DO NOT MERGE: CI test

Test of the ci-devel pipeline

.github/actionlint.yaml

@@ -10,11 +10,6 @@ self-hosted-runner:
     - amd64-nvidia-a100
     - amd64-nvidia-h100-snp
     - arm64-k8s
-    - containerd-v1.7-overlayfs
-    - containerd-v2.0-overlayfs
-    - containerd-v2.1-overlayfs
-    - containerd-v2.2
-    - containerd-v2.2-overlayfs
     - garm-ubuntu-2004
     - garm-ubuntu-2004-smaller
     - garm-ubuntu-2204
@@ -25,6 +20,7 @@ self-hosted-runner:
     - ppc64le-k8s
     - ppc64le-small
     - ubuntu-24.04-ppc64le
+    - ubuntu-24.04-s390x
     - metrics
     - riscv-builder
     - sev-snp

.github/workflows/basic-ci-amd64.yaml

@@ -71,7 +71,7 @@ jobs:
       fail-fast: false
       matrix:
         containerd_version: ['lts', 'active']
-        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu']
+        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'qemu-runtime-rs']
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -117,7 +117,7 @@ jobs:
       fail-fast: false
       matrix:
         containerd_version: ['lts', 'active']
-        vmm: ['clh', 'qemu', 'dragonball']
+        vmm: ['clh', 'qemu', 'dragonball', 'qemu-runtime-rs']
     runs-on: ubuntu-22.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -147,9 +147,18 @@ jobs:
           name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
           path: kata-artifacts
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
       - name: Install kata
         run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts
 
+      - name: Install kata-tools
+        run: bash tests/integration/nydus/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Run nydus tests
         timeout-minutes: 10
         run: bash tests/integration/nydus/gha-run.sh run
@@ -292,6 +301,7 @@ jobs:
           - dragonball
           - qemu
           - cloud-hypervisor
+          - qemu-runtime-rs
     runs-on: ubuntu-22.04
     env:
       KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -366,8 +376,16 @@ jobs:
           name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
           path: kata-artifacts
 
-      - name: Install kata
-        run: bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata & kata-tools
+        run: | 
+          bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
+          bash tests/functional/kata-agent-apis/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Run kata agent api tests with agent-ctl
         run: bash tests/functional/kata-agent-apis/gha-run.sh run

.github/workflows/build-checks.yaml

@@ -12,7 +12,12 @@ name: Build checks
 jobs:
   check:
     name: check
-    runs-on: ${{ matrix.runner || inputs.instance }}
+    runs-on: >-
+      ${{
+        ( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
+        ( contains(inputs.instance, 'ppc64le') && (matrix.component.name == 'runtime' || matrix.component.name == 'agent') ) && 'ppc64le' ||
+        inputs.instance
+      }}
     strategy:
       fail-fast: false
       matrix:
@@ -70,36 +75,6 @@ jobs:
               - protobuf-compiler
         instance:
           - ${{ inputs.instance }} 
-        include:
-          - component:
-              name: runtime
-              path: src/runtime
-              needs:
-                - golang
-                - XDG_RUNTIME_DIR
-            instance: ubuntu-24.04-s390x
-            runner: s390x
-          - component:
-              name: runtime
-              path: src/runtime
-              needs:
-                - golang
-                - XDG_RUNTIME_DIR
-            instance: ubuntu-24.04-ppc64le
-            runner: ppc64le
-          - component:
-              name: agent
-              path: src/agent
-              needs:
-                - rust
-                - libdevmapper
-                - libseccomp
-                - protobuf-compiler
-                - clang
-            instance: ubuntu-24.04-ppc64le
-            runner: ppc64le
-
-             
 
     steps:
       - name: Adjust a permission for repo

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -41,16 +41,11 @@ jobs:
       matrix:
         asset:
           - agent
-          - agent-ctl
           - busybox
           - cloud-hypervisor
           - cloud-hypervisor-glibc
           - coco-guest-components
-          - csi-kata-directvolume
           - firecracker
-          - genpolicy
-          - kata-ctl
-          - kata-manager
           - kernel
           - kernel-confidential
           - kernel-dragonball-experimental
@@ -63,7 +58,6 @@ jobs:
           - qemu
           - qemu-snp-experimental
           - qemu-tdx-experimental
-          - trace-forwarder
           - virtiofsd
         stage:
           - ${{ inputs.stage }}
@@ -121,7 +115,7 @@ jobs:
           echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
           echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
 
-      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
+      - uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
         if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
         with:
           version: "1.2.0"
@@ -171,6 +165,8 @@ jobs:
           - rootfs-image
           - rootfs-image-confidential
           - rootfs-image-mariner
+          - rootfs-image-nvidia-gpu
+          - rootfs-image-nvidia-gpu-confidential
           - rootfs-initrd
           - rootfs-initrd-confidential
           - rootfs-initrd-nvidia-gpu
@@ -362,3 +358,104 @@ jobs:
           path: kata-static.tar.zst
           retention-days: 15
           if-no-files-found: error
+
+  build-tools-asset:
+    name: build-tools-asset
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        asset:
+          - agent-ctl
+          - csi-kata-directvolume
+          - genpolicy
+          - kata-ctl
+          - kata-manager
+          - trace-forwarder
+        stage:
+          - ${{ inputs.stage }}
+    steps:
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.push-to-registry == 'yes' }}
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0 # This is needed in order to keep the commit ids history
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Build ${{ matrix.asset }}
+        id: build
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
+          ARTEFACT_REGISTRY: ghcr.io
+          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
+          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
+          path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
+  create-kata-tools-tarball:
+    name: create-kata-tools-tarball
+    runs-on: ubuntu-22.04
+    needs: [build-tools-asset]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+      - name: get-artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: kata-tools-artifacts-amd64-*${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+          merge-multiple: true
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
+        env:
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: store-artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-static.tar.zst
+          retention-days: 15
+          if-no-files-found: error

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -102,7 +102,7 @@ jobs:
           echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
           echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
 
-      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
+      - uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
         if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
         with:
           version: "1.2.0"
@@ -150,6 +150,7 @@ jobs:
       matrix:
         asset:
           - rootfs-image
+          - rootfs-image-nvidia-gpu
           - rootfs-initrd
           - rootfs-initrd-nvidia-gpu
     steps:

.github/workflows/build-kata-static-tarball-ppc64le.yaml

@@ -32,7 +32,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     strategy:
       matrix:
         asset:
@@ -89,7 +89,7 @@ jobs:
 
   build-asset-rootfs:
     name: build-asset-rootfs
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: build-asset
     permissions:
       contents: read
@@ -170,7 +170,7 @@ jobs:
 
   build-asset-shim-v2:
     name: build-asset-shim-v2
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
       contents: read
@@ -230,7 +230,7 @@ jobs:
 
   create-kata-tarball:
     name: create-kata-tarball
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -32,7 +32,7 @@ permissions: {}
 jobs:
   build-asset:
     name: build-asset
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     permissions:
       contents: read
       packages: write
@@ -257,7 +257,7 @@ jobs:
 
   build-asset-shim-v2:
     name: build-asset-shim-v2
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
       contents: read
@@ -319,7 +319,7 @@ jobs:
 
   create-kata-tarball:
     name: create-kata-tarball
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     needs:
       - build-asset
       - build-asset-rootfs

.github/workflows/ci-nightly-rust.yaml

@@ -0,0 +1,36 @@
+name: Kata Containers Nightly CI (Rust)
+on:
+  schedule:
+    - cron: '0 1 * * *' # Run at 1 AM UTC (1 hour after script-based nightly)
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  kata-containers-ci-on-push-rust:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    uses: ./.github/workflows/ci.yaml
+    with:
+      commit-hash: ${{ github.sha }}
+      pr-number: "nightly-rust"
+      tag: ${{ github.sha }}-nightly-rust
+      target-branch: ${{ github.ref_name }}
+      build-type: "rust" # Use Rust-based build
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+

.github/workflows/ci.yaml

@@ -19,6 +19,11 @@ on:
         required: false
         type: string
         default: no
+      build-type:
+        description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
+        required: false
+        type: string
+        default: ""
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -72,6 +77,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
       runner: ubuntu-22.04
       arch: amd64
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -104,6 +110,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
       runner: ubuntu-24.04-arm
       arch: arm64
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -147,8 +154,9 @@ jobs:
       tag: ${{ inputs.tag }}-s390x
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: s390x
+      runner: ubuntu-24.04-s390x
       arch: s390x
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -165,8 +173,9 @@ jobs:
       tag: ${{ inputs.tag }}-ppc64le
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le-small
+      runner: ubuntu-24.04-ppc64le
       arch: ppc64le
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -233,14 +242,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64-${{ inputs.tag }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64-${{ inputs.tag }}
+          path: kata-tools-artifacts
 
-      - name: Install tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Copy binary into Docker context
         run: |
@@ -288,7 +297,7 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -304,7 +313,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
+      tag: ${{ inputs.tag }}-arm64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -314,9 +323,10 @@ jobs:
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
     with:
+      tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -338,7 +348,7 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -356,7 +366,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
+      tag: ${{ inputs.tag }}-s390x${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -370,7 +380,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
+      tag: ${{ inputs.tag }}-ppc64le${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -382,7 +392,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -473,7 +483,7 @@ jobs:
       vmm: ${{ matrix.params.vmm }}
 
   run-cri-containerd-tests-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false
     needs: build-kata-static-tarball-arm64
     strategy:
       fail-fast: false

.github/workflows/gatekeeper.yaml

@@ -10,7 +10,9 @@ on:
       - opened
       - synchronize
       - reopened
+      - edited
       - labeled
+      - unlabeled
 
 permissions: {}
 

.github/workflows/kata-runtime-classes-sync.yaml

@@ -1,43 +0,0 @@
-name: kata-runtime-classes-sync
-
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  kata-deploy-runtime-classes-check:
-    name: kata-deploy-runtime-classes-check
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Ensure the split out runtime classes match the all-in-one file
-      run: |
-        pushd tools/packaging/kata-deploy/runtimeclasses/
-        echo "::group::Combine runtime classes"
-        for runtimeClass in $(find . -type f \( -name "*.yaml" -and -not -name "kata-runtimeClasses.yaml" \) | sort); do
-            echo "Adding ${runtimeClass} to the resultingRuntimeClasses.yaml"
-            cat "${runtimeClass}" >> resultingRuntimeClasses.yaml;
-        done
-        echo "::endgroup::"
-        echo "::group::Displaying the content of resultingRuntimeClasses.yaml"
-        cat resultingRuntimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        echo "::group::Displaying the content of kata-runtimeClasses.yaml"
-        cat kata-runtimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        diff resultingRuntimeClasses.yaml kata-runtimeClasses.yaml

.github/workflows/payload-after-push.yaml

@@ -82,6 +82,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ubuntu-22.04
       arch: amd64
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -99,6 +100,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ubuntu-24.04-arm
       arch: arm64
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -116,6 +118,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: s390x
       arch: s390x
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -133,6 +136,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ppc64le-small
       arch: ppc64le
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 

.github/workflows/publish-kata-deploy-payload.yaml

@@ -30,6 +30,11 @@ on:
         description: The arch of the tarball.
         required: true
         type: string
+      build-type:
+        description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
+        required: false
+        type: string
+        default: ""
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
@@ -50,6 +55,25 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
       - name: Rebase atop of the latest target branch
         run: |
           ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -83,8 +107,10 @@ jobs:
           REGISTRY: ${{ inputs.registry }}
           REPO: ${{ inputs.repo }}
           TAG: ${{ inputs.tag }}
+          BUILD_TYPE: ${{ inputs.build-type }}
         run: |
           ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
           "$(pwd)/kata-static.tar.zst" \
           "${REGISTRY}/${REPO}" \
-          "${TAG}"
+          "${TAG}" \
+          "${BUILD_TYPE}"

.github/workflows/release-ppc64le.yaml

@@ -31,7 +31,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     steps:
       - name: Login to Kata Containers ghcr.io
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

.github/workflows/release-s390x.yaml

@@ -35,7 +35,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     steps:
       - name: Login to Kata Containers ghcr.io
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

.github/workflows/release.yaml

@@ -181,6 +181,23 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           ARCHITECTURE: ppc64le
 
+      - name: Set KATA_TOOLS_STATIC_TARBALL env var
+        run: |
+          tarball=$(pwd)/kata-tools-static.tar.zst
+          echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
+
+      - name: Download amd64 tools artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64
+
+      - name: Upload amd64 static tarball tools to GitHub
+        run: |
+          ./tools/packaging/release/release.sh upload-kata-tools-static-tarball
+        env:
+          GH_TOKEN: ${{ github.token }}
+          ARCHITECTURE: amd64
+
   upload-versions-yaml:
     name: upload-versions-yaml
     needs: release

