build(deps): bump docker/build-push-action from 5.4.0 to 6.19.2

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.4.0 to 6.19.2.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](ca052bb54a...10e90e3645)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 6.19.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actionlint.yaml

@@ -28,9 +28,3 @@ self-hosted-runner:
     - s390x-large
     - tdx
     - ubuntu-24.04-arm
-
-paths:
-  .github/workflows/**/*.{yml,yaml}:
-    ignore:
-      # We use if: false to "temporarily" skip jobs with issues
-      - 'constant expression "false" in condition'

.github/workflows/actionlint.yaml

@@ -13,13 +13,18 @@ concurrency:
 jobs:
   run-actionlint:
     name: run-actionlint
+    env:
+      GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Install actionlint gh extension
+        run: gh extension install https://github.com/cschleiden/gh-actionlint
+
       - name: Run actionlint
-        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1
+        run:  gh actionlint

.github/workflows/build-kubectl-image.yaml

@@ -63,7 +63,7 @@ jobs:
             type=sha,prefix=
 
       - name: Build and push multi-arch image
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: tools/packaging/kubectl/
           file: tools/packaging/kubectl/Dockerfile

.github/workflows/ci-weekly.yaml

@@ -99,7 +99,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
           push: true

.github/workflows/ci.yaml

@@ -204,7 +204,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
           push: true
@@ -259,7 +259,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
           push: true

Cargo.lock

@@ -3922,7 +3922,6 @@ dependencies = [
  "agent",
  "anyhow",
  "common",
- "containerd-shim-protos",
  "hyper",
  "hypervisor",
  "kata-sys-util",

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -11,7 +11,6 @@ lazy_static = { workspace = true }
 netns-rs = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
-containerd-shim-protos = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }

src/runtime-rs/crates/runtimes/common/src/message.rs

@@ -6,7 +6,7 @@
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskExit, TaskOOM, TaskStart};
+use containerd_shim_protos::events::task::{TaskExit, TaskOOM};
 use containerd_shim_protos::protobuf::Message as ProtobufMessage;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 
@@ -49,15 +49,9 @@ impl Message {
 
 const TASK_OOM_EVENT_TOPIC: &str = "/tasks/oom";
 const TASK_EXIT_EVENT_TOPIC: &str = "/tasks/exit";
-const TASK_START_EVENT_TOPIC: &str = "/tasks/start";
-const TASK_CREATE_EVENT_TOPIC: &str = "/tasks/create";
-const TASK_DELETE_EVENT_TOPIC: &str = "/tasks/delete";
 
 const TASK_OOM_EVENT_URL: &str = "containerd.events.TaskOOM";
 const TASK_EXIT_EVENT_URL: &str = "containerd.events.TaskExit";
-const TASK_START_EVENT_URL: &str = "containerd.events.TaskStart";
-const TASK_CREATE_EVENT_URL: &str = "containerd.events.TaskCreate";
-const TASK_DELETE_EVENT_URL: &str = "containerd.events.TaskDelete";
 
 pub trait Event: std::fmt::Debug + Send {
     fn r#type(&self) -> String;
@@ -92,45 +86,3 @@ impl Event for TaskExit {
         self.write_to_bytes().context("get exit value")
     }
 }
-
-impl Event for TaskStart {
-    fn r#type(&self) -> String {
-        TASK_START_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_START_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get start value")
-    }
-}
-
-impl Event for TaskCreate {
-    fn r#type(&self) -> String {
-        TASK_CREATE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_CREATE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get create value")
-    }
-}
-
-impl Event for TaskDelete {
-    fn r#type(&self) -> String {
-        TASK_DELETE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_DELETE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get delete value")
-    }
-}

src/runtime-rs/crates/runtimes/src/manager.rs

@@ -6,16 +6,14 @@
 
 use anyhow::{anyhow, Context, Result};
 use common::{
-    message::{Action, Message},
+    message::Message,
     types::{
-        ContainerProcess, PlatformInfo, ProcessType, SandboxConfig, SandboxRequest,
-        SandboxResponse, SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse,
-        DEFAULT_SHM_SIZE,
+        ContainerProcess, PlatformInfo, SandboxConfig, SandboxRequest, SandboxResponse,
+        SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse, DEFAULT_SHM_SIZE,
     },
     RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };
 
