relax bind mount regex

the source path can be cached from the first container now

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>

.cspell.yaml

@@ -1,36 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json
-version: "0.2"
-language: en,en-GB
-
-dictionaryDefinitions:
-  - name: kata-terms
-    path: ./tests/spellcheck/kata-dictionary.txt
-    addWords: true
-
-dictionaries:
-  - en-GB
-  - en_US
-  - bash
-  - git
-  - golang
-  - k8s
-  - python
-  - rust
-  - companies
-  - mnemonics
-  - peopleNames
-  - softwareTerms
-  - networking-terms
-  - kata-terms
-
-ignoreRegExpList:
-  - /@[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}/gi  # Ignores github handles
-  # Ignore code blocks
-  - /^\s*`{3,}[\s\S]*?^\s*`{3,}/gm
-  - /`[^`\n]+`/g
-
-ignorePaths:
-  - "**/vendor/**"  # vendor files aren't owned by us
-  - "**/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/**"  # Generated files
-
-useGitignore: true

.github/actionlint.yaml

@@ -28,9 +28,3 @@ self-hosted-runner:
     - s390x-large
     - tdx
     - ubuntu-24.04-arm
-
-paths:
-  .github/workflows/**/*.{yml,yaml}:
-    ignore:
-      # We use if: false to "temporarily" skip jobs with issues
-      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -15,8 +15,6 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -87,12 +85,8 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
-    cooldown:
-      default-days: 7

.github/workflows/actionlint.yaml

@@ -13,13 +13,18 @@ concurrency:
 jobs:
   run-actionlint:
     name: run-actionlint
+    env:
+      GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Install actionlint gh extension
+        run: gh extension install https://github.com/cschleiden/gh-actionlint
+
       - name: Run actionlint
-        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1
+        run:  gh actionlint

.github/workflows/basic-ci-amd64.yaml

@@ -47,23 +47,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
         env:

.github/workflows/basic-ci-s390x.yaml

@@ -47,25 +47,8 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        run: bash tests/integration/cri-containerd/gha-run.sh
         env:
           GH_TOKEN: ${{ github.token }}
 

.github/workflows/build-checks-preview-riscv64.yaml

@@ -82,17 +82,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-checks.yaml

@@ -94,19 +94,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -143,7 +143,7 @@ jobs:
           if-no-files-found: error
 
       - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
+        if: ${{ matrix.asset == 'kernel' || startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: kata-artifacts-amd64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
@@ -168,6 +168,8 @@ jobs:
           - rootfs-image-nvidia-gpu-confidential
           - rootfs-initrd
           - rootfs-initrd-confidential
+          - rootfs-initrd-nvidia-gpu
+          - rootfs-initrd-nvidia-gpu-confidential
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -233,6 +235,7 @@ jobs:
         asset:
           - busybox
           - coco-guest-components
+          - kernel-modules
           - kernel-nvidia-gpu-modules
           - pause-image
     steps:
@@ -347,16 +350,6 @@ jobs:
           ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
         env:
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: Check kata tarball size (GitHub release asset limit)
-        run: |
-          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
-          GITHUB_ASSET_MAX_BYTES=2147483648
-          tarball_size=$(stat -c "%s" kata-static.tar.zst)
-          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
-            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
-            exit 1
-          fi
-          echo "tarball size: ${tarball_size} bytes"
       - name: store-artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -375,6 +368,7 @@ jobs:
       matrix:
         asset:
           - agent-ctl
+          - csi-kata-directvolume
           - genpolicy
           - kata-ctl
           - kata-manager
@@ -457,16 +451,6 @@ jobs:
           ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
         env:
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: Check kata-tools tarball size (GitHub release asset limit)
-        run: |
-          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
-          GITHUB_ASSET_MAX_BYTES=2147483648
-          tarball_size=$(stat -c "%s" kata-tools-static.tar.zst)
-          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
-            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
-            exit 1
-          fi
-          echo "tarball size: ${tarball_size} bytes"
       - name: store-artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -152,6 +152,7 @@ jobs:
           - rootfs-image
           - rootfs-image-nvidia-gpu
           - rootfs-initrd
+          - rootfs-initrd-nvidia-gpu
     steps:
       - name: Login to Kata Containers quay.io
         if: ${{ inputs.push-to-registry == 'yes' }}
@@ -326,16 +327,6 @@ jobs:
           ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
         env:
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: Check kata tarball size (GitHub release asset limit)
-        run: |
-          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
-          GITHUB_ASSET_MAX_BYTES=2147483648
-          tarball_size=$(stat -c "%s" kata-static.tar.zst)
-          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
-            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
-            exit 1
-          fi
-          echo "tarball size: ${tarball_size} bytes"
       - name: store-artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

.github/workflows/build-kata-static-tarball-ppc64le.yaml

@@ -262,16 +262,6 @@ jobs:
           ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
         env:
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: Check kata tarball size (GitHub release asset limit)
-        run: |
-          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
-          GITHUB_ASSET_MAX_BYTES=2147483648
-          tarball_size=$(stat -c "%s" kata-static.tar.zst)
-          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
-            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
-            exit 1
-          fi
-          echo "tarball size: ${tarball_size} bytes"
       - name: store-artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -120,6 +120,15 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
+      - name: store-extratarballs-artifact ${{ matrix.asset }}
+        if: ${{ matrix.asset == 'kernel' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-artifacts-s390x-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
+          path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
   build-asset-rootfs:
     name: build-asset-rootfs
     runs-on: s390x
@@ -350,16 +359,6 @@ jobs:
           ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
         env:
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: Check kata tarball size (GitHub release asset limit)
-        run: |
-          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
-          GITHUB_ASSET_MAX_BYTES=2147483648
-          tarball_size=$(stat -c "%s" kata-static.tar.zst)
-          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
-            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
-            exit 1
-          fi
-          echo "tarball size: ${tarball_size} bytes"
       - name: store-artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

.github/workflows/ci-devel.yaml

@@ -17,7 +17,6 @@ jobs:
       pr-number: "dev"
       tag: ${{ github.sha }}-dev
       target-branch: ${{ github.ref_name }}
-      extensive-matrix-autogenerated-policy: "yes"
 
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

.github/workflows/ci-nightly.yaml

@@ -22,7 +22,6 @@ jobs:
       pr-number: "nightly"
       tag: ${{ github.sha }}-nightly
       target-branch: ${{ github.ref_name }}
-      extensive-matrix-autogenerated-policy: "yes"
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/ci.yaml

@@ -19,10 +19,6 @@ on:
         required: false
         type: string
         default: no
-      extensive-matrix-autogenerated-policy:
-        required: false
-        type: string
-        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -216,6 +212,61 @@ jobs:
           platforms: linux/amd64, linux/s390x
           file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
 
+  publish-csi-driver-amd64:
+    name: publish-csi-driver-amd64
+    needs: build-kata-static-tarball-amd64
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64-${{ inputs.tag }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Copy binary into Docker context
+        run: |
+          # Copy to the location where the Dockerfile expects the binary.
+          mkdir -p src/tools/csi-kata-directvolume/bin/
+          cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Login to Kata Containers ghcr.io
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker build and push
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
+          push: true
+          context: src/tools/csi-kata-directvolume/
+          platforms: linux/amd64
+          file: src/tools/csi-kata-directvolume/Dockerfile
+
   run-kata-monitor-tests:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: build-kata-static-tarball-amd64
@@ -246,21 +297,6 @@ jobs:
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 
-  run-k8s-tests-on-free-runner:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    permissions:
-      contents: read
-    uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
   run-k8s-tests-on-arm64:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: publish-kata-deploy-payload-arm64
@@ -294,6 +330,7 @@ jobs:
     needs:
      - publish-kata-deploy-payload-amd64
      - build-and-publish-tee-confidential-unencrypted-image
+     - publish-csi-driver-amd64
     uses: ./.github/workflows/run-kata-coco-tests.yaml
     permissions:
       contents: read
@@ -306,7 +343,6 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
-      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/darwin-tests.yaml

@@ -31,22 +31,10 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Install Rust
       run: ./tests/install_rust.sh

.github/workflows/docs-url-alive-check.yaml

@@ -24,22 +24,10 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Docs URL Alive Check
       run: |

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/configure-pages@v5
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      - uses: actions/upload-pages-artifact@v4
         with:
           path: site
-      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+      - uses: actions/deploy-pages@v4
         id: deployment

.github/workflows/govulncheck.yaml

@@ -27,22 +27,10 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
       - name: Install govulncheck
         run: |

.github/workflows/osv-scanner.yaml

@@ -19,25 +19,23 @@ permissions: {}
 
 jobs:
   scan-scheduled:
-    name: Scan of whole repo
     permissions:
       actions: read # # Required to upload SARIF file to CodeQL
       contents: read  # Read commit contents
       security-events: write  # Require writing security events to upload SARIF file to security tab
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
     with:
       scan-args: |-
         -r
         ./
   scan-pr:
-    name: Scan of just PR code
     permissions:
       actions: read # Required to upload SARIF file to CodeQL
       contents: read  # Read commit contents
       security-events: write  # Require writing security events to upload SARIF file to security tab
     if: ${{ github.event_name == 'pull_request' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@8ae4be80636b94886b3c271caad730985ce0611c" # v2.3.3
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
     with:
       # Example of specifying custom arguments
       scan-args: |-

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,6 +35,8 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
+    strategy:
+      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}
@@ -53,25 +55,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: ${{ inputs.arch == 'ppc64le' && 'ppc64le' || '' }}
-
       - name: Install dependencies
         timeout-minutes: 15
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -42,6 +42,17 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        host_os:
+          - ubuntu
+        vmm:
+          - clh
+          - dragonball
+          - qemu
+          - qemu-runtime-rs
+          - cloud-hypervisor
+        instance-type:
+          - small
+          - normal
         include:
           - host_os: cbl-mariner
             vmm: clh
@@ -69,7 +80,6 @@ jobs:
       KUBERNETES: "vanilla"
       K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
       GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
-      RUNS_ON_AKS: "true"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/run-k8s-tests-on-free-runner.yaml

@@ -1,127 +0,0 @@
-# Run Kubernetes integration tests on free GitHub runners  with a locally
-# deployed cluster (kubeadm).
-name: CI | Run kubernetes tests on free runner
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-k8s-tests:
-    name: run-k8s-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        environment: [
-          { vmm: clh, containerd_version: lts },
-          { vmm: clh, containerd_version: active },
-          { vmm: dragonball, containerd_version: lts },
-          { vmm: dragonball, containerd_version: active },
-          { vmm: qemu, containerd_version: lts },
-          { vmm: qemu, containerd_version: active },
-          { vmm: qemu-runtime-rs, containerd_version: lts },
-          { vmm: qemu-runtime-rs, containerd_version: active },
-          { vmm: cloud-hypervisor, containerd_version: lts },
-          { vmm: cloud-hypervisor, containerd_version: active },
-        ]
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HOST_OS: ubuntu
-      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
-      KUBERNETES: vanilla
-      K8S_TEST_HOST_TYPE: baremetal-no-attestation
-      CONTAINER_ENGINE: containerd
-      CONTAINER_ENGINE_VERSION: ${{ matrix.environment.containerd_version }}
-      GH_TOKEN: ${{ github.token }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tools-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-tools-artifacts
-
-      - name: Install kata-tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Deploy k8s (kubeadm)
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Deploy Kata
-        timeout-minutes: 20
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Run tests
-        timeout-minutes: 60
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -57,24 +57,10 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: 'ppc64le'
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
 
       - name: Prepare the runner for k8s test suite
         run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

.github/workflows/run-kata-coco-tests.yaml

@@ -24,10 +24,6 @@ on:
         required: false
         type: string
         default: ""
-      extensive-matrix-autogenerated-policy:
-        required: false
-        type: string
-        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -110,6 +106,10 @@ jobs:
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
 
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
       - name: Run tests
         timeout-minutes: 100
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -130,42 +130,52 @@ jobs:
           [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
           bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
 