.github/workflows/run-containerd-guest-pull-stability-tests.yaml

@@ -1,167 +0,0 @@
-name: CI | Run containerd guest pull stability tests
-on:
-  schedule:
-    - cron: "0 */1 * * *" #run every hour
-
-permissions: {}
-
-# This job relies on k8s pre-installed using kubeadm
-jobs:
-  run-containerd-guest-pull-stability-tests:
-    name: run-containerd-guest-pull-stability-tests-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
-    strategy:
-      fail-fast: false
-      matrix:
-        environment: [
-          { test-type: multi-snapshotter, containerd: v2.2 },
-          { test-type: force-guest-pull, containerd: v1.7 },
-          { test-type: force-guest-pull, containerd: v2.0 },
-          { test-type: force-guest-pull, containerd: v2.1 },
-          { test-type: force-guest-pull, containerd: v2.2 },
-        ]
-    env:
-      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
-      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
-    runs-on: containerd-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Rotate the journal
-        run: sudo journalctl --rotate --vacuum-time 1s
-
-      - name: Pull the kata-deploy image to be used
-        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
-
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' && 'nydus' || '' }}
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' }}
-          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.test-type == 'force-guest-pull' && 'qemu-coco-dev' || '' }}
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image=${img} \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
-        if: always()
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -93,14 +93,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Download Azure CLI
         uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
@@ -142,6 +142,10 @@ jobs:
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-k8s-tests-on-arm64.yaml

@@ -68,6 +68,10 @@ jobs:
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Collect artifacts ${{ matrix.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml

@@ -1,7 +1,10 @@
-name: CI | Run NVIDIA GPU kubernetes tests on arm64
+name: CI | Run NVIDIA GPU kubernetes tests on amd64
 on:
   workflow_call:
     inputs:
+      tarball-suffix:
+        required: true
+        type: string
       registry:
         required: true
         type: string
@@ -45,6 +48,7 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
       KUBERNETES: kubeadm
+      KBS: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
       K8S_TEST_HOST_TYPE: baremetal
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -59,6 +63,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Uninstall previous `kbs-client`
         if: matrix.environment.name != 'nvidia-gpu'
         timeout-minutes: 10
@@ -89,6 +102,11 @@ jobs:
         run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
         env:
           NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Collect artifacts ${{ matrix.environment.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -75,3 +75,7 @@ jobs:
       - name: Run tests
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -131,6 +131,10 @@ jobs:
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Delete kata-deploy
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -46,6 +46,7 @@ jobs:
       matrix:
         vmm:
           - qemu-coco-dev
+          - qemu-coco-dev-runtime-rs
         snapshotter:
           - nydus
         pull-type:
@@ -83,14 +84,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Log into the Azure account
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -139,6 +140,10 @@ jobs:
         timeout-minutes: 300
         run: bash tests/stability/gha-stability-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-kata-coco-tests.yaml

@@ -79,6 +79,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Deploy Kata
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
@@ -159,6 +168,7 @@ jobs:
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
+      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.pull-type == 'experimental-force-guest-pull' && matrix.vmm || '' }}
       # Caution: current ingress controller used to expose the KBS service
       # requires much vCPUs, lefting only a few for the tests. Depending on the
       # host type chose it will result on the creation of a cluster with
@@ -177,14 +187,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Log into the Azure account
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -217,7 +227,6 @@ jobs:
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
         env:
-          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
           USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
           AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
 
@@ -301,6 +310,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Remove unnecessary directories to free up space
         run: |
           sudo rm -rf /usr/local/.ghcup

.github/workflows/run-kata-deploy-tests-on-aks.yaml

@@ -102,6 +102,10 @@ jobs:
       - name: Run tests
         run: bash tests/functional/kata-deploy/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-kata-deploy-tests.yaml

@@ -85,3 +85,7 @@ jobs:
 
       - name: Run tests
         run: bash tests/functional/kata-deploy/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests

.github/workflows/static-checks-self-hosted.yaml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         instance:
           - "ubuntu-24.04-arm"
-          - "s390x"
+          - "ubuntu-24.04-s390x"
           - "ubuntu-24.04-ppc64le"
     uses: ./.github/workflows/build-checks.yaml
     with:

.gitignore

@@ -18,3 +18,4 @@ src/tools/log-parser/kata-log-parser
 tools/packaging/static-build/agent/install_libseccomp.sh
 .envrc
 .direnv
+**/.DS_Store

Cargo.toml

@@ -0,0 +1,139 @@
+[workspace.package]
+authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
+edition = "2018"
+license = "Apache-2.0"
+rust-version = "1.85.1"
+
+[workspace]
+members = [
+  # Dragonball
+  "src/dragonball",
+  "src/dragonball/dbs_acpi",
+  "src/dragonball/dbs_address_space",
+  "src/dragonball/dbs_allocator",
+  "src/dragonball/dbs_arch",
+  "src/dragonball/dbs_boot",
+  "src/dragonball/dbs_device",
+  "src/dragonball/dbs_interrupt",
+  "src/dragonball/dbs_legacy_devices",
+  "src/dragonball/dbs_pci",
+  "src/dragonball/dbs_tdx",
+  "src/dragonball/dbs_upcall",
+  "src/dragonball/dbs_utils",
+  "src/dragonball/dbs_virtio_devices",
+
+  # runtime-rs
+  "src/runtime-rs",
+  "src/runtime-rs/crates/agent",
+  "src/runtime-rs/crates/hypervisor",
+  "src/runtime-rs/crates/persist",
+  "src/runtime-rs/crates/resource",
+  "src/runtime-rs/crates/runtimes",
+  "src/runtime-rs/crates/service",
+  "src/runtime-rs/crates/shim",
+  "src/runtime-rs/crates/shim-ctl",
+  "src/runtime-rs/tests/utils",
+]
+resolver = "2"
+
+# TODO: Add all excluded crates to root workspace
+exclude = [
+  "src/agent",
+  "src/tools",
+  "src/libs",
+
+  # kata-deploy binary is standalone and has its own Cargo.toml for now
+  "tools/packaging/kata-deploy/binary",
+
+  # We are cloning and building rust packages under
+  # "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
+  # those packages to think they are part of the kata root workspace
+  "tools/packaging/kata-deploy/local-build/build",
+]
+
+[workspace.dependencies]
+# Rust-VMM crates
+event-manager = "0.2.1"
+kvm-bindings = "0.6.0"
+kvm-ioctls = "=0.12.1"
+linux-loader = "0.8.0"
+seccompiler = "0.5.0"
+vfio-bindings = "0.3.0"
+vfio-ioctls = "0.1.0"
+virtio-bindings = "0.1.0"
+virtio-queue = "0.7.0"
+vm-fdt = "0.2.0"
+vm-memory = "0.10.0"
+vm-superio = "0.5.0"
+vmm-sys-util = "0.11.0"
+
+# Local dependencies from Dragonball Sandbox crates
+dragonball = { path = "src/dragonball" }
+dbs-acpi = { path = "src/dragonball/dbs_acpi" }
+dbs-address-space = { path = "src/dragonball/dbs_address_space" }
+dbs-allocator = { path = "src/dragonball/dbs_allocator" }
+dbs-arch = { path = "src/dragonball/dbs_arch" }
+dbs-boot = { path = "src/dragonball/dbs_boot" }
+dbs-device = { path = "src/dragonball/dbs_device" }
+dbs-interrupt = { path = "src/dragonball/dbs_interrupt" }
+dbs-legacy-devices = { path = "src/dragonball/dbs_legacy_devices" }
+dbs-pci = { path = "src/dragonball/dbs_pci" }
+dbs-tdx = { path = "src/dragonball/dbs_tdx" }
+dbs-upcall = { path = "src/dragonball/dbs_upcall" }
+dbs-utils = { path = "src/dragonball/dbs_utils" }
+dbs-virtio-devices = { path = "src/dragonball/dbs_virtio_devices" }
+
+# Local dependencies from runtime-rs
+agent = { path = "src/runtime-rs/crates/agent" }
+hypervisor = { path = "src/runtime-rs/crates/hypervisor" }
+persist = { path = "src/runtime-rs/crates/persist" }
+resource = { path = "src/runtime-rs/crates/resource" }
+runtimes = { path = "src/runtime-rs/crates/runtimes" }
+service = { path = "src/runtime-rs/crates/service" }
+tests_utils = { path = "src/runtime-rs/tests/utils" }
+ch-config = { path = "src/runtime-rs/crates/hypervisor/ch-config" }
+common = { path = "src/runtime-rs/crates/runtimes/common" }
+linux_container = { path = "src/runtime-rs/crates/runtimes/linux_container" }
+virt_container = { path = "src/runtime-rs/crates/runtimes/virt_container" }
+wasm_container = { path = "src/runtime-rs/crates/runtimes/wasm_container" }
+
+# Local dependencies from `src/lib`
+kata-sys-util = { path = "src/libs/kata-sys-util" }
+kata-types = { path = "src/libs/kata-types", features = ["safe-path"] }
+logging = { path = "src/libs/logging" }
+protocols = { path = "src/libs/protocols", features = ["async"] }
+runtime-spec = { path = "src/libs/runtime-spec" }
+safe-path = { path = "src/libs/safe-path" }
+shim-interface = { path = "src/libs/shim-interface" }
+test-utils = { path = "src/libs/test-utils" }
+
+# Outside dependencies
+actix-rt = "2.7.0"
+anyhow = "1.0"
+async-trait = "0.1.48"
+containerd-shim = { version = "0.10.0", features = ["async"] }
+containerd-shim-protos = { version = "0.10.0", features = ["async"] }
+go-flag = "0.1.0"
+hyper = "0.14.20"
+hyperlocal = "0.8.0"
+lazy_static = "1.4"
+libc = "0.2"
+log = "0.4.14"
+netns-rs = "0.1.0"
+# Note: nix needs to stay sync'd with libs versions
+nix = "0.26.4"
+oci-spec = { version = "0.8.1", features = ["runtime"] }
+protobuf = "3.7.2"
+rand = "0.8.4"
+serde = { version = "1.0.145", features = ["derive"] }
+serde_json = "1.0.91"
+slog = "2.5.2"
+slog-scope = "4.4.0"
+strum = { version = "0.24.0", features = ["derive"] }
+tempfile = "3.19.1"
+thiserror = "1.0"
+tokio = "1.46.1"
+tracing = "0.1.41"
+tracing-opentelemetry = "0.18.0"
+ttrpc = "0.8.4"
+url = "2.5.4"

VERSION

@@ -1 +1 @@
-3.23.0
+3.24.0

ci/install_libseccomp.sh

@@ -11,6 +11,10 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "${script_dir}/../tests/common.bash"
 
+# Path to the ORAS cache helper for downloading tarballs (sourced when needed)
+# Use ORAS_CACHE_HELPER env var (set by build.sh in Docker) or fallback to repo path
+oras_cache_helper="${ORAS_CACHE_HELPER:-${script_dir}/../tools/packaging/scripts/download-with-oras-cache.sh}"
+
 # The following variables if set on the environment will change the behavior
 # of gperf and libseccomp configure scripts, that may lead this script to
 # fail. So let's ensure they are unset here.
@@ -44,6 +48,9 @@ fi
 gperf_tarball="gperf-${gperf_version}.tar.gz"
 gperf_tarball_url="${gperf_url}/${gperf_tarball}"
 