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskStart};
 use hypervisor::{
     utils::{create_dir_all_with_inherit_owner, create_vmm_user, remove_vmm_user},
     Param,
@@ -35,13 +33,13 @@ use netns_rs::{Env, NetNs};
 use nix::{sys::statfs, unistd::User};
 use oci_spec::runtime as oci;
 use persist::sandbox_persist::Persist;
-use protobuf::Message as ProtobufMessage;
 use resource::{
     cpu_mem::initial_size::InitialSizeManager,
     network::{dan_config_path, generate_netns_name},
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
+use protobuf::Message as ProtobufMessage;
 use std::{
     collections::HashMap,
     env,
@@ -482,7 +480,6 @@ impl RuntimeHandlerManager {
                 .await
                 .context("start sandbox in task handler")?;
 
-            let bundle = container_config.bundle.clone();
             let container_id = container_config.container_id.clone();
             let shim_pid = instance
                 .container_manager
@@ -504,19 +501,6 @@ impl RuntimeHandlerManager {
                 }
             });
 
-            let msg_sender = self.inner.read().await.msg_sender.clone();
-            let event = TaskCreate {
-                container_id,
-                bundle,
-                pid,
-                ..Default::default()
-            };
-            let msg = Message::new(Action::Event(Arc::new(event)));
-            msg_sender
-                .send(msg)
-                .await
-                .context("send task create event")?;
-
             Ok(TaskResponse::CreateContainer(shim_pid))
         } else {
             self.handler_task_request(req)
@@ -586,7 +570,6 @@ impl RuntimeHandlerManager {
             .context("get runtime instance")?;
         let sandbox = instance.sandbox.clone();
         let cm = instance.container_manager.clone();
-        let msg_sender = self.inner.read().await.msg_sender.clone();
 
         match req {
             TaskRequest::CreateContainer(req) => Err(anyhow!("Unreachable TaskRequest {:?}", req)),
@@ -596,20 +579,6 @@ impl RuntimeHandlerManager {
             }
             TaskRequest::DeleteProcess(process_id) => {
                 let resp = cm.delete_process(&process_id).await.context("do delete")?;
-                if process_id.process_type == ProcessType::Container {
-                    let event = TaskDelete {
-                        id: process_id.container_id().to_string(),
-                        pid: resp.pid.pid,
-                        exit_status: resp.exit_status as u32,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task delete event")?;
-                }
-
                 Ok(TaskResponse::DeleteProcess(resp))
             }
             TaskRequest::ExecProcess(req) => {
@@ -645,28 +614,12 @@ impl RuntimeHandlerManager {
                     .context("start process")?;
 
                 let pid = shim_pid.pid;
-                let process_type = process_id.process_type;
-                let container_id = process_id.container_id().to_string();
                 tokio::spawn(async move {
                     let result = sandbox.wait_process(cm, process_id, pid).await;
                     if let Err(e) = result {
                         error!(sl!(), "sandbox wait process error: {:?}", e);
                     }
                 });
-
-                if process_type == ProcessType::Container {
-                    let event = TaskStart {
-                        container_id,
-                        pid,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task start event")?;
-                }
-
                 Ok(TaskResponse::StartProcess(shim_pid))
             }
 

src/runtime/Makefile

@@ -147,14 +147,10 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=
 
-FIRMWAREPATH_NV = $(FIRMWAREPATH)
-
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
-FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
 FIRMWARETDVFVOLUMEPATH :=
 
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
-FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)
 
 KERNELVERITYPARAMS ?= ""
 KERNELVERITYPARAMS_NV ?= ""
@@ -305,11 +301,9 @@ DEFDANCONF := /run/kata-containers/dans
 
 DEFFORCEGUESTPULL := false
 
-DEFKUBELETROOTDIR := /var/lib/kubelet
-
 # Device cold plug
 DEFPODRESOURCEAPISOCK := ""
-DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock"
+DEFPODRESOURCEAPISOCK_NV := "/var/lib/kubelet/pod-resources/kubelet.sock"
 