+      - name: Delete CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+
   # Generate jobs for testing CoCo on non-TEE environments
   run-k8s-tests-coco-nontee:
     name: run-k8s-tests-coco-nontee
     strategy:
       fail-fast: false
       matrix:
-        environment: [
-          { vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-        ]
-    runs-on: ubuntu-24.04
+        vmm:
+          - qemu-coco-dev
+          - qemu-coco-dev-runtime-rs
+        snapshotter:
+          - nydus
+        pull-type:
+          - guest-pull
+        include:
+          - pull-type: experimental-force-guest-pull
+            vmm: qemu-coco-dev
+            snapshotter: ""
+    runs-on: ubuntu-22.04
     permissions:
-      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     environment: ci
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}
       DOCKER_TAG: ${{ inputs.tag }}
       GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
       # Some tests rely on that variable to run (or not)
       KBS: "true"
       # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: "nodeport"
+      KBS_INGRESS: "aks"
       KUBERNETES: "vanilla"
-      PULL_TYPE: ${{ matrix.environment.pull_type }}
+      PULL_TYPE: ${{ matrix.pull-type }}
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
-      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
-      AUTO_GENERATE_POLICY: "yes"
+      SNAPSHOTTER: ${{ matrix.snapshotter }}
+      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.pull-type == 'experimental-force-guest-pull' && matrix.vmm || '' }}
+      # Caution: current ingress controller used to expose the KBS service
+      # requires much vCPUs, lefting only a few for the tests. Depending on the
+      # host type chose it will result on the creation of a cluster with
+      # insufficient resources.
       K8S_TEST_HOST_TYPE: "all"
-      CONTAINER_ENGINE: "containerd"
-      CONTAINER_ENGINE_VERSION: "active"
-      GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -188,36 +198,39 @@ jobs:
       - name: Install kata-tools
         run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
+      - name: Log into the Azure account
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
 
-      - name: Deploy kubernetes
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+      - name: Create AKS cluster
+        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+        with:
+          timeout_minutes: 15
+          max_attempts: 20
+          retry_on: error
+          retry_wait_seconds: 10
+          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
 
       - name: Install `bats`
         run: bash tests/integration/kubernetes/gha-run.sh install-bats
 
+      - name: Install `kubectl`
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'
+
+      - name: Download credentials for the Kubernetes CLI to use them
+        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
+
       - name: Deploy Kata
         timeout-minutes: 20
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
         env:
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
+          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
 
       - name: Deploy CoCo KBS
         timeout-minutes: 10
@@ -227,126 +240,9 @@ jobs:
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
 
-      - name: Run tests
-        timeout-minutes: 80
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-
-      - name: Delete CoCo KBS
-        if: always()
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-
-  # Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
-  run-k8s-tests-coco-nontee-extensive-matrix:
-    if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
-    name: run-k8s-tests-coco-nontee-extensive-matrix
-    strategy:
-      fail-fast: false
-      matrix:
-        environment: [
-          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: k0s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-        ]
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
-      KBS: "true"
-      KBS_INGRESS: "nodeport"
-      KUBERNETES: ${{ matrix.environment.k8s }}
-      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
-      PULL_TYPE: ${{ matrix.environment.pull_type }}
-      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AUTO_GENERATE_POLICY: "yes"
-      K8S_TEST_HOST_TYPE: "all"
-      GH_TOKEN: ${{ github.token }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tools-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-tools-artifacts
-
-      - name: Install kata-tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Deploy ${{ matrix.environment.k8s }}
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Deploy Kata
-        timeout-minutes: 20
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
 
       - name: Run tests
         timeout-minutes: 80
@@ -356,15 +252,18 @@ jobs:
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh report-tests
 
-      - name: Delete kata-deploy
+      - name: Refresh OIDC token in case access token expired
+        if: always()
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+
+      - name: Delete AKS cluster
         if: always()
         timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-
-      - name: Delete CoCo KBS
-        if: always()
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
 
   # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
   run-k8s-tests-coco-nontee-with-erofs-snapshotter:
@@ -392,7 +291,7 @@ jobs:
       KBS_INGRESS: ""
       KUBERNETES: "vanilla"
       CONTAINER_ENGINE: "containerd"
-      CONTAINER_ENGINE_VERSION: "active"
+      CONTAINER_ENGINE_VERSION: "v2.2"
       PULL_TYPE: ${{ matrix.pull-type }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
       USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
@@ -400,7 +299,6 @@ jobs:
       # We are skipping the auto generated policy tests for now,
       # but those should be enabled as soon as we work on that.
       AUTO_GENERATE_POLICY: "no"
-      GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -444,6 +342,8 @@ jobs:
       - name: Deploy kubernetes
         timeout-minutes: 15
         run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Install `bats`
         run: bash tests/integration/kubernetes/gha-run.sh install-bats
@@ -452,6 +352,10 @@ jobs:
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
 
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
       - name: Run tests
         timeout-minutes: 80
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -459,8 +363,3 @@ jobs:
       - name: Report tests
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/spellcheck.yaml

@@ -1,30 +0,0 @@
-name: Spelling check
-
-on: ["pull_request"]
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  check-spelling:
-    name: check-spelling
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Check Spelling
-        uses: streetsidesoftware/cspell-action@9cd41bb518a24fefdafd9880cbab8f0ceba04d28  # 8.3.0
-        with:
-          files: |
-            **/*.md
-            **/*.rst
-            **/*.txt
-          incremental_files_only: true
-          config: ".cspell.yaml"

.github/workflows/static-checks.yaml

@@ -126,19 +126,14 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         run: |
           cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Install system dependencies
         run: |
-          sudo apt-get update && sudo apt-get -y install moreutils
+          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
       - name: Install open-policy-agent
         run: |
           cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"

.gitignore

@@ -20,6 +20,3 @@ tools/packaging/static-build/agent/install_libseccomp.sh
 .direnv
 **/.DS_Store
 site/
-opt/
-tools/packaging/kernel/configs/**/.config
-root_hash.txt

Cargo.toml

@@ -22,9 +22,6 @@ members = [
   "src/dragonball/dbs_utils",
   "src/dragonball/dbs_virtio_devices",
 
-  # genpolicy
-  "src/tools/genpolicy",
-
   # runtime-rs
   "src/runtime-rs",
   "src/runtime-rs/crates/agent",
@@ -110,9 +107,6 @@ safe-path = { path = "src/libs/safe-path" }
 shim-interface = { path = "src/libs/shim-interface" }
 test-utils = { path = "src/libs/test-utils" }
 
-# Local dependencies from `src/agent`
-kata-agent-policy = { path = "src/agent/policy" }
-
 # Outside dependencies
 actix-rt = "2.7.0"
 anyhow = "1.0"

VERSION

@@ -1 +1 @@
-3.28.0
+3.26.0

ci/README.md

@@ -378,7 +378,7 @@ that is used in the test" section.  From there you can see exactly what you'll
 have to use when deploying kata-deploy in your local cluster.
 
 > [!NOTE]
-> TODO: @wainersm TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI
+> TODO: WAINER TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI
 
 ## Adding new runners
 

ci/openshift-ci/README.md

@@ -98,7 +98,7 @@ Let's say the OCP pipeline passed running with
 but failed running with
 ``quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64``
 and you'd like to know which PR caused the regression. You can either run with
-all the 60 tags between or you can utilize the [`bisecter`](https://github.com/ldoktor/bisecter)
+all the 60 tags between or you can utilize the [bisecter](https://github.com/ldoktor/bisecter)
 to optimize the number of steps in between.
 
 Before running the bisection you need a reproducer script. Sample one called

docs/Developer-Guide.md

@@ -730,7 +730,7 @@ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.debug_cons
 
 ##### Connecting to the debug console
 
-Next, connect to the debug console. The VSOCK paths vary slightly between each
+Next, connect to the debug console. The VSOCKS paths vary slightly between each
 VMM solution.
 
 In case of cloud-hypervisor, connect to the `vsock` as shown:

docs/Documentation-Requirements.md

@@ -188,14 +188,15 @@ and compare them with standard tools (e.g. `diff(1)`).
 # Spelling
 
 Since this project uses a number of terms not found in conventional
-dictionaries, we have a [kata-dictionary](../tests/spellcheck/kata-dictionary.txt)
-that contains some project specific terms we use.
+dictionaries, we have a
+[spell checking tool](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
+that checks both dictionary words and the additional terms we use.
 
-You can run the `cspell` checking tool on your document before raising a PR to ensure it
+Run the spell checking tool on your document before raising a PR to ensure it
 is free of mistakes.
 
 If your document introduces new terms, you need to update the custom
-dictionary to incorporate the new words.
+dictionary used by the spell checking tool to incorporate the new words.
 
 # Names
 

docs/Limitations.md

@@ -187,10 +187,9 @@ different compared to `runc` containers:
 into the guest and exposes it directly to the container.
 
 **Mounting guest devices**: When the source path of a hostPath volume is
-under `/dev` (or `/dev` itself), and the path corresponds to a
-non-regular file (i.e., a device, directory, or any other special file)
-or is not accessible by the Kata shim, the Kata agent bind mounts the
-source path directly from the *guest* filesystem into the container.
+under `/dev`, and the path either corresponds to a host device or is not
+accessible by the Kata shim, the Kata agent bind mounts the source path
+directly from the *guest* filesystem into the container.
 
 [runtime-config]: /src/runtime/README.md#configuration
 [k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
@@ -227,35 +226,6 @@ Importantly, the default behavior to pass the host devices to a
 privileged container is not supported in Kata Containers and needs to be
 disabled, see [Privileged Kata Containers](how-to/privileged.md).
 
-## Guest pulled container images
-
-When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec.
-If the ID values are omitted:
-
-- Your workload might be executed with unexpected user/group ID values, because image layers
-  may be unavailable to containerd, so image config (including user/group) is not applied.
-- If using policy or genpolicy, the generated policy may detect these unexpected values and
-  reject the creation of workload containers.
-
-Set `securityContext` explicitly. Use **pod-level** `spec.securityContext` (for Pods) or
-`spec.template.spec.securityContext` (for controllers like Deployments) and/or **container-level**
-`spec.containers[].securityContext`. Include at least:
-- `runAsUser` — primary user ID
-- `runAsGroup` — primary group ID
-- `fsGroup` — volume group ownership (often reflected as a supplemental group)
-- `supplementalGroups` — list of additional group IDs (if needed)
-
-Example:
-
- ```yaml
- # Explicit user/group/supplementary groups to support nydus guest-pull
- securityContext:
-   runAsUser: 0
-   runAsGroup: 0
-   fsGroup: 0
-   supplementalGroups: [1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
- ```
-
 # Appendices
 
 ## The constraints challenge

docs/Release-Process.md

@@ -1,64 +1,57 @@
 # How to do a Kata Containers Release
-
 This document lists the tasks required to create a Kata Release.
 
 ## Requirements
 
 - GitHub permissions to run workflows.
 
-## Release Model
+## Versioning
 
-Kata Containers follows a rolling release model with monthly snapshots.
-New features, bug fixes, and improvements are continuously integrated into
-`main`. Each month, a snapshot is tagged as a new `MINOR` release.
+The Kata Containers project uses [semantic versioning](http://semver.org/) for all releases.
+Semantic versions are comprised of three fields in the form:
 
-### Versioning
+```
+MAJOR.MINOR.PATCH
+```
 
-Releases use the `MAJOR.MINOR.PATCH` scheme. Monthly snapshots increment
-`MINOR`; `PATCH` is typically `0`. Major releases are rare (years apart) and
-signal significant architectural changes that may require updates to container
-managers (Containerd, CRI-O) or other infrastructure. Breaking changes in
-`MINOR` releases are avoided where possible, but may occasionally occur as
-features are deprecated or removed.
+When `MINOR` increases, the new release adds **new features** but *without changing the existing behavior*.
 
-### No Stable Branches
+When `MAJOR` increases, the new release adds **new features, bug fixes, or
+both** and which **changes the behavior from the previous release** (incompatible with previous releases).
 
-The Kata Containers project does not maintain stable branches (see
-[#9064](https://github.com/kata-containers/kata-containers/issues/9064)).
-Bug fixes land on `main` and ship in the next monthly snapshot rather than
-being backported. Downstream projects that need extended support or compliance
-certifications should select a monthly snapshot as their stable base and manage
-their own validation and patch backporting from there.
+A major release will also likely require a change of the container manager version used,
+-for example Containerd or CRI-O. Please refer to the release notes for further details.
+
+**Important** : the Kata Containers project doesn't have stable branches (see
+[this issue](https://github.com/kata-containers/kata-containers/issues/9064) for details).
+Bug fixes are released as part of `MINOR` or `MAJOR` releases only. `PATCH` is always `0`.
 
 ## Release Process
 
 ### Bump the `VERSION` and `Chart.yaml` file
 
-When the `kata-containers/kata-containers` repository is ready for a new
-release, first create a PR to set the release in the [`VERSION`](./../VERSION)
-file and update the `version` and `appVersion` in the
-[`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml)
-file and have it merged.
+When the `kata-containers/kata-containers` repository is ready for a new release,
+first create a PR to set the release in the [`VERSION`](./../VERSION) file and update the
+`version` and `appVersion` in the
+[`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml) file and
+have it merged.
 
