely on that variable to run (or not)
+      KBS: "false"
+      # Set the KBS ingress handler (empty string disables handling)
+      KBS_INGRESS: ""
+      KUBERNETES: "vanilla"
+      CONTAINER_ENGINE: "containerd"
+      CONTAINER_ENGINE_VERSION: "v2.2"
+      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: ${{ matrix.snapshotter }}
+      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
+      K8S_TEST_HOST_TYPE: "all"
+      # We are skipping the auto generated policy tests for now,
+      # but those should be enabled as soon as we work on that.
+      AUTO_GENERATE_POLICY: "no"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy kubernetes
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests

.github/workflows/run-kata-deploy-tests-on-aks.yaml

@@ -33,6 +33,7 @@ permissions: {}
 
 jobs:
   run-kata-deploy-tests:
+    name: run-kata-deploy-tests
     strategy:
       fail-fast: false
       matrix:
@@ -58,7 +59,6 @@ jobs:
       KATA_HOST_OS: ${{ matrix.host_os }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: "vanilla"
-      USING_NFD: "false"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -103,6 +103,7 @@ jobs:
         run: bash tests/functional/kata-deploy/gha-run.sh run-tests
 
       - name: Refresh OIDC token in case access token expired
+        if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZ_APPID }}

.github/workflows/run-kata-deploy-tests.yaml

@@ -26,6 +26,7 @@ permissions: {}
 
 jobs:
   run-kata-deploy-tests:
+    name: run-kata-deploy-tests
     strategy:
       fail-fast: false
       matrix:
@@ -44,7 +45,6 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/run-kata-monitor-tests.yaml

@@ -17,6 +17,7 @@ permissions: {}
 
 jobs:
   run-monitor:
+    name: run-monitor
     strategy:
       fail-fast: false
       matrix:

.github/workflows/run-metrics.yaml

@@ -26,6 +26,7 @@ permissions: {}
 
 jobs:
   run-metrics:
+    name: run-metrics
     strategy:
       # We can set this to true whenever we're 100% sure that
       # the all the tests are not flaky, otherwise we'll fail
@@ -43,7 +44,6 @@ jobs:
       DOCKER_TAG: ${{ inputs.tag }}
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       K8S_TEST_HOST_TYPE: "baremetal"
-      USING_NFD: "false"
       KUBERNETES: kubeadm
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/run-runk-tests.yaml

@@ -17,6 +17,7 @@ permissions: {}
 
 jobs:
   run-runk:
+    name: run-runk
     # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
     if: false
     runs-on: ubuntu-22.04

.github/workflows/shellcheck.yaml

@@ -18,6 +18,7 @@ concurrency:
 
 jobs:
   shellcheck:
+    name: shellcheck
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code

.github/workflows/shellcheck_required.yaml

@@ -19,6 +19,7 @@ concurrency:
 
 jobs:
   shellcheck-required:
+    name: shellcheck-required
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code

.github/workflows/stale.yaml

@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   stale:
+    name: stale
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0

.github/workflows/static-checks-self-hosted.yaml

@@ -30,7 +30,7 @@ jobs:
         instance:
           - "ubuntu-22.04-arm"
           - "s390x"
-          - "ppc64le"
+          - "ubuntu-24.04-ppc64le"
     uses: ./.github/workflows/build-checks.yaml
     with:
       instance: ${{ matrix.instance }}

.github/workflows/static-checks.yaml

@@ -22,6 +22,7 @@ jobs:
       target-branch: ${{ github.event.pull_request.base.ref }}
 
   check-kernel-config-version:
+    name: check-kernel-config-version
     needs: skipper
     if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
     runs-on: ubuntu-22.04
@@ -54,6 +55,7 @@ jobs:
       instance: ubuntu-22.04
 
   build-checks-depending-on-kvm:
+    name: build-checks-depending-on-kvm
     runs-on: ubuntu-22.04
     needs: skipper
     if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -88,13 +90,16 @@ jobs:
       - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
         run: |
           export PATH="$PATH:${HOME}/.cargo/bin"
-          cd ${{ matrix.component-path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
         env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component-path }}
           RUST_BACKTRACE: "1"
           RUST_LIB_BACKTRACE: "0"
 
   static-checks:
+    name: static-checks
     runs-on: ubuntu-22.04
     needs: skipper
     if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -117,13 +122,13 @@ jobs:
           path: ./src/github.com/${{ github.repository }}
       - name: Install yq
         run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
       - name: Install golang
         run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
           ./tests/install_go.sh -f -p
           echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Install system dependencies
@@ -131,7 +136,7 @@ jobs:
           sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
       - name: Install open-policy-agent
         run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
           ./tests/install_opa.sh
       - name: Install regorus
         env:
@@ -139,11 +144,13 @@ jobs:
           ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
           ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
         run: |
-          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
+          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
       - name: Run check
+        env:
+          CMD: ${{ matrix.cmd }}
         run: |
           export PATH="${PATH}:${GOPATH}/bin"
-          cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}
 
   govulncheck:
     needs: skipper
@@ -151,6 +158,7 @@ jobs:
     uses: ./.github/workflows/govulncheck.yaml
 
   codegen:
+    name: codegen
     runs-on: ubuntu-22.04
     needs: skipper
     if: ${{ needs.skipper.outputs.skip_static != 'yes' }}

.github/workflows/zizmor.yaml

@@ -1,7 +1,6 @@
 name: GHA security analysis
 
 on:
-  push:
   pull_request:
 
 permissions: {}
@@ -12,10 +11,8 @@ concurrency:
 
 jobs:
   zizmor:
+    name: zizmor
     runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -24,6 +21,9 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
+          advanced-security: false
+          annotations: true
           persona: auditor
+          version: v1.13.0

.github/zizmor.yml

@@ -0,0 +1,3 @@
+rules:
+  undocumented-permissions:
+    disable: true

VERSION

@@ -1 +1 @@
-3.21.0
+3.22.0

ci/darwin-test.sh

@@ -8,6 +8,7 @@ set -e
 
 cidir=$(dirname "$0")
 runtimedir=${cidir}/../src/runtime
+genpolicydir=${cidir}/../src/tools/genpolicy
 
 build_working_packages() {
 	# working packages:
@@ -40,3 +41,11 @@ build_working_packages() {
 }
 
 build_working_packages
+
+build_genpolicy() {
+	echo "building genpolicy"
+	pushd "${genpolicydir}" &>/dev/null
+	make TRIPLE=aarch64-apple-darwin build
+}
+
+build_genpolicy

ci/openshift-ci/cluster/install_kata.sh

@@ -43,19 +43,22 @@ WORKAROUND_9206_CRIO=${WORKAROUND_9206_CRIO:-no}
 # Leverage kata-deploy to install Kata Containers in the cluster.
 #
 apply_kata_deploy() {
-	local deploy_file="tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml"
-	pushd "${katacontainers_repo_dir}" || die
-	sed -ri "s#(\s+image:) .*#\1 ${KATA_DEPLOY_IMAGE}#" "${deploy_file}"
+	if ! command -v helm &>/dev/null; then
+		echo "Helm not installed, installing in current location..."
+		PATH=".:${PATH}"
+		curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | HELM_INSTALL_DIR='.' bash -s -- --no-sudo
+	fi
 
-	info "Applying kata-deploy"
-	oc apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
 	oc label --overwrite ns kube-system pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
-	oc apply -f "${deploy_file}"
-	oc -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+	local version chart
+	version=$(curl -sSL https://api.github.com/repos/kata-containers/kata-containers/releases/latest | jq .tag_name | tr -d '"')
+	chart="oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy"
 
-	info "Adding the kata runtime classes"
-	oc apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
-	popd || die
+	# Ensure any potential leftover is cleaned up ... and this secret usually is not in case of previous failures
+	oc delete secret sh.helm.release.v1.kata-deploy.v1 -n kube-system || true
+
+	echo "Installing kata using helm ${chart} ${version}"
+	helm install kata-deploy --wait --namespace kube-system --set "image.reference=${KATA_DEPLOY_IMAGE%%:*},image.tag=${KATA_DEPLOY_IMAGE##*:}" "${chart}" --version "${version}"
 }
 
 
@@ -174,13 +177,13 @@ wait_for_app_pods_message() {
 	local namespace="$5"
 	[[ -z "${pod_count}" ]] && pod_count=1
 	[[ -z "${timeout}" ]] && timeout=60
-	[[ -n "${namespace}" ]] && namespace=" -n ${namespace} "
+	[[ -n "${namespace}" ]] && namespace=("-n" "${namespace}")
 	local pod
 	local pods
 	local i
 	SECONDS=0
 	while :; do
-		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace}" | awk '{print $1}')
+		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace[@]}" | awk '{print $1}')
 		[[ "${#pods}" -ge "${pod_count}" ]] && break
 		if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 			printf "Unable to find ${pod_count} pods for '-l app=\"${app}\"' in ${SECONDS}s (%s)" "${pods[@]}"
@@ -190,7 +193,7 @@ wait_for_app_pods_message() {
 	local log
 	for pod in "${pods[@]}"; do
 		while :; do
-			log=$(oc logs "${namespace}" "${pod}")
+			log=$(oc logs "${namespace[@]}" "${pod}")
 			echo "${log}" | grep "${message}" -q && echo "Found $(echo "${log}" | grep "${message}") in ${pod}'s log (${SECONDS})" && break;
 			if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 				echo -n "Message '${message}' not present in '${pod}' pod of the '-l app=\"${app}\"' "

ci/openshift-ci/peer-pods-azure.sh

@@ -12,6 +12,33 @@
 
 SCRIPT_DIR=$(dirname "$0")
 
+##################
+# Helper functions
+##################
+
+# Sparse "git clone" supporting old git version
+# $1  - origin
+# $2  - revision
+# $3- - sparse checkout paths
+# Note: uses pushd to change into the clonned directory!
+git_sparse_clone() {
+  local origin="$1"
+  local revision="$2"
+  shift 2
+  local sparse_paths=("$@")
+
+  local repo
+  repo=$(basename -s .git "${origin}")
+
+  git init "${repo}"
+  pushd "${repo}" || exit 1
+  git remote add origin "${origin}"
+  git fetch --depth 1 origin "${revision}"
+  git sparse-checkout init --cone
+  git sparse-checkout set "${sparse_paths[@]}"
+  git checkout FETCH_HEAD
+}
+
 ###############################
 # Disable security to allow e2e
 ###############################
@@ -148,11 +175,7 @@ echo "CAA_TAG=\"${CAA_TAG}\""
 echo "PP_IMAGE_ID=\"${PP_IMAGE_ID}\""
 
 # Clone and configure caa
-git clone --revision "${CAA_GIT_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
-pushd cloud-api-adaptor
-git sparse-checkout init --cone
-git sparse-checkout set src/cloud-api-adaptor/install/
-git checkout
+git_sparse_clone "https://github.com/confidential-containers/cloud-api-adaptor.git" "${CAA_GIT_SHA:-main}" "src/cloud-api-adaptor/install/"
 echo "CAA_GIT_SHA=\"$(git rev-parse HEAD)\""
 pushd src/cloud-api-adaptor
 cat <<EOF > install/overlays/azure/workload-identity.yaml
@@ -219,11 +242,7 @@ echo "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" >> install/overlays/azure/serv
 echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}" >> install/overlays/azure/service-principal.env
 
 # Deploy Operator
-git clone --revision "${OPERATOR_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/operator
-pushd operator
-git sparse-checkout init --cone
-git sparse-checkout set "config/"
-git checkout
+git_sparse_clone "https://github.com/confidential-containers/operator" "${OPERATOR_SHA:-main}" "config/"
 echo "OPERATOR_SHA=\"$(git rev-parse HEAD)\""
 oc apply -k "config/release"
 oc apply -k "config/samples/ccruntime/peer-pods"

docs/Developer-Guide.md

@@ -450,7 +450,7 @@ You can build and install the guest kernel image as shown [here](../tools/packag
 # Install a hypervisor
 
 When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the
-`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/README.md).
+`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/helm-chart/README.md).
 You may choose to manually build your VMM/hypervisor.
 