 SED = sed
 
@@ -474,8 +468,8 @@ ifneq (,$(QEMUCMD))
     KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
 
     # NVIDIA GPU specific options (all should be suffixed by _NV)
-    KERNELTYPE_NV = compressed
-    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
+    # Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
+    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE))
     KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
     KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
     KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
@@ -491,9 +485,6 @@ ifneq (,$(QEMUCMD))
     # using an image and /dev is already mounted.
     KERNELPARAMS_NV = "cgroup_no_v1=all"
     KERNELPARAMS_NV += "devtmpfs.mount=0"
-    KERNELPARAMS_NV += "pci=realloc"
-    KERNELPARAMS_NV += "pci=nocrs"
-    KERNELPARAMS_NV += "pci=assign-busses"
 
     # Setting this to false can lead to cgroup leakages in the host
     # Best practice for production is to set this to true
@@ -690,13 +681,10 @@ USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELPATH_STRATOVIRT
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
-USER_VARS += FIRMWAREPATH_NV
 USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
-USER_VARS += FIRMWARETDVFPATH_NV
-USER_VARS += FIRMWARESNPPATH_NV
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
@@ -797,7 +785,6 @@ USER_VARS += DEFSTATICRESOURCEMGMT_NV
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
-USER_VARS += DEFKUBELETROOTDIR
 USER_VARS += DEFFORCEGUESTPULL
 USER_VARS += DEFVFIOMODE
 USER_VARS += DEFVFIOMODE_SE

src/runtime/config/configuration-clh.toml.in

@@ -491,11 +491,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-fc.toml.in

@@ -382,11 +382,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-cca.toml.in

@@ -670,12 +670,6 @@ dan_conf = "@DEFDANCONF@"
 # the container image should be pulled in the guest, without using an external snapshotter.
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
-
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-coco-dev.toml.in

@@ -734,11 +734,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -99,7 +99,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARESNPPATH_NV@"
+firmware = "@FIRMWARESNPPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -750,11 +750,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -76,7 +76,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH_NV@"
+firmware = "@FIRMWARETDVFPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -727,11 +727,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -58,7 +58,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH_NV@"
+firmware = "@FIRMWAREPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -724,11 +724,6 @@ create_container_timeout = @DEFAULTTIMEOUT_NV@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-se.toml.in

@@ -712,11 +712,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-snp.toml.in

@@ -737,11 +737,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -719,11 +719,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu.toml.in

@@ -723,11 +723,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-remote.toml.in

@@ -290,11 +290,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-stratovirt.toml.in

@@ -425,11 +425,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/go.mod

@@ -52,6 +52,7 @@ require (
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
+	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
 	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.0.0
 	go.opentelemetry.io/otel/sdk v1.35.0

src/runtime/go.sum

@@ -309,6 +309,8 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965 h1:EXE1ZsUqiUWGV5Dw2oTYpXx24ffxj0//yhTB0Ppv+4s=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965/go.mod h1:TBB3sR7/jg4RCThC/cgT4fB8mAbbMO307TycfgeR59w=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=

src/runtime/pkg/katautils/config.go

@@ -201,7 +201,6 @@ type runtime struct {
 	DanConf                   string   `toml:"dan_conf"`
 	ForceGuestPull            bool     `toml:"experimental_force_guest_pull"`
 	PodResourceAPISock        string   `toml:"pod_resource_api_sock"`
-	KubeletRootDir            string   `toml:"kubelet_root_dir"`
 }
 
 type agent struct {
@@ -1643,7 +1642,6 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 
 	config.ForceGuestPull = tomlConf.Runtime.ForceGuestPull
 	config.PodResourceAPISock = tomlConf.Runtime.PodResourceAPISock
-	config.KubeletRootDir = tomlConf.Runtime.KubeletRootDir
 
 	return resolved, config, nil
 }

src/runtime/pkg/oci/utils.go

@@ -193,10 +193,6 @@ type RuntimeConfig struct {
 	//	ColdPlugVFIO != NoPort AND PodResourceAPISock != "" => kubelet
 	//		based cold plug.
 	PodResourceAPISock string
-
-	// KubeletRootDir is the kubelet root directory used to match ConfigMap/Secret
-	// volume paths (e.g. /var/lib/k0s/kubelet for k0s). If empty, default is used.
-	KubeletRootDir string
 }
 