 ### Lock the `main` branch
 
-In order to prevent any PRs getting merged during the release process, and
-slowing the release process down, by impacting the payload caches, we have
-recently trialed setting the `main` branch to read only whilst the release
-action runs.
+In order to prevent any PRs getting merged during the release process, and slowing the release
+process down, by impacting the payload caches, we have recently trailed setting the `main`
+branch to read only whilst the release action runs.
 
 > [!NOTE]
 > Admin permission is needed to complete this task.
 
 ### Wait for the `VERSION` bump PR payload publish to complete
 
-To reduce the chance of need to re-run the release workflow, check the [CI |
-Publish Kata Containers
-payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
+To reduce the chance of need to re-run the release workflow, check the
+[CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
 once the `VERSION` PR bump has merged to check that the assets build correctly
 and are cached, so that the release process can just download these artifacts
-rather than needing to build them all, which takes time and can reveal errors in
-infra.
+rather than needing to build them all, which takes time and can reveal errors in infra.
 
 ### Check GitHub Actions
 
@@ -70,10 +63,11 @@ release artifacts.
 > [!NOTE]
 > Write permissions to trigger the action.
 
-The action is manually triggered and is responsible for generating a new release
-(including a new tag), pushing those to the `kata-containers/kata-containers`
-repository. The new release is initially created as a draft. It is promoted to
-an official release when the whole workflow has completed successfully.
+The action is manually triggered and is responsible for generating a new
+release (including a new tag), pushing those to the
+`kata-containers/kata-containers` repository. The new release is initially
+created as a draft. It is promoted to an official release when the whole
+workflow has completed successfully.
 
 Check the [actions status
 page](https://github.com/kata-containers/kata-containers/actions) to verify all
@@ -81,13 +75,12 @@ steps in the actions workflow have completed successfully. On success, a static
 tarball containing Kata release artifacts will be uploaded to the [Release
 page](https://github.com/kata-containers/kata-containers/releases).
 
-If the workflow fails because of some external environmental causes, e.g.
-network timeout, simply re-run the failed jobs until they eventually succeed.
+If the workflow fails because of some external environmental causes, e.g. network
+timeout, simply re-run the failed jobs until they eventually succeed.
 
-If for some reason you need to cancel the workflow or re-run it entirely, go
-first to the [Release
-page](https://github.com/kata-containers/kata-containers/releases) and delete
-the draft release from the previous run.
+If for some reason you need to cancel the workflow or re-run it entirely, go first
+to the [Release page](https://github.com/kata-containers/kata-containers/releases) and
+delete the draft release from the previous run.
 
 ### Unlock the `main` branch
 
@@ -97,8 +90,9 @@ an admin to do it.
 ### Improve the release notes
 
 Release notes are auto-generated by the GitHub CLI tool used as part of our
-release workflow.  However, some manual tweaking may still be necessary in order
-to highlight the most important features and bug fixes in a specific release.
+release workflow.  However, some manual tweaking may still be necessary in
+order to highlight the most important features and bug fixes in a specific
+release.
 
 With this in mind, please, poke @channel on #kata-dev and people who worked on
 the release will be able to contribute to that.

docs/code-pr-advice.md

@@ -231,6 +231,12 @@ Run the
 [markdown checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-markdown)
 on your documentation changes.
 
+### Spell check
+
+Run the
+[spell checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
+on your documentation changes.
+
 ## Finally
 
 You may wish to read the documentation that the

docs/design/kata-api-design.md

@@ -43,7 +43,7 @@ To fulfill the [Kata design requirements](kata-design-requirements.md), and base
 |`sandbox.AddInterface(inf)`| Add new NIC to the sandbox.|
 |`sandbox.RemoveInterface(inf)`| Remove a NIC from the sandbox.|
 |`sandbox.ListInterfaces()`| List all NICs and their configurations in the sandbox, return a `pbTypes.Interface` list.|
-|`sandbox.UpdateRoutes(routes)`| Update the sandbox route table (e.g. for port mapping support), return a `pbTypes.Route` list.|
+|`sandbox.UpdateRoutes(routes)`| Update the sandbox route table (e.g. for portmapping support), return a `pbTypes.Route` list.|
 |`sandbox.ListRoutes()`| List the sandbox route table, return a `pbTypes.Route` list.|
 
 ### Sandbox Relay API

docs/design/kata-nydus-design.md

@@ -8,7 +8,7 @@ The following benchmarking result shows the performance improvement compared wit
 
 ## Proposal - Bring `lazyload` ability to Kata Containers
 
-`Nydusd` is a fuse/`virtiofs` daemon which is provided by `nydus` project and it supports `PassthroughFS` and [`rafs`](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) (Registry Acceleration File System) natively, so in Kata Containers, we can use `nydusd` in place of `virtiofsd` and mount `nydus` image to guest in the meanwhile.
+`Nydusd` is a fuse/`virtiofs` daemon which is provided by `nydus` project and it supports `PassthroughFS` and [RAFS](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) (Registry Acceleration File System) natively, so in Kata Containers, we can use `nydusd` in place of `virtiofsd` and mount `nydus` image to guest in the meanwhile.
 
 The process of creating/starting Kata Containers with `virtiofsd`,
 

docs/how-to/containerd-kata.md

@@ -23,7 +23,7 @@ workloads with isolated sandboxes (i.e. Kata Containers).
 
 As a result, the CRI implementations extended their semantics for the requirements:
 
-- At the beginning, [`Frakti`](https://github.com/kubernetes/frakti) checks the network configuration of a Pod, and
+- At the beginning, [Frakti](https://github.com/kubernetes/frakti) checks the network configuration of a Pod, and
   treat Pod with `host` network as trusted, while others are treated as untrusted.
 - The containerd introduced an annotation for untrusted Pods since [v1.0](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md):
   ```yaml

docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md

@@ -18,7 +18,7 @@ The host kernel must be equal to or later than upstream version [6.11](https://c
 
 [`sev-utils`](https://github.com/amd/sev-utils/blob/coco-202501150000/docs/snp.md) is an easy way to install the required host kernel with the `setup-host` command. However, it will also build compatible guest kernel, OVMF, and QEMU components which are not necessary as these components are packaged with kata. The `sev-utils` script utility can be used with these additional components to test the memory encrypted launch and attestation of a base QEMU SNP guest.
 
-For a simplified way to build just the upstream compatible host kernel, use the Confidential Containers fork of [`amdese-amdsev`](https://github.com/confidential-containers/amdese-amdsev/tree/amd-snp-202501150000). Individual components can be built by running the following command:
+For a simplified way to build just the upstream compatible host kernel, use the Confidential Containers fork of [AMDESE AMDSEV](https://github.com/confidential-containers/amdese-amdsev/tree/amd-snp-202501150000). Individual components can be built by running the following command:
 
 ```
 ./build.sh kernel host --install
@@ -65,7 +65,7 @@ $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
 $ make -j "$(nproc)"
 $ popd
 ```
-- Create cert-chain for SNP attestation ( using [`snphost`](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
+- Create cert-chain for SNP attestation ( using [snphost](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
 ```bash
 $ git clone https://github.com/virtee/snphost.git && cd snphost/
 $ cargo build
@@ -178,3 +178,4 @@ sudo reboot
 ```bash
 sudo rmmod kvm_amd && sudo modprobe kvm_amd sev_snp=0
 ```
+

docs/how-to/how-to-use-k8s-with-containerd-and-kata.md

@@ -49,8 +49,6 @@ In order to allow Kubelet to use containerd (using the CRI interface), configure
   EOF
   ```
 
-  For Kata Containers (and especially CoCo / Confidential Containers tests), use at least `--runtime-request-timeout=600s` (10m) so CRI CreateContainerRequest does not time out.
-
 - Inform systemd about the new configuration
 
   ```bash

docs/how-to/how-to-use-memory-agent.md

@@ -315,7 +315,7 @@ $ kata-agent-ctl connect --server-address "unix:///var/run/kata/$PODID/root/kata
 ### compact_threshold
 Control the mem-agent compaction function compact threshold.<br>
 compact_threshold is the pages number.<br>
-When examining the `/proc/pagetypeinfo`, if there's an increase in the number of movable pages of orders smaller than the compact_order compared to the amount following the previous compaction period, and this increase surpasses a certain threshold specifically, more than compact_threshold number of pages, or the number of free pages has decreased by compact_threshold since the previous compaction. Current compact run period will not do compaction because there is no enough fragmented pages to be compaction.<br>
+When examining the /proc/pagetypeinfo, if there's an increase in the number of movable pages of orders smaller than the compact_order compared to the amount following the previous compaction period, and this increase surpasses a certain threshold specifically, more than compact_threshold number of pages, or the number of free pages has decreased by compact_threshold since the previous compaction. Current compact run period will not do compaction because there is no enough fragmented pages to be compaction.<br>
 This design aims to minimize the impact of unnecessary compaction calls on system performance.<br>
 Default to 1024.
 

docs/how-to/how-to-use-the-kata-agent-policy.md

@@ -99,9 +99,6 @@ The [`genpolicy`](../../src/tools/genpolicy/) application can be used to generat
 
 **Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.
 
-**Important — User / Group / Supplemental groups for Policy and genpolicy**
-When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec, as described in [Limitations](../Limitations.md#guest-pulled-container-images).
-
 See the [`genpolicy` documentation](../../src/tools/genpolicy/README.md) and the [Policy contents examples](#policy-contents) for additional information.
 
 ## Policy contents

docs/how-to/run-kata-with-crictl.md

@@ -8,7 +8,7 @@
 
 > **Note:** `cri-tools` is only used for debugging and validation purpose, and don't use it to run production workloads.
 
-> **Note:** For how to install and configure `cri-tools` with CRI runtimes like `containerd` or CRI-O, please also refer to other [how-tos](./README.md).
+> **Note:** For how to install and configure `cri-tools` with CRI runtimes like `containerd` or CRI-O, please also refer to other [howtos](./README.md).
 
 ## Use `crictl` run Pods in Kata containers
 

docs/threat-model/threat-model.md

@@ -175,7 +175,7 @@ specific).
 
 ##### Dragonball networking
 
-For Dragonball, the `virtio-net` backend default is within Dragonball's VMM.
+For Dragonball, the `virtio-net` backend default is within Dragonbasll's VMM.
 
 
 #### virtio-vsock

osv-scanner.toml

@@ -1,8 +0,0 @@
-[[IgnoredVulns]]
-# yaml-rust is unmaintained.
-# We tried the most promising alternative in https://github.com/kata-containers/kata-containers/pull/12509,
-# but its literal quoting is not conformant.
-id = "RUSTSEC-2024-0320"
-ignoreUntil = 2026-10-01 # TODO(burgerdev): revisit yml library ecosystem
-reason = "No alternative currently supports 'yes' strings correctly; genpolicy processes only trusted input."
-

rust-toolchain.toml

@@ -1,3 +1,3 @@
 [toolchain]
 # Keep in sync with versions.yaml
-channel = "1.92"
+channel = "1.91"

src/agent/Cargo.toml

@@ -63,9 +63,9 @@ cgroups = { package = "cgroups-rs", git = "https://github.com/kata-containers/cg
 
 # Tracing
 tracing = "0.1.41"
-tracing-subscriber = "0.3.20"
-tracing-opentelemetry = "0.17.0"
-opentelemetry = { version = "0.17.0", features = ["rt-tokio"] }
+tracing-subscriber = "0.2.18"
+tracing-opentelemetry = "0.13.0"
+opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"] }
 
 # Configuration
 serde = { version = "1.0.129", features = ["derive"] }
@@ -78,6 +78,7 @@ strum_macros = "0.26.2"
 tempfile = "3.19.1"
 which = "4.3.0"
 rstest = "0.18.0"
+async-std = { version = "1.12.0", features = ["attributes"] }
 