 ## Build a custom QEMU

docs/Limitations.md

@@ -166,19 +166,65 @@ moment.
 See [this issue](https://github.com/kata-containers/runtime/issues/2812) for more details.
 [Another issue](https://github.com/kata-containers/kata-containers/issues/1728) focuses on the case of `emptyDir`.
 
-## Host resource sharing
+### Kubernetes [hostPath][k8s-hostpath] volumes
 
-### Privileged containers
+In Kata, Kubernetes hostPath volumes can mount host directories and
+regular files into the guest VM via filesystem sharing, if it is enabled
+through the `shared_fs` [configuration][runtime-config] flag.
+
+By default:
+
+ - Non-TEE environment: Filesystem sharing is used to mount host files.
+ - TEE environment: Filesystem sharing is disabled. Instead, host files
+   are copied into the guest VM when the container starts, and file
+   changes are *not* synchronized between the host and the guest.
+
+In some cases, the behavior of hostPath volumes in Kata is further
+different compared to `runc` containers:
+
+**Mounting host block devices**: When a hostPath volume is of type
+[`BlockDevice`][k8s-blockdevice], Kata hotplugs the host block device
+into the guest and exposes it directly to the container.
+
+**Mounting guest devices**: When the source path of a hostPath volume is
+under `/dev`, and the path either corresponds to a host device or is not
+accessible by the Kata shim, the Kata agent bind mounts the source path
+directly from the *guest* filesystem into the container.
+
+[runtime-config]: /src/runtime/README.md#configuration
+[k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+[k8s-blockdevice]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types
+
+### Mounting `procfs` and `sysfs`
+
+For security reasons, the following mounts are disallowed:
+
+| Type              | Source    | Destination                      | Rationale      |
+|-------------------|-----------|----------------------------------|----------------|
+| `bind`            | `!= proc` | `/proc`                          | CVE-2019-16884 |
+| `bind`            | `*`       | `/proc/*` (see exceptions below) | CVE-2019-16884 |
+| `proc \|\| sysfs` | `*`       | not a directory (e.g. symlink)   | CVE-2019-19921 |
+
+For bind mounts under /proc, these destinations are allowed:
+	
+ * `/proc/cpuinfo`
+ * `/proc/diskstats`
+ * `/proc/meminfo`
+ * `/proc/stat`
+ * `/proc/swaps`
+ * `/proc/uptime`
+ * `/proc/loadavg`
+ * `/proc/net/dev`
+
+## Privileged containers
 
 Privileged support in Kata is essentially different from `runc` containers.
-The container runs with elevated capabilities within the guest and is granted
-access to guest devices instead of the host devices.
+The container runs with elevated capabilities within the guest.
 This is also true with using `securityContext privileged=true` with Kubernetes.
 
-The container may also be granted full access to a subset of host devices
-(https://github.com/kata-containers/runtime/issues/1568).
-
-See [Privileged Kata Containers](how-to/privileged.md) for how to configure some of this behavior.
+Importantly, the default behavior to pass the host devices to a
+privileged container is not supported in Kata Containers and needs to be
+disabled, see [Privileged Kata Containers](how-to/privileged.md).
 
 # Appendices
 

docs/how-to/README.md

@@ -31,6 +31,7 @@
 - [Setting Sysctls with Kata](how-to-use-sysctls-with-kata.md)
 - [What Is VMCache and How To Enable It](what-is-vm-cache-and-how-do-I-use-it.md)
 - [What Is VM Templating and How To Enable It](what-is-vm-templating-and-how-do-I-use-it.md)
+- [How to Use Template in runtime-rs](how-to-use-template-in-runtime-rs.md)
 - [Privileged Kata Containers](privileged.md)
 - [How to load kernel modules in Kata Containers](how-to-load-kernel-modules-with-kata.md)
 - [How to use Kata Containers with `virtio-mem`](how-to-use-virtio-mem-with-kata.md)
@@ -48,3 +49,4 @@
 - [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)
 - [How to pull images in the guest](how-to-pull-images-in-guest-with-kata.md)
 - [How to use mem-agent to decrease the memory usage of Kata container](how-to-use-memory-agent.md)
+- [How to use seccomp with runtime-rs](how-to-use-seccomp-with-runtime-rs.md)

docs/how-to/how-to-run-kata-containers-with-SE-VMs.md

@@ -318,7 +318,7 @@ Finally, an operational kata container with IBM Secure Execution is now running.
 
 It is reasonable to expect that the manual steps mentioned above can be easily executed.
 Typically, you can use
-[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/README.md)
+[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/README.md)
 to install Kata Containers on a Kubernetes cluster. However, when leveraging IBM Secure Execution,
 you need to employ the confidential container's
 [operator](https://github.com/confidential-containers/operator).

docs/how-to/how-to-use-kata-containers-with-firecracker.md

@@ -104,12 +104,20 @@ LOW_WATER_MARK=32768
 sudo dmsetup create "${POOL_NAME}" \
     --table "0 ${LENGTH_IN_SECTORS} thin-pool ${META_DEV} ${DATA_DEV} ${DATA_BLOCK_SIZE} ${LOW_WATER_MARK}"
 
+# Determine plugin name based on containerd config version
+CONFIG_VERSION=$(containerd config dump | awk '/^version/ {print $3}')
+if [ "$CONFIG_VERSION" -ge 2 ]; then
+    PLUGIN="io.containerd.snapshotter.v1.devmapper"
+else
+    PLUGIN="devmapper"
+fi
+
 cat << EOF
 #
 # Add this to your config.toml configuration file and restart containerd daemon
 #
 [plugins]
-  [plugins.devmapper]
+  [plugins."${PLUGIN}"]
     pool_name = "${POOL_NAME}"
     root_path = "${DATA_DIR}"
     base_image_size = "10GB"

docs/how-to/how-to-use-seccomp-with-runtime-rs.md

@@ -0,0 +1,44 @@
+## Introduction
+
+To enhance security, Kata Containers supports using seccomp to restrict the hypervisor's system calls. Previously, this was only supported for a subset of hypervisors in runtime-go. Now, the runtime-rs also supports seccomp. This document describes how to enable/disable the seccomp feature for the corresponding hypervisor in runtime-rs.
+
+## Pre-requisites
+
+1. Ensure your system's kernel supports **seccomp**.
+2. Confirm that each of the following virtual machines can run correctly on your system.
+
+## Configure seccomp
+
+With the exception of `qemu`, seccomp is enabled by default for all other supported hypervisors. Their corresponding built-in functionalities are also enabled by default.
+
+### QEMU
+
+As with runtime-go, you need to modify the following in your **configuration file**. These parameters will be passed directly to the `qemu` startup command line. For more details on the parameters, you can refer to: [https://www.qemu.org/docs/master/system/qemu-manpage.html](https://www.qemu.org/docs/master/system/qemu-manpage.html)
+
+``` toml
+# Qemu seccomp sandbox feature
+# comma-separated list of seccomp sandbox features to control the syscall access.
+# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
+# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
+# Another note: enabling this feature may reduce performance, you may enable
+# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
+seccompsandbox="on,obsolete=deny,spawn=deny,resourcecontrol=deny"
+```
+### Cloud Hypervisor, Firecracker and Dragonball
+
+The **seccomp** functionality is enabled by default for the following three hypervisors: `cloud hypervisor`, `firecracker`, and `dragonball`.
+
+The seccomp rules for `cloud hypervisor` and `firecracker` are built directly into their executable files. For `dragonball`, the relevant configuration is currently located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.
+
+To disable this functionality for these hypervisors, you can modify the following configuration options in your **configuration file**.
+
+``` toml
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+disable_seccomp = true
+```
+
+## Implementation details
+
+For `qemu`, `cloud hypervisor`, and `firecracker`, their **seccomp** functionality is built into the respective executable files you are using. **runtime-rs** simply provides command-line arguments for their launch based on the configuration file.
+
+For `dragonball`, a set of allowed system calls is currently provided for the entire **runtime-rs** process, and the process is prevented from using any system calls outside of this whitelist. As mentioned above, this set is located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.