 // AddKernelParam allows the addition of new kernel parameters to an existing
@@ -1220,8 +1216,6 @@ func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid st
 		CreateContainerTimeout: runtime.CreateContainerTimeout,
 
 		ForceGuestPull: runtime.ForceGuestPull,
-
-		KubeletRootDir: runtime.KubeletRootDir,
 	}
 
 	if err := addAnnotations(ocispec, &sandboxConfig, runtime); err != nil {

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/bytes.go

@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"encoding/binary"
+	"unsafe"
+)
+
+// Raw returns just the bytes without any assumptions about layout
+type Raw interface {
+	Raw() *[]byte
+}
+
+// Reader used to read various data sizes in the byte array
+type Reader interface {
+	Read8(pos int) uint8
+	Read16(pos int) uint16
+	Read32(pos int) uint32
+	Read64(pos int) uint64
+	Len() int
+}
+
+// Writer used to write various sizes of data in the byte array
+type Writer interface {
+	Write8(pos int, value uint8)
+	Write16(pos int, value uint16)
+	Write32(pos int, value uint32)
+	Write64(pos int, value uint64)
+	Len() int
+}
+
+// Bytes object for manipulating arbitrary byte arrays
+type Bytes interface {
+	Raw
+	Reader
+	Writer
+	Slice(offset int, size int) Bytes
+	LittleEndian() Bytes
+	BigEndian() Bytes
+}
+
+var nativeByteOrder binary.ByteOrder
+
+func init() {
+	buf := [2]byte{}
+	*(*uint16)(unsafe.Pointer(&buf[0])) = uint16(0x00FF)
+
+	switch buf {
+	case [2]byte{0xFF, 0x00}:
+		nativeByteOrder = binary.LittleEndian
+	case [2]byte{0x00, 0xFF}:
+		nativeByteOrder = binary.BigEndian
+	default:
+		panic("Unable to infer byte order")
+	}
+}
+
+// New raw bytearray
+func New(data *[]byte) Bytes {
+	return (*native)(data)
+}
+
+// NewLittleEndian little endian ordering of bytes
+func NewLittleEndian(data *[]byte) Bytes {
+	if nativeByteOrder == binary.LittleEndian {
+		return (*native)(data)
+	}
+
+	return (*swapbo)(data)
+}
+
+// NewBigEndian big endian ordering of bytes
+func NewBigEndian(data *[]byte) Bytes {
+	if nativeByteOrder == binary.BigEndian {
+		return (*native)(data)
+	}
+
+	return (*swapbo)(data)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/native.go

@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"unsafe"
+)
+
+type native []byte
+
+var _ Bytes = (*native)(nil)
+
+func (b *native) Read8(pos int) uint8 {
+	return (*b)[pos]
+}
+
+func (b *native) Read16(pos int) uint16 {
+	return *(*uint16)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Read32(pos int) uint32 {
+	return *(*uint32)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Read64(pos int) uint64 {
+	return *(*uint64)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Write8(pos int, value uint8) {
+	(*b)[pos] = value
+}
+
+func (b *native) Write16(pos int, value uint16) {
+	*(*uint16)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Write32(pos int, value uint32) {
+	*(*uint32)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Write64(pos int, value uint64) {
+	*(*uint64)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Slice(offset int, size int) Bytes {
+	nb := (*b)[offset : offset+size]
+	return &nb
+}
+
+func (b *native) LittleEndian() Bytes {
+	return NewLittleEndian((*[]byte)(b))
+}
+
+func (b *native) BigEndian() Bytes {
+	return NewBigEndian((*[]byte)(b))
+}
+
+func (b *native) Raw() *[]byte {
+	return (*[]byte)(b)
+}
+
+func (b *native) Len() int {
+	return len(*b)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/swapbo.go