 # Local dependencies
 kata-agent-policy = { path = "policy" }
@@ -194,6 +195,7 @@ pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504
 tempfile.workspace = true
 which.workspace = true
 rstest.workspace = true
+async-std.workspace = true
 
 test-utils.workspace = true
 

src/agent/policy/Cargo.toml

@@ -18,8 +18,6 @@ serde_json.workspace = true
 # Agent Policy
 regorus = { version = "0.2.8", default-features = false, features = [
     "arc",
-    "base64",
-    "base64url",
     "regex",
     "std",
 ] }

src/agent/rustjail/src/mount.rs

@@ -857,7 +857,7 @@ fn mount_from(
         dest.as_str(),
         Some(mount_typ.as_str()),
         flags,
-        Some(d.as_str()).filter(|s| !s.is_empty()),
+        Some(d.as_str()),
     )
     .inspect_err(|e| log_child!(cfd_log, "mount error: {:?}", e))?;
 

src/agent/src/mount.rs

@@ -89,7 +89,7 @@ pub fn baremount(
     let destination_str = destination.to_string_lossy();
     if let Ok(m) = get_linux_mount_info(destination_str.deref()) {
         if m.fs_type == fs_type && !flags.contains(MsFlags::MS_REMOUNT) {
-            slog::info!(logger, "{source:?} is already mounted at {destination:?}");
+            slog_info!(logger, "{source:?} is already mounted at {destination:?}");
             return Ok(());
         }
     }

src/agent/src/namespace.rs

@@ -110,10 +110,8 @@ impl Namespace {
 
                 unshare(cf)?;
 
-                if ns_type == NamespaceType::Uts {
-                    if let Some(host) = hostname {
-                        nix::unistd::sethostname(host)?;
-                    }
+                if ns_type == NamespaceType::Uts && hostname.is_some() {
+                    nix::unistd::sethostname(hostname.unwrap())?;
                 }
                 // Bind mount the new namespace from the current thread onto the mount point to persist it.
 

src/agent/src/rpc.rs

@@ -2308,6 +2308,9 @@ fn is_sealed_secret_path(source_path: &str) -> bool {
 }
 
 async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
+    if !confidential_data_hub::is_cdh_client_initialized() {
+        return Ok(());
+    }
     let linux = oci
         .linux()
         .as_ref()
@@ -2317,10 +2320,23 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
         for specdev in devices.iter() {
             if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
                 let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
-                cdh_secure_mount(
-                    "block-device",
-                    &dev_major_minor,
-                    "luks2",
+                let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
+                info!(
+                    sl(),
+                    "trusted_store device major:min {}, enable data integrity {}",
+                    dev_major_minor,
+                    secure_storage_integrity
+                );
+
+                let options = std::collections::HashMap::from([
+                    ("deviceId".to_string(), dev_major_minor),
+                    ("encryptType".to_string(), "LUKS".to_string()),
+                    ("dataIntegrity".to_string(), secure_storage_integrity),
+                ]);
+                confidential_data_hub::secure_mount(
+                    "BlockDevice",
+                    &options,
+                    vec![],
                     KATA_IMAGE_WORK_DIR,
                 )
                 .await?;
@@ -2331,49 +2347,6 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
     Ok(())
 }
 
-pub(crate) async fn cdh_secure_mount(
-    device_type: &str,
-    device_id: &str,
-    encrypt_type: &str,
-    mount_point: &str,
-) -> Result<()> {
-    if !confidential_data_hub::is_cdh_client_initialized() {
-        return Ok(());
-    }
-
-    let integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
-
-    info!(
-        sl(),
-        "cdh_secure_mount: device_type {}, device_id {}, encrypt_type {}, integrity {}",
-        device_type,
-        device_id,
-        encrypt_type,
-        integrity
-    );
-
-    let options = std::collections::HashMap::from([
-        ("deviceId".to_string(), device_id.to_string()),
-        ("sourceType".to_string(), "empty".to_string()),
-        ("targetType".to_string(), "fileSystem".to_string()),
-        ("filesystemType".to_string(), "ext4".to_string()),
-        ("mkfsOpts".to_string(), "-E lazy_journal_init".to_string()),
-        ("encryptionType".to_string(), encrypt_type.to_string()),
-        ("dataIntegrity".to_string(), integrity),
-    ]);
-
-    std::fs::create_dir_all(mount_point).inspect_err(|e| {
-        error!(
-            sl(),
-            "Failed to create mount point directory {}: {:?}", mount_point, e
-        );
-    })?;
-
-    confidential_data_hub::secure_mount(device_type, &options, vec![], mount_point).await?;
-
-    Ok(())
-}
-
 async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> {
     if !confidential_data_hub::is_cdh_client_initialized() {
         return Ok(());

src/agent/src/sandbox.rs

@@ -65,12 +65,6 @@ type UeventWatcher = (Box<dyn UeventMatcher>, oneshot::Sender<Uevent>);
 pub struct StorageState {
     count: Arc<AtomicU32>,
     device: Arc<dyn StorageDevice>,
-
-    /// Whether the storage is shared across multiple containers (e.g.
-    /// block-based emptyDirs). Shared storages should not be cleaned up
-    /// when a container exits; cleanup happens only when the sandbox is
-    /// destroyed.
-    shared: bool,
 }
 
 impl Debug for StorageState {
@@ -80,11 +74,17 @@ impl Debug for StorageState {
 }
 
 impl StorageState {
-    fn new(shared: bool) -> Self {
+    fn new() -> Self {
         StorageState {
             count: Arc::new(AtomicU32::new(1)),
             device: Arc::new(StorageDeviceGeneric::default()),
-            shared,
+        }
+    }
+
+    pub fn from_device(device: Arc<dyn StorageDevice>) -> Self {
+        Self {
+            count: Arc::new(AtomicU32::new(1)),
+            device,
         }
     }
 
@@ -92,10 +92,6 @@ impl StorageState {
         self.device.path()
     }
 
-    pub fn is_shared(&self) -> bool {
-        self.shared
-    }
-
     pub async fn ref_count(&self) -> u32 {
         self.count.load(Ordering::Relaxed)
     }
@@ -175,10 +171,8 @@ impl Sandbox {
 
     /// Add a new storage object or increase reference count of existing one.
     /// The caller may detect new storage object by checking `StorageState.refcount == 1`.
-    /// The `shared` flag indicates if this storage is shared across multiple containers;
-    /// if true, cleanup will be skipped when containers exit.
     #[instrument]
-    pub async fn add_sandbox_storage(&mut self, path: &str, shared: bool) -> StorageState {
+    pub async fn add_sandbox_storage(&mut self, path: &str) -> StorageState {
         match self.storages.entry(path.to_string()) {
             Entry::Occupied(e) => {
                 let state = e.get().clone();
@@ -186,7 +180,7 @@ impl Sandbox {
                 state
             }
             Entry::Vacant(e) => {
-                let state = StorageState::new(shared);
+                let state = StorageState::new();
                 e.insert(state.clone());
                 state
             }
@@ -194,32 +188,22 @@ impl Sandbox {
     }
 
     /// Update the storage device associated with a path.
-    /// Preserves the existing shared flag and reference count.
     pub fn update_sandbox_storage(
         &mut self,
         path: &str,
         device: Arc<dyn StorageDevice>,
     ) -> std::result::Result<Arc<dyn StorageDevice>, Arc<dyn StorageDevice>> {
-        match self.storages.get(path) {
-            None => Err(device),
-            Some(existing) => {
-                let state = StorageState {
-                    device,
-                    ..existing.clone()
-                };
-                // Safe to unwrap() because we have just ensured existence of entry via get().
-                let state = self.storages.insert(path.to_string(), state).unwrap();
-                Ok(state.device)
-            }
+        if !self.storages.contains_key(path) {
+            return Err(device);
         }
+
+        let state = StorageState::from_device(device);
+        // Safe to unwrap() because we have just ensured existence of entry.
+        let state = self.storages.insert(path.to_string(), state).unwrap();
+        Ok(state.device)
     }
 
     /// Decrease reference count and destroy the storage object if reference count reaches zero.
-    ///
-    /// For shared storages (e.g., emptyDir volumes), cleanup is skipped even when refcount
-    /// reaches zero. The storage entry is kept in the map so subsequent containers can reuse
-    /// the already-mounted storage. Actual cleanup happens when the sandbox is destroyed.
-    ///
     /// Returns `Ok(true)` if the reference count has reached zero and the storage object has been
     /// removed.
     #[instrument]
@@ -228,10 +212,6 @@ impl Sandbox {
             None => Err(anyhow!("Sandbox storage with path {} not found", path)),
             Some(state) => {
                 if state.dec_and_test_ref_count().await {
-                    if state.is_shared() {
-                        state.count.store(1, Ordering::Release);
-                        return Ok(false);
-                    }
                     if let Some(storage) = self.storages.remove(path) {
                         storage.device.cleanup()?;
                     }
@@ -740,7 +720,7 @@ mod tests {
         let tmpdir_path = tmpdir.path().to_str().unwrap();
 
         // Add a new sandbox storage
-        let new_storage = s.add_sandbox_storage(tmpdir_path, false).await;
+        let new_storage = s.add_sandbox_storage(tmpdir_path).await;
 
         // Check the reference counter
         let ref_count = new_storage.ref_count().await;
@@ -750,7 +730,7 @@ mod tests {
         );
 
         // Use the existing sandbox storage
-        let new_storage = s.add_sandbox_storage(tmpdir_path, false).await;
+        let new_storage = s.add_sandbox_storage(tmpdir_path).await;
 
         // Since we are using existing storage, the reference counter
         // should be 2 by now.
@@ -791,7 +771,7 @@ mod tests {
 
         assert!(bind_mount(srcdir_path, destdir_path, &logger).is_ok());
 
-        s.add_sandbox_storage(destdir_path, false).await;
+        s.add_sandbox_storage(destdir_path).await;
         let storage = StorageDeviceGeneric::new(destdir_path.to_string());
         assert!(s
             .update_sandbox_storage(destdir_path, Arc::new(storage))
@@ -809,7 +789,7 @@ mod tests {
             let other_dir_path = other_dir.path().to_str().unwrap();
             other_dir_str = other_dir_path.to_string();
 
-            s.add_sandbox_storage(other_dir_path, false).await;
+            s.add_sandbox_storage(other_dir_path).await;
             let storage = StorageDeviceGeneric::new(other_dir_path.to_string());
             assert!(s
                 .update_sandbox_storage(other_dir_path, Arc::new(storage))
@@ -828,9 +808,9 @@ mod tests {
         let storage_path = "/tmp/testEphe";
 
         // Add a new sandbox storage
-        s.add_sandbox_storage(storage_path, false).await;
+        s.add_sandbox_storage(storage_path).await;
         // Use the existing sandbox storage
-        let state = s.add_sandbox_storage(storage_path, false).await;
+        let state = s.add_sandbox_storage(storage_path).await;
         assert!(
             state.ref_count().await > 1,
             "Expects false as the storage is not new."

src/agent/src/storage/block_handler.rs

@@ -6,7 +6,7 @@
 
 use crate::linux_abi::pcipath_from_dev_tree_path;
 use std::fs;
-use std::os::unix::fs::{MetadataExt, PermissionsExt};
+use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::sync::Arc;
 
@@ -17,7 +17,6 @@ use kata_types::device::{
     DRIVER_BLK_MMIO_TYPE, DRIVER_BLK_PCI_TYPE, DRIVER_NVDIMM_TYPE, DRIVER_SCSI_TYPE,
 };
 use kata_types::mount::StorageDevice;
-use nix::sys::stat::{major, minor};
 use protocols::agent::Storage;
 use tracing::instrument;
 
@@ -30,45 +29,10 @@ use crate::device::block_device_handler::{
 };
 use crate::device::nvdimm_device_handler::wait_for_pmem_device;
 use crate::device::scsi_device_handler::get_scsi_device_name;
-use crate::storage::{
-    common_storage_handler, new_device, set_ownership, StorageContext, StorageHandler,
-};
-use slog::Logger;
+use crate::storage::{common_storage_handler, new_device, StorageContext, StorageHandler};
 #[cfg(target_arch = "s390x")]
 use std::str::FromStr;
 
-fn get_device_number(dev_path: &str, metadata: Option<&fs::Metadata>) -> Result<String> {
-    let dev_id = match metadata {
-        Some(m) => m.rdev(),
-        None => {
-            let m =
-                fs::metadata(dev_path).context(format!("get metadata on file {:?}", dev_path))?;
-            m.rdev()
-        }
-    };
-    Ok(format!("{}:{}", major(dev_id), minor(dev_id)))
-}
-
-async fn handle_block_storage(
-    logger: &Logger,
-    storage: &Storage,
-    dev_num: &str,
-) -> Result<Arc<dyn StorageDevice>> {
-    let has_ephemeral_encryption = storage
-        .driver_options
-        .contains(&"encryption_key=ephemeral".to_string());
-
-    if has_ephemeral_encryption {
-        crate::rpc::cdh_secure_mount("block-device", dev_num, "luks2", &storage.mount_point)
-            .await?;
-        set_ownership(logger, storage)?;
-        new_device(storage.mount_point.clone())
-    } else {
-        let path = common_storage_handler(logger, storage)?;
-        new_device(path)
-    }
-}
-
 #[derive(Debug)]
 pub struct VirtioBlkMmioHandler {}
 