docs/how-to/how-to-use-template-in-runtime-rs.md

@@ -0,0 +1,119 @@
+# How to Use Template in runtime-rs
+
+## What is VM Templating
+
+VM templating is a Kata Containers feature that enables new VM creation using a cloning technique. When enabled, new VMs are created by cloning from a pre-created template VM, and they will share the same initramfs, kernel and agent memory in readonly mode. It is very much like a process fork done by the kernel but here we *fork* VMs.
+
+For more details on VM templating, refer to the [What is VM templating and how do I use it](./what-is-vm-templating-and-how-do-I-use-it.md) article.
+
+## How to Enable VM Templating
+
+VM templating can be enabled by changing your Kata Containers config file (`/opt/kata/share/defaults/kata-containers/runtime-rs/configuration.toml`, overridden by `/etc/kata-containers/configuration.toml` if provided) such that:
+
+- `qemu` version `v4.1.0` or above is specified in `hypervisor.qemu`->`path` section
+- `enable_template = true`
+- `template_path = "/run/vc/vm/template"` (default value, can be customized as needed)
+- `initrd =` is set
+- `image =` option is commented out or removed
+- `shared_fs =` option is commented out or removed
+- `default_memory =` should be set to more than 256MB
+
+Then you can create a VM template for later usage by calling:
+
+### Initialize and create the VM template
+The `factory init` command creates a VM template by launching a new VM, initializing the Kata Agent, then pausing and saving its state (memory and device snapshots) to the template directory. This saved template is used to rapidly clone new VMs using QEMU's memory sharing capabilities.
+
+```bash
+sudo kata-ctl factory init
+```
+
+### Check the status of the VM template
+
+The `factory status` command checks whether a VM template currently exists by verifying the presence of template files (memory snapshot and device state). It will output "VM factory is on" if the template exists, or "VM factory is off" otherwise.
+
+```bash
+sudo kata-ctl factory status
+```
+
+### Destroy and clean up the VM template
+
+The `factory destroy` command removes the VM template by remove the `tmpfs` filesystem and deleting the template directory along with all its contents.
+
+```bash
+sudo kata-ctl factory destroy
+```
+
+## How to Create a New VM from VM Template
+In the Go version of Kata Containers, the VM templating mechanism is implemented using virtio-9p (9pfs). However, 9pfs is not supported in runtime-rs due to its poor performance, limited cache coherence, and security risks. Instead, runtime-rs adopts `VirtioFS` as the default mechanism to provide rootfs for containers and VMs.
+
+Yet, when enabling the VM template mechanism, `VirtioFS` introduces conflicts in memory sharing because its DAX-based shared memory mapping overlaps with the template's page-sharing design. To resolve these conflicts and ensure strict isolation between cloned VMs, runtime-rs replaces `VirtioFS` with the snapshotter approach — specifically, the `blockfile` snapshotter.
+
+The `blockfile` snapshotter is used in runtime-rs because it provides each VM with an independent block-based root filesystem, ensuring strong isolation and full compatibility with the VM templating mechanism.
+
+### Configure Snapshotter
+
+#### Check if `Blockfile` Snapshotter is Available
+```bash
+ctr plugins ls | grep blockfile
+```
+
+If not available, continue with the following steps:
+
+#### Create Scratch File
+```bash
+dd if=/dev/zero of=/opt/containerd/blockfile bs=1M count=500
+sudo mkfs.ext4 /opt/containerd/blockfile
+```
+
+#### Configure containerd
+Edit the containerd configuration file:
+```bash
+sudo vim /etc/containerd/config.toml
+```
+Add or modify the following configuration for the `blockfile` snapshotter:
+```toml
+[plugins."io.containerd.snapshotter.v1.blockfile"]
+  scratch_file = "/opt/containerd/blockfile"
+  root_path = ""
+  fs_type = "ext4"
+  mount_options = []
+  recreate_scratch = true
+```
+
+#### Restart containerd
+After modifying the configuration, restart containerd to apply changes:
+
+```bash
+sudo systemctl restart containerd
+```
+
+### Run Container with `blockfile` Snapshotter
+After the VM template is created, you can pull an image and run a container using the `blockfile` snapshotter:
+
+```bash
+ctr run --rm -t --snapshotter blockfile docker.io/library/busybox:latest template sh
+```
+
+We can verify whether a VM was launched from a template or started normally by checking the launch parameters — if the parameters contain `incoming`, it indicates that the VM was started from a template rather than created directly.
+
+## Performance Test
+
+The comparative experiment between **template-based VM** creation and **direct VM** creation showed that the template-based approach achieved a ≈ **73.2%** reduction in startup latency (average launch time of **0.6s** vs. **0.82s**) and a ≈ **79.8%** reduction in memory usage (average memory usage of **178.2 MiB** vs. **223.2 MiB**), demonstrating significant improvements in VM startup efficiency and resource utilization.
+
+The test script is as follows:
+
+```bash
+# Clear the page cache, dentries, and inodes to free up memory
+echo 3 | sudo tee /proc/sys/vm/drop_caches
+
+# Display the current memory usage
+free -h
+
+# Create 100 normal VMs and template-based VMs, and track the time
+time for I in $(seq 100); do
+  echo -n " ${I}th"  # Display the iteration number
+  ctr run -d --runtime io.containerd.kata.v2 --snapshotter blockfile docker.io/library/busybox:latest normal/template${I}
+done
+
+# Display the memory usage again after running the test
+free -h

docs/how-to/how-to-use-virtio-fs-with-kata.md

@@ -6,4 +6,4 @@ Container deployments utilize explicit or implicit file sharing between host fil
 
 As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.
 
-virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/README.md#kubernetes-quick-start).
+virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/helm-chart/README.md).

docs/how-to/privileged.md

@@ -1,22 +1,25 @@
 # Privileged Kata Containers
 
+> [!WARNING]
+> Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured correctly.
+
 Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access
 that is not normally granted).
 
-## Warnings
+## Enabling privileged containers without host devices
 
-**Warning:** Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured 
-correctly.
+> [!TIP]
+> When Kata Containers is installed through
+> [kata-deploy](/tools/packaging/kata-deploy/helm-chart/README.md#kata-deploy-helm-chart), this mitigation is configured
+> out of the box, hence there is no action required in that case.
 
-### Host Devices
+By default, a privileged container attempts to expose all devices from the host. This is generally not supported in Kata
+Containers as the container is running a different kernel than the host.
 
-By default, when privileged is enabled for a container, all the `/dev/*` block devices from the host are mounted
-into the guest. This will allow the privileged container inside the Kata guest to gain access to mount any block device 
-from the host, a potentially undesirable side-effect that decreases the security of Kata.
+Instead, the following sections document how to disable this behavior in different container runtimes. Note that this
+mitigation does not affect a container's ability to mount *guest* devices.
 
-The following sections document how to configure this behavior in different container runtimes.
-
-#### Containerd
+## Containerd
 
 The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is
 done with the `privileged_without_host_devices` option. Setting this to `true` will disable hot plugging of the host 
@@ -43,7 +46,7 @@ See below example config:
  - [How to use Kata Containers and containerd with Kubernetes](how-to-use-k8s-with-containerd-and-kata.md)
  - [Containerd CRI config documentation](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
 
-#### CRI-O
+## CRI-O
 
 Similar to containerd, CRI-O allows configuring the privileged host devices
 behavior for each runtime in the CRI config. This is done with the 

docs/install/README.md

@@ -8,50 +8,11 @@ Kata Containers requires nested virtualization or bare metal. Check
 [hardware requirements](./../../README.md#hardware-requirements) to see if your system is capable of running Kata 
 Containers.
 
-## Packaged installation methods
-
-The packaged installation method uses your distribution's native package format (such as RPM or DEB).
-
-> **Note:**
->
-> We encourage you to select an installation method that provides
-> automatic updates, to ensure you get the latest security updates and
-> bug fixes.
-
-| Installation method                                  | Description                                                                                  | Automatic updates | Use case                                                                                      |
-|------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------------------------------------------------|
-| [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories                          | yes               | Recommended for most users.                                                                   |
-| [Automatic](#automatic-installation)                 | Run a single command to install a full system                                                | **No!**           | For those wanting the latest release quickly.                                                 |
-| [Using kata-deploy Helm chart](#kata-deploy-helm-chart)       | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!**           | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. |
-
-### Kata Deploy Helm Chart
-
-The Kata Deploy Helm chart is a convenient way to install all of the binaries and
+The Kata Deploy Helm chart is the preferred  way to install all of the binaries and
 artifacts required to run Kata Containers on Kubernetes.
 
 [Use Kata Deploy Helm Chart](/tools/packaging/kata-deploy/helm-chart/README.md) to install Kata Containers on a Kubernetes Cluster.
 
-### Official packages
-
-Kata packages are provided by official distribution repositories for:
-
-| Distribution (link to installation guide)                | Minimum versions                                                               |
-|----------------------------------------------------------|--------------------------------------------------------------------------------|
-| [CentOS](centos-installation-guide.md)                   | 8                                                                              |
-| [Fedora](fedora-installation-guide.md)                   | 34                                                                             |
-
-### Automatic Installation
-
-[Use `kata-manager`](/utils/README.md) to automatically install a working Kata Containers system.
-
-## Installing on a Cloud Service Platform
-
-* [Amazon Web Services (AWS)](aws-installation-guide.md)
-* [Google Compute Engine (GCE)](gce-installation-guide.md)
-* [Microsoft Azure](azure-installation-guide.md)
-* [Minikube](minikube-installation-guide.md)
-* [VEXXHOST OpenStack Cloud](vexxhost-installation-guide.md)
-
 ## Further information
 
 * [upgrading document](../Upgrading.md)

docs/install/aws-installation-guide.md

@@ -1,135 +0,0 @@
-# Install Kata Containers on Amazon Web Services
-
-Kata Containers on Amazon Web Services (AWS) makes use of [i3.metal](https://aws.amazon.com/ec2/instance-types/i3/) instances. Most of the installation procedure is identical to that for Kata on your preferred distribution, except that you have to run it on bare metal instances since AWS doesn't support nested virtualization yet. This guide walks you through creating an i3.metal instance.
-
-## Install and Configure AWS CLI
-
-### Requirements
-
-* Python:
-  * Python 2 version 2.6.5+
-  * Python 3 version 3.3+
-
-### Install
-
-Install with this command:
-
-```bash
-$ pip install awscli --upgrade --user
-```
-
-### Configure
-
-First, verify it:
-
-```bash
-$ aws --version
-```
-
-Then configure it:
-
-```bash
-$ aws configure
-```
-
-Specify the required parameters:
-
-```
-AWS Access Key ID []: <your-key-id-from-iam>
-AWS Secret Access Key []: <your-secret-access-key-from-iam>
-Default region name []: <your-aws-region-for-your-i3-metal-instance>
-Default output format [None]: <yaml-or-json-or-empty>
-```
-
-Alternatively, you can create the files: `~/.aws/credentials` and `~/.aws/config`:
-
-```bash
-$ cat <<EOF > ~/.aws/credentials
-[default]
-aws_access_key_id = <your-key-id-from-iam>
-aws_secret_access_key = <your-secret-access-key-from-iam>
-EOF
-$ cat <<EOF > ~/.aws/config
-[default]
-region = <your-aws-region-for-your-i3-metal-instance>
-EOF
-```
-
-For more information on how to get AWS credentials please refer to [this guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html). Alternatively, you can ask the administrator of your AWS account to issue one with the AWS CLI:
-
-```sh
-$ aws_username="myusername"
-$ aws iam create-access-key --user-name="$aws_username"
-```
-
-More general AWS CLI guidelines can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
-
-## Create or Import an EC2 SSH key pair
-
-You will need this to access your instance.
-
-To create:
-
-```bash
-$ aws ec2 create-key-pair --key-name MyKeyPair | grep KeyMaterial | cut -d: -f2- | tr -d ' \n\"\,' > MyKeyPair.pem
-$ chmod 400 MyKeyPair.pem
-```
-
-Alternatively to import using your public SSH key:
-
-```bash
-$ aws ec2 import-key-pair --key-name "MyKeyPair" --public-key-material file://MyKeyPair.pub
-```
-
-## Launch i3.metal instance
-
-Get the latest Bionic Ubuntu AMI (Amazon Image) or the latest AMI for the Linux distribution you would like to use. For example:
-
-```bash
-$ aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server*" --query 'sort_by(Images, &CreationDate)[].ImageId '
-```
-
-This command will produce output similar to the following:
-
-```
-[
-    ...
-    "ami-063aa838bd7631e0b",
-    "ami-03d5270fcb641f79b"
-]
-```
-
-Launch the EC2 instance and pick IP the `INSTANCEID`:
-
-```bash
-$ aws ec2 run-instances --image-id ami-03d5270fcb641f79b --count 1 --instance-type i3.metal --key-name MyKeyPair --associate-public-ip-address > /tmp/aws.json
-$ export INSTANCEID=$(grep InstanceId /tmp/aws.json | cut -d: -f2- | tr -d ' \n\"\,')
-```
-
-Wait for the instance to come up, the output of the following command should be `running`:
-
-```bash
-$ aws ec2 describe-instances --instance-id=${INSTANCEID} | grep running | cut -d: -f2- | tr -d ' \"\,'
-```
-
-Get the public IP address for the instances:
-
-```bash
-$ export IP=$(aws ec2 describe-instances --instance-id=${INSTANCEID} | grep PublicIpAddress | cut -d: -f2- | tr -d ' \n\"\,')
-```
-
-Refer to [this guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-launch.html) for more details on how to launch instances with the AWS CLI.
-
-SSH into the machine
-
-```bash
-$ ssh -i MyKeyPair.pem ubuntu@${IP}
-```
-
-Go onto the next step.
-
-## Install Kata
-
-The process for installing Kata itself on bare metal is identical to that of a virtualization-enabled VM.
-
-For detailed information to install Kata on your distribution of choice, see the [Kata Containers installation user guides](../install/README.md).