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"unsafe"
+)
+
+type swapbo []byte
+
+var _ Bytes = (*swapbo)(nil)
+
+func (b *swapbo) Read8(pos int) uint8 {
+	return (*b)[pos]
+}
+
+func (b *swapbo) Read16(pos int) uint16 {
+	buf := [2]byte{}
+	buf[0] = (*b)[pos+1]
+	buf[1] = (*b)[pos+0]
+	return *(*uint16)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Read32(pos int) uint32 {
+	buf := [4]byte{}
+	buf[0] = (*b)[pos+3]
+	buf[1] = (*b)[pos+2]
+	buf[2] = (*b)[pos+1]
+	buf[3] = (*b)[pos+0]
+	return *(*uint32)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Read64(pos int) uint64 {
+	buf := [8]byte{}
+	buf[0] = (*b)[pos+7]
+	buf[1] = (*b)[pos+6]
+	buf[2] = (*b)[pos+5]
+	buf[3] = (*b)[pos+4]
+	buf[4] = (*b)[pos+3]
+	buf[5] = (*b)[pos+2]
+	buf[6] = (*b)[pos+1]
+	buf[7] = (*b)[pos+0]
+	return *(*uint64)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Write8(pos int, value uint8) {
+	(*b)[pos] = value
+}
+
+func (b *swapbo) Write16(pos int, value uint16) {
+	buf := [2]byte{}
+	*(*uint16)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[1]
+	(*b)[pos+1] = buf[0]
+}
+
+func (b *swapbo) Write32(pos int, value uint32) {
+	buf := [4]byte{}
+	*(*uint32)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[3]
+	(*b)[pos+1] = buf[2]
+	(*b)[pos+2] = buf[1]
+	(*b)[pos+3] = buf[0]
+}
+
+func (b *swapbo) Write64(pos int, value uint64) {
+	buf := [8]byte{}
+	*(*uint64)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[7]
+	(*b)[pos+1] = buf[6]
+	(*b)[pos+2] = buf[5]
+	(*b)[pos+3] = buf[4]
+	(*b)[pos+4] = buf[3]
+	(*b)[pos+5] = buf[2]
+	(*b)[pos+6] = buf[1]
+	(*b)[pos+7] = buf[0]
+}
+
+func (b *swapbo) Slice(offset int, size int) Bytes {
+	nb := (*b)[offset : offset+size]
+	return &nb
+}
+
+func (b *swapbo) LittleEndian() Bytes {
+	return NewLittleEndian((*[]byte)(b))
+}
+
+func (b *swapbo) BigEndian() Bytes {
+	return NewBigEndian((*[]byte)(b))
+}
+
+func (b *swapbo) Raw() *[]byte {
+	return (*[]byte)(b)
+}
+
+func (b *swapbo) Len() int {
+	return len(*b)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/config.go