+# Use ORAS cache for gperf downloads (gperf upstream can be unreliable)
+USE_ORAS_CACHE="${USE_ORAS_CACHE:-yes}"
+
 # We need to build the libseccomp library from sources to create a static
 # library for the musl libc.
 # However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do
@@ -68,7 +75,23 @@ trap finish EXIT
 build_and_install_gperf() {
 	echo "Build and install gperf version ${gperf_version}"
 	mkdir -p "${gperf_install_dir}"
-	curl -sLO "${gperf_tarball_url}"
+
+	# Use ORAS cache if available and enabled
+	if [[ "${USE_ORAS_CACHE}" == "yes" ]] && [[ -f "${oras_cache_helper}" ]]; then
+		echo "Using ORAS cache for gperf download"
+		source "${oras_cache_helper}"
+		local cached_tarball
+		cached_tarball=$(download_component gperf "$(pwd)")
+		if [[ -f "${cached_tarball}" ]]; then
+			gperf_tarball="${cached_tarball}"
+		else
+			echo "ORAS cache download failed, falling back to direct download"
+			curl -sLO "${gperf_tarball_url}"
+		fi
+	else
+		curl -sLO "${gperf_tarball_url}"
+	fi
+
 	tar -xf "${gperf_tarball}"
 	pushd "gperf-${gperf_version}"
 	# Unset $CC for configure, we will always use native for gperf

docs/README.md

@@ -83,3 +83,7 @@ Documents that help to understand and contribute to Kata Containers.
 If you have a suggestion for how we can improve the
 [website](https://katacontainers.io), please raise an issue (or a PR) on
 [the repository that holds the source for the website](https://github.com/OpenStackweb/kata-netlify-refresh).
+
+### Toolchain Guidance
+
+* [Toolchain Guidance](./Toochain-Guidance.md)

docs/Toochain-Guidance.md

@@ -0,0 +1,39 @@
+# Toolchains
+
+As a community we want to strike a balance between having up-to-date toolchains, to receive the
+latest security fixes and to be able to benefit from new features and packages, whilst not being
+too bleeding edge and disrupting downstream and other consumers. As a result we have the following
+guidelines (note, not hard rules) for our go and rust toolchains that we are attempting to try out:
+
+## Go toolchain
+
+Go is released [every six months](https://go.dev/wiki/Go-Release-Cycle) with support for the
+[last two major release versions](https://go.dev/doc/devel/release#policy). We always want to
+ensure that we are on a supported version so we receive security fixes. To try and make
+things easier for some of our users, we aim to be using the older of the two supported major
+versions, unless there is a compelling reason to adopt the newer version.
+
+In practice this means that we bump our major version of the go toolchain every six months to
+version (1.x-1) in response to a new version (1.x) coming out, which makes our current version
+(1.x-2) no longer supported. We will bump the minor version whenever required to satisfy
+dependency updates, or security fixes.
+
+Our go toolchain version is recorded in [`versions.yaml`](../versions.yaml) under
+`.languages.golang.version` and should match with the version in our `go.mod` files.
+
+## Rust toolchain
+
+Rust has a [six week](https://doc.rust-lang.org/book/appendix-05-editions.html#:~:text=The%20Rust%20language%20and%20compiler,these%20tiny%20changes%20add%20up.)
+release cycle and they only support the latest stable release, so if we wanted to remain on a
+supported release we would only ever build with the latest stable and bump every 6 weeks.
+However feedback from our community has indicated that this is a challenge as downstream consumers
+often want to get rust from their distro, or downstream fork and these struggle to keep up with
+the six week release schedule. As a result the community has agreed to try out a policy of
+"stable-2", where we aim to build with a rust version that is two versions behind the latest stable
+version.
+
+In practice this should mean that we bump our rust toolchain every six weeks, to version
+1.x-2 when 1.x is released as stable and we should be picking up the latest point release
+of that version, if there were any.
+
+The rust-toolchain that we are using is recorded in [`rust-toolchain.toml`](../rust-toolchain.toml).

docs/how-to/how-to-set-sandbox-config-kata.md

@@ -97,6 +97,8 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.use_legacy_serial` | `boolean` | uses legacy serial device for guest's console (QEMU) |
 | `io.katacontainers.config.hypervisor.default_gpus` | uint32 | the minimum number of GPUs required for the VM. Only used by remote hypervisor to help with instance selection |
 | `io.katacontainers.config.hypervisor.default_gpu_model` | string | the GPU model required for the VM. Only used by remote hypervisor to help with instance selection |
+| `io.katacontainers.config.hypervisor.block_device_num_queues` | `usize` | The number of queues to use for block devices (runtime-rs only) |
+| `io.katacontainers.config.hypervisor.block_device_queue_size` | uint32 | The size of the of the queue to use for block devices (runtime-rs only) |
 
 ## Container Options
 | Key | Value Type | Comments |

src/agent/Cargo.lock

@@ -459,15 +459,9 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3"
 dependencies = [
- "bit-vec 0.8.0",
+ "bit-vec",
 ]
 
-[[package]]
-name = "bit-vec"
-version = "0.6.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
-
 [[package]]
 name = "bit-vec"
 version = "0.8.0"
@@ -1250,7 +1244,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece"
 dependencies = [
  "crc32fast",
- "libz-sys",
  "miniz_oxide",
 ]
 
@@ -2266,17 +2259,6 @@ dependencies = [
  "uuid 0.8.2",
 ]
 
-[[package]]
-name = "libz-sys"
-version = "1.1.22"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
-dependencies = [
- "cc",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "linux-raw-sys"
 version = "0.3.8"
@@ -3719,7 +3701,7 @@ dependencies = [
  "anyhow",
  "async-trait",
  "awaitgroup",
- "bit-vec 0.6.3",
+ "bit-vec",
  "capctl",
  "caps",
  "cfg-if",
@@ -4821,12 +4803,6 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "943ce29a8a743eb10d6082545d861b24f9d1b160b7d741e0f2cdf726bec909c5"
 
-[[package]]
-name = "vcpkg"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
-
 [[package]]
 name = "version_check"
 version = "0.9.5"

src/agent/Cargo.toml

@@ -186,7 +186,7 @@ base64 = "0.22"
 sha2 = "0.10.8"
 async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }
 
-container-device-interface = "0.1.0"
+container-device-interface = "0.1.1"
 
 [target.'cfg(target_arch = "s390x")'.dependencies]
 pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }
@@ -206,6 +206,7 @@ lto = true
 seccomp = ["rustjail/seccomp"]
 standard-oci-runtime = ["rustjail/standard-oci-runtime"]
 agent-policy = ["kata-agent-policy"]
+init-data = []
 
 [[bin]]
 name = "kata-agent"

src/agent/Makefile

@@ -41,6 +41,14 @@ ifeq ($(AGENT_POLICY),yes)
     override EXTRA_RUSTFEATURES += agent-policy
 endif
 
+##VAR INIT_DATA=yes|no define if agent enables the init data feature
+INIT_DATA ?= yes
+
+# Enable the init data fature of rust build
+ifeq ($(INIT_DATA),yes)
+    override EXTRA_RUSTFEATURES += init-data
+endif
+
 include ../../utils.mk
 
 ##VAR STANDARD_OCI_RUNTIME=yes|no define if agent enables standard oci runtime feature

src/agent/policy/src/policy.rs

@@ -10,7 +10,7 @@ use anyhow::{bail, Result};
 use slog::{debug, error, info, warn};
 use tokio::io::AsyncWriteExt;
 
-static POLICY_LOG_FILE: &str = "/tmp/policy.txt";
+static POLICY_LOG_FILE: &str = "/tmp/policy.jsonl";
 static POLICY_DEFAULT_FILE: &str = "/etc/kata-opa/default-policy.rego";
 
 /// Convenience macro to obtain the scope logger
@@ -26,7 +26,7 @@ pub struct AgentPolicy {
     /// When true policy errors are ignored, for debug purposes.
     allow_failures: bool,
 
-    /// "/tmp/policy.txt" log file for policy activity.
+    /// "/tmp/policy.jsonl" log file for policy activity.
     log_file: Option<tokio::fs::File>,
 
     /// Regorus engine
@@ -213,7 +213,7 @@ impl AgentPolicy {
                     //   The Policy text can be obtained directly from the pod YAML.
                 }
                 _ => {
-                    let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n");
+                    let log_entry = format!("{{\"kind\":\"{ep}\",\"request\":{input}}}\n");
 
                     if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
                         warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e);

src/agent/rustjail/Cargo.toml

@@ -44,7 +44,7 @@ async-trait.workspace = true
 inotify = "0.9.2"
 libseccomp = { version = "0.3.0", optional = true }
 zbus = "3.12.0"
-bit-vec = "0.6.3"
+bit-vec = "0.8.0"
 xattr = "0.2.3"
 
 # Local dependencies

src/agent/src/initdata.rs

@@ -9,6 +9,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+#[cfg(feature = "init-data")]
 use std::{os::unix::fs::FileTypeExt, path::Path};
 
 use anyhow::{bail, Context, Result};
@@ -37,14 +38,24 @@ pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
 pub const CDH_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/cdh.toml");
 
 /// Magic number of initdata device
+#[cfg(feature = "init-data")]
 pub const INITDATA_MAGIC_NUMBER: &[u8] = b"initdata";
 
 /// initdata device with disk type 'vd*'
+#[cfg(feature = "init-data")]
 const INITDATA_PREFIX_DISK_VDX: &str = "vd";
 
 /// initdata device with disk type 'sd*'
+#[cfg(feature = "init-data")]
 const INITDATA_PREFIX_DISK_SDX: &str = "sd";
 
+#[cfg(not(feature = "init-data"))]
+async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
+    debug!(logger, "Initdata is disabled");
+    Ok(None)
+}
+
+#[cfg(feature = "init-data")]
 async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
     let dev_dir = Path::new("/dev");
     let mut read_dir = tokio::fs::read_dir(dev_dir).await?;

src/agent/src/mount.rs

@@ -88,7 +88,7 @@ pub fn baremount(
 
     let destination_str = destination.to_string_lossy();
     if let Ok(m) = get_linux_mount_info(destination_str.deref()) {
-        if m.fs_type == fs_type {
+        if m.fs_type == fs_type && !flags.contains(MsFlags::MS_REMOUNT) {
             slog_info!(logger, "{source:?} is already mounted at {destination:?}");
             return Ok(());
         }

src/agent/src/netlink.rs

@@ -401,11 +401,10 @@ impl Handle {
                 }
 
                 if let RouteAttribute::Oif(index) = attribute {
-                    route.device = self
-                        .find_link(LinkFilter::Index(*index))
-                        .await
-                        .context(format!("error looking up device {index}"))?
-                        .name();
+                    route.device = match self.find_link(LinkFilter::Index(*index)).await {
+                        Ok(link) => link.name(),
+                        Err(_) => String::new(),
+                    };
                 }
             }
 
@@ -1005,10 +1004,6 @@ mod tests {
             .expect("Failed to list routes");
 
         assert_ne!(all.len(), 0);
-
-        for r in &all {
-            assert_ne!(r.device.len(), 0);
-        }
     }
 
     #[tokio::test]

src/agent/src/rpc.rs

@@ -72,7 +72,7 @@ use crate::network::setup_guest_dns;
 use crate::passfd_io;
 use crate::pci;
 use crate::random;
-use crate::sandbox::Sandbox;
+use crate::sandbox::{Sandbox, SandboxError};
 use crate::storage::{add_storages, update_ephemeral_mounts, STORAGE_HANDLERS};
 use crate::util;
 use crate::version::{AGENT_VERSION, API_VERSION};
@@ -141,6 +141,16 @@ pub fn ttrpc_error(code: ttrpc::Code, err: impl Debug) -> ttrpc::Error {
     get_rpc_status(code, format!("{:?}", err))
 }
 
+/// Convert SandboxError to ttrpc error with appropriate code.
+/// Process not found errors map to NOT_FOUND, others to INVALID_ARGUMENT.
+fn sandbox_err_to_ttrpc(err: SandboxError) -> ttrpc::Error {
+    let code = match &err {
+        SandboxError::InitProcessNotFound | SandboxError::InvalidExecId => ttrpc::Code::NOT_FOUND,
+        SandboxError::InvalidContainerId => ttrpc::Code::INVALID_ARGUMENT,
+    };
+    ttrpc_error(code, err)
+}
+
 #[cfg(not(feature = "agent-policy"))]
 async fn is_allowed(_req: &impl serde::Serialize) -> ttrpc::Result<()> {
     Ok(())
@@ -460,7 +470,9 @@ impl AgentService {
         let mut sig: libc::c_int = req.signal as libc::c_int;
         {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
             // For container initProcess, if it hasn't installed handler for "SIGTERM" signal,
             // it will ignore the "SIGTERM" signal sent to it, thus send it "SIGKILL" signal
             // instead of "SIGTERM" to terminate it.
@@ -568,7 +580,9 @@ impl AgentService {
         let (exit_send, mut exit_recv) = tokio::sync::mpsc::channel(100);
         let exit_rx = {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
 
             p.exit_watchers.push(exit_send);
             pid = p.pid;
@@ -665,7 +679,9 @@ impl AgentService {
         let term_exit_notifier;
         let reader = {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
 
             term_exit_notifier = p.term_exit_notifier.clone();
 
@@ -947,12 +963,7 @@ impl agent_ttrpc::AgentService for AgentService {
 
         let p = sandbox
             .find_container_process(cid.as_str(), eid.as_str())
-            .map_err(|e| {
-                ttrpc_error(
-                    ttrpc::Code::INVALID_ARGUMENT,
-                    format!("invalid argument: {:?}", e),
-                )
-            })?;
+            .map_err(sandbox_err_to_ttrpc)?;
 
         p.close_stdin().await;
 