docs/install/azure-installation-guide.md

@@ -1,18 +0,0 @@
-# Install Kata Containers on Microsoft Azure
-
-Kata Containers on Azure use nested virtualization to provide an identical installation
-experience to Kata on your preferred Linux distribution.
-
-This guide assumes you have an Azure account set up and tools to remotely login to your virtual
-machine (SSH). Instructions will use the Azure Portal to avoid
-local dependencies and setup.
-
-## Create a new virtual machine with nesting support
-
-Create a new virtual machine with:
-* Nesting support (v3 series)
-* your distro of choice
-
-## Set up with distribution specific quick start
-
-Follow distribution specific [install guides](../install/README.md#packaged-installation-methods).

docs/install/centos-installation-guide.md

@@ -1,21 +0,0 @@
-# Install Kata Containers on CentOS
-
-1. Install the Kata Containers components with the following commands:
-
-   ```bash
-   $ sudo -E dnf install -y centos-release-advanced-virtualization
-   $ sudo -E dnf module disable -y virt:rhel
-   $ source /etc/os-release
-   $ cat <<EOF | sudo -E tee /etc/yum.repos.d/kata-containers.repo
-     [kata-containers]
-     name=Kata Containers
-     baseurl=http://mirror.centos.org/\$contentdir/\$releasever/virt/\$basearch/kata-containers
-     enabled=1
-     gpgcheck=1
-     skip_if_unavailable=1
-     EOF
-   $ sudo -E dnf install -y kata-containers
-   ```
-
-2. Decide which container manager to use and select the corresponding link that follows:
-   - [Kubernetes](../Developer-Guide.md#run-kata-containers-with-kubernetes)

docs/install/fedora-installation-guide.md

@@ -1,10 +0,0 @@
-# Install Kata Containers on Fedora
-
-1. Install the Kata Containers components with the following commands:
-
-   ```bash
-   $ sudo -E dnf -y install kata-containers
-   ```
-
-2. Decide which container manager to use and select the corresponding link that follows:
-   - [Kubernetes](../Developer-Guide.md#run-kata-containers-with-kubernetes)

docs/install/gce-installation-guide.md

@@ -1,127 +0,0 @@
-# Install Kata Containers on Google Compute Engine
-
-Kata Containers on Google Compute Engine (GCE) makes use of [nested virtualization](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances). Most of the installation procedure is identical to that for Kata on your preferred distribution, but enabling nested virtualization currently requires extra steps on GCE. This guide walks you through creating an image and instance with nested virtualization enabled. Note that `kata-runtime check` checks for nested virtualization, but does not fail if support is not found.
-
-As a pre-requisite this guide assumes an installed and configured instance of the [Google Cloud SDK](https://cloud.google.com/sdk/downloads). For a zero-configuration option, all of the commands below were been tested under [Google Cloud Shell](https://cloud.google.com/shell/) (as of Jun 2018). Verify your `gcloud` installation and configuration:
-
-```bash
-$ gcloud info || { echo "ERROR: no Google Cloud SDK"; exit 1; }
-```
-
-## Create an Image with Nested Virtualization Enabled
-
-VM images on GCE are grouped into families under projects. Officially supported images are automatically discoverable with `gcloud compute images list`. That command produces a list similar to the following (likely with different image names):
-
-```bash
-$ gcloud compute images list
-NAME                                                  PROJECT            FAMILY                            DEPRECATED  STATUS
-centos-7-v20180523                                    centos-cloud       centos-7                                      READY
-coreos-stable-1745-5-0-v20180531                      coreos-cloud       coreos-stable                                 READY
-cos-beta-67-10575-45-0                                cos-cloud          cos-beta                                      READY
-cos-stable-66-10452-89-0                              cos-cloud          cos-stable                                    READY
-debian-9-stretch-v20180510                            debian-cloud       debian-9                                      READY
-rhel-7-v20180522                                      rhel-cloud         rhel-7                                        READY
-sles-11-sp4-v20180523                                 suse-cloud         sles-11                                       READY
-ubuntu-1604-xenial-v20180522                          ubuntu-os-cloud    ubuntu-1604-lts                               READY
-ubuntu-1804-bionic-v20180522                          ubuntu-os-cloud    ubuntu-1804-lts                               READY
-```
-
-Each distribution has its own project, and each project can host images for multiple versions of the distribution, typically grouped into families. We recommend you select images by project and family, rather than by name. This ensures any scripts or other automation always works with a non-deprecated image, including security updates, updates to GCE-specific scripts, etc.
-
-### Create the Image
-
-The following example (substitute your preferred distribution project and image family) produces an image with nested virtualization enabled in your currently active GCE project:
-
-```bash
-$ SOURCE_IMAGE_PROJECT=ubuntu-os-cloud
-$ SOURCE_IMAGE_FAMILY=ubuntu-1804-lts
-$ IMAGE_NAME=${SOURCE_IMAGE_FAMILY}-nested
-
-$ gcloud compute images create \
-    --source-image-project $SOURCE_IMAGE_PROJECT \
-    --source-image-family $SOURCE_IMAGE_FAMILY \
-    --licenses=https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx \
-    $IMAGE_NAME
-```
-
-If successful, `gcloud` reports that the image was created. Verify that the image has the nested virtualization license with `gcloud compute images describe $IMAGE_NAME`. This produces output like the following (some fields have been removed for clarity and to redact personal info):
-
-```yaml
-diskSizeGb: '10'
-kind: compute#image
-licenseCodes:
-  - '1002001'
-  - '5926592092274602096'
-licenses:
-  - https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx
-  - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-1804-lts
-name: ubuntu-1804-lts-nested
-sourceImage: https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1804-bionic-v20180522
-sourceImageId: '3280575157699667619'
-sourceType: RAW
-status: READY
-```
-
-The primary criterion of interest here is the presence of the `enable-vmx` license. Without that licence Kata will not work. Without that license Kata does not work. The presence of that license instructs the Google Compute Engine hypervisor to enable Intel's VT-x instructions in virtual machines created from the image. Note that nested virtualization is only available in VMs running on Intel Haswell or later CPU micro-architectures.
-
-### Verify VMX is Available
-
-Assuming you created a nested-enabled image using the previous instructions, verify that VMs created from this image are VMX-enabled with the following:
-
-1. Create a VM from the image created previously:
-
-    ```bash
-    $ gcloud compute instances create \
-        --image $IMAGE_NAME \
-        --machine-type n1-standard-2 \
-        --min-cpu-platform "Intel Broadwell" \
-        kata-testing
-    ```
-
-> **NOTE**: In most zones the `--min-cpu-platform` argument can be omitted. It is only necessary in GCE Zones that include hosts based on Intel's Ivybridge platform.
-
-2. Verify that the VMX CPUID flag is set:
-
-    ```bash
-    $ gcloud compute ssh kata-testing
-    
-    # While ssh'd into the VM:
-    $ [ -z "$(lscpu|grep GenuineIntel)" ] && { echo "ERROR: Need an Intel CPU"; exit 1; }
-    ```
-
-If this fails, ensure you created your instance from the correct image and that the previously listed `enable-vmx` license is included.
-
-## Install Kata
-
-The process for installing Kata itself on a virtualization-enabled VM is identical to that for bare metal.
-
-For detailed information to install Kata on your distribution of choice, see the [Kata Containers installation user guides](../install/README.md).
-
-## Create a Kata-enabled Image
-
-Optionally, after installing Kata, create an image to preserve the fruits of your labor:
-
-```bash
-$ gcloud compute instances stop kata-testing
-$ gcloud compute images create \
-    --source-disk kata-testing \
-    kata-base
-```
-
-The result is an image that includes any changes made to the `kata-testing` instance as well as the `enable-vmx` flag. Verify this with `gcloud compute images describe kata-base`. The result, which omits some fields for clarity, should be similar to the following:
-
-```yaml
-diskSizeGb: '10'
-kind: compute#image
-licenseCodes:
-  - '1002001'
-  - '5926592092274602096'
-licenses:
-  - https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx
-  - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-1804-lts
-name: kata-base
-selfLink: https://www.googleapis.com/compute/v1/projects/my-kata-project/global/images/kata-base
-sourceDisk: https://www.googleapis.com/compute/v1/projects/my-kata-project/zones/us-west1-a/disks/kata-testing
-sourceType: RAW
-status: READY
-```

docs/install/kata-containers-3.0-rust-runtime-installation-guide.md

@@ -32,7 +32,7 @@ architectures:
 
 ### Kata Deploy Installation
 
-Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/README.md).
+Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md).
 ### Official packages
 `ToDo`
 ### Automatic Installation

docs/install/vexxhost-installation-guide.md

@@ -1,16 +0,0 @@
-# Install Kata Containers on VEXXHOST
-
-Kata Containers on VEXXHOST use nested virtualization to provide an identical
-installation experience to Kata on your preferred Linux distribution.
-
-This guide assumes you have an OpenStack public cloud account set up and tools
-to remotely connect to your virtual machine (SSH).
-
-## Create a new virtual machine with nesting support
-
-All regions support nested virtualization using the V2 flavors (those prefixed
-with v2).  The recommended machine type for container workloads is `v2-highcpu` range.
-
-## Set up with distribution specific quick start
-
-Follow distribution specific [install guides](../install/README.md#packaged-installation-methods).

docs/use-cases/using-Intel-QAT-and-kata.md

@@ -419,7 +419,7 @@ You might need to disable Docker before initializing Kubernetes. Be aware
 that the OpenSSL container image built above will need to be exported from
 Docker and imported into containerd.
 