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+const (
+	// PCICfgSpaceStandardSize represents the size in bytes of the standard config space
+	PCICfgSpaceStandardSize = 256
+	// PCICfgSpaceExtendedSize represents the size in bytes of the extended config space
+	PCICfgSpaceExtendedSize = 4096
+	// PCICapabilityListPointer represents offset for the capability list pointer
+	PCICapabilityListPointer = 0x34
+	// PCIStatusCapabilityList represents the status register bit which indicates capability list support
+	PCIStatusCapabilityList = 0x10
+	// PCIStatusBytePosition represents the position of the status register
+	PCIStatusBytePosition = 0x06
+)
+
+// ConfigSpace PCI configuration space (standard extended) file path
+type ConfigSpace struct {
+	Path string
+}
+
+// ConfigSpaceIO Interface for reading and writing raw and preconfigured values
+type ConfigSpaceIO interface {
+	bytes.Bytes
+	GetVendorID() uint16
+	GetDeviceID() uint16
+	GetPCICapabilities() (*PCICapabilities, error)
+}
+
+type configSpaceIO struct {
+	bytes.Bytes
+}
+
+// PCIStandardCapability standard PCI config space
+type PCIStandardCapability struct {
+	bytes.Bytes
+}
+
+// PCIExtendedCapability extended PCI config space
+type PCIExtendedCapability struct {
+	bytes.Bytes
+	Version uint8
+}
+
+// PCICapabilities combines the standard and extended config space
+type PCICapabilities struct {
+	Standard map[uint8]*PCIStandardCapability
+	Extended map[uint16]*PCIExtendedCapability
+}
+
+func (cs *ConfigSpace) Read() (ConfigSpaceIO, error) {
+	config, err := ioutil.ReadFile(cs.Path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %v", err)
+	}
+	return &configSpaceIO{bytes.New(&config)}, nil
+}
+
+func (cs *configSpaceIO) GetVendorID() uint16 {
+	return cs.Read16(0)
+}
+
+func (cs *configSpaceIO) GetDeviceID() uint16 {
+	return cs.Read16(2)
+}
+
+func (cs *configSpaceIO) GetPCICapabilities() (*PCICapabilities, error) {
+	caps := &PCICapabilities{
+		make(map[uint8]*PCIStandardCapability),
+		make(map[uint16]*PCIExtendedCapability),
+	}
+
+	support := cs.Read8(PCIStatusBytePosition) & PCIStatusCapabilityList
+	if support == 0 {
+		return nil, fmt.Errorf("pci device does not support capability list")
+	}
+
+	soffset := cs.Read8(PCICapabilityListPointer)
+	if int(soffset) >= cs.Len() {
+		return nil, fmt.Errorf("capability list pointer out of bounds")
+	}
+
+	for soffset != 0 {
+		if soffset == 0xff {
+			return nil, fmt.Errorf("config space broken")
+		}
+		if int(soffset) >= PCICfgSpaceStandardSize {
+			return nil, fmt.Errorf("standard capability list pointer out of bounds")
+		}
+		data := cs.Read32(int(soffset))
+		id := uint8(data & 0xff)
+		caps.Standard[id] = &PCIStandardCapability{
+			cs.Slice(int(soffset), cs.Len()-int(soffset)),
+		}
+		soffset = uint8((data >> 8) & 0xff)
+	}
+
+	if cs.Len() <= PCICfgSpaceStandardSize {
+		return caps, nil
+	}
+
+	eoffset := uint16(PCICfgSpaceStandardSize)
+	for eoffset != 0 {
+		if eoffset == 0xffff {
+			return nil, fmt.Errorf("config space broken")
+		}
+		if int(eoffset) >= PCICfgSpaceExtendedSize {
+			return nil, fmt.Errorf("extended capability list pointer out of bounds")
+		}
+		data := cs.Read32(int(eoffset))
+		id := uint16(data & 0xffff)
+		version := uint8((data >> 16) & 0xf)
+		caps.Extended[id] = &PCIExtendedCapability{
+			cs.Slice(int(eoffset), cs.Len()-int(eoffset)),
+			version,
+		}
+		eoffset = uint16((data >> 4) & 0xffc)
+	}
+
+	return caps, nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio/mmio.go