@@ -111,8 +75,6 @@ impl StorageHandler for VirtioBlkPciHandler {
         mut storage: Storage,
         ctx: &mut StorageContext,
     ) -> Result<Arc<dyn StorageDevice>> {
-        let dev_num: String;
-
         // If hot-plugged, get the device node path based on the PCI path
         // otherwise use the virt path provided in Storage Source
         if storage.source.starts_with("/dev") {
@@ -122,16 +84,15 @@ impl StorageHandler for VirtioBlkPciHandler {
             if mode & libc::S_IFBLK == 0 {
                 return Err(anyhow!("Invalid device {}", &storage.source));
             }
-            dev_num = get_device_number(&storage.source, Some(&metadata))?;
         } else {
             let (root_complex, pcipath) = pcipath_from_dev_tree_path(&storage.source)?;
             let dev_path =
                 get_virtio_blk_pci_device_name(ctx.sandbox, root_complex, &pcipath).await?;
             storage.source = dev_path;
-            dev_num = get_device_number(&storage.source, None)?;
         }
 
-        handle_block_storage(ctx.logger, &storage, &dev_num).await
+        let path = common_storage_handler(ctx.logger, &storage)?;
+        new_device(path)
     }
 }
 
@@ -190,10 +151,10 @@ impl StorageHandler for ScsiHandler {
     ) -> Result<Arc<dyn StorageDevice>> {
         // Retrieve the device path from SCSI address.
         let dev_path = get_scsi_device_name(ctx.sandbox, &storage.source).await?;
-        storage.source = dev_path.clone();
+        storage.source = dev_path;
 
-        let dev_num = get_device_number(&dev_path, None)?;
-        handle_block_storage(ctx.logger, &storage, &dev_num).await
+        let path = common_storage_handler(ctx.logger, &storage)?;
+        new_device(path)
     }
 }
 

src/agent/src/storage/mod.rs

@@ -172,11 +172,7 @@ pub async fn add_storages(
 
     for storage in storages {
         let path = storage.mount_point.clone();
-        let state = sandbox
-            .lock()
-            .await
-            .add_sandbox_storage(&path, storage.shared)
-            .await;
+        let state = sandbox.lock().await.add_sandbox_storage(&path).await;
         if state.ref_count().await > 1 {
             if let Some(path) = state.path() {
                 if !path.is_empty() {

src/agent/src/tracer.rs

@@ -5,8 +5,7 @@
 
 use anyhow::Result;
 use opentelemetry::sdk::propagation::TraceContextPropagator;
-use opentelemetry::trace::TracerProvider;
-use opentelemetry::{global, sdk::trace::Config};
+use opentelemetry::{global, sdk::trace::Config, trace::TracerProvider};
 use slog::{info, o, Logger};
 use std::collections::HashMap;
 use tracing_opentelemetry::OpenTelemetryLayer;
@@ -24,12 +23,15 @@ pub fn setup_tracing(name: &'static str, logger: &Logger) -> Result<()> {
     let config = Config::default();
 
     let builder = opentelemetry::sdk::trace::TracerProvider::builder()
-        .with_batch_exporter(exporter, opentelemetry::runtime::Tokio)
+        .with_batch_exporter(exporter, opentelemetry::runtime::TokioCurrentThread)
         .with_config(config);
 
     let provider = builder.build();
 
-    let tracer = provider.tracer(name);
+    // We don't need a versioned tracer.
+    let version = None;
+
+    let tracer = provider.get_tracer(name, version);
 
     let _global_provider = global::set_tracer_provider(provider);
 

src/agent/vsock-exporter/Cargo.toml

@@ -10,7 +10,7 @@ libc.workspace = true
 thiserror.workspace = true
 opentelemetry = { workspace = true, features = ["serialize"] }
 tokio-vsock.workspace = true
-serde_json = "1.0"
+bincode = "1.3.3"
 byteorder = "1.4.3"
 slog = { workspace = true, features = [
     "dynamic-keys",

src/agent/vsock-exporter/src/lib.rs

@@ -58,7 +58,7 @@ pub enum Error {
     #[error("connection error: {0}")]
     ConnectionError(String),
     #[error("serialisation error: {0}")]
-    SerialisationError(#[from] serde_json::Error),
+    SerialisationError(#[from] bincode::Error),
     #[error("I/O error: {0}")]
     IOError(#[from] std::io::Error),
 }
@@ -81,7 +81,8 @@ async fn write_span(
     let mut writer = writer.lock().await;
 
     let encoded_payload: Vec<u8> =
-        serde_json::to_vec(span).map_err(|e| make_io_error(e.to_string()))?;
+        bincode::serialize(&span).map_err(|e| make_io_error(e.to_string()))?;
+
     let payload_len: u64 = encoded_payload.len() as u64;
 
     let mut payload_len_as_bytes: [u8; HEADER_SIZE_BYTES as usize] =

src/dragonball/Cargo.toml

@@ -48,6 +48,7 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
+fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }
 
@@ -85,6 +86,3 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(feature, values("test-mock"))',
 ] }
-
-[package.metadata.cargo-machete]
-ignored = ["vfio-bindings"]

src/dragonball/dbs_boot/README.md

@@ -10,10 +10,10 @@ This repository contains the following submodules:
 | Name | Arch| Description |
 | --- | --- | --- |
 | [`bootparam`](src/x86_64/bootparam.rs) | x86_64 | Magic addresses externally used to lay out x86_64 VMs |
-| [`fdt`](src/aarch64/fdt.rs) | aarch64| Create FDT for Aarch64 systems |
-| [`layout`](src/x86_64/layout.rs) | x86_64 | x86_64 layout constants |
-| [`layout`](src/aarch64/layout.rs/) | aarch64 | aarch64 layout constants |
-| [`mptable`](src/x86_64/mptable.rs) | x86_64 | MP Table configurations used for defining VM boot status |
+| [fdt](src/aarch64/fdt.rs) | aarch64| Create FDT for Aarch64 systems |
+| [layout](src/x86_64/layout.rs) | x86_64 | x86_64 layout constants |
+| [layout](src/aarch64/layout.rs/) | aarch64 | aarch64 layout constants |
+| [mptable](src/x86_64/mptable.rs) | x86_64 | MP Table configurations used for defining VM boot status |
 
 ## Acknowledgement
 

src/dragonball/dbs_legacy_devices/src/serial.rs

@@ -242,7 +242,7 @@ mod tests {
 
         let metrics = Arc::new(SerialDeviceMetrics::default());
 
-        let out: Arc<Mutex<Option<Box<dyn std::io::Write + Send + 'static>>>> =
+        let out: Arc<Mutex<Option<Box<(dyn std::io::Write + Send + 'static)>>>> =
             Arc::new(Mutex::new(Some(Box::new(std::io::sink()))));
         let mut serial = SerialDevice {
             serial: Serial::with_events(

src/dragonball/dbs_pci/Cargo.toml

@@ -23,22 +23,24 @@ dbs-interrupt = { workspace = true, features = [
     "kvm-legacy-irq",
     "kvm-msi-irq",
 ] }
+downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"
 
-vm-memory = { workspace = true }
-kvm-ioctls = { workspace = true }
-kvm-bindings = { workspace = true }
-vfio-ioctls = { workspace = true }
-vfio-bindings = { workspace = true }
+vm-memory = {workspace = true}
+kvm-ioctls = {workspace = true}
+kvm-bindings = {workspace = true}
+vfio-ioctls = {workspace = true}
+vfio-bindings = {workspace = true}
 libc = "0.2.39"
-virtio-queue = { workspace = true }
-dbs-utils = { workspace = true }
+vmm-sys-util = {workspace = true}
+virtio-queue = {workspace = true}
+dbs-utils = {workspace = true}
 
 
 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-ioctls = {workspace = true}
 test-utils = { workspace = true }
 nix = { workspace = true }
 

src/dragonball/dbs_pci/src/virtio_pci.rs

@@ -1174,6 +1174,7 @@ pub(crate) mod tests {
     use dbs_virtio_devices::Result as VirtIoResult;
     use dbs_virtio_devices::{
         ActivateResult, VirtioDeviceConfig, VirtioDeviceInfo, VirtioSharedMemory,
+        DEVICE_ACKNOWLEDGE, DEVICE_DRIVER, DEVICE_DRIVER_OK, DEVICE_FEATURES_OK, DEVICE_INIT,
     };
 
     use dbs_address_space::{AddressSpaceLayout, AddressSpaceRegion, AddressSpaceRegionType};

src/dragonball/dbs_tdx/README.md

@@ -3,7 +3,7 @@
 This crate is a collection of modules that provides helpers and utilities to create a TDX Dragonball VM.
 
 Currently this crate involves:
-- `tdx-ioctls`
+- tdx-ioctls
 
 ## Acknowledgement
 

src/dragonball/dbs_upcall/Cargo.toml

@@ -11,6 +11,7 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"
 
 [dependencies]
+anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"

src/dragonball/dbs_utils/src/epoll_manager.rs

@@ -99,61 +99,76 @@ impl Default for EpollManager {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use std::os::fd::AsRawFd;
-    use std::sync::mpsc::channel;
-    use std::time::Duration;
+    use std::os::unix::io::AsRawFd;
     use vmm_sys_util::{epoll::EventSet, eventfd::EventFd};
 
     struct DummySubscriber {
-        pub event: Arc<EventFd>,
-        pub notify: std::sync::mpsc::Sender<()>,
+        pub event: EventFd,
     }
 
     impl DummySubscriber {
-        fn new(event: Arc<EventFd>, notify: std::sync::mpsc::Sender<()>) -> Self {
-            Self { event, notify }
+        fn new() -> Self {
+            Self {
+                event: EventFd::new(0).unwrap(),
+            }
         }
     }
 
     impl MutEventSubscriber for DummySubscriber {
-        fn init(&mut self, ops: &mut EventOps) {
-            ops.add(Events::new(self.event.as_ref(), EventSet::IN))
-                .unwrap();
-        }
-
         fn process(&mut self, events: Events, _ops: &mut EventOps) {
-            if events.fd() == self.event.as_raw_fd() && events.event_set().contains(EventSet::IN) {
-                let _ = self.event.read();
-                let _ = self.notify.send(());
+            let source = events.fd();
+            let event_set = events.event_set();
+            assert_ne!(source, self.event.as_raw_fd());
+            match event_set {
+                EventSet::IN => {
+                    unreachable!()
+                }
+                EventSet::OUT => {
+                    self.event.read().unwrap();
+                }
+                _ => {
+                    unreachable!()
+                }
             }
         }
+
+        fn init(&mut self, _ops: &mut EventOps) {}
     }
 
     #[test]
     fn test_epoll_manager() {
-        let epoll_manager = EpollManager::default();
-        let (stop_tx, stop_rx) = channel::<()>();
-        let worker_mgr = epoll_manager.clone();
-        let worker = std::thread::spawn(move || {
-            while stop_rx.try_recv().is_err() {
-                let _ = worker_mgr.handle_events(50);
+        let mut epoll_manager = EpollManager::default();
+        let epoll_manager_clone = epoll_manager.clone();
+        let thread = std::thread::spawn(move || loop {
+            let count = epoll_manager_clone.handle_events(-1).unwrap();
+            if count == 0 {
+                continue;
             }
+            assert_eq!(count, 1);
+            break;
         });
-
-        let (notify_tx, notify_rx) = channel::<()>();
-
-        let event = Arc::new(EventFd::new(0).unwrap());
-        let handler = DummySubscriber::new(event.clone(), notify_tx);
+        let handler = DummySubscriber::new();
+        let event = handler.event.try_clone().unwrap();
         let id = epoll_manager.add_subscriber(Box::new(handler));
 
+        thread.join().unwrap();
+
+        epoll_manager
+            .add_event(id, Events::new(&event, EventSet::OUT))
+            .unwrap();
         event.write(1).unwrap();
 
-        notify_rx
-            .recv_timeout(Duration::from_secs(2))
-            .expect("timeout waiting for subscriber to be processed");
+        let epoll_manager_clone = epoll_manager.clone();
+        let thread = std::thread::spawn(move || loop {
+            let count = epoll_manager_clone.handle_events(-1).unwrap();
+            if count == 0 {
+                continue;
+            }
+            assert_eq!(count, 2);
+            break;
+        });
 