-If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/README.md)
+If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md)
 there will be multiple `configuration.toml` files associated with different
 hypervisors. Rather than add in the custom Kata kernel, Kata rootfs, and
 kernel modules to each `configuration.toml` as the default, instead use

src/agent/Cargo.lock

@@ -665,30 +665,6 @@ dependencies = [
  "shlex",
 ]
 
-[[package]]
-name = "cdi"
-version = "0.1.0"
-source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=3b1e83dda5efcc83c7a4f134466ec006b37109c9#3b1e83dda5efcc83c7a4f134466ec006b37109c9"
-dependencies = [
- "anyhow",
- "clap",
- "const_format",
- "jsonschema",
- "lazy_static",
- "libc",
- "nix 0.24.3",
- "notify",
- "oci-spec",
- "once_cell",
- "path-clean",
- "regex",
- "semver",
- "serde",
- "serde_derive",
- "serde_json",
- "serde_yaml",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -808,6 +784,31 @@ dependencies = [
  "unicode-xid",
 ]
 
+[[package]]
+name = "container-device-interface"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "653849f0c250f73d9afab4b2a9a6b07adaee1f34c44ffa6f2d2c3f9392002c1a"
+dependencies = [
+ "anyhow",
+ "clap",
+ "const_format",
+ "jsonschema",
+ "lazy_static",
+ "libc",
+ "nix 0.24.3",
+ "notify",
+ "oci-spec",
+ "once_cell",
+ "path-clean",
+ "regex",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "serde_yaml",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -2049,11 +2050,11 @@ dependencies = [
  "async-trait",
  "base64 0.22.1",
  "capctl",
- "cdi",
  "cfg-if",
  "cgroups-rs",
  "clap",
  "const_format",
+ "container-device-interface",
  "derivative",
  "futures",
  "ipnetwork",
@@ -2064,7 +2065,7 @@ dependencies = [
  "libc",
  "log",
  "logging",
- "mem-agent-lib",
+ "mem-agent",
  "netlink-packet-core",
  "netlink-packet-route",
  "netlink-sys 0.7.0",
@@ -2350,7 +2351,7 @@ dependencies = [
 ]
 
 [[package]]
-name = "mem-agent-lib"
+name = "mem-agent"
 version = "0.2.0"
 dependencies = [
  "anyhow",

src/agent/Cargo.toml

@@ -13,8 +13,12 @@ lazy_static = "1.3.0"
 ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
 protobuf = "3.7.2"
 libc = "0.2.94"
-# Notes: nix needs to stay in sync with libs
+
+# Notes:
+# - Needs to stay in sync with libs
+# - Upgrading to 0.27+ will require code changes (see #11842)
 nix = "0.26.4"
+
 capctl = "0.2.0"
 scan_fmt = "0.2.6"
 scopeguard = "1.0.0"
@@ -81,10 +85,10 @@ kata-agent-policy = { path = "policy" }
 rustjail = { path = "rustjail" }
 vsock-exporter = { path = "vsock-exporter" }
 
-mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }
+mem-agent = { path = "../libs/mem-agent" }
 
 kata-sys-util = { path = "../libs/kata-sys-util" }
-kata-types = { path = "../libs/kata-types" }
+kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
 # Note: this crate sets the slog 'max_*' features which allows the log level
 # to be modified at runtime.
 logging = { path = "../libs/logging" }
@@ -163,9 +167,6 @@ clap.workspace = true
 strum.workspace = true
 strum_macros.workspace = true
 
-# Agent Policy
-cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }
-
 # Local dependencies
 kata-agent-policy = { workspace = true, optional = true }
 mem-agent.workspace = true
@@ -185,6 +186,8 @@ base64 = "0.22"
 sha2 = "0.10.8"
 async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }
 
+container-device-interface = "0.1.0"
+
 [target.'cfg(target_arch = "s390x")'.dependencies]
 pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }
 

src/agent/rustjail/src/container.rs

@@ -1037,6 +1037,12 @@ impl BaseContainer for LinuxContainer {
         let child_stderr: std::process::Stdio;
 
         if tty {
+            // NOTE(#11842): This code will require changes if we upgrade to nix 0.27+:
+            // - `pseudo` will contain OwnedFds instead of RawFds.
+            // - We'll have to use `OwnedFd::into_raw_fd()` which will
+            //   transfer the ownership to the caller.
+            // - The duplication strategy will not change.
+
             let pseudo = pty::openpty(None, None)?;
             p.term_master = Some(pseudo.master);
             let _ = fcntl::fcntl(pseudo.master, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC))
@@ -1045,8 +1051,8 @@ impl BaseContainer for LinuxContainer {
                 .map_err(|e| warn!(logger, "fcntl pseudo.slave {:?}", e));
 
             child_stdin = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stdout = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stderr = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
+            child_stdout = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };
+            child_stderr = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };
 
             if let Some(proc_io) = &mut p.proc_io {
                 // A reference count used to clean up the term master fd.
@@ -1914,7 +1920,7 @@ mod tests {
         let cgroups_path = format!(
             "/{}/dummycontainer{}",
             CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
         );
 
         let mut spec = SpecBuilder::default()

src/agent/rustjail/src/mount.rs

@@ -5,6 +5,7 @@
 
 use anyhow::{anyhow, Context, Result};
 use libc::uid_t;
+use nix::errno::Errno;
 use nix::fcntl::{self, OFlag};
 #[cfg(not(test))]
 use nix::mount;
@@ -336,25 +337,19 @@ fn check_proc_mount(m: &Mount) -> Result<()> {
 
     if mount_dest == PROC_PATH {
         // only allow a mount on-top of proc if it's source is "proc"
-        unsafe {
-            let mut stats = MaybeUninit::<libc::statfs>::uninit();
-            let mount_source = m.source().as_ref().unwrap().display().to_string();
-            if mount_source
-                .with_nix_path(|path| libc::statfs(path.as_ptr(), stats.as_mut_ptr()))
-                .is_ok()
-            {
-                if stats.assume_init().f_type == PROC_SUPER_MAGIC {
-                    return Ok(());
-                }
-            } else {
-                return Ok(());
-            }
+        let mount_source = m.source().as_ref().unwrap().display().to_string();
 
-            return Err(anyhow!(format!(
+        let mut stats = MaybeUninit::<libc::statfs>::uninit();
+        let statfs_ret = mount_source
+            .with_nix_path(|path| unsafe { libc::statfs(path.as_ptr(), stats.as_mut_ptr()) })?;
+
+        return match Errno::result(statfs_ret) {
+            Ok(_) if unsafe { stats.assume_init().f_type } == PROC_SUPER_MAGIC => Ok(()),
+            Ok(_) | Err(_) => Err(anyhow!(format!(
                 "{} cannot be mounted to {} because it is not of type proc",
                 &mount_source, &mount_dest
-            )));
-        }
+            ))),
+        };
     }
 
     if mount_dest.starts_with(PROC_PATH) {

src/agent/src/device/mod.rs

@@ -15,6 +15,7 @@ use anyhow::{anyhow, Context, Result};
 use cdi::annotations::parse_annotations;
 use cdi::cache::{new_cache, with_auto_refresh, CdiOption};
 use cdi::spec_dirs::with_spec_dirs;
+use container_device_interface as cdi;
 use kata_types::device::DeviceHandlerManager;
 use nix::sys::stat;
 use oci::{LinuxDeviceCgroup, Spec};

src/agent/src/mount.rs

@@ -336,11 +336,17 @@ mod tests {
         let plain = slog_term::PlainSyncDecorator::new(std::io::stdout());
         let logger = Logger::root(slog_term::FullFormat::new(plain).build().fuse(), o!());
 
+        // Detect actual filesystem types mounted in this environment
+        // Z runners mount /dev as tmpfs, while normal systems use devtmpfs
+        let dev_fs_type = get_mount_fs_type("/dev").unwrap_or_else(|_| String::from("devtmpfs"));
+        let proc_fs_type = get_mount_fs_type("/proc").unwrap_or_else(|_| String::from("proc"));
+        let sys_fs_type = get_mount_fs_type("/sys").unwrap_or_else(|_| String::from("sysfs"));
+
         let test_cases = [
-            ("dev", "/dev", "devtmpfs"),
-            ("udev", "/dev", "devtmpfs"),
-            ("proc", "/proc", "proc"),
-            ("sysfs", "/sys", "sysfs"),
+            ("dev", "/dev", dev_fs_type.as_str()),
+            ("udev", "/dev", dev_fs_type.as_str()),
+            ("proc", "/proc", proc_fs_type.as_str()),
+            ("sysfs", "/sys", sys_fs_type.as_str()),
         ];
 
         for &(source, destination, fs_type) in &test_cases {
@@ -381,6 +387,22 @@ mod tests {
         let drain = slog::Discard;
         let logger = slog::Logger::root(drain, o!());
 
+        // Detect filesystem type of root directory
+        let tmp_fs_type = get_mount_fs_type("/").unwrap_or_else(|_| String::from("unknown"));
+
+        // Error messages that vary based on filesystem type
+        const DEFAULT_ERROR_EPERM: &str = "Operation not permitted";
+        const BTRFS_ERROR_ENODEV: &str = "No such device";
+
+        // Helper to select error message based on filesystem type (e.g. btrfs for s390x runners)
+        let get_error_msg = |default: &'static str, btrfs_specific: &'static str| -> &'static str {
+            if tmp_fs_type == "btrfs" && !btrfs_specific.is_empty() {
+                btrfs_specific
+            } else {
+                default
+            }
+        };
+
         let tests = &[
             TestData {
                 test_user: TestUserType::Any,
@@ -416,7 +438,7 @@ mod tests {
                 fs_type: "bind",
                 flags: MsFlags::empty(),
                 options: "bind",
-                error_contains: "Operation not permitted",
+                error_contains: get_error_msg(DEFAULT_ERROR_EPERM, BTRFS_ERROR_ENODEV),
             },
             TestData {
                 test_user: TestUserType::NonRootOnly,
@@ -496,7 +518,14 @@ mod tests {
 
             let err = result.unwrap_err();
             let error_msg = format!("{}", err);
-            assert!(error_msg.contains(d.error_contains), "{}", msg);
+
+            assert!(
+                error_msg.contains(d.error_contains),
+                "{}: expected error containing '{}', got '{}'",
+                msg,
+                d.error_contains,
+                error_msg
+            );
         }
     }
 

src/agent/src/netlink.rs

@@ -401,7 +401,11 @@ impl Handle {
                 }
 
                 if let RouteAttribute::Oif(index) = attribute {
-                    route.device = self.find_link(LinkFilter::Index(*index)).await?.name();
+                    route.device = self
+                        .find_link(LinkFilter::Index(*index))
+                        .await
+                        .context(format!("error looking up device {index}"))?
+                        .name();
                 }
             }
 
@@ -909,10 +913,27 @@ mod tests {
     use super::*;
     use netlink_packet_route::address::AddressHeader;
     use netlink_packet_route::link::LinkHeader;
+    use serial_test::serial;
     use std::iter;
     use std::process::Command;
     use test_utils::skip_if_not_root;
 
+    // Constants for ARP neighbor tests
+    const TEST_DUMMY_INTERFACE: &str = "dummy_for_arp";
+    const TEST_ARP_IP: &str = "192.0.2.127";
+
+    /// Helper function to check if the result is a netlink EACCES error
+    fn is_netlink_permission_error<T>(result: &Result<T>) -> bool {
+        if let Err(e) = result {
+            let error_string = format!("{:?}", e);
+            if error_string.contains("code: Some(-13)") {
+                println!("INFO: skipping test - netlink operations are restricted in this environment (EACCES)");
+                return true;
+            }
+        }
+        false
+    }
+
     #[tokio::test]
     async fn find_link_by_name() {
         let message = Handle::new()
@@ -972,11 +993,15 @@ mod tests {
     }
 