@@ -970,12 +981,7 @@ impl agent_ttrpc::AgentService for AgentService {
         let mut sandbox = self.sandbox.lock().await;
         let p = sandbox
             .find_container_process(req.container_id(), req.exec_id())
-            .map_err(|e| {
-                ttrpc_error(
-                    ttrpc::Code::UNAVAILABLE,
-                    format!("invalid argument: {:?}", e),
-                )
-            })?;
+            .map_err(sandbox_err_to_ttrpc)?;
 
         let fd = p
             .term_master
@@ -2629,12 +2635,12 @@ mod tests {
             },
             TestData {
                 create_container: false,
-                result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
+                result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
                 ..Default::default()
             },
             TestData {
                 container_id: "8181",
-                result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
+                result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
                 ..Default::default()
             },
             TestData {

src/agent/src/sandbox.rs

@@ -32,6 +32,7 @@ use rustjail::container::BaseContainer;
 use rustjail::container::LinuxContainer;
 use rustjail::process::Process;
 use slog::Logger;
+use thiserror::Error;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 use tokio::sync::oneshot;
 use tokio::sync::Mutex;
@@ -47,7 +48,16 @@ use crate::storage::StorageDeviceGeneric;
 use crate::uevent::{Uevent, UeventMatcher};
 use crate::watcher::BindWatcher;
 
-pub const ERR_INVALID_CONTAINER_ID: &str = "Invalid container id";
+/// Errors that can occur when looking up processes in the sandbox.
+#[derive(Debug, Error)]
+pub enum SandboxError {
+    #[error("Invalid container id")]
+    InvalidContainerId,
+    #[error("Process not found: init process missing")]
+    InitProcessNotFound,
+    #[error("Process not found: invalid exec id")]
+    InvalidExecId,
+}
 
 type UeventWatcher = (Box<dyn UeventMatcher>, oneshot::Sender<Uevent>);
 
@@ -282,10 +292,14 @@ impl Sandbox {
         None
     }
 
-    pub fn find_container_process(&mut self, cid: &str, eid: &str) -> Result<&mut Process> {
+    pub fn find_container_process(
+        &mut self,
+        cid: &str,
+        eid: &str,
+    ) -> Result<&mut Process, SandboxError> {
         let ctr = self
             .get_container(cid)
-            .ok_or_else(|| anyhow!(ERR_INVALID_CONTAINER_ID))?;
+            .ok_or(SandboxError::InvalidContainerId)?;
 
         if eid.is_empty() {
             let init_pid = ctr.init_process_pid;
@@ -293,10 +307,11 @@ impl Sandbox {
                 .processes
                 .values_mut()
                 .find(|p| p.pid == init_pid)
-                .ok_or_else(|| anyhow!("cannot find init process!"));
+                .ok_or(SandboxError::InitProcessNotFound);
         }
 
-        ctr.get_process(eid).map_err(|_| anyhow!("Invalid exec id"))
+        ctr.get_process(eid)
+            .map_err(|_| SandboxError::InvalidExecId)
     }
 
     #[instrument]

src/dragonball/Cargo.toml

@@ -9,58 +9,6 @@ repository = "https://github.com/kata-containers/kata-containers.git"
 license = "Apache-2.0"
 edition = "2018"
 
-[workspace]
-members = [
-  "dbs_acpi",
-  "dbs_address_space",
-  "dbs_allocator",
-  "dbs_arch",
-  "dbs_boot",
-  "dbs_device",
-  "dbs_interrupt",
-  "dbs_legacy_devices",
-  "dbs_pci",
-  "dbs_tdx",
-  "dbs_upcall",
-  "dbs_utils",
-  "dbs_virtio_devices",
-]
-resolver = "2"
-
-[workspace.dependencies]
-# Rust-VMM crates
-event-manager = "0.2.1"
-kvm-bindings = "0.6.0"
-kvm-ioctls = "=0.12.1"
-linux-loader = "0.8.0"
-seccompiler = "0.5.0"
-vfio-bindings = "0.3.0"
-vfio-ioctls = "0.1.0"
-virtio-bindings = "0.1.0"
-virtio-queue = "0.7.0"
-vm-fdt = "0.2.0"
-vm-memory = "0.10.0"
-vm-superio = "0.5.0"
-vmm-sys-util = "0.11.0"
-
-# Local dependencies from Dragonball Sandbox crates
-dbs-acpi = { path = "dbs_acpi" }
-dbs-address-space = { path = "dbs_address_space" }
-dbs-allocator = { path = "dbs_allocator" }
-dbs-arch = { path = "dbs_arch" }
-dbs-boot = { path = "dbs_boot" }
-dbs-device = { path = "dbs_device" }
-dbs-interrupt = { path = "dbs_interrupt" }
-dbs-legacy-devices = { path = "dbs_legacy_devices" }
-dbs-pci = { path = "dbs_pci" }
-dbs-tdx = { path = "dbs_tdx" }
-dbs-upcall = { path = "dbs_upcall" }
-dbs-utils = { path = "dbs_utils" }
-dbs-virtio-devices = { path = "dbs_virtio_devices" }
-
-# Local dependencies from `src/lib`
-test-utils = { path = "../libs/test-utils" }
-
 [dependencies]
 anyhow = "1.0.32"
 arc-swap = "1.5.0"
@@ -83,12 +31,12 @@ kvm-bindings = { workspace = true }
 kvm-ioctls = { workspace = true }
 lazy_static = "1.2"
 libc = "0.2.39"
-linux-loader = {workspace = true}
+linux-loader = { workspace = true }
 log = "0.4.14"
 nix = "0.24.2"
 procfs = "0.12.0"
 prometheus = { version = "0.14.0", features = ["process"] }
-seccompiler = {workspace = true}
+seccompiler = { workspace = true }
 serde = "1.0.27"
 serde_derive = "1.0.27"
 serde_json = "1.0.9"
@@ -96,7 +44,7 @@ slog = "2.5.2"
 slog-scope = "4.4.0"
 thiserror = "1"
 tracing = "0.1.41"
-vmm-sys-util = {workspace = true}
+vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
@@ -118,14 +66,14 @@ virtio-blk = ["dbs-virtio-devices/virtio-blk", "virtio-queue"]
 virtio-net = ["dbs-virtio-devices/virtio-net", "virtio-queue"]
 # virtio-fs only work on atomic-guest-memory
 virtio-fs = [
-    "dbs-virtio-devices/virtio-fs-pro",
-    "virtio-queue",
-    "atomic-guest-memory",
+  "dbs-virtio-devices/virtio-fs-pro",
+  "virtio-queue",
+  "atomic-guest-memory",
 ]
 virtio-mem = [
-    "dbs-virtio-devices/virtio-mem",
-    "virtio-queue",
-    "atomic-guest-memory",
+  "dbs-virtio-devices/virtio-mem",
+  "virtio-queue",
+  "atomic-guest-memory",
 ]
 virtio-balloon = ["dbs-virtio-devices/virtio-balloon", "virtio-queue"]
 vhost-net = ["dbs-virtio-devices/vhost-net"]
@@ -136,5 +84,5 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [
-    'cfg(feature, values("test-mock"))',
+  'cfg(feature, values("test-mock"))',
 ] }

src/dragonball/dbs_arch/Cargo.toml

@@ -21,6 +21,8 @@ libc = ">=0.2.39"
 
 [dev-dependencies]
 vm-memory = { workspace = true, features = ["backend-mmap"] }
+test-utils = { workspace = true }
+nix = { workspace = true }
 
 [package.metadata.docs.rs]
 all-features = true

src/dragonball/dbs_arch/src/aarch64/gic/mod.rs

@@ -205,12 +205,12 @@ pub fn create_gic(vm: &VmFd, vcpu_count: u64) -> Result<Box<dyn GICDevice>> {
 
 #[cfg(test)]
 mod tests {
-
     use super::*;
     use kvm_ioctls::Kvm;
 
     #[test]
     fn test_create_gic() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         assert!(create_gic(&vm, 1).is_ok());

src/dragonball/dbs_arch/src/aarch64/pmu.rs

@@ -150,6 +150,7 @@ mod tests {
 
     #[test]
     fn test_create_pmu() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/aarch64/regs.rs

@@ -166,9 +166,11 @@ pub fn read_mpidr(vcpu: &VcpuFd) -> Result<u64> {
 mod tests {
     use super::*;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_setup_regs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -185,6 +187,7 @@ mod tests {
 
     #[test]
     fn test_read_mpidr() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/x86_64/interrupts.rs

@@ -78,6 +78,7 @@ pub fn set_lint(vcpu: &VcpuFd) -> Result<()> {
 mod tests {
     use super::*;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
 
     const KVM_APIC_REG_SIZE: usize = 0x400;
 
@@ -100,6 +101,7 @@ mod tests {
 
     #[test]
     fn test_setlint() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         assert!(kvm.check_extension(kvm_ioctls::Cap::Irqchip));
         let vm = kvm.create_vm().unwrap();
@@ -126,6 +128,7 @@ mod tests {
 
     #[test]
     fn test_setlint_fails() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/x86_64/regs.rs

@@ -271,6 +271,7 @@ mod tests {
     use super::*;
     use crate::x86_64::gdt::gdt_entry;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
 
     const BOOT_GDT_OFFSET: u64 = 0x500;
@@ -334,6 +335,7 @@ mod tests {
 
     #[test]
     fn test_setup_fpu() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -356,6 +358,7 @@ mod tests {
     #[test]
     #[allow(clippy::cast_ptr_alignment)]
     fn test_setup_msrs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -384,6 +387,7 @@ mod tests {
 
     #[test]
     fn test_setup_regs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_boot/Cargo.toml

@@ -24,3 +24,5 @@ vm-fdt = {workspace= true}
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 device_tree = ">=1.1.0"
 dbs-device = { workspace = true }
+test-utils = { workspace = true }
+nix = { workspace = true }

src/dragonball/dbs_boot/src/aarch64/fdt.rs

@@ -399,6 +399,7 @@ mod tests {
     use device_tree::DeviceTree;
     use kvm_bindings::{kvm_vcpu_init, KVM_ARM_VCPU_PMU_V3, KVM_ARM_VCPU_PSCI_0_2};
     use kvm_ioctls::{Kvm, VcpuFd, VmFd};
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryMmap;
 
     use super::super::tests::MMIODeviceInfo;
@@ -460,6 +461,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_devices() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let dev_info: HashMap<(DeviceType, String), MMIODeviceInfo> = [
@@ -498,6 +500,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();
@@ -532,6 +535,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_initrd() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();
@@ -570,6 +574,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_pmu() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();

src/dragonball/dbs_boot/src/aarch64/fdt_utils.rs

@@ -304,6 +304,7 @@ mod tests {
 
     #[test]
     fn test_fdtutils_fdt_device_info() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let gic = create_gic(&vm, 0).unwrap();

src/dragonball/dbs_boot/src/aarch64/mod.rs

@@ -68,6 +68,7 @@ pub fn initrd_load_addr<M: GuestMemory>(guest_mem: &M, initrd_size: u64) -> supe
     }
 }
 
+#[allow(missing_docs)]
 #[cfg(test)]
 pub mod tests {
     use dbs_arch::{DeviceInfoForFDT, Error as ArchError};

src/dragonball/dbs_boot/src/x86_64/mod.rs

@@ -258,6 +258,7 @@ mod tests {
 
     #[test]
     fn test_setup_page_tables() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_interrupt/Cargo.toml

@@ -18,6 +18,10 @@ kvm-ioctls = { workspace = true, optional = true }
 libc = "0.2"
 vmm-sys-util = {workspace = true}
 
+[dev-dependencies]
+test-utils = { workspace = true }
+nix = { workspace = true }
+
 [features]
 default = ["legacy-irq", "msi-irq"]
 

src/dragonball/dbs_interrupt/src/kvm/legacy_irq.rs

@@ -220,6 +220,7 @@ impl InterruptSourceGroup for LegacyIrq {
 mod test {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     const MASTER_PIC: usize = 7;
     const SLAVE_PIC: usize = 8;
@@ -228,6 +229,7 @@ mod test {
     #[test]
     #[allow(unreachable_patterns)]
     fn test_legacy_interrupt_group() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let rounting = Arc::new(KvmIrqRouting::new(vmfd.clone()));
         let base = 0;
@@ -263,6 +265,7 @@ mod test {
 
     #[test]
     fn test_irq_routing_initialize_legacy() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 
@@ -278,6 +281,7 @@ mod test {
 
     #[test]
     fn test_routing_opt() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 
@@ -309,6 +313,7 @@ mod test {
 
     #[test]
     fn test_routing_set_routing() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 

src/dragonball/dbs_interrupt/src/kvm/mod.rs

@@ -271,6 +271,7 @@ pub fn from_sys_util_errno(e: vmm_sys_util::errno::Error) -> std::io::Error {
 pub(crate) mod tests {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     fn create_irq_group(
         manager: Arc<KvmIrqManager>,
@@ -306,11 +307,13 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_kvm_irq_manager() {
+        skip_if_not_root!();
         let _ = create_kvm_irq_manager();
     }
 