-        epoll_manager.clone().remove_subscriber(id).unwrap();
-        let _ = stop_tx.send(());
-        worker.join().unwrap();
+        thread.join().unwrap();
+        epoll_manager.remove_subscriber(id).unwrap();
     }
 }

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true}
+kvm-ioctls = {workspace = true}
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,16 +37,19 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = { workspace = true }
-virtio-queue = { workspace = true }
-vmm-sys-util = { workspace = true }
+virtio-bindings = {workspace = true}
+virtio-queue = {workspace = true}
+vmm-sys-util = {workspace = true}
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"
 
 [dev-dependencies]
-vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
+vm-memory = { workspace = true, features = [
+    "backend-mmap",
+    "backend-atomic",
+] }
 test-utils = { workspace = true }
 
 [features]

src/dragonball/dbs_virtio_devices/src/fs/device.rs

@@ -5,7 +5,6 @@
 use std::any::Any;
 use std::collections::HashMap;
 use std::ffi::CString;
-use std::fs;
 use std::fs::File;
 use std::io::{BufRead, BufReader, Read};
 use std::marker::PhantomData;
@@ -454,17 +453,6 @@ impl<AS: GuestAddressSpace> VirtioFs<AS> {
         prefetch_list_path: Option<String>,
     ) -> FsResult<()> {
         debug!("http_server rafs");
-        let currentnetns = fs::read_link("/proc/self/ns/net").unwrap_or_default();
-        info!("========fupan====1==netns={:?}", currentnetns);
-
-        let tid = unsafe { libc::syscall(libc::SYS_gettid) as i32 };
-
-        let netnspath = format!("/proc/{}/ns/net", tid);
-        let netns = fs::read_link(netnspath.as_str()).unwrap_or_default();
-        info!("========fupan====2==netns={:?}", netns);
-
-        info!("========fupan====3==config={:?}", config);
-
         let file = Path::new(&source);
         let (mut rafs, rafs_cfg) = match config.as_ref() {
             Some(cfg) => {

src/dragonball/dbs_virtio_devices/src/lib.rs

@@ -439,19 +439,19 @@ pub mod tests {
             VirtqDesc { desc }
         }
 
-        pub fn addr(&self) -> VolatileRef<'_, u64> {
+        pub fn addr(&self) -> VolatileRef<u64> {
             self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
         }
 
-        pub fn len(&self) -> VolatileRef<'_, u32> {
+        pub fn len(&self) -> VolatileRef<u32> {
             self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
         }
 
-        pub fn next(&self) -> VolatileRef<'_, u16> {
+        pub fn next(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
         }
 
@@ -513,11 +513,11 @@ pub mod tests {
             self.start.unchecked_add(self.ring.len() as GuestUsize)
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.ring.get_ref(0).unwrap()
         }
 
-        pub fn idx(&self) -> VolatileRef<'_, u16> {
+        pub fn idx(&self) -> VolatileRef<u16> {
             self.ring.get_ref(2).unwrap()
         }
 
@@ -525,12 +525,12 @@ pub mod tests {
             4 + mem::size_of::<T>() * (i as usize)
         }
 
-        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<T> {
             assert!(i < self.qsize);
             self.ring.get_ref(Self::ring_offset(i)).unwrap()
         }
 
-        pub fn event(&self) -> VolatileRef<'_, u16> {
+        pub fn event(&self) -> VolatileRef<u16> {
             self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
         }
 
@@ -602,7 +602,7 @@ pub mod tests {
             (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
         }
 
-        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
+        pub fn dtable(&self, i: u16) -> VirtqDesc {
             VirtqDesc::new(&self.dtable, i)
         }
 

src/dragonball/dbs_virtio_devices/src/vhost/vhost_kern/net.rs

@@ -690,15 +690,6 @@ mod tests {
     use crate::tests::{create_address_space, create_vm_and_irq_manager};
     use crate::{create_queue_notifier, VirtioQueueConfig};
 
-    fn unique_tap_name(prefix: &str) -> String {
-        use std::sync::atomic::{AtomicUsize, Ordering};
-        static CNT: AtomicUsize = AtomicUsize::new(0);
-        let n = CNT.fetch_add(1, Ordering::Relaxed);
-
-        // "vtap" + pid(<=5) + n(<=3) => max len <= 15
-        format!("{}{:x}{:x}", prefix, std::process::id() & 0xfff, n & 0xfff)
-    }
-
     fn create_vhost_kern_net_epoll_handler(
         id: String,
     ) -> NetEpollHandler<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> {
@@ -732,16 +723,13 @@ mod tests {
         let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
         let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
-        let tap_name = unique_tap_name("vtap");
-        let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap>> =
-            Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
-        let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = match dev_result {
-            Ok(d) => d,
-            Err(e) => {
-                eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
-                return;
-            }
-        };
+        let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = Net::new(
+            String::from("test_vhosttap"),
+            Some(&guest_mac),
+            queue_sizes,
+            epoll_mgr,
+        )
+        .unwrap();
 
         assert_eq!(dev.device_type(), TYPE_NET);
 
@@ -777,16 +765,14 @@ mod tests {
         {
             let queue_sizes = Arc::new(vec![128]);
             let epoll_mgr = EpollManager::default();
-            let tap_name = unique_tap_name("vtap");
-            let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap>> =
-                Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
-            let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = match dev_result {
-                Ok(d) => d,
-                Err(e) => {
-                    eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
-                    return;
-                }
-            };
+            let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = Net::new(
+                String::from("test_vhosttap"),
+                Some(&guest_mac),
+                queue_sizes,
+                epoll_mgr,
+            )
+            .unwrap();
+
             let queues = vec![
                 VirtioQueueConfig::create(128, 0).unwrap(),
                 VirtioQueueConfig::create(128, 0).unwrap(),
@@ -823,17 +809,13 @@ mod tests {
             let queue_eventfd2 = Arc::new(EventFd::new(0).unwrap());
             let queue_sizes = Arc::new(vec![128, 128]);
             let epoll_mgr = EpollManager::default();
-
-            let tap_name = unique_tap_name("vtap");
-            let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap>> =
-                Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
-            let mut dev: Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap> = match dev_result {
-                Ok(d) => d,
-                Err(e) => {
-                    eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
-                    return;
-                }
-            };
+            let mut dev: Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap> = Net::new(
+                String::from("test_vhosttap"),
+                Some(&guest_mac),
+                queue_sizes,
+                epoll_mgr,
+            )
+            .unwrap();
 
             let queues = vec![
                 VirtioQueueConfig::new(queue, queue_eventfd, notifier.clone(), 1),

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -865,11 +865,11 @@ mod tests {
             0
         );
         let config: [u8; 8] = [0; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
             &mut dev, 0, &config,
         );
         let mut data: [u8; 8] = [1; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
             &mut dev, 0, &mut data,
         );
         assert_eq!(config, data);

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/net.rs

@@ -590,7 +590,6 @@ where
 mod tests {
     use std::sync::Arc;
     use std::thread;
-    use std::time::{Duration, Instant};
 
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::{InterruptManager, InterruptSourceType, MsiNotifier, NoopNotifier};
@@ -610,16 +609,19 @@ mod tests {
     };
     use crate::{VirtioDevice, VirtioDeviceConfig, VirtioQueueConfig, TYPE_NET};
 
-    fn connect_slave(path: &str, timeout: Duration) -> Option<Endpoint<MasterReq>> {
-        let deadline = Instant::now() + timeout;
+    fn connect_slave(path: &str) -> Option<Endpoint<MasterReq>> {
+        let mut retry_count = 5;
         loop {
             match Endpoint::<MasterReq>::connect(path) {
-                Ok(ep) => return Some(ep),
+                Ok(endpoint) => return Some(endpoint),
                 Err(_) => {
-                    if Instant::now() >= deadline {
+                    if retry_count > 0 {
+                        std::thread::sleep(std::time::Duration::from_millis(100));
+                        retry_count -= 1;
+                        continue;
+                    } else {
                         return None;
                     }
-                    thread::sleep(Duration::from_millis(20));
                 }
             }
         }
@@ -637,88 +639,62 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_virtio_device_normal() {
-        let dir_path = std::path::Path::new("/tmp");
-        let socket_path = dir_path.join(format!(
-            "vhost-user-net-{}-{:?}.sock",
-            std::process::id(),
-            thread::current().id()
-        ));
-        let socket_str = socket_path.to_str().unwrap().to_string();
-
-        let _ = std::fs::remove_file(&socket_path);
-
-        let queue_sizes = Arc::new(vec![128u16]);
+        let device_socket = concat!("vhost.", line!());
+        let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
-
-        let socket_for_slave = socket_str.clone();
-        let slave_th = thread::spawn(move || {
-            let mut slave = connect_slave(&socket_for_slave, Duration::from_secs(5))
-                .unwrap_or_else(|| panic!("slave connect timeout: {}", socket_for_slave));
+        let handler = thread::spawn(move || {
+            let mut slave = connect_slave(device_socket).unwrap();
             create_vhost_user_net_slave(&mut slave);
         });
-
-        let (tx, rx) = std::sync::mpsc::channel();
-        let socket_for_master = socket_str.clone();
-        let queue_sizes_for_master = queue_sizes.clone();
-        let epoll_mgr_for_master = epoll_mgr.clone();
-        thread::spawn(move || {
-            let res = VhostUserNet::<Arc<GuestMemoryMmap>>::new_server(
-                &socket_for_master,
-                None,
-                queue_sizes_for_master,
-                epoll_mgr_for_master,
-            );
-            let _ = tx.send(res);
-        });
-
-        let dev_res = rx
-            .recv_timeout(Duration::from_secs(5))
-            .unwrap_or_else(|_| panic!("new_server() stuck/timeout: {}", socket_str));
-
-        let dev: VhostUserNet<Arc<GuestMemoryMmap>> = dev_res.unwrap_or_else(|e| {
-            panic!(
-                "new_server() returned error: {:?}, socket={}",
-                e, socket_str
-            )
-        });
-
+        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> =
+            VhostUserNet::new_server(device_socket, None, queue_sizes, epoll_mgr).unwrap();
         assert_eq!(
             VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::device_type(&dev),
             TYPE_NET
         );
-
-        let queue_size = [128u16];
+        let queue_size = [128];
         assert_eq!(
             VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::queue_max_sizes(
                 &dev
             ),
             &queue_size[..]
         );
-
-        slave_th.join().unwrap();
-
-        let _ = std::fs::remove_file(&socket_path);
-        drop(dev);
+        assert_eq!(
+            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 0),
+            dev.device().device_info.get_avail_features(0)
+        );
+        assert_eq!(
+            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 1),
+            dev.device().device_info.get_avail_features(1)
+        );
+        assert_eq!(
+            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 2),
+            dev.device().device_info.get_avail_features(2)
+        );
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::set_acked_features(
+            &mut dev, 2, 0,
+        );
+        assert_eq!(VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 2), 0);
+        let config: [u8; 8] = [0; 8];
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+            &mut dev, 0, &config,
+        );
+        let mut data: [u8; 8] = [1; 8];
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+            &mut dev, 0, &mut data,
+        );
+        assert_eq!(config, data);
+        handler.join().unwrap();
     }
 