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package mmio
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+	"unsafe"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+// Mmio memory map a region
+type Mmio interface {
+	bytes.Raw
+	bytes.Reader
+	bytes.Writer
+	Sync() error
+	Close() error
+	Slice(offset int, size int) Mmio
+	LittleEndian() Mmio
+	BigEndian() Mmio
+}
+
+type mmio struct {
+	bytes.Bytes
+}
+
+func open(path string, offset int, size int, flags int) (Mmio, error) {
+	var mmapFlags int
+	switch flags {
+	case os.O_RDONLY:
+		mmapFlags = syscall.PROT_READ
+	case os.O_RDWR:
+		mmapFlags = syscall.PROT_READ | syscall.PROT_WRITE
+	default:
+		return nil, fmt.Errorf("invalid flags: %v", flags)
+	}
+
+	file, err := os.OpenFile(path, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %v", err)
+	}
+	defer file.Close()
+
+	fi, err := file.Stat()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get file info: %v", err)
+	}
+
+	if size > int(fi.Size()) {
+		return nil, fmt.Errorf("requested size larger than file size")
+	}
+
+	if size < 0 {
+		size = int(fi.Size())
+	}
+
+	mmap, err := syscall.Mmap(
+		int(file.Fd()),
+		int64(offset),
+		size,
+		mmapFlags,
+		syscall.MAP_SHARED)
+	if err != nil {
+		return nil, fmt.Errorf("failed to mmap file: %v", err)
+	}
+
+	return &mmio{bytes.New(&mmap)}, nil
+}
+
+// OpenRO open region readonly
+func OpenRO(path string, offset int, size int) (Mmio, error) {
+	return open(path, offset, size, os.O_RDONLY)
+}
+
+// OpenRW open region read write
+func OpenRW(path string, offset int, size int) (Mmio, error) {
+	return open(path, offset, size, os.O_RDWR)
+}
+
+func (m *mmio) Slice(offset int, size int) Mmio {
+	return &mmio{m.Bytes.Slice(offset, size)}
+}
+
+func (m *mmio) LittleEndian() Mmio {
+	return &mmio{m.Bytes.LittleEndian()}
+}
+
+func (m *mmio) BigEndian() Mmio {
+	return &mmio{m.Bytes.BigEndian()}
+}
+
+func (m *mmio) Close() error {
+	err := syscall.Munmap(*m.Bytes.Raw())
+	if err != nil {
+		return fmt.Errorf("failed to munmap file: %v", err)
+	}
+	return nil
+}
+
+func (m *mmio) Sync() error {
+	_, _, errno := syscall.Syscall(
+		syscall.SYS_MSYNC,
+		uintptr(unsafe.Pointer(&(*m.Bytes.Raw())[0])),
+		uintptr(m.Len()),
+		uintptr(syscall.MS_SYNC|syscall.MS_INVALIDATE))
+	if errno != 0 {
+		return fmt.Errorf("failed to msync file: %v", errno)
+	}
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio/mock.go

@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package mmio
+
+import (
+	"fmt"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+type mockMmio struct {
+	mmio
+	source *[]byte
+	offset int
+	rw     bool
+}
+
+func mockOpen(source *[]byte, offset int, size int, rw bool) (Mmio, error) {
+	if size < 0 {
+		size = len(*source) - offset
+	}
+	if (offset + size) > len(*source) {
+		return nil, fmt.Errorf("offset+size out of range")
+	}
+
+	data := append([]byte{}, (*source)[offset:offset+size]...)
+
+	m := &mockMmio{}
+	m.Bytes = bytes.New(&data).LittleEndian()
+	m.source = source
+	m.offset = offset
+	m.rw = rw
+
+	return m, nil
+}
+
+// MockOpenRO open read only
+func MockOpenRO(source *[]byte, offset int, size int) (Mmio, error) {
+	return mockOpen(source, offset, size, false)
+}
+
+// MockOpenRW open read write
+func MockOpenRW(source *[]byte, offset int, size int) (Mmio, error) {
+	return mockOpen(source, offset, size, true)
+}
+
+func (m *mockMmio) Close() error {
+	m = &mockMmio{}
+	return nil
+}
+
+func (m *mockMmio) Sync() error {
+	if !m.rw {
+		return fmt.Errorf("opened read-only")
+	}
+	for i := range *m.Bytes.Raw() {
+		(*m.source)[m.offset+i] = (*m.Bytes.Raw())[i]
+	}
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mock.go