     #[test]
     fn test_kvm_irq_manager_opt() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         vmfd.create_irq_chip().unwrap();
         let manager = Arc::new(KvmIrqManager::new(vmfd.clone()));

src/dragonball/dbs_interrupt/src/kvm/msi_irq.rs

@@ -202,10 +202,12 @@ impl InterruptSourceGroup for MsiIrq {
 mod test {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     #[test]
     #[allow(unreachable_patterns)]
     fn test_msi_interrupt_group() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         vmfd.create_irq_chip().unwrap();
 

src/dragonball/dbs_interrupt/src/manager.rs

@@ -451,6 +451,7 @@ pub(crate) mod tests {
 
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
     use crate::KvmIrqManager;
@@ -502,6 +503,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_device_interrupt_manager() {
+        skip_if_not_root!();
         let mut mgr = create_interrupt_manager();
 
         assert_eq!(mgr.mode, DeviceInterruptMode::Disabled);
@@ -537,6 +539,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_device_interrupt_manager_switch_mode() {
+        skip_if_not_root!();
         let mut mgr = create_interrupt_manager();
 
         // Can't switch working mode in enabled state.
@@ -621,6 +624,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_msi_config() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
 
         assert!(interrupt_manager.set_msi_data(512, 0).is_err());
@@ -638,6 +642,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_set_working_mode_after_activated() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = true;
         assert!(interrupt_manager
@@ -659,6 +664,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_disable2legacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -669,6 +675,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_disable2nonlegacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -679,6 +686,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_legacy2nonlegacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -692,6 +700,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_nonlegacy2legacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -705,6 +714,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_update() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager
             .set_working_mode(DeviceInterruptMode::GenericMsiIrq)
@@ -721,6 +731,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_get_configs() {
+        skip_if_not_root!();
         // legacy irq config
         {
             let interrupt_manager = create_interrupt_manager();
@@ -762,6 +773,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_reset_configs() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
 
         interrupt_manager.reset_configs(DeviceInterruptMode::LegacyIrq);

src/dragonball/dbs_interrupt/src/notifier.rs

@@ -235,6 +235,7 @@ mod tests {
     use super::*;
 
     use crate::{InterruptManager, InterruptSourceType};
+    use test_utils::skip_if_not_root;
 
     const VIRTIO_INTR_VRING: u32 = 0x01;
     const VIRTIO_INTR_CONFIG: u32 = 0x02;
@@ -250,6 +251,7 @@ mod tests {
     #[cfg(feature = "kvm-legacy-irq")]
     #[test]
     fn test_create_legacy_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -280,6 +282,7 @@ mod tests {
     #[cfg(feature = "kvm-msi-irq")]
     #[test]
     fn test_virtio_msi_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::MsiIrq, 0, 3)

src/dragonball/dbs_pci/Cargo.toml

@@ -41,6 +41,8 @@ dbs-utils = {workspace = true}
 [dev-dependencies]
 dbs-arch = { workspace = true }
 kvm-ioctls = {workspace = true}
+test-utils = { workspace = true }
+nix = { workspace = true }
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [

src/dragonball/dbs_pci/src/msi.rs

@@ -654,6 +654,7 @@ mod tests {
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use dbs_interrupt::KvmIrqManager;
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -735,6 +736,7 @@ mod tests {
 
     #[test]
     fn test_msi_state_struct() {
+        skip_if_not_root!();
         let flags = MSI_CTL_ENABLE | MSI_CTL_64_BITS | MSI_CTL_PER_VECTOR | 0x6 | 0x20;
         let mut cap = MsiCap::new(0xa5, flags);
 

src/dragonball/dbs_pci/src/msix.rs

@@ -361,6 +361,7 @@ mod tests {
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use dbs_interrupt::KvmIrqManager;
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -422,6 +423,7 @@ mod tests {
 
     #[test]
     fn test_set_msg_ctl() {
+        skip_if_not_root!();
         let mut config = MsixState::new(0x10);
         let mut intr_mgr = create_interrupt_manager();
 
@@ -452,6 +454,7 @@ mod tests {
 
     #[test]
     fn test_read_write_table() {
+        skip_if_not_root!();
         let mut intr_mgr = create_interrupt_manager();
         let mut config = MsixState::new(0x10);
 

src/dragonball/dbs_pci/src/virtio_pci.rs

@@ -1159,11 +1159,12 @@ impl<
 #[cfg(test)]
 pub(crate) mod tests {
     #[cfg(target_arch = "aarch64")]
-    use arch::aarch64::gic::create_gic;
+    use dbs_arch::gic::create_gic;
     use dbs_device::resources::MsiIrqType;
     use dbs_interrupt::kvm::KvmIrqManager;
     use dbs_utils::epoll_manager::EpollManager;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestMemoryMmap, GuestRegionMmap, GuestUsize, MmapRegion};
 
@@ -1496,6 +1497,7 @@ pub(crate) mod tests {
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
     #[test]
     fn test_virtio_pci_device_activate() {
+        skip_if_not_root!();
         let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
         assert_eq!(d.state().queues.len(), 2);
         assert!(!d.state().check_queues_valid());
@@ -1554,6 +1556,7 @@ pub(crate) mod tests {
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
     #[test]
     fn test_bus_device_reset() {
+        skip_if_not_root!();
         let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
 
         assert_eq!(d.state().queues.len(), 2);
@@ -1578,6 +1581,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_pci_device_resources() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
 
         let resources = d.get_assigned_resources();
@@ -1595,6 +1599,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_pci_register_ioevent() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
         d.register_ioevent().unwrap();
         assert!(d.ioevent_registered.load(Ordering::SeqCst));
@@ -1616,6 +1621,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_read_bar() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
         let origin_data = vec![1u8];
         // driver status

src/dragonball/dbs_utils/Cargo.toml

@@ -22,3 +22,5 @@ vmm-sys-util = {workspace = true}
 
 [dev-dependencies]
 serde_json = "1.0.9"
+test-utils = { workspace = true }
+nix = { workspace = true }

src/dragonball/dbs_utils/src/net/tap.rs

@@ -278,6 +278,7 @@ impl AsRawFd for Tap {
     }
 }
 
+#[cfg(test)]
 mod tests {
     #![allow(dead_code)]
 
@@ -285,6 +286,7 @@ mod tests {
     use std::net::Ipv4Addr;
     use std::str;
     use std::sync::atomic::{AtomicUsize, Ordering};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -388,6 +390,7 @@ mod tests {
 
     #[test]
     fn test_tap_name() {
+        skip_if_not_root!();
         // Sanity check that the assumed max iface name length is correct.
         assert_eq!(
             IFACE_NAME_MAX_LEN,
@@ -414,11 +417,13 @@ mod tests {
 
     #[test]
     fn test_tap_partial_eq() {
+        skip_if_not_root!();
         assert_ne!(Tap::new().unwrap(), Tap::new().unwrap());
     }
 
     #[test]
     fn test_tap_configure() {
+        skip_if_not_root!();
         // `fetch_add` adds to the current value, returning the previous value.
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
 
@@ -451,6 +456,7 @@ mod tests {
 
     #[test]
     fn test_tap_enable() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         let ret = tap.enable();
         assert!(ret.is_ok());
@@ -458,6 +464,7 @@ mod tests {
 
     #[test]
     fn test_tap_get_ifreq() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         let ret = tap.get_ifreq();
         assert_eq!(
@@ -468,6 +475,7 @@ mod tests {
 
     #[test]
     fn test_raw_fd() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         assert_eq!(tap.as_raw_fd(), tap.tap_file.as_raw_fd());
     }

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -50,6 +50,7 @@ vm-memory = { workspace = true, features = [
     "backend-mmap",
     "backend-atomic",
 ] }
+test-utils = { workspace = true }
 
 [features]
 virtio-mmio = []

src/dragonball/dbs_virtio_devices/src/balloon.rs

@@ -748,6 +748,7 @@ pub(crate) mod tests {
     use dbs_device::resources::DeviceResources;
     use dbs_utils::epoll_manager::SubscriberOps;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryMmap;
     use vmm_sys_util::eventfd::EventFd;
 
@@ -803,6 +804,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_virtio_device_normal() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let config = BalloonConfig {
             f_deflate_on_oom: true,
@@ -857,6 +859,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_virtio_device_active() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
 
         // check queue sizes error
@@ -923,6 +926,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_set_size() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let config = BalloonConfig {
             f_deflate_on_oom: true,
@@ -936,6 +940,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_balloon_epoll_handler();
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -968,6 +973,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_process_report_queue() {
+        skip_if_not_root!();
         let mut handler = create_balloon_epoll_handler();
         let m = &handler.config.vm_as.clone();
 
@@ -997,6 +1003,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_process_queue() {
+        skip_if_not_root!();
         let mut handler = create_balloon_epoll_handler();
         let m = &handler.config.vm_as.clone();
         // invalid idx

src/dragonball/dbs_virtio_devices/src/block/device.rs

@@ -376,6 +376,7 @@ mod tests {
     use dbs_interrupt::NoopNotifier;
     use dbs_utils::rate_limiter::{TokenBucket, TokenType};
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap, GuestRegionMmap};
     use vmm_sys_util::eventfd::EventFd;
@@ -909,6 +910,7 @@ mod tests {
 
     #[test]
     fn test_block_virtio_device_active() {
+        skip_if_not_root!();
         let device_id = "dummy_device_id";
         let epoll_mgr = EpollManager::default();
 

src/dragonball/dbs_virtio_devices/src/device.rs

@@ -579,6 +579,7 @@ pub(crate) mod tests {
     };
     use dbs_utils::epoll_manager::{EventOps, Events, MutEventSubscriber};
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestMemoryAtomic, GuestMemoryMmap, GuestMemoryRegion, MmapRegion};
 
@@ -629,6 +630,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_virtio_queue_config() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -660,6 +662,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_clone_virtio_queue_config() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -698,6 +701,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_virtio_device_config() {
+        skip_if_not_root!();
         let mut device_config = create_virtio_device_config();
 
         device_config.notify_device_changes().unwrap();
@@ -783,6 +787,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_device() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
 
         let avail_features = 0x1234 << 32 | 0x4567;

src/dragonball/dbs_virtio_devices/src/fs/device.rs

@@ -962,6 +962,7 @@ pub mod tests {
     use std::io::Write;
     use std::path::PathBuf;
     use std::sync::Arc;
+    use test_utils::skip_if_not_root;
 
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
@@ -1187,6 +1188,7 @@ pub mod tests {
 
     #[test]
     fn test_virtio_fs_device_active() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         {
             // config queue size is not 2
@@ -1675,6 +1677,7 @@ pub mod tests {
 
     #[test]
     fn test_register_mmap_region() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(
@@ -1717,6 +1720,7 @@ pub mod tests {
 
     #[test]
     fn test_get_resource_requirements() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let dax_on = 0x4000;
@@ -1761,6 +1765,7 @@ pub mod tests {
 
     #[test]
     fn test_set_resource() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(

src/dragonball/dbs_virtio_devices/src/fs/handler.rs

@@ -503,6 +503,7 @@ pub mod tests {
     use dbs_utils::epoll_manager::EpollManager;
     use dbs_utils::epoll_manager::SubscriberOps;
     use dbs_utils::rate_limiter::TokenBucket;
+    use test_utils::skip_if_not_root;
     use vm_memory::{GuestAddress, GuestMemoryMmap};
     use vmm_sys_util::tempfile::TempFile;
 
@@ -636,6 +637,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_get_patch_rate_limiters() {
+        skip_if_not_root!();
         let mut handler = create_fs_epoll_handler(String::from("1"));
         let tokenbucket = TokenBucket::new(1, 1, 4);
 
@@ -705,6 +707,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_fs_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -740,6 +743,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_handle_unknown_event() {
+        skip_if_not_root!();
         let handler = create_fs_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -756,6 +760,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_process_queue() {
+        skip_if_not_root!();
         {
             let mut handler = create_fs_epoll_handler("test_1".to_string());
 

src/dragonball/dbs_virtio_devices/src/mem.rs

@@ -1345,6 +1345,7 @@ pub(crate) mod tests {
     use std::ffi::CString;
     use std::fs::File;
     use std::os::unix::io::FromRawFd;
+    use test_utils::skip_if_not_root;
 