     #[test]
     fn test_vhost_user_net_virtio_device_activate() {
         skip_if_kvm_unaccessable!();
-        let dir_path = std::path::Path::new("/tmp");
-        let socket_path = dir_path.join(format!(
-            "vhost-user-net-{}-{:?}.sock",
-            std::process::id(),
-            thread::current().id()
-        ));
-        let socket_str = socket_path.to_str().unwrap().to_string();
-        let _ = std::fs::remove_file(&socket_path);
-
-        let queue_sizes = Arc::new(vec![128u16]);
+        let device_socket = concat!("vhost.", line!());
+        let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
-        let socket_for_slave = socket_str.clone();
-        let slave_th = thread::spawn(move || {
-            let mut slave = connect_slave(&socket_for_slave, Duration::from_secs(10))
-                .unwrap_or_else(|| panic!("slave connect timeout: {}", socket_for_slave));
+        let handler = thread::spawn(move || {
+            let mut slave = connect_slave(device_socket).unwrap();
             create_vhost_user_net_slave(&mut slave);
             let mut pfeatures = VhostUserProtocolFeatures::all();
             // A workaround for no support for `INFLIGHT_SHMFD`. File an issue to track
@@ -726,30 +702,8 @@ mod tests {
             pfeatures -= VhostUserProtocolFeatures::INFLIGHT_SHMFD;
             negotiate_slave(&mut slave, pfeatures, true, 1);
         });
-
-        let (tx, rx) = std::sync::mpsc::channel();
-        let socket_for_master = socket_str.clone();
-        let queue_sizes_for_master = queue_sizes.clone();
-        let epoll_mgr_for_master = epoll_mgr.clone();
-        thread::spawn(move || {
-            let res = VhostUserNet::<Arc<GuestMemoryMmap>>::new_server(
-                &socket_for_master,
-                None,
-                queue_sizes_for_master,
-                epoll_mgr_for_master,
-            );
-            let _ = tx.send(res);
-        });
-        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> = rx
-            .recv_timeout(Duration::from_secs(10))
-            .unwrap_or_else(|_| panic!("new_server() stuck/timeout: {}", socket_str))
-            .unwrap_or_else(|e| {
-                panic!(
-                    "new_server() returned error: {:?}, socket={}",
-                    e, socket_str
-                )
-            });
-
+        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> =
+            VhostUserNet::new_server(device_socket, None, queue_sizes, epoll_mgr).unwrap();
         // invalid queue size
         {
             let kvm = Kvm::new().unwrap();
@@ -806,9 +760,6 @@ mod tests {
                 );
             dev.activate(config).unwrap();
         }
-        slave_th.join().unwrap();
-
-        let _ = std::fs::remove_file(&socket_path);
-        drop(dev);
+        handler.join().unwrap();
     }
 }

src/dragonball/dbs_virtio_devices/src/vsock/backend/inner.rs

@@ -867,96 +867,56 @@ mod tests {
             .set_read_timeout(Some(Duration::from_millis(150)))
             .is_ok());
 
-        // stage:
-        // 0 = handler started
-        // 1 = first read timed out (main can do first write now)
-        // 2 = timeout cancelled, handler is about to do 3rd blocking read
-        let stage = Arc::new((Mutex::new(0u32), Condvar::new()));
-        let stage2 = Arc::clone(&stage);
-
-        let handler = thread::spawn(move || {
-            // notify started
-            {
-                let (lock, cvar) = &*stage2;
-                let mut s = lock.lock().unwrap();
-                *s = 0;
+        let cond_pair = Arc::new((Mutex::new(false), Condvar::new()));
+        let cond_pair_2 = Arc::clone(&cond_pair);
+        let handler = thread::Builder::new()
+            .spawn(move || {
+                // notify handler thread start
+                let (lock, cvar) = &*cond_pair_2;
+                let mut started = lock.lock().unwrap();
+                *started = true;
                 cvar.notify_one();
-            }
+                drop(started);
 
-            let mut reader_buf = [0u8; 5];
+                let start_time1 = Instant::now();
+                let mut reader_buf = [0; 5];
+                // first read would timed out
+                assert_eq!(
+                    outer_stream.read_exact(&mut reader_buf).unwrap_err().kind(),
+                    ErrorKind::TimedOut
+                );
+                let end_time1 = Instant::now().duration_since(start_time1).as_millis();
+                assert!((150..250).contains(&end_time1));
 
-            // 1) first read should timed out
-            let start_time1 = Instant::now();
-            assert_eq!(
-                outer_stream.read_exact(&mut reader_buf).unwrap_err().kind(),
-                ErrorKind::TimedOut
-            );
-            let end_time1 = start_time1.elapsed().as_millis();
-            assert!((150..300).contains(&end_time1));
+                // second read would ok
+                assert!(outer_stream.read_exact(&mut reader_buf).is_ok());
+                assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
 
-            outer_stream
-                .set_read_timeout(Some(Duration::from_secs(10)))
-                .unwrap();
+                // cancel the read timeout
+                let start_time2 = Instant::now();
+                outer_stream.set_read_timeout(None).unwrap();
+                assert!(outer_stream.read_exact(&mut reader_buf).is_ok());
+                let end_time2 = Instant::now().duration_since(start_time2).as_millis();
+                assert!(end_time2 >= 500);
+            })
+            .unwrap();
 
-            // notify main: timeout observed, now do first write
-            {
-                let (lock, cvar) = &*stage2;
-                let mut s = lock.lock().unwrap();
-                *s = 1;
-                cvar.notify_one();
-            }
-
-            // 2) second read should ok (main will write after stage==1)
-            outer_stream.read_exact(&mut reader_buf).unwrap();
-            assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
-
-            // 3) cancel timeout, then do a blocking read; notify main before blocking
-            outer_stream.set_read_timeout(None).unwrap();
-            {
-                let (lock, cvar) = &*stage2;
-                let mut s = lock.lock().unwrap();
-                *s = 2;
-                cvar.notify_one();
-            }
-
-            let start_time2 = Instant::now();
-            outer_stream.read_exact(&mut reader_buf).unwrap();
-            let end_time2 = start_time2.elapsed().as_millis();
-            assert!(end_time2 >= 500);
-            assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
-        });
-
-        // wait handler started (stage==0)
-        {
-            let (lock, cvar) = &*stage;
-            let mut s = lock.lock().unwrap();
-            while *s != 0 {
-                s = cvar.wait(s).unwrap();
-            }
+        // wait handler thread started
+        let (lock, cvar) = &*cond_pair;
+        let mut started = lock.lock().unwrap();
+        while !*started {
+            started = cvar.wait(started).unwrap();
         }
 
-        // wait first timeout done (stage==1), then do first write
-        {
-            let (lock, cvar) = &*stage;
-            let mut s = lock.lock().unwrap();
-            while *s < 1 {
-                s = cvar.wait(s).unwrap();
-            }
-        }
-        inner_stream.write_all(&[1, 2, 3, 4, 5]).unwrap();
-
-        // wait handler cancelled timeout and is about to block-read (stage==2)
-        {
-            let (lock, cvar) = &*stage;
-            let mut s = lock.lock().unwrap();
-            while *s < 2 {
-                s = cvar.wait(s).unwrap();
-            }
-        }
+        // sleep 300ms, test timeout
+        thread::sleep(Duration::from_millis(300));
+        let writer_buf = [1, 2, 3, 4, 5];
+        inner_stream.write_all(&writer_buf).unwrap();
 
         // sleep 500ms again, test cancel timeout
         thread::sleep(Duration::from_millis(500));
-        inner_stream.write_all(&[1, 2, 3, 4, 5]).unwrap();
+        let writer_buf = [1, 2, 3, 4, 5];
+        inner_stream.write_all(&writer_buf).unwrap();
 
         handler.join().unwrap();
     }

src/dragonball/dbs_virtio_devices/src/vsock/mod.rs

@@ -339,7 +339,7 @@ mod tests {
             }
         }
 
-        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext {
             const QSIZE: u16 = 256;
 
             let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);

src/dragonball/src/signal_handler.rs

@@ -120,7 +120,7 @@ mod tests {
 
     use libc::{cpu_set_t, syscall};
     use std::convert::TryInto;
-    use std::{mem, thread};
+    use std::{mem, process, thread};
 
     use seccompiler::{apply_filter, BpfProgram, SeccompAction, SeccompFilter};
 
@@ -157,16 +157,6 @@ mod tests {
         let child = thread::spawn(move || {
             assert!(register_signal_handlers().is_ok());
 
-            // Trigger SIGBUS/SIGSEGV *before* installing the seccomp filter.
-            // Call SIGBUS signal handler.
-            assert_eq!(METRICS.read().unwrap().signals.sigbus.count(), 0);
-            unsafe { libc::raise(SIGBUS) };
-
-            // Call SIGSEGV signal handler.
-            assert_eq!(METRICS.read().unwrap().signals.sigsegv.count(), 0);
-            unsafe { libc::raise(SIGSEGV) };
-
-            // Install a seccomp filter that traps a known syscall so that we can verify SIGSYS handling.
             let filter = SeccompFilter::new(
                 vec![(libc::SYS_mkdirat, vec![])].into_iter().collect(),
                 SeccompAction::Allow,
@@ -178,8 +168,20 @@ mod tests {
             assert!(apply_filter(&TryInto::<BpfProgram>::try_into(filter).unwrap()).is_ok());
             assert_eq!(METRICS.read().unwrap().seccomp.num_faults.count(), 0);
 
-            // Invoke the blacklisted syscall to trigger SIGSYS and exercise the SIGSYS handler.
+            // Call the blacklisted `SYS_mkdirat`.
             unsafe { syscall(libc::SYS_mkdirat, "/foo/bar\0") };
+
+            // Call SIGBUS signal handler.
+            assert_eq!(METRICS.read().unwrap().signals.sigbus.count(), 0);
+            unsafe {
+                syscall(libc::SYS_kill, process::id(), SIGBUS);
+            }
+
+            // Call SIGSEGV signal handler.
+            assert_eq!(METRICS.read().unwrap().signals.sigsegv.count(), 0);
+            unsafe {
+                syscall(libc::SYS_kill, process::id(), SIGSEGV);
+            }
         });
         assert!(child.join().is_ok());
 

src/libs/kata-sys-util/Cargo.toml

@@ -13,10 +13,13 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
+chrono = "0.4.0"
+common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
+once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -31,7 +34,10 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
+safe-path = { path = "../safe-path" }
 
 [dev-dependencies]
+num_cpus = "1.13.1"
+serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/Cargo.toml

@@ -29,14 +29,12 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-nix = "0.26.4"
+hex = "0.4"
+
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 
 safe-path = { path = "../safe-path", optional = true }
 
-[target.'cfg(target_os = "macos")'.dependencies]
-sysctl = "0.7.1"
-
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/src/config/hypervisor/ch.rs

@@ -13,7 +13,6 @@ use super::{default, register_hypervisor_plugin};
 use crate::config::default::MAX_CH_VCPUS;
 use crate::config::default::MIN_CH_MEMORY_SIZE_MB;
 
-use crate::config::hypervisor::VIRTIO_BLK_MMIO;
 use crate::config::{ConfigPlugin, TomlConfig};
 use crate::{resolve_path, validate_path};
 
@@ -105,16 +104,6 @@ impl ConfigPlugin for CloudHypervisorConfig {
                 ));
             }
 
-            // CoCo guest hardening: virtio-mmio is not hardened for confidential computing.
-            if ch.security_info.confidential_guest
-                && ch.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
-            {
-                return Err(std::io::Error::other(
-                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
-                     virtio-mmio is not hardened for CoCo",
-                ));
-            }
-
             if ch.boot_info.kernel.is_empty() {
                 return Err(std::io::Error::other("Guest kernel image for CH is empty"));
             }

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -26,6 +26,7 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
+use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -33,6 +34,7 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
+use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 
 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1005,57 +1007,6 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
     60
 }
 
-/// Get host memory size in MiB.
-/// Retrieves the total physical memory of the host across different platforms.
-fn host_memory_mib() -> io::Result<u64> {
-    // Select a platform-specific implementation via a function pointer.
-    let get_memory: fn() -> io::Result<u64> = {
-        #[cfg(target_os = "linux")]
-        {
-            || {
-                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
-                Ok(info.ram_total() / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(target_os = "macos")]
-        {
-            || {
-                use sysctl::{Ctl, CtlValue, Sysctl};
-
-                let v = Ctl::new("hw.memsize")
-                    .map_err(io::Error::other)?
-                    .value()
-                    .map_err(io::Error::other)?;
-
-                let bytes = match v {
-                    CtlValue::S64(x) if x >= 0 => x as u64,
-                    other => {
-                        return Err(io::Error::new(
-                            io::ErrorKind::InvalidData,
-                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
-                        ));
-                    }
-                };
-
-                Ok(bytes / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
-        {
-            || {
-                Err(io::Error::new(
-                    io::ErrorKind::Unsupported,
-                    "host memory query not implemented on this platform",
-                ))
-            }
-        }
-    };
-
-    get_memory()
-}
-
 impl MemoryInfo {
     /// Adjusts the configuration information after loading from a configuration file.
     ///
@@ -1067,15 +1018,13 @@ impl MemoryInfo {
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-
-        let host_memory = host_memory_mib()?;
-
-        if u64::from(self.default_memory) > host_memory {
-            self.default_memory = host_memory as u32;
-        }
-
-        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
-            self.default_maxmemory = host_memory as u32;
+        if self.default_maxmemory == 0 {
+            let s = System::new_with_specifics(
+                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
+            );
+            self.default_maxmemory = Byte::from_u64(s.total_memory())
+                .get_adjusted_unit(Unit::MiB)
+                .get_value() as u32;
         }
         Ok(())
     }
@@ -1218,29 +1167,6 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub sev_snp_guest: bool,
 