     #[tokio::test]
+    #[serial(arp_neighbor_tests)]
     async fn list_routes() {
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
+        let devices: Vec<Interface> = Handle::new().unwrap().list_interfaces().await.unwrap();
         let all = Handle::new()
             .unwrap()
             .list_routes()
             .await
+            .context(format!("available devices: {:?}", devices))
             .expect("Failed to list routes");
 
         assert_ne!(all.len(), 0);
@@ -1032,10 +1057,14 @@ mod tests {
         let lo = handle.find_link(LinkFilter::Name("lo")).await.unwrap();
 
         for network in list {
-            handle
-                .add_addresses(lo.index(), iter::once(network))
-                .await
-                .expect("Failed to add IP");
+            let result = handle.add_addresses(lo.index(), iter::once(network)).await;
+
+            // Skip test if netlink operations are restricted (EACCES = -13)
+            if is_netlink_permission_error(&result) {
+                return;
+            }
+
+            result.expect("Failed to add IP");
 
             // Make sure the address is there
             let result = handle
@@ -1050,10 +1079,14 @@ mod tests {
             assert!(result.is_some());
 
             // Update it
-            handle
-                .add_addresses(lo.index(), iter::once(network))
-                .await
-                .expect("Failed to delete address");
+            let result = handle.add_addresses(lo.index(), iter::once(network)).await;
+
+            // Skip test if netlink operations are restricted (EACCES = -13)
+            if is_netlink_permission_error(&result) {
+                return;
+            }
+
+            result.expect("Failed to delete address");
         }
     }
 
@@ -1088,7 +1121,7 @@ mod tests {
             .expect("prepare: failed to delete neigh");
     }
 
-    fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
+    async fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
         clean_env_for_test_add_one_arp_neighbor(dummy_name, ip);
         // modprobe dummy
         Command::new("modprobe")
@@ -1102,9 +1135,9 @@ mod tests {
             .output()
             .expect("failed to add dummy interface");
 
-        // ip addr add 192.168.0.2/16 dev dummy
+        // ip addr add 192.0.2.2/24 dev dummy
         Command::new("ip")
-            .args(["addr", "add", "192.168.0.2/16", "dev", dummy_name])
+            .args(["addr", "add", "192.0.2.2/24", "dev", dummy_name])
             .output()
             .expect("failed to add ip for dummy");
 
@@ -1113,24 +1146,26 @@ mod tests {
             .args(["link", "set", dummy_name, "up"])
             .output()
             .expect("failed to up dummy");
+
+        // Wait briefly to ensure the IP address addition is fully complete
+        tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
     }
 
     #[tokio::test]
+    #[serial(arp_neighbor_tests)]
     async fn test_add_one_arp_neighbor() {
         skip_if_not_root!();
 
         let mac = "6a:92:3a:59:70:aa";
-        let to_ip = "169.254.1.1";
-        let dummy_name = "dummy_for_arp";
 
-        prepare_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        prepare_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP).await;
 
         let mut ip_address = IPAddress::new();
-        ip_address.set_address(to_ip.to_string());
+        ip_address.set_address(TEST_ARP_IP.to_string());
 
         let mut neigh = ARPNeighbor::new();
         neigh.set_toIPAddress(ip_address);
-        neigh.set_device(dummy_name.to_string());
+        neigh.set_device(TEST_DUMMY_INTERFACE.to_string());
         neigh.set_lladdr(mac.to_string());
         neigh.set_state(0x80);
 
@@ -1141,15 +1176,24 @@ mod tests {
             .expect("Failed to add ARP neighbor");
 
         // ip neigh show dev dummy ip
-        let stdout = Command::new("ip")
-            .args(["neigh", "show", "dev", dummy_name, to_ip])
+        let output = Command::new("ip")
+            .args(["neigh", "show", "dev", TEST_DUMMY_INTERFACE, TEST_ARP_IP])
             .output()
-            .expect("failed to show neigh")
-            .stdout;
+            .expect("failed to show neigh");
 
-        let stdout = std::str::from_utf8(&stdout).expect("failed to convert stdout");
-        assert_eq!(stdout.trim(), format!("{} lladdr {} PERMANENT", to_ip, mac));
+        let stdout = std::str::from_utf8(&output.stdout).expect("failed to convert stdout");
+        let stderr = std::str::from_utf8(&output.stderr).expect("failed to convert stderr");
+        assert!(
+            output.status.success(),
+            "`ip neigh show` returned exit code {:?}. stderr: {:?}",
+            output.status.code(),
+            stderr
+        );
+        assert_eq!(
+            stdout.trim(),
+            format!("{} lladdr {} PERMANENT", TEST_ARP_IP, mac)
+        );
 
-        clean_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
     }
 }

src/agent/src/random.rs

@@ -59,10 +59,26 @@ pub fn reseed_rng(data: &[u8]) -> Result<()> {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use nix::errno::Errno;
     use std::fs::File;
     use std::io::prelude::*;
     use test_utils::skip_if_not_root;
 
+    /// Helper function to check if the result is an EPERM error
+    fn is_permission_error(result: &Result<()>) -> bool {
+        if let Err(e) = result {
+            if let Some(errno) = e.downcast_ref::<Errno>() {
+                if *errno == Errno::EPERM {
+                    println!(
+                        "EPERM: skipping test - reseeding RNG is not permitted in this environment"
+                    );
+                    return true;
+                }
+            }
+        }
+        false
+    }
+
     #[test]
     fn test_reseed_rng() {
         skip_if_not_root!();
@@ -73,6 +89,9 @@ mod tests {
         // Ensure the buffer was filled.
         assert!(n == POOL_SIZE);
         let ret = reseed_rng(&seed);
+        if is_permission_error(&ret) {
+            return;
+        }
         assert!(ret.is_ok());
     }
 
@@ -85,6 +104,9 @@ mod tests {
         // Ensure the buffer was filled.
         assert!(n == POOL_SIZE);
         let ret = reseed_rng(&seed);
+        if is_permission_error(&ret) {
+            return;
+        }
         if nix::unistd::Uid::effective().is_root() {
             assert!(ret.is_ok());
         } else {

src/agent/src/rpc.rs

@@ -2417,7 +2417,7 @@ mod tests {
         let cgroups_path = format!(
             "/{}/dummycontainer{}",
             CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
         );
 
         let spec = SpecBuilder::default()
@@ -2481,6 +2481,26 @@ mod tests {
         // normally this module should eixsts...
         m.name = "bridge".to_string();
         let result = load_kernel_module(&m);
+
+        // Skip test if loading kernel modules is not permitted
+        // or kernel module is not found
+        if let Err(e) = &result {
+            let error_string = format!("{:?}", e);
+            // Let's print out the error message first
+            println!("DEBUG: error: {}", error_string);
+            if error_string.contains("Operation not permitted")
+                || error_string.contains("EPERM")
+                || error_string.contains("Permission denied")
+            {
+                println!("INFO: skipping test - loading kernel modules is not permitted in this environment");
+                return;
+            }
+            if error_string.contains("not found") {
+                println!("INFO: skipping test - kernel module is not found in this environment");
+                return;
+            }
+        }
+
         assert!(result.is_ok(), "load module should success");
     }
 

src/agent/src/sandbox.rs

@@ -858,7 +858,7 @@ mod tests {
         let cgroups_path = format!(
             "/{}/dummycontainer{}",
             CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
         );
 
         let spec = SpecBuilder::default()

src/dragonball/Cargo.lock

@@ -344,20 +344,26 @@ name = "dbs-pci"
 version = "0.1.0"
 dependencies = [
  "byteorder",
+ "dbs-address-space",
  "dbs-allocator",
  "dbs-arch",
  "dbs-boot",
  "dbs-device",
  "dbs-interrupt",
+ "dbs-utils",
+ "dbs-virtio-devices",
  "downcast-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "libc",
  "log",
+ "serde",
  "thiserror 1.0.48",
  "vfio-bindings",
  "vfio-ioctls",
+ "virtio-queue",
  "vm-memory",
+ "vmm-sys-util",
 ]
 
 [[package]]
@@ -1115,9 +1121,9 @@ dependencies = [
 
 [[package]]
 name = "kvm-ioctls"
-version = "0.12.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3a321cabd827642499c77e27314f388dd83a717a5ca716b86476fb947f73ae4"
+checksum = "3d592c9b0da14bacab1fe89c78e7ed873b20cf7f502d0fc26f628d733215b1e5"
 dependencies = [
  "kvm-bindings",
  "libc",
@@ -1810,9 +1816,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
  "libc",
 ]

src/dragonball/Cargo.toml

@@ -31,9 +31,9 @@ resolver = "2"
 # Rust-VMM crates
 event-manager = "0.2.1"
 kvm-bindings = "0.6.0"
-kvm-ioctls = "0.12.0"
+kvm-ioctls = "=0.12.1"
 linux-loader = "0.8.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 vfio-bindings = "0.3.0"
 vfio-ioctls = "0.1.0"
 virtio-bindings = "0.1.0"

src/dragonball/dbs_device/src/device_manager.rs

@@ -18,7 +18,7 @@
 //!
 //! # Examples
 //!
-//! Creating a dummy deivce which implement DeviceIo trait, and register it to [IoManager] with
+//! Creating a dummy device which implement DeviceIo trait, and register it to [IoManager] with
 //! trapped MMIO/PIO address ranges:
 //!
 //! ```

src/dragonball/src/api/v1/vmm_action.rs

@@ -479,14 +479,13 @@ impl VmmService {
         use self::StartMicroVmError::MicroVMAlreadyRunning;
         use self::VmmActionError::StartMicroVm;
 
-        let vmm_seccomp_filter = vmm.vmm_seccomp_filter();
-        let vcpu_seccomp_filter = vmm.vcpu_seccomp_filter();
+        let seccomp_filters = vmm.seccomp_filters();
         let vm = vmm.get_vm_mut().ok_or(VmmActionError::InvalidVMID)?;
         if vm.is_vm_initialized() {
             return Err(StartMicroVm(MicroVMAlreadyRunning));
         }
 
-        vm.start_microvm(event_mgr, vmm_seccomp_filter, vcpu_seccomp_filter)
+        vm.start_microvm(event_mgr, seccomp_filters)
             .map(|_| VmmData::Empty)
             .map_err(StartMicroVm)
     }

src/dragonball/src/error.rs

@@ -219,6 +219,10 @@ pub enum StartMicroVmError {
     /// Failed to register DMA memory address range.
     #[error("failure while registering DMA address range: {0:?}")]
     RegisterDMAAddress(#[source] VfioDeviceError),
+
+    /// Cannot build seccomp filters.
+    #[error("failure while configuring seccomp filters: {0}")]
+    SeccompFilters(#[source] seccompiler::Error),
 }
 
 /// Errors associated with starting the instance.

src/dragonball/src/lib.rs

@@ -48,7 +48,7 @@ mod vmm;
 
 pub use self::error::StartMicroVmError;
 pub use self::io_manager::IoManagerCached;
-pub use self::vmm::Vmm;
+pub use self::vmm::{Vmm, ALL_THREADS, VCPU_THREAD, VMM_THREAD};
 