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
@@ -1797,6 +1798,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_set_resource() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1874,6 +1876,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_activate() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1976,6 +1979,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_remove() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -2011,6 +2015,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_mem_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -2032,6 +2037,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_epoll_handler_process_queue() {
+        skip_if_not_root!();
         let mut handler = create_mem_epoll_handler("test_1".to_string());
         let m = &handler.config.vm_as.clone();
         // fail to parse available descriptor chain

src/dragonball/dbs_virtio_devices/src/mmio/mmio_state.rs

@@ -609,6 +609,7 @@ where
 #[cfg(test)]
 pub(crate) mod tests {
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
 
@@ -652,6 +653,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_mmio_state_new() {
+        skip_if_not_root!();
         let mut state = get_mmio_state(false, false, 1);
 
         assert_eq!(state.queues.len(), 3);

src/dragonball/dbs_virtio_devices/src/mmio/mmio_v2.rs

@@ -494,6 +494,7 @@ where
 pub(crate) mod tests {
     use std::any::Any;
     use std::sync::Mutex;
+    use test_utils::skip_if_not_root;
 
     use byteorder::{ByteOrder, LittleEndian};
     use dbs_device::resources::{MsiIrqType, Resource, ResourceConstraint};
@@ -708,6 +709,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_mmio_v2_device_new() {
+        skip_if_not_root!();
         // test create error.
         let resources = DeviceResources::new();
         let mem = Arc::new(GuestMemoryMmap::from_ranges(&[(GuestAddress(0), 0x1000)]).unwrap());
@@ -769,6 +771,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_read() {
+        skip_if_not_root!();
         let mut d = get_mmio_device();
 
         let mut buf = vec![0xff, 0, 0xfe, 0];
@@ -894,6 +897,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_write() {
+        skip_if_not_root!();
         let mut d = get_mmio_device();
 
         let mut buf = vec![0; 5];
@@ -1023,6 +1027,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_activate() {
+        skip_if_not_root!();
         // invalid state transition should failed
         let mut d = get_mmio_device();
 
@@ -1140,6 +1145,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_reset() {
+        skip_if_not_root!();
         let resources = get_device_resource(false, false);
         let mut d = get_mmio_device_inner(true, 0, resources);
         let mut buf = vec![0; 4];
@@ -1169,6 +1175,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmiov2_device_resources() {
+        skip_if_not_root!();
         let d = get_mmio_device();
 
         let resources = d.get_assigned_resources();
@@ -1185,6 +1192,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmio_v2_device_msi() {
+        skip_if_not_root!();
         let resources = get_device_resource(true, false);
         let mut d = get_mmio_device_inner(true, 0, resources);
 
@@ -1227,6 +1235,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmio_shared_memory() {
+        skip_if_not_root!();
         let resources = get_device_resource(true, true);
         let d = get_mmio_device_inner(true, 0, resources);
 

src/dragonball/dbs_virtio_devices/src/net.rs

@@ -848,6 +848,7 @@ mod tests {
     use dbs_utils::epoll_manager::SubscriberOps;
     use dbs_utils::rate_limiter::TokenBucket;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::{GuestAddress, GuestMemoryMmap};
 
     use super::*;
@@ -900,6 +901,7 @@ mod tests {
 
     #[test]
     fn test_net_virtio_device_normal() {
+        skip_if_not_root!();
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
         let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
         let epoll_mgr = EpollManager::default();
@@ -963,6 +965,7 @@ mod tests {
 
     #[test]
     fn test_net_virtio_device_active() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         {
             // config queue size is not 2
@@ -1112,6 +1115,7 @@ mod tests {
 
     #[test]
     fn test_net_set_patch_rate_limiters() {
+        skip_if_not_root!();
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
         let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
         let epoll_mgr = EpollManager::default();
@@ -1150,6 +1154,7 @@ mod tests {
 
     #[test]
     fn test_net_get_patch_rate_limiters() {
+        skip_if_not_root!();
         let mut handler = create_net_epoll_handler("test_1".to_string());
         let tokenbucket = TokenBucket::new(1, 1, 4);
 
@@ -1174,6 +1179,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -1212,6 +1218,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_handle_unknown_event() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -1228,6 +1235,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_process_queue() {
+        skip_if_not_root!();
         {
             let mut handler = create_net_epoll_handler("test_1".to_string());
 
@@ -1253,6 +1261,7 @@ mod tests {
 
     #[test]
     fn test_net_bandwidth_rate_limiter() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
 
         let event_fd = EventFd::new(0).unwrap();
@@ -1330,6 +1339,7 @@ mod tests {
 
     #[test]
     fn test_net_ops_rate_limiter() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
 
         let event_fd = EventFd::new(0).unwrap();

src/dragonball/dbs_virtio_devices/src/notifier.rs

@@ -44,9 +44,11 @@ pub fn create_queue_notifier(
 mod tests {
     use super::*;
     use dbs_interrupt::InterruptManager;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_create_virtio_legacy_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -68,6 +70,7 @@ mod tests {
 
     #[test]
     fn test_create_virtio_msi_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::MsiIrq, 0, 3)

src/dragonball/dbs_virtio_devices/src/vhost/vhost_kern/net.rs

@@ -682,6 +682,7 @@ mod tests {
     };
     use dbs_utils::epoll_manager::SubscriberOps;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::{Queue, QueueSync};
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
     use vmm_sys_util::eventfd::EventFd;
@@ -718,6 +719,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_virtio_normal() {
+        skip_if_not_root!();
         let guest_mac_str = "11:22:33:44:55:66";
         let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
         let queue_sizes = Arc::new(vec![128]);
@@ -757,6 +759,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_virtio_activate() {
+        skip_if_not_root!();
         let guest_mac_str = "11:22:33:44:55:66";
         let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
         // Invalid queue sizes
@@ -841,6 +844,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_vhost_kern_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/block.rs

@@ -631,7 +631,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_block_virtio_device_spdk() {
-        let socket_path = "/tmp/vhost.1";
+        let socket_path = concat!("vhost.", line!());
 
         let handler = thread::spawn(move || {
             let listener = Listener::new(socket_path, true).unwrap();
@@ -692,7 +692,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_block_virtio_device_activate_spdk() {
-        let socket_path = "/tmp/vhost.2";
+        let socket_path = concat!("vhost.", line!());
 
         let handler = thread::spawn(move || {
             // create vhost user block device

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -810,7 +810,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_fs_virtio_device_normal() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let tag = "test_fs";
 
         let handler = thread::spawn(move || {
@@ -879,7 +879,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_fs_virtio_device_activate() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let tag = "test_fs";
 
         let handler = thread::spawn(move || {

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/net.rs

@@ -604,6 +604,7 @@ mod tests {
     use dbs_interrupt::{InterruptManager, InterruptSourceType, MsiNotifier, NoopNotifier};
     use dbs_utils::epoll_manager::EpollManager;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vhost_rs::vhost_user::message::VhostUserU64;
     use vhost_rs::vhost_user::{VhostUserProtocolFeatures, VhostUserVirtioFeatures};
     use virtio_queue::QueueSync;
@@ -647,7 +648,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_virtio_device_normal() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
         let handler = thread::spawn(move || {
@@ -697,7 +698,8 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_virtio_device_activate() {
-        let device_socket = "/tmp/vhost.1";
+        skip_if_not_root!();
+        let device_socket = concat!("vhost.", line!());
         let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
         let handler = thread::spawn(move || {

src/dragonball/dbs_virtio_devices/src/vsock/device.rs

@@ -208,6 +208,7 @@ mod tests {
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
 
@@ -243,6 +244,7 @@ mod tests {
 
     #[test]
     fn test_virtio_device() {
+        skip_if_not_root!();
         let mut ctx = TestContext::new();
         let device_features = VSOCK_AVAIL_FEATURES;
         let driver_features: u64 = VSOCK_AVAIL_FEATURES | 1 | (1 << 32);

src/dragonball/dbs_virtio_devices/src/vsock/epoll_handler.rs

@@ -310,6 +310,7 @@ where
 
 #[cfg(test)]
 mod tests {
+    use test_utils::skip_if_not_root;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
     use vmm_sys_util::epoll::EventSet;
 
@@ -320,6 +321,7 @@ mod tests {
 
     #[test]
     fn test_irq() {
+        skip_if_not_root!();
         let test_ctx = TestContext::new();
         let mut ctx = test_ctx.create_event_handler_context();
         ctx.arti_activate(&test_ctx.mem);
@@ -329,6 +331,7 @@ mod tests {
 
     #[test]
     fn test_txq_event() {
+        skip_if_not_root!();
         // Test case:
         // - the driver has something to send (there's data in the TX queue);
         //   and
@@ -411,6 +414,7 @@ mod tests {
 
     #[test]
     fn test_rxq_event() {
+        skip_if_not_root!();
         // Test case:
         // - there is pending RX data in the backend; and
         // - the driver makes RX buffers available; and
@@ -468,6 +472,7 @@ mod tests {
 
     #[test]
     fn test_backend_event() {
+        skip_if_not_root!();
         // Test case:
         // - a backend event is received; and
         // - the backend has pending RX data.
@@ -567,6 +572,7 @@ mod tests {
 
     #[test]
     fn test_vsock_bof() {
+        skip_if_not_root!();
         const GAP_SIZE: usize = 768 << 20;
         const FIRST_AFTER_GAP: usize = 1 << 32;
         const GAP_START_ADDR: usize = FIRST_AFTER_GAP - GAP_SIZE;

src/dragonball/src/device_manager/balloon_dev_mgr.rs

@@ -298,6 +298,7 @@ mod tests {
     use super::*;
     use crate::device_manager::tests::create_address_space;
     use crate::test_utils::tests::create_vm_for_test;
+    use test_utils::skip_if_not_root;
 
     impl Default for BalloonDeviceConfigInfo {
         fn default() -> Self {
@@ -330,6 +331,7 @@ mod tests {
 
     #[test]
     fn test_balloon_insert_or_update_device() {
+        skip_if_not_root!();
         //Init vm for test.
         let mut vm = create_vm_for_test();
 
@@ -354,6 +356,7 @@ mod tests {
 
     #[test]
     fn test_balloon_attach_device() {
+        skip_if_not_root!();
         //Init vm and insert balloon config for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(
@@ -393,6 +396,7 @@ mod tests {
 
     #[test]
     fn test_balloon_update_device() {
+        skip_if_not_root!();
         //Init vm for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(

src/dragonball/src/device_manager/mem_dev_mgr.rs

@@ -618,6 +618,7 @@ impl MemRegionFactory for MemoryRegionFactory {
 
 #[cfg(test)]
 mod tests {
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryRegion;
 
     use super::*;
@@ -656,6 +657,7 @@ mod tests {
 
     #[test]
     fn test_mem_insert_or_update_device() {
+        skip_if_not_root!();
         // Init vm for test.
         let mut vm = create_vm_for_test();
 
@@ -681,6 +683,7 @@ mod tests {
 
     #[test]
     fn test_mem_attach_device() {
+        skip_if_not_root!();
         // Init vm and insert mem config for test.
         let mut vm = create_vm_for_test();
         let dummy_mem_device = MemDeviceConfigInfo::default();
@@ -710,6 +713,7 @@ mod tests {
 
     #[test]
     fn test_mem_create_region() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let ctx = DeviceOpContext::new(
             Some(vm.epoll_manager().clone()),

src/dragonball/src/device_manager/vhost_net_dev_mgr.rs

@@ -277,6 +277,7 @@ impl Default for VhostNetDeviceMgr {
 mod tests {
     use dbs_utils::net::MacAddr;
     use dbs_virtio_devices::Error as VirtioError;
+    use test_utils::skip_if_not_root;
 
     use crate::{
         device_manager::{
@@ -289,6 +290,7 @@ mod tests {
 
     #[test]
     fn test_create_vhost_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mgr = DeviceManager::new_test_mgr();
         let id_1 = String::from("id_1");
@@ -321,6 +323,7 @@ mod tests {
 
     #[test]
     fn test_attach_vhost_net_device() {
+        skip_if_not_root!();
         // Init vm for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(
@@ -373,6 +376,7 @@ mod tests {
 
     #[test]
     fn test_insert_vhost_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
 
@@ -437,6 +441,7 @@ mod tests {
 
     #[test]
     fn test_vhost_net_insert_error_cases() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
 

src/dragonball/src/device_manager/vhost_user_net_dev_mgr.rs

@@ -219,9 +219,11 @@ impl Default for VhostUserNetDeviceMgr {
 mod tests {
     use super::*;
     use crate::test_utils::tests::create_vm_for_test;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_create_vhost_user_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");
@@ -249,6 +251,7 @@ mod tests {
 
     #[test]
     fn test_insert_vhost_user_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");
@@ -277,6 +280,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_insert_error_cases() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");

src/libs/kata-types/src/annotations/mod.rs

@@ -283,6 +283,13 @@ pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS: &str =
 pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL: &str =
     "io.katacontainers.config.hypervisor.default_gpu_model";
 