-    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
-    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
-    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
-    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
-    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
-    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
-    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_block: String,
-
-    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
-    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_auth: String,
-
-    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
-    /// If unset, the QEMU default policy (0x30000) will be used.
-    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
-    /// won't start at all if the policy denys it. This will be indicated by a
-    /// 'SNP_LAUNCH_START' error.
-    #[serde(default = "default_snp_guest_policy")]
-    pub snp_guest_policy: u32,
-
     /// Path to OCI hook binaries in the *guest rootfs*.
     ///
     /// This setting does not affect host-side hooks, which must instead be
@@ -1302,10 +1228,6 @@ fn default_qgs_port() -> u32 {
     4050
 }
 
-fn default_snp_guest_policy() -> u32 {
-    0x30000
-}
-
 impl SecurityInfo {
     /// Adjusts the security configuration information after loading from a configuration file.
     ///

src/libs/kata-types/src/config/hypervisor/qemu.rs

@@ -124,17 +124,6 @@ impl ConfigPlugin for QemuConfig {
                 ));
             }
 
-            // CoCo guest hardening: virtio-mmio transport is not hardened for confidential
-            // computing; only virtio-pci is. Ensure we never use virtio-blk-mmio for rootfs.
-            if qemu.security_info.confidential_guest
-                && qemu.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
-            {
-                return Err(std::io::Error::other(
-                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
-                     virtio-mmio is not hardened for CoCo",
-                ));
-            }
-
             if qemu.boot_info.kernel.is_empty() {
                 return Err(std::io::Error::other(
                     "Guest kernel image for qemu is empty",

src/libs/mem-agent/Cargo.toml

@@ -10,6 +10,7 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
+async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }
 

src/libs/protocols/protos/agent.proto

@@ -520,11 +520,6 @@ message Storage {
 	// FSGroup consists of the group ID and group ownership change policy
 	// that the mounted volume must have its group ID changed to when specified.
 	FSGroup fs_group = 7;
-	// Shared indicates this storage is shared across multiple containers
-	// (e.g., block-based emptyDirs). When true, the agent should not clean up
-	// the storage when a container using it exits, as other containers
-	// may still need it. Cleanup will happen when the sandbox is destroyed.
-	bool shared = 8;
 }
 
 // Device represents only the devices that could have been defined through the

src/libs/protocols/protos/confidential_data_hub.proto

@@ -24,7 +24,9 @@ message SecureMountRequest {
     string mount_point = 4;
 }
 
-message SecureMountResponse {}
+message SecureMountResponse {
+    string mount_path = 1;
+}
 
 message ImagePullRequest {
     // - `image_url`: The reference of the image to pull

src/libs/runtime-spec/Cargo.toml

@@ -9,3 +9,4 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
+libc = "0.2.112"

src/libs/safe-path/README.md

@@ -4,7 +4,7 @@ Safe Path
 
 A library to safely handle filesystem paths, typically for container runtimes.
 
-There are often path related attacks, such as symlink based attacks, time-of-check to time-of-use (TOCTOU) attacks. The `safe-path` crate
+There are often path related attacks, such as symlink based attacks, TOCTTOU attacks. The `safe-path` crate
 provides several functions and utility structures to protect against path resolution related attacks.
 
 ## Support

src/runtime-rs/Cargo.toml

@@ -28,4 +28,5 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
+logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/Makefile

@@ -15,11 +15,6 @@ PROJECT_URL = https://github.com/kata-containers
 PROJECT_COMPONENT = containerd-shim-kata-v2
 CONTAINERD_RUNTIME_NAME = io.containerd.kata.v2
 
-# This snippet finds all packages inside runtime-rs. Used for tessting.
-PACKAGES := $(shell cargo metadata --no-deps --format-version 1 | \
-                    jq -r '.packages[] | select(.manifest_path | contains("runtime-rs")) | .name')
-PACKAGE_FLAGS := $(patsubst %,-p %,$(PACKAGES))
-
 include ../../utils.mk
 
 ARCH_DIR = arch
@@ -50,9 +45,9 @@ test:
 else
 ##TARGET default: build code
 default: runtime show-header
-##TARGET test: run cargo tests for runtime-rs and all its sub-crates.
+##TARGET test: run cargo tests
 test: static-checks-build
-	@cargo test $(PACKAGE_FLAGS) --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture  --skip bindgen
+	@cargo test --all --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture  --skip bindgen
 install: install-runtime install-configs
 endif
 
@@ -63,8 +58,6 @@ else
     include $(ARCH_FILE)
 endif
 
-
-
 ifeq ($(PREFIX),)
 PREFIX := /usr
 EXEC_PREFIX := $(PREFIX)/local
@@ -187,7 +180,7 @@ DEFNETQUEUES := 1
 DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\"]
 DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
-DEFDISABLEGUESTEMPTYDIR := false
+DEFDISABLEGUESTEMPTYDIR := true
 ##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
 DEFAULTEXPFEATURES := []
 DEFDISABLESELINUX := false
@@ -305,7 +298,7 @@ ifneq (,$(CLHCMD))
     KERNELTYPE_CLH = uncompressed
     KERNEL_NAME_CLH = $(call MAKE_KERNEL_NAME,$(KERNELTYPE_CLH))
     KERNELPATH_CLH = $(KERNELDIR)/$(KERNEL_NAME_CLH)
-    VMROOTFSDRIVER_CLH := virtio-blk-pci
+    VMROOTFSDRIVER_CLH := virtio-pmem
 
     DEFSANDBOXCGROUPONLY_CLH := true
     DEFSTATICRESOURCEMGMT_CLH := false
@@ -740,7 +733,7 @@ static-checks-build: $(GENERATED_FILES)
 $(TARGET): $(GENERATED_FILES) $(TARGET_PATH)
 
 $(TARGET_PATH): $(SOURCES) | show-summary
-	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build -p runtime-rs --target $(TRIPLE) $(if $(findstring release,$(BUILD_TYPE)),--release) $(EXTRA_RUSTFEATURES)
+	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) $(if $(findstring release,$(BUILD_TYPE)),--release) $(EXTRA_RUSTFEATURES)
 
 $(GENERATED_FILES): %: %.in
 	@sed \
@@ -776,7 +769,7 @@ endif
 
 ##TARGET run: build and run agent
 run:
-	@cargo run -p runtime-rs --target $(TRIPLE)
+	@cargo run --target $(TRIPLE)
 
 show-header:
 	@printf "%s - version %s (commit %s)\n\n" "$(TARGET)" "$(VERSION)" "$(COMMIT_MSG)"

src/runtime-rs/config/configuration-cloud-hypervisor.toml.in

@@ -22,8 +22,6 @@ rootfs_type = @DEFROOTFSTYPE@
 
 # Block storage driver to be used for the VM rootfs is backed
 # by a block device.
-#
-# virtio-pmem is not supported with Cloud Hypervisor.
 vm_rootfs_driver = "@VMROOTFSDRIVER_CLH@"
 
 # Path to the firmware.

src/runtime-rs/crates/agent/Cargo.toml

@@ -5,9 +5,13 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }
 
+[dev-dependencies]
+futures = "0.1.27"
+
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -27,6 +31,3 @@ protocols = { workspace = true, features = ["async"] }
 
 [features]
 default = []
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -28,6 +28,8 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
+protobuf = { workspace = true }
+oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -42,6 +44,7 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
+shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }

src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs

@@ -118,11 +118,13 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
 
         // Note how CH handles the different image types:
         //
+        // - A standard image is specified in PmemConfig.
         // - An initrd/initramfs is specified in PayloadConfig.
-        // - An image is specified in DiskConfig.
-        //   Note: pmem is not used as it's not properly supported by Cloud Hypervisor.
+        // - A confidential guest image is specified by a DiskConfig.
         //   - If TDX is enabled, the firmware (`td-shim` [1]) must be
         //     specified in PayloadConfig.
+        // - A confidential guest initrd is specified by a PayloadConfig with
+        //   firmware.
         //
         // [1] - https://github.com/confidential-containers/td-shim
         let boot_info = cfg.boot_info;
@@ -138,6 +140,14 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
             return Err(VmConfigError::NoBootFile);
         }
 
+        let pmem = if use_initrd || guest_protection_is_tdx(guest_protection_to_use.clone()) {
+            None
+        } else {
+            let pmem = PmemConfig::try_from(&boot_info).map_err(VmConfigError::PmemError)?;
+
+            Some(vec![pmem])
+        };
+
         let payload = Some(
             PayloadConfig::try_from((
                 boot_info.clone(),
@@ -149,7 +159,7 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
 
         let mut disks: Vec<DiskConfig> = vec![];
 
-        if use_image {
+        if use_image && guest_protection_is_tdx(guest_protection_to_use.clone()) {
             let disk = DiskConfig::try_from(boot_info).map_err(VmConfigError::DiskError)?;
 
             disks.push(disk);
@@ -189,6 +199,7 @@ impl TryFrom<NamedHypervisorConfig> for VmConfig {
             fs,
             net,
             devices: host_devices,
+            pmem,
             disks,
             vsock: Some(vsock),
             rng,
@@ -1645,6 +1656,7 @@ mod tests {
         let (memory_info_confidential_guest, mem_config_confidential_guest) =
             make_memory_objects(79, usable_max_mem_bytes, true);
 
+        let (_, pmem_config_with_image) = make_bootinfo_pmemconfig_objects(image);
         let (machine_info, rng_config) = make_machineinfo_rngconfig_objects(entropy_source);
 
         let payload_firmware = None;
@@ -1652,7 +1664,6 @@ mod tests {
         let (boot_info_with_initrd, payload_config_with_initrd) =
             make_bootinfo_payloadconfig_objects(kernel, initramfs, payload_firmware, None);
 
-        let (_, disk_config_with_image) = make_bootinfo_diskconfig_objects(image);
         let (_, disk_config_confidential_guest_image) = make_bootinfo_diskconfig_objects(image);
 
         let boot_info_tdx_image = BootInfo {
@@ -1751,7 +1762,7 @@ mod tests {
             vsock: Some(valid_vsock.clone()),
 
             // rootfs image specific
-            disks: Some(vec![disk_config_with_image]),
+            pmem: Some(vec![pmem_config_with_image]),
 
             payload: Some(PayloadConfig {
                 kernel: Some(PathBuf::from(kernel)),

src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs

@@ -110,16 +110,6 @@ pub struct DeviceConfig {
     pub pci_segment: u16,
 }
 
-#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
-pub enum ImageType {
-    FixedVhd,
-    Qcow2,
-    Raw,
-    Vhdx,
-    #[default]
-    Unknown,
-}
-
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
     pub path: Option<PathBuf>,
@@ -145,8 +135,6 @@ pub struct DiskConfig {
     pub disable_io_uring: bool,
     #[serde(default)]
     pub pci_segment: u16,
-    #[serde(default)]
-    pub image_type: ImageType,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]

src/runtime-rs/crates/hypervisor/src/ch/inner.rs

@@ -123,12 +123,7 @@ impl CloudHypervisorInner {
         }
     }
 
-    pub fn set_hypervisor_config(&mut self, mut config: HypervisorConfig) {
-        // virtio-pmem is not supported for Cloud Hypervisor.
-        if config.boot_info.vm_rootfs_driver == crate::VM_ROOTFS_DRIVER_PMEM {
-            config.boot_info.vm_rootfs_driver = crate::VM_ROOTFS_DRIVER_BLK.to_string();
-        }
-
+    pub fn set_hypervisor_config(&mut self, config: HypervisorConfig) {
         self.config = config;
     }
 

src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs

@@ -27,7 +27,6 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
-use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -470,10 +469,7 @@ impl CloudHypervisorInner {
                     net_config.id = None;
 
                     net_config.num_queues = network_queues_pairs * 2;
-                    info!(
-                        sl!(),
-                        "network device queue pairs {:?}", network_queues_pairs
-                    );
+                    info!(sl!(), "network device queue pairs {:?}", network_queues_pairs);
 
                     // we need ensure opening network device happens in netns.
                     let netns = self.netns.clone().unwrap_or_default();
@@ -554,7 +550,6 @@ impl TryFrom<BlockConfig> for DiskConfig {
             readonly: blkcfg.is_readonly,
             num_queues: blkcfg.num_queues,
             queue_size: blkcfg.queue_size as u16,
-            image_type: ImageType::Raw,
             ..Default::default()
         };