 /// Success exit code.
 pub const EXIT_CODE_OK: u8 = 0;

src/dragonball/src/vm/mod.rs

@@ -1,6 +1,7 @@
 // Copyright (C) 2021 Alibaba Cloud. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+use std::collections::HashMap;
 use std::io::{self, Read, Seek, SeekFrom};
 use std::ops::Deref;
 use std::os::unix::io::RawFd;
@@ -18,6 +19,7 @@ use dbs_utils::time::TimestampUs;
 use kvm_ioctls::VmFd;
 use linux_loader::loader::{KernelLoader, KernelLoaderResult};
 use seccompiler::BpfProgram;
+use seccompiler::{apply_filter_all_threads, Error as SecError};
 use serde_derive::{Deserialize, Serialize};
 use slog::{error, info};
 use vm_memory::{Bytes, GuestAddress, GuestAddressSpace};
@@ -42,6 +44,7 @@ use crate::resource_manager::ResourceManager;
 use crate::vcpu::{VcpuManager, VcpuManagerError};
 #[cfg(feature = "hotplug")]
 use crate::vcpu::{VcpuResizeError, VcpuResizeInfo};
+use crate::{ALL_THREADS, VCPU_THREAD, VMM_THREAD};
 #[cfg(target_arch = "aarch64")]
 use dbs_arch::gic::Error as GICError;
 
@@ -709,10 +712,27 @@ impl Vm {
     pub fn start_microvm(
         &mut self,
         event_mgr: &mut EventManager,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
     ) -> std::result::Result<(), StartMicroVmError> {
         info!(self.logger, "VM: received instance start command");
+
+        if let Some(process_seccomp_filter) = seccomp_filters.get(ALL_THREADS) {
+            // Load seccomp filters for the whole process.
+            // Execution panics if filters cannot be loaded, use --seccomp-level=0 if skipping filters
+            // altogether is the desired behaviour.
+            if let Err(e) = apply_filter_all_threads(process_seccomp_filter) {
+                if !matches!(e, SecError::EmptyFilter) {
+                    error!(
+                        self.logger,
+                        "VM: failed to apply process-wide seccomp filters: {}", e
+                    );
+                    return Err(StartMicroVmError::SeccompFilters(e));
+                }
+            } else {
+                info!(self.logger, "VM: process-wide seccomp filters applied");
+            }
+        }
+
         if self.is_vm_initialized() {
             return Err(StartMicroVmError::MicroVMAlreadyRunning);
         }
@@ -738,8 +758,14 @@ impl Vm {
                 AddressManagerError::GuestMemoryNotInitialized,
             ))?;
 
-        self.init_vcpu_manager(vm_as.clone(), vcpu_seccomp_filter)
-            .map_err(StartMicroVmError::Vcpu)?;
+        self.init_vcpu_manager(
+            vm_as.clone(),
+            seccomp_filters
+                .get(VCPU_THREAD)
+                .cloned()
+                .unwrap_or_default(),
+        )
+        .map_err(StartMicroVmError::Vcpu)?;
         self.init_microvm(event_mgr.epoll_manager(), vm_as.clone(), request_ts)?;
         self.init_configure_system(&vm_as)?;
         #[cfg(feature = "dbs-upcall")]
@@ -751,7 +777,7 @@ impl Vm {
         info!(self.logger, "VM: start vcpus");
         self.vcpu_manager()
             .map_err(StartMicroVmError::Vcpu)?
-            .start_boot_vcpus(vmm_seccomp_filter)
+            .start_boot_vcpus(seccomp_filters.get(VMM_THREAD).cloned().unwrap_or_default())
             .map_err(StartMicroVmError::Vcpu)?;
 
         // Use expect() to crash if the other thread poisoned this lock.

src/dragonball/src/vmm.rs

@@ -6,6 +6,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the THIRD-PARTY file.
 
+use std::collections::HashMap;
 use std::fmt::Formatter;
 use std::os::unix::io::RawFd;
 use std::sync::{Arc, Mutex, RwLock};
@@ -22,6 +23,19 @@ use crate::event_manager::{EventContext, EventManager};
 use crate::vm::Vm;
 use crate::{EXIT_CODE_GENERIC_ERROR, EXIT_CODE_OK};
 
+// Thread types to which the seccomp restrictions apply
+// Currently the restrictions are applied to the whole process
+// More thread types can be added later to accommodate more granular constraints.
+
+/// Union of restrictions for all threads;
+/// The corresponding restrictions are applied to the whole process
+/// This type should be used with any other thread type which has specific restrictions
+pub const ALL_THREADS: &str = "all";
+/// VMM thread
+pub const VMM_THREAD: &str = "vmm";
+/// Vcpu thread
+pub const VCPU_THREAD: &str = "vcpu";
+
 /// Global coordinator to manage API servers, virtual machines, upgrade etc.
 ///
 /// Originally firecracker assumes an VMM only manages an VM, and doesn't distinguish VMM and VM.
@@ -41,8 +55,7 @@ pub struct Vmm {
     // Will change to a HashMap when enabling 1 VMM with multiple VMs.
     vm: Vm,
 
-    vcpu_seccomp_filter: BpfProgram,
-    vmm_seccomp_filter: BpfProgram,
+    seccomp_filters: HashMap<String, BpfProgram>,
 }
 
 impl Vmm {
@@ -50,8 +63,7 @@ impl Vmm {
     pub fn new(
         api_shared_info: Arc<RwLock<InstanceInfo>>,
         api_event_fd: EventFd,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
         kvm_fd: Option<RawFd>,
     ) -> Result<Self> {
         let epoll_manager = EpollManager::default();
@@ -59,8 +71,7 @@ impl Vmm {
             api_shared_info,
             api_event_fd,
             epoll_manager,
-            vmm_seccomp_filter,
-            vcpu_seccomp_filter,
+            seccomp_filters,
             kvm_fd,
         )
     }
@@ -70,8 +81,7 @@ impl Vmm {
         api_shared_info: Arc<RwLock<InstanceInfo>>,
         api_event_fd: EventFd,
         epoll_manager: EpollManager,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
         kvm_fd: Option<RawFd>,
     ) -> Result<Self> {
         let vm = Vm::new(kvm_fd, api_shared_info, epoll_manager.clone())?;
@@ -81,8 +91,7 @@ impl Vmm {
             event_ctx,
             epoll_manager,
             vm,
-            vcpu_seccomp_filter,
-            vmm_seccomp_filter,
+            seccomp_filters,
         })
     }
 
@@ -96,14 +105,9 @@ impl Vmm {
         Some(&mut self.vm)
     }
 
-    /// Get the seccomp rules for vCPU threads.
-    pub fn vcpu_seccomp_filter(&self) -> BpfProgram {
-        self.vcpu_seccomp_filter.clone()
-    }
-
-    /// Get the seccomp rules for VMM threads.
-    pub fn vmm_seccomp_filter(&self) -> BpfProgram {
-        self.vmm_seccomp_filter.clone()
+    /// Get all seccomp rules.
+    pub fn seccomp_filters(&self) -> HashMap<String, BpfProgram> {
+        self.seccomp_filters.clone()
     }
 
     /// Run the event loop to service API requests.
@@ -206,14 +210,15 @@ impl std::fmt::Debug for Vmm {
         f.debug_struct("Vmm")
             .field("event_ctx", &self.event_ctx)
             .field("vm", &self.vm.shared_info())
-            .field("vcpu_seccomp_filter", &self.vcpu_seccomp_filter)
-            .field("vmm_seccomp_filter", &self.vmm_seccomp_filter)
+            .field("seccomp_filters", &self.seccomp_filters)
             .finish()
     }
 }
 
 #[cfg(test)]
 pub(crate) mod tests {
+    use std::collections::HashMap;
+
     use test_utils::skip_if_not_root;
 
     use super::*;
@@ -221,17 +226,8 @@ pub(crate) mod tests {
     pub fn create_vmm_instance(epoll_manager: EpollManager) -> Vmm {
         let info = Arc::new(RwLock::new(InstanceInfo::default()));
         let event_fd = EventFd::new(libc::EFD_NONBLOCK).unwrap();
-        let seccomp_filter: BpfProgram = Vec::new();
 
-        Vmm::new_with_epoll_manager(
-            info,
-            event_fd,
-            epoll_manager,
-            seccomp_filter.clone(),
-            seccomp_filter,
-            None,
-        )
-        .unwrap()
+        Vmm::new_with_epoll_manager(info, event_fd, epoll_manager, HashMap::new(), None).unwrap()
     }
 
     #[test]

src/libs/Cargo.toml

@@ -3,8 +3,9 @@ members = [
     "kata-sys-util",
     "kata-types",
     "logging",
-    "runtime-spec",
+    "mem-agent",
     "protocols",
+    "runtime-spec",
     "safe-path",
     "shim-interface",
     "test-utils",

src/libs/kata-sys-util/src/mount.rs

@@ -1088,7 +1088,7 @@ mod tests {
         assert!(parse_mount_options(&options).is_err());
 
         let idx = options.len() - 1;
-        options[idx] = " ".repeat(4097);
+        options[idx] = " ".repeat(*MAX_MOUNT_PARAM_SIZE + 1);
         assert!(parse_mount_options(&options).is_err());
     }
 

src/libs/kata-sys-util/src/pcilibs/pci_manager.rs

@@ -297,18 +297,16 @@ mod tests {
     use super::*;
     use std::fs;
     use std::io::Write;
-    use std::path::{Path, PathBuf};
+    use std::path::PathBuf;
 
-    const MOCK_PCI_DEVICES_ROOT: &str = "tests/mock_devices";
     // domain number
     const TEST_PCI_DEV_DOMAIN: &str = "0000";
-    // sysfs path
-    const MOCK_SYS_BUS_PCI_DEVICES: &str = "/tmp/bus/pci/devices";
 
     // Mock data
-    fn setup_mock_device_files() {
+    fn setup_mock_device_files() -> tempfile::TempDir {
+        let dir = tempfile::tempdir().expect("tempdir should not fail");
         // Create mock path and files for PCI devices
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
+        let device_path = dir.path().join("0000:ff:1f.0");
         fs::create_dir_all(&device_path).unwrap();
         fs::write(device_path.join("vendor"), "0x8086").unwrap();
         fs::write(device_path.join("device"), "0x1234").unwrap();
@@ -319,13 +317,7 @@ mod tests {
             "0x00000000 0x0000ffff 0x00000404\n",
         )
         .unwrap();
-    }
-    // Mock data
-    fn cleanup_mock_device_files() {
-        // Create mock path and files for PCI devices
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
-        // Clean up
-        let _ = fs::remove_file(device_path);
+        dir
     }
 
     #[test]
@@ -380,10 +372,10 @@ mod tests {
     #[test]
     fn test_get_all_devices() {
         // Setup mock data
-        setup_mock_device_files();
+        let tmpdir = setup_mock_device_files();
 
         // Initialize PCI device manager with the mock path
-        let manager = PCIDeviceManager::new(MOCK_PCI_DEVICES_ROOT);
+        let manager = PCIDeviceManager::new(&tmpdir.path().to_string_lossy());
 