+/// Block device specific annotation for num_queues
+pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES: &str =
+    "io.katacontainers.config.hypervisor.block_device_num_queues";
+/// Block device specific annotation for queue_size
+pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE: &str =
+    "io.katacontainers.config.hypervisor.block_device_queue_size";
+
 // Runtime related annotations
 /// Prefix for Runtime configurations.
 pub const KATA_ANNO_CFG_RUNTIME_PREFIX: &str = "io.katacontainers.config.runtime.";
@@ -503,6 +510,7 @@ impl Annotation {
         let u32_err = io::Error::new(io::ErrorKind::InvalidData, "parse u32 error".to_string());
         let u64_err = io::Error::new(io::ErrorKind::InvalidData, "parse u64 error".to_string());
         let i32_err = io::Error::new(io::ErrorKind::InvalidData, "parse i32 error".to_string());
+        let usize_err = io::Error::new(io::ErrorKind::InvalidData, "parse usize error".to_string());
         let hv = config.hypervisor.get_mut(hypervisor_name).ok_or_else(|| {
             io::Error::new(
                 io::ErrorKind::InvalidData,
@@ -620,7 +628,7 @@ impl Annotation {
                         hv.boot_info.kernel = value.to_string();
                     }
                     KATA_ANNO_CFG_HYPERVISOR_KERNEL_PARAMS => {
-                        hv.boot_info.kernel_params = value.to_string();
+                        hv.boot_info.replace_kernel_params(value);
                     }
                     KATA_ANNO_CFG_HYPERVISOR_IMAGE_PATH => {
                         hv.boot_info.validate_boot_path(value)?;
@@ -960,7 +968,26 @@ impl Annotation {
                             return Err(u32_err);
                         }
                     },
-
+                    KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES => {
+                        match self.get_value::<usize>(key) {
+                            Ok(v) => {
+                                hv.blockdev_info.num_queues = v.unwrap_or_default();
+                            }
+                            Err(_e) => {
+                                return Err(usize_err);
+                            }
+                        }
+                    }
+                    KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE => {
+                        match self.get_value::<u32>(key) {
+                            Ok(v) => {
+                                hv.blockdev_info.queue_size = v.unwrap_or_default();
+                            }
+                            Err(_e) => {
+                                return Err(u32_err);
+                            }
+                        }
+                    }
                     _ => {
                         return Err(io::Error::new(
                             io::ErrorKind::InvalidInput,

src/libs/kata-types/src/config/default.rs

@@ -41,11 +41,13 @@ pub const DEFAULT_BLOCK_NVDIMM_MEM_OFFSET: u64 = 0;
 pub const DEFAULT_BLOCK_DEVICE_AIO_THREADS: &str = "threads";
 pub const DEFAULT_BLOCK_DEVICE_AIO_NATIVE: &str = "native";
 pub const DEFAULT_BLOCK_DEVICE_AIO: &str = "io_uring";
+pub const DEFAULT_BLOCK_DEVICE_NUM_QUEUES: u32 = 1;
+pub const DEFAULT_BLOCK_DEVICE_QUEUE_SIZE: u32 = 128;
 
 pub const DEFAULT_SHARED_FS_TYPE: &str = "virtio-fs";
 pub const DEFAULT_VIRTIO_FS_CACHE_MODE: &str = "never";
 pub const DEFAULT_VIRTIO_FS_DAX_SIZE_MB: u32 = 1024;
-pub const DEFAULT_SHARED_9PFS_SIZE_MB: u32 = 128 * 1024;
+pub const DEFAULT_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024;
 pub const MIN_SHARED_9PFS_SIZE_MB: u32 = 4 * 1024;
 pub const MAX_SHARED_9PFS_SIZE_MB: u32 = 8 * 1024 * 1024;
 
@@ -110,3 +112,6 @@ pub const MAX_REMOTE_VCPUS: u32 = 32;
 pub const MIN_REMOTE_MEMORY_SIZE_MB: u32 = 64;
 pub const DEFAULT_REMOTE_MEMORY_SIZE_MB: u32 = 128;
 pub const DEFAULT_REMOTE_MEMORY_SLOTS: u32 = 128;
+
+// Default configuration for factory/templating
+pub const DEFAULT_TEMPLATE_PATH: &str = "/run/vc/vm/template";

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -189,6 +189,13 @@ pub struct BlockDeviceInfo {
     /// increases the initial max rate
     #[serde(default)]
     pub disk_rate_limiter_ops_one_time_burst: Option<u64>,
+
+    /// virtio queue size. Size: byte
+    #[serde(default)]
+    pub queue_size: u32,
+    /// block device multi-queue
+    #[serde(default)]
+    pub num_queues: usize,
 }
 
 impl BlockDeviceInfo {
@@ -219,6 +226,15 @@ impl BlockDeviceInfo {
                 ));
             }
         }
+
+        if self.num_queues == 0 {
+            self.num_queues = default::DEFAULT_BLOCK_DEVICE_NUM_QUEUES as usize;
+        }
+
+        if self.queue_size == 0 {
+            self.queue_size = default::DEFAULT_BLOCK_DEVICE_QUEUE_SIZE;
+        }
+
         if self.memory_offset == 0 {
             self.memory_offset = default::DEFAULT_BLOCK_NVDIMM_MEM_OFFSET;
         }
@@ -358,6 +374,71 @@ impl BootInfo {
         self.kernel_params = p.join(KERNEL_PARAM_DELIMITER);
     }
 
+    /// Replace kernel parameters with the same key.
+    ///
+    /// For each parameter in the new_params string, if a parameter with the same key
+    /// already exists in kernel_params, it will be removed before adding the new one.
+    /// This allows selective parameter override from annotations without replacing
+    /// the entire kernel command line.
+    pub fn replace_kernel_params(&mut self, new_params: &str) {
+        if new_params.is_empty() {
+            return;
+        }
+
+        // Parse existing kernel parameters into a map
+        let mut existing_params: Vec<(String, String)> = Vec::new();
+        for param in self.kernel_params.split(KERNEL_PARAM_DELIMITER) {
+            let param = param.trim();
+            if param.is_empty() {
+                continue;
+            }
+            // Split by '=' to get key and value
+            if let Some(eq_pos) = param.find('=') {
+                let key = param[..eq_pos].to_string();
+                let value = param[eq_pos + 1..].to_string();
+                existing_params.push((key, value));
+            } else {
+                // Parameter without value (like "quiet")
+                existing_params.push((param.to_string(), String::new()));
+            }
+        }
+
+        // Parse new parameters and collect keys to replace
+        let mut new_param_keys: Vec<String> = Vec::new();
+        let mut new_param_list: Vec<String> = Vec::new();
+        for param in new_params.split(KERNEL_PARAM_DELIMITER) {
+            let param = param.trim();
+            if param.is_empty() {
+                continue;
+            }
+            if let Some(eq_pos) = param.find('=') {
+                let key = param[..eq_pos].to_string();
+                new_param_keys.push(key);
+            } else {
+                new_param_keys.push(param.to_string());
+            }
+            new_param_list.push(param.to_string());
+        }
+
+        // Remove existing parameters that will be replaced
+        existing_params.retain(|(key, _)| !new_param_keys.contains(key));
+
+        // Reconstruct kernel_params: existing params + new params
+        let mut all_params: Vec<String> = existing_params
+            .iter()
+            .map(|(key, value)| {
+                if value.is_empty() {
+                    key.clone()
+                } else {
+                    format!("{}={}", key, value)
+                }
+            })
+            .collect();
+        all_params.extend(new_param_list);
+
+        self.kernel_params = all_params.join(KERNEL_PARAM_DELIMITER);
+    }
+
     /// Validate guest kernel image annotation.
     pub fn validate_boot_path(&self, path: &str) -> Result<()> {
         validate_path!(path, "path {} is invalid{}")?;

src/libs/kata-types/src/config/hypervisor/qemu.rs

@@ -91,6 +91,10 @@ impl ConfigPlugin for QemuConfig {
             if qemu.memory_info.memory_slots == 0 {
                 qemu.memory_info.memory_slots = default::DEFAULT_QEMU_MEMORY_SLOTS;
             }
+
+            if qemu.factory.template_path.is_empty() {
+                qemu.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
+            }
         }
 
         Ok(())

src/libs/kata-types/src/config/hypervisor/remote.rs

@@ -65,6 +65,11 @@ impl ConfigPlugin for RemoteConfig {
             if remote.memory_info.memory_slots == 0 {
                 remote.memory_info.memory_slots = default::DEFAULT_REMOTE_MEMORY_SLOTS
             }
+
+            // Apply factory defaults
+            if remote.factory.template_path.is_empty() {
+                remote.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
+            }
         }
 
         Ok(())

src/libs/kata-types/src/cpu.rs

@@ -25,6 +25,7 @@ pub enum Error {
 }
 
 /// Assigned CPU resources for a Linux container.
+/// Stores fractional vCPU allocation for more precise resource tracking.
 #[derive(Clone, Default, Debug)]
 pub struct LinuxContainerCpuResources {
     shares: u64,
@@ -32,7 +33,8 @@ pub struct LinuxContainerCpuResources {
     quota: i64,
     cpuset: CpuSet,
     nodeset: NumaNodeSet,
-    calculated_vcpu_time_ms: Option<u64>,
+    /// Calculated fractional vCPU allocation, e.g., 0.25 means 1/4 of a CPU.
+    calculated_vcpu: Option<f64>,
 }
 
 impl LinuxContainerCpuResources {
@@ -61,10 +63,10 @@ impl LinuxContainerCpuResources {
         &self.nodeset
     }
 
-    /// Get number of vCPUs to fulfill the CPU resource request, `None` means unconstrained.
-    pub fn get_vcpus(&self) -> Option<u64> {
-        self.calculated_vcpu_time_ms
-            .map(|v| v.saturating_add(999) / 1000)
+    /// Get the number of vCPUs assigned to the container as a fractional value.
+    /// Returns `None` if unconstrained (no limit).
+    pub fn get_vcpus(&self) -> Option<f64> {
+        self.calculated_vcpu
     }
 }
 
@@ -75,15 +77,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
     fn try_from(value: &oci::LinuxCpu) -> Result<Self, Self::Error> {
         let period = value.period().unwrap_or(0);
         let quota = value.quota().unwrap_or(-1);
-        let value_cpus = value.cpus().as_ref().map_or("", |cpus| cpus);
+        let value_cpus = value.cpus().as_deref().unwrap_or("");
         let cpuset = CpuSet::from_str(value_cpus).map_err(Error::InvalidCpuSet)?;
-        let value_mems = value.mems().as_ref().map_or("", |mems| mems);
+        let value_mems = value.mems().as_deref().unwrap_or("");
         let nodeset = NumaNodeSet::from_str(value_mems).map_err(Error::InvalidNodeSet)?;
 
-        // If quota is -1, it means the CPU resource request is unconstrained. In that case,
-        // we don't currently assign additional CPUs.
-        let milli_sec = if quota >= 0 && period != 0 {
-            Some((quota as u64).saturating_mul(1000) / period)
+        // Calculate fractional vCPUs:
+        // If quota >= 0 and period > 0, vCPUs = quota / period.
+        // Otherwise, if cpuset is non-empty, derive from cpuset length.
+        let vcpu_fraction = if quota >= 0 && period > 0 {
+            Some(quota as f64 / period as f64)
+        } else if !cpuset.is_empty() {
+            Some(cpuset.len() as f64)
         } else {
             None
         };
@@ -94,16 +99,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
             quota,
             cpuset,
             nodeset,
-            calculated_vcpu_time_ms: milli_sec,
+            calculated_vcpu: vcpu_fraction,
         })
     }
 }
 
-/// Assigned CPU resources for a Linux sandbox/pod.
+/// Aggregated CPU resources for a Linux sandbox/pod.
+/// Tracks cumulative fractional vCPU allocation across all containers in the pod.
 #[derive(Default, Debug)]
 pub struct LinuxSandboxCpuResources {
     shares: u64,
-    calculated_vcpu_time_ms: u64,
+    /// Total fractional vCPU allocation for the sandbox.
+    calculated_vcpu: f64,
     cpuset: CpuSet,
     nodeset: NumaNodeSet,
 }
@@ -122,9 +129,9 @@ impl LinuxSandboxCpuResources {
         self.shares
     }
 
-    /// Get assigned vCPU time in ms.
-    pub fn calculated_vcpu_time_ms(&self) -> u64 {
-        self.calculated_vcpu_time_ms
+    /// Return the cumulative fractional vCPU allocation for the sandbox.
+    pub fn calculated_vcpu(&self) -> f64 {
+        self.calculated_vcpu
     }
 
     /// Get the CPU set.
@@ -137,19 +144,23 @@ impl LinuxSandboxCpuResources {
         &self.nodeset
     }
 
-    /// Get number of vCPUs to fulfill the CPU resource request.
-    pub fn get_vcpus(&self) -> u64 {
-        if self.calculated_vcpu_time_ms == 0 && !self.cpuset.is_empty() {
-            self.cpuset.len() as u64
-        } else {
-            self.calculated_vcpu_time_ms.saturating_add(999) / 1000
+    /// Get the number of vCPUs for the sandbox as a fractional value.
+    /// If no quota and cpuset is defined, return cpuset length as float.
+    pub fn get_vcpus(&self) -> f64 {
+        if self.calculated_vcpu == 0.0 {
+            if !self.cpuset.is_empty() {
+                return self.cpuset.len() as f64;
+            }
+            return 0.0;
         }
+        self.calculated_vcpu
     }
 
-    /// Merge resources assigned to a container into the sandbox/pod resources.
+    /// Merge container CPU resources into this sandbox CPU resource object.
+    /// Aggregates fractional vCPU allocation and extends cpuset/nodeset.
     pub fn merge(&mut self, container_resource: &LinuxContainerCpuResources) -> &mut Self {
-        if let Some(v) = container_resource.calculated_vcpu_time_ms.as_ref() {
-            self.calculated_vcpu_time_ms += v;
+        if let Some(v) = container_resource.calculated_vcpu {
+            self.calculated_vcpu += v;
         }
         self.cpuset.extend(&container_resource.cpuset);
         self.nodeset.extend(&container_resource.nodeset);
@@ -160,16 +171,16 @@ impl LinuxSandboxCpuResources {
 #[cfg(test)]
 mod tests {
     use super::*;
+    const EPSILON: f64 = 0.0001;
 
     #[test]
     fn test_linux_container_cpu_resources() {
         let resources = LinuxContainerCpuResources::default();
 
         assert_eq!(resources.shares(), 0);
-        assert_eq!(resources.calculated_vcpu_time_ms, None);
         assert!(resources.cpuset.is_empty());
         assert!(resources.nodeset.is_empty());
-        assert!(resources.calculated_vcpu_time_ms.is_none());
+        assert!(resources.get_vcpus().is_none());
 
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
@@ -182,11 +193,20 @@ mod tests {
         assert_eq!(resources.shares(), 2048);
         assert_eq!(resources.period(), 100);
         assert_eq!(resources.quota(), 1001);
-        assert_eq!(resources.calculated_vcpu_time_ms, Some(10010));
-        assert_eq!(resources.get_vcpus().unwrap(), 11);
+
+        // Expected fractional vCPUs = quota / period
+        let expected_vcpus = 1001.0 / 100.0;
+        assert!(
+            (resources.get_vcpus().unwrap() - expected_vcpus).abs() < EPSILON,
+            "got {}, expect {}",
+            resources.get_vcpus().unwrap(),
+            expected_vcpus
+        );
+
         assert_eq!(resources.cpuset().len(), 3);
         assert_eq!(resources.nodeset().len(), 1);
 
+        // Test cpuset-only path (no quota)
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
         linux_cpu.set_cpus(Some("1".to_string()));
@@ -196,8 +216,10 @@ mod tests {
         assert_eq!(resources.shares(), 2048);
         assert_eq!(resources.period(), 0);
         assert_eq!(resources.quota(), -1);
-        assert_eq!(resources.calculated_vcpu_time_ms, None);
-        assert!(resources.get_vcpus().is_none());
+        assert!(
+            (resources.get_vcpus().unwrap() - 1.0).abs() < EPSILON,
+            "cpuset size vCPU mismatch"
+        );
         assert_eq!(resources.cpuset().len(), 1);
         assert_eq!(resources.nodeset().len(), 2);
     }
@@ -207,8 +229,7 @@ mod tests {
         let mut sandbox = LinuxSandboxCpuResources::new(1024);
 
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 0);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 0);
+        assert_eq!(sandbox.get_vcpus(), 0.0);
         assert!(sandbox.cpuset().is_empty());
         assert!(sandbox.nodeset().is_empty());
 
@@ -222,11 +243,20 @@ mod tests {
         let resources = LinuxContainerCpuResources::try_from(&linux_cpu).unwrap();
         sandbox.merge(&resources);
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 11);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
+
+        // vCPUs after merge = quota / period
+        let expected_vcpus = 1001.0 / 100.0;
+        assert!(
+            (sandbox.get_vcpus() - expected_vcpus).abs() < EPSILON,
+            "sandbox vCPU mismatch: got {}, expect {}",
+            sandbox.get_vcpus(),
+            expected_vcpus
+        );
+
         assert_eq!(sandbox.cpuset().len(), 3);
         assert_eq!(sandbox.nodeset().len(), 1);
 
+        // Merge cpuset-only container
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
         linux_cpu.set_cpus(Some("1,4".to_string()));
@@ -236,8 +266,15 @@ mod tests {
         sandbox.merge(&resources);
 
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 11);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
+
+        // Expect quota-based + cpuset len (since cpuset is treated as allocation)
+        let expected_after_merge = expected_vcpus + resources.get_vcpus().unwrap();
+        assert!(
+            (sandbox.get_vcpus() - expected_after_merge).abs() < EPSILON,
+            "sandbox vCPU mismatch after cpuset merge: got {}, expect {}",
+            sandbox.get_vcpus(),
+            expected_after_merge
+        );
         assert_eq!(sandbox.cpuset().len(), 4);
         assert_eq!(sandbox.nodeset().len(), 2);
     }

src/libs/mem-agent/src/compact.rs

@@ -52,7 +52,8 @@ pub struct Config {
     // the next compact_force_times times, a compaction will be forced
     // regardless of the system's memory situation.
     // If compact_force_times is set to 0, will do force compaction each time.
-    // If compact_force_times is set to std::u64::MAX, will never do force compaction.
+    // If compact_force_times is set to std::u64::MAX, u64::MAX - 1, or i64::MAX, will never do force compaction.
+    // Note: Using i64::MAX (9223372036854775807) instead of u64::MAX to avoid TOML parser issues.
     pub compact_force_times: u64,
 }
 
@@ -67,7 +68,7 @@ impl Default for Config {
             compact_sec_max: 5 * 60,
             compact_order: PAGE_REPORTING_MIN_ORDER,
             compact_threshold: 2 << PAGE_REPORTING_MIN_ORDER,
-            compact_force_times: u64::MAX,
+            compact_force_times: i64::MAX as u64,
         }
     }
 }
@@ -133,7 +134,7 @@ impl CompactCore {
     }
 
     fn need_force_compact(&self) -> bool {
-        if self.config.compact_force_times == u64::MAX {
+        if self.config.compact_force_times >= i64::MAX as u64 {
             return false;
         }
 

src/runtime-rs/Cargo.toml

@@ -1,77 +1,31 @@
-[workspace]
-members = [
-    "crates/agent",
-    "crates/hypervisor",
-    "crates/persist",
-    "crates/resource",
-    "crates/runtimes",
-    "crates/service",
-    "crates/shim",
-    "crates/shim-ctl",
+[package]
+name = "runtime-rs"
+version = "0.1.0"
+authors = { workspace = true }
+description = "Containerd shim runtime for Kata Containers"
+keywords = ["kata-containers", "shim"]
+repository = "https://github.com/kata-containers/kata-containers.git"
+license = { workspace = true }
+edition = { workspace = true }
 
-    "tests/utils",
-]
+[[bin]]
+name = "containerd-shim-kata-v2"
+path = "crates/shim/src/bin/main.rs"
 
-[workspace.package]
-authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
-edition = "2018"
-license = "Apache-2.0"
+[[bin]]
+name = "shim-ctl"
+path = "crates/shim-ctl/src/main.rs"
 
-[workspace.dependencies]
-agent = { path = "crates/agent" }
-hypervisor = { path = "crates/hypervisor" }
-persist = { path = "crates/persist" }
-resource = { path = "crates/resource" }
-runtimes = { path = "crates/runtimes" }
-service = { path = "crates/service" }
-tests_utils = { path = "tests/utils" }
+[features]
+dragonball = ["runtimes/dragonball"]
+cloud-hypervisor = ["runtimes/cloud-hypervisor"]
 
-ch-config = { path = "crates/hypervisor/ch-config" }
-common = { path = "crates/runtimes/common" }
-linux_container = { path = "crates/runtimes/linux_container" }
-virt_container = { path = "crates/runtimes/virt_container" }
-wasm_container = { path = "crates/runtimes/wasm_container" }
-
-# Local dependencies from `src/libs`
-kata-sys-util = { path = "../libs/kata-sys-util" }
-kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
-logging = { path = "../libs/logging" }
-protocols = { path = "../libs/protocols", features = ["async"] }
-runtime-spec = { path = "../libs/runtime-spec" }
-safe-path = { path = "../libs/safe-path" }
-shim-interface = { path = "../libs/shim-interface" }
-test-utils = { path = "../libs/test-utils" }
-
-# Local dependencies from `src/dragonball`
-dragonball = { path = "../dragonball" }
-dbs-utils = { path = "../dragonball/dbs_utils" }
-
-actix-rt = "2.7.0"
-anyhow = "1.0"
-async-trait = "0.1.48"
-containerd-shim = { version = "0.10.0", features = ["async"] }
-containerd-shim-protos = { version = "0.10.0", features = ["async"] }
-go-flag = "0.1.0"
-hyper = "0.14.20"
-hyperlocal = "0.8.0"
-lazy_static = "1.4"
-libc = "0.2"
-log = "0.4.14"
-netns-rs = "0.1.0"
-# Note: nix needs to stay sync'd with libs versions
-nix = "0.26.4"
-oci-spec = { version = "0.8.1", features = ["runtime"] }
-protobuf = "3.7.2"
-rand = "0.8.4"
-serde = { version = "1.0.145", features = ["derive"] }
-serde_json = "1.0.91"
-slog = "2.5.2"
-slog-scope = "4.4.0"
-strum = { version = "0.24.0", features = ["derive"] }
-tempfile = "3.19.1"
-thiserror = "1.0"
-tokio = "1.46.1"
-tracing = "0.1.41"
-tracing-opentelemetry = "0.18.0"
-ttrpc = "0.8.4"
-url = "2.5.4"
+[dependencies]
+anyhow = { workspace = true }
+go-flag = { workspace = true }
+nix = { workspace = true }
+tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
+shim = { path = "crates/shim" }
+common = { workspace = true }
+logging = { workspace = true }
+runtimes = { workspace = true }

src/runtime-rs/Makefile

@@ -150,8 +150,8 @@ DEFMEMSLOTS := 10
 DEFMAXMEMSZ := 0
 ##VAR DEFBRIDGES=<number> Default number of bridges
 DEFBRIDGES := 0
-DEFENABLEANNOTATIONS := [\"kernel_params\"]
-DEFENABLEANNOTATIONS_COCO := [\"kernel_params\",\"cc_init_data\"]
+DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\"]
+DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
 DEFDISABLEGUESTEMPTYDIR := false
 ##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
@@ -328,7 +328,7 @@ ifneq (,$(QEMUCMD))
     KERNELPATH_COCO = $(KERNELDIR)/$(KERNEL_NAME_COCO)
 
     # overriding options
-    DEFSTATICRESOURCEMGMT_QEMU := true
+    DEFSTATICRESOURCEMGMT_QEMU := false
 
     # qemu-specific options
     DEFSANDBOXCGROUPONLY_QEMU := false
@@ -347,8 +347,13 @@ endif
     DEFBLOCKDEVICEAIO_QEMU := io_uring
     DEFNETWORKMODEL_QEMU := tcfilter
     DEFDISABLEGUESTSELINUX := true
-    DEFSECCOMPSANDBOXPARAM := on,obsolete=deny,spawn=deny,resourcecontrol=deny
-    DEFGUESTSELINUXLABEL := system_u:system_r:container_t
+    # Default is empty string "" to match Rust default None (when commented out in config).
+    # Most users will want to set this to "on,obsolete=deny,spawn=deny,resourcecontrol=deny"
+    # for better security. Note: "elevateprivileges=deny" doesn't work with daemonize option.
+    DEFSECCOMPSANDBOXPARAM := ""
+    # Default is empty string "" to match Rust default None (when commented out in config).
+    # Most users will want to set this to "system_u:system_r:container_t" for SELinux support.
+    DEFGUESTSELINUXLABEL := ""
 endif
 
 ifneq (,$(FCCMD))
@@ -578,7 +583,7 @@ ifneq ($(EXTRA_RUSTFEATURES),)
 endif
 
 
-TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
+TARGET_PATH = ../../target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
 
 ##VAR DESTDIR=<path> is a directory prepended to each installed target file
 DESTDIR ?= /