         // Get all devices
         let devices_result = manager.get_all_devices(None);
@@ -396,17 +388,14 @@ mod tests {
         assert_eq!(device.vendor, 0x8086);
         assert_eq!(device.device, 0x1234);
         assert_eq!(device.class, 0x060100);
-
-        // Cleanup mock data
-        cleanup_mock_device_files()
     }
 
     #[test]
     fn test_parse_resources() {
-        setup_mock_device_files();
+        let tmpdir = setup_mock_device_files();
 
-        let manager = PCIDeviceManager::new(MOCK_PCI_DEVICES_ROOT);
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
+        let manager = PCIDeviceManager::new(&tmpdir.path().to_string_lossy());
+        let device_path = tmpdir.path().join("0000:ff:1f.0");
 
         let resources_result = manager.parse_resources(&device_path);
         assert!(resources_result.is_ok());
@@ -418,17 +407,14 @@ mod tests {
         assert_eq!(resource.start, 0x00000000);
         assert_eq!(resource.end, 0x0000ffff);
         assert_eq!(resource.flags, 0x00000404);
-
-        cleanup_mock_device_files();
     }
 
     #[test]
     fn test_is_pcie_device() {
         // Create a mock PCI device config file
         let bdf = format!("{}:ff:00.0", TEST_PCI_DEV_DOMAIN);
-        let config_path = Path::new(MOCK_SYS_BUS_PCI_DEVICES)
-            .join(&bdf)
-            .join("config");
+        let tmpdir = tempfile::tempdir().expect("tempdir should not fail");
+        let config_path = tmpdir.path().join(&bdf).join("config");
         let _ = fs::create_dir_all(config_path.parent().unwrap());
 
         // Write a file with a size larger than PCI_CONFIG_SPACE_SZ
@@ -437,9 +423,6 @@ mod tests {
         file.write_all(&vec![0; 512]).unwrap();
 
         // It should be true
-        assert!(is_pcie_device("ff:00.0", MOCK_SYS_BUS_PCI_DEVICES));
-
-        // Clean up
-        let _ = fs::remove_file(config_path);
+        assert!(is_pcie_device("ff:00.0", &tmpdir.path().to_string_lossy()));
     }
 }

src/libs/kata-types/Cargo.toml

@@ -32,7 +32,8 @@ flate2 = { version = "1.0", features = ["zlib"] }
 hex = "0.4"
 
 oci-spec = { version = "0.8.1", features = ["runtime"] }
-safe-path = { path = "../safe-path" }
+
+safe-path = { path = "../safe-path", optional = true }
 
 [dev-dependencies]
 tempfile = "3.19.1"
@@ -42,3 +43,4 @@ nix = "0.26.4"
 [features]
 default = []
 enable-vendor = []
+safe-path = ["dep:safe-path"] # safe-path is platform-specific

src/libs/kata-types/src/config/default.rs

@@ -9,6 +9,7 @@
 use crate::config::agent::AGENT_NAME_KATA;
 use crate::config::hypervisor::HYPERVISOR_NAME_DRAGONBALL;
 use crate::config::runtime::RUNTIME_NAME_VIRTCONTAINER;
+use crate::machine_type::MACHINE_TYPE_Q35_TYPE;
 use lazy_static::lazy_static;
 
 lazy_static! {
@@ -65,7 +66,7 @@ pub const MIN_DRAGONBALL_MEMORY_SIZE_MB: u32 = 64;
 pub const DEFAULT_QEMU_BINARY_PATH: &str = "/usr/bin/qemu-system-x86_64";
 pub const DEFAULT_QEMU_ROOTFS_TYPE: &str = "ext4";
 pub const DEFAULT_QEMU_CONTROL_PATH: &str = "";
-pub const DEFAULT_QEMU_MACHINE_TYPE: &str = "q35";
+pub const DEFAULT_QEMU_MACHINE_TYPE: &str = MACHINE_TYPE_Q35_TYPE;
 pub const DEFAULT_QEMU_ENTROPY_SOURCE: &str = "/dev/urandom";
 pub const DEFAULT_QEMU_GUEST_KERNEL_IMAGE: &str = "vmlinuz";
 pub const DEFAULT_QEMU_GUEST_KERNEL_PARAMS: &str = "";

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -49,7 +49,7 @@ mod remote;
 pub use self::remote::{RemoteConfig, HYPERVISOR_NAME_REMOTE};
 
 mod rate_limiter;
-pub use self::rate_limiter::RateLimiterConfig;
+pub use self::rate_limiter::{RateLimiterConfig, DEFAULT_RATE_LIMITER_REFILL_TIME};
 
 /// Virtual PCI block device driver.
 pub const VIRTIO_BLK_PCI: &str = "virtio-blk-pci";
@@ -878,6 +878,26 @@ impl NetworkInfo {
     }
 }
 
+/// Configuration information for rootless user.
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+pub struct RootlessUser {
+    /// The UID of the rootless user.
+    #[serde(default)]
+    pub uid: u32,
+
+    /// The GID of the rootless user.
+    #[serde(default)]
+    pub gid: u32,
+
+    /// The supplementary groups of the rootless user.
+    #[serde(default)]
+    pub groups: Vec<u32>,
+
+    /// The username of the rootless user.
+    #[serde(default)]
+    pub user_name: String,
+}
+
 /// Configuration information for security settings.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
 pub struct SecurityInfo {
@@ -889,6 +909,14 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub rootless: bool,
 
+    /// Configuration information for rootless user.
+    ///
+    /// This field must be set if the `rootless` configuration above is enabled.
+    /// It contains the UID, GID, supplementary groups, and the user name of the non-root user
+    /// that will be used to run the VMM process.
+    #[serde(default)]
+    pub rootless_user: Option<RootlessUser>,
+
     /// Disables `seccomp` for the guest VM.
     #[serde(default)]
     pub disable_seccomp: bool,
@@ -1196,6 +1224,52 @@ pub struct RemoteInfo {
     pub default_gpu_model: String,
 }
 
+/// Configuration information for vm template.
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+pub struct VmTemplateInfo {
+    /// Indicate whether the VM is being created as a template VM.
+    #[serde(default)]
+    pub boot_to_be_template: bool,
+
+    /// Indicate whether the VM should be created from an existing template VM.
+    #[serde(default)]
+    pub boot_from_template: bool,
+
+    /// memory_path is the memory file path of VM memory.
+    #[serde(default)]
+    pub memory_path: String,
+
+    /// device_state_path is the VM device state file path.
+    #[serde(default)]
+    pub device_state_path: String,
+}
+
+impl VmTemplateInfo {
+    /// Adjust the configuration information after loading from configuration file.
+    pub fn adjust_config(&mut self) -> Result<()> {
+        Ok(())
+    }
+
+    /// Validate the configuration information.
+    pub fn validate(&self) -> Result<()> {
+        Ok(())
+    }
+}
+
+/// Configuration information for VM factory (templating, caches, etc.).
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+pub struct Factory {
+    /// Enable VM templating support.
+    /// When enabled, new VMs may be created from a template to speed up creation.
+    #[serde(default, rename = "enable_template")]
+    pub enable_template: bool,
+
+    /// Specifies the path of template.
+    /// Example: "/run/vc/vm/template"
+    #[serde(default)]
+    pub template_path: String,
+}
+
 /// Common configuration information for hypervisors.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
 pub struct Hypervisor {
@@ -1286,6 +1360,14 @@ pub struct Hypervisor {
     #[serde(default, flatten)]
     pub remote_info: RemoteInfo,
 
+    /// vm template configuration information.
+    #[serde(default, flatten)]
+    pub vm_template: VmTemplateInfo,
+
+    /// VM factory configuration information.
+    #[serde(default)]
+    pub factory: Factory,
+
     /// A sandbox annotation used to specify the host path to the `prefetch_files.list`
     /// for the container image being used. The runtime will pass this path to the
     /// Hypervisor to search for the corresponding prefetch list file.
@@ -1359,6 +1441,7 @@ impl ConfigOps for Hypervisor {
                 hv.network_info.adjust_config()?;
                 hv.security_info.adjust_config()?;
                 hv.shared_fs.adjust_config()?;
+                hv.vm_template.adjust_config()?;
                 resolve_path!(
                     hv.prefetch_list_path,
                     "prefetch_list_path `{}` is invalid: {}"
@@ -1396,6 +1479,7 @@ impl ConfigOps for Hypervisor {
                 hv.network_info.validate()?;
                 hv.security_info.validate()?;
                 hv.shared_fs.validate()?;
+                hv.vm_template.validate()?;
                 validate_path!(hv.path, "Hypervisor binary path `{}` is invalid: {}")?;
                 validate_path!(
                     hv.ctlpath,

src/libs/kata-types/src/config/hypervisor/rate_limiter.rs

@@ -6,10 +6,10 @@
 
 use serde::{Deserialize, Serialize};
 
-// The DEFAULT_RATE_LIMITER_REFILL_TIME is used for calculating the rate at
-// which a TokenBucket is replinished, in cases where a RateLimiter is
-// applied to either network or disk I/O.
-pub(crate) const DEFAULT_RATE_LIMITER_REFILL_TIME: u64 = 1000;
+/// The DEFAULT_RATE_LIMITER_REFILL_TIME is used for calculating the rate at
+/// which a TokenBucket is replinished, in cases where a RateLimiter is
+/// applied to either network or disk I/O.
+pub const DEFAULT_RATE_LIMITER_REFILL_TIME: u64 = 1000;
 
 #[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
 pub struct TokenBucketConfig {

src/libs/kata-types/src/config/mod.rs

@@ -24,8 +24,9 @@ pub mod hypervisor;
 pub use self::agent::Agent;
 use self::default::DEFAULT_AGENT_DBG_CONSOLE_PORT;
 pub use self::hypervisor::{
-    BootInfo, CloudHypervisorConfig, DragonballConfig, FirecrackerConfig, Hypervisor, QemuConfig,
-    RemoteConfig, HYPERVISOR_NAME_DRAGONBALL, HYPERVISOR_NAME_FIRECRACKER, HYPERVISOR_NAME_QEMU,
+    BootInfo, CloudHypervisorConfig, DragonballConfig, Factory, FirecrackerConfig, Hypervisor,
+    QemuConfig, RemoteConfig, HYPERVISOR_NAME_DRAGONBALL, HYPERVISOR_NAME_FIRECRACKER,
+    HYPERVISOR_NAME_QEMU,
 };
 
 mod runtime;
@@ -177,6 +178,15 @@ impl TomlConfig {
         Ok(config)
     }
 
+    /// Get the `Factory` configuration from the active hypervisor.
+    pub fn get_factory(&self) -> Factory {
+        let hypervisor_name = self.runtime.hypervisor_name.as_str();
+        self.hypervisor
+            .get(hypervisor_name)
+            .map(|hv| hv.factory.clone())
+            .unwrap_or_default()
+    }
+
     /// Adjust Kata configuration information.
     pub fn adjust_config(&mut self) -> Result<()> {
         Hypervisor::adjust_config(self)?;