@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+// MockNvpci mock pci device
+type MockNvpci struct {
+	*nvpci
+}
+
+var _ Interface = (*MockNvpci)(nil)
+
+// NewMockNvpci create new mock PCI and remove old devices
+func NewMockNvpci() (mock *MockNvpci, rerr error) {
+	rootDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if rerr != nil {
+			os.RemoveAll(rootDir)
+		}
+	}()
+
+	mock = &MockNvpci{
+		NewFrom(rootDir).(*nvpci),
+	}
+
+	return mock, nil
+}
+
+// Cleanup remove the mocked PCI devices root folder
+func (m *MockNvpci) Cleanup() {
+	os.RemoveAll(m.pciDevicesRoot)
+}
+
+// AddMockA100 Create an A100 like GPU mock device
+func (m *MockNvpci) AddMockA100(address string, numaNode int) error {
+	deviceDir := filepath.Join(m.pciDevicesRoot, address)
+	err := os.MkdirAll(deviceDir, 0755)
+	if err != nil {
+		return err
+	}
+
+	vendor, err := os.Create(filepath.Join(deviceDir, "vendor"))
+	if err != nil {
+		return err
+	}
+	_, err = vendor.WriteString(fmt.Sprintf("0x%x", PCINvidiaVendorID))
+	if err != nil {
+		return err
+	}
+
+	class, err := os.Create(filepath.Join(deviceDir, "class"))
+	if err != nil {
+		return err
+	}
+	_, err = class.WriteString(fmt.Sprintf("0x%x", PCI3dControllerClass))
+	if err != nil {
+		return err
+	}
+
+	device, err := os.Create(filepath.Join(deviceDir, "device"))
+	if err != nil {
+		return err
+	}
+	_, err = device.WriteString("0x20bf")
+	if err != nil {
+		return err
+	}
+
+	numa, err := os.Create(filepath.Join(deviceDir, "numa_node"))
+	if err != nil {
+		return err
+	}
+	_, err = numa.WriteString(fmt.Sprintf("%v", numaNode))
+	if err != nil {
+		return err
+	}
+
+	config, err := os.Create(filepath.Join(deviceDir, "config"))
+	if err != nil {
+		return err
+	}
+	_data := make([]byte, PCICfgSpaceStandardSize)
+	data := bytes.New(&_data)
+	data.Write16(0, PCINvidiaVendorID)
+	data.Write16(2, uint16(0x20bf))
+	data.Write8(PCIStatusBytePosition, PCIStatusCapabilityList)
+	_, err = config.Write(*data.Raw())
+	if err != nil {
+		return err
+	}
+
+	bar0 := []uint64{0x00000000c2000000, 0x00000000c2ffffff, 0x0000000000040200}
+	resource, err := os.Create(filepath.Join(deviceDir, "resource"))
+	if err != nil {
+		return err
+	}
+	_, err = resource.WriteString(fmt.Sprintf("0x%x 0x%x 0x%x", bar0[0], bar0[1], bar0[2]))
+	if err != nil {
+		return err
+	}
+
+	pmcID := uint32(0x170000a1)
+	resource0, err := os.Create(filepath.Join(deviceDir, "resource0"))
+	if err != nil {
+		return err
+	}
+	_data = make([]byte, bar0[1]-bar0[0]+1)
+	data = bytes.New(&_data).LittleEndian()
+	data.Write32(0, pmcID)
+	_, err = resource0.Write(*data.Raw())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/nvpci.go

@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+const (
+	// PCIDevicesRoot represents base path for all pci devices under sysfs
+	PCIDevicesRoot = "/sys/bus/pci/devices"
+	// PCINvidiaVendorID represents PCI vendor id for NVIDIA
+	PCINvidiaVendorID uint16 = 0x10de
+	// PCIVgaControllerClass represents the PCI class for VGA Controllers
+	PCIVgaControllerClass uint32 = 0x030000
+	// PCI3dControllerClass represents the PCI class for 3D Graphics accellerators
+	PCI3dControllerClass uint32 = 0x030200
+	// PCINvSwitchClass represents the PCI class for NVSwitches
+	PCINvSwitchClass uint32 = 0x068000
+)
+
+// Interface allows us to get a list of all NVIDIA PCI devices
+type Interface interface {
+	GetAllDevices() ([]*NvidiaPCIDevice, error)
+	Get3DControllers() ([]*NvidiaPCIDevice, error)
+	GetVGAControllers() ([]*NvidiaPCIDevice, error)
+	GetNVSwitches() ([]*NvidiaPCIDevice, error)
+	GetGPUs() ([]*NvidiaPCIDevice, error)
+}
+
+// MemoryResources a more human readable handle
+type MemoryResources map[int]*MemoryResource
+
+// ResourceInterface exposes some higher level functions of resources
+type ResourceInterface interface {
+	GetTotalAddressableMemory(bool) (uint64, uint64)
+}
+
+type nvpci struct {
+	pciDevicesRoot string
+}
+
+var _ Interface = (*nvpci)(nil)
+var _ ResourceInterface = (*MemoryResources)(nil)
+
+// NvidiaPCIDevice represents a PCI device for an NVIDIA product
+type NvidiaPCIDevice struct {
+	Path      string
+	Address   string
+	Vendor    uint16
+	Class     uint32
+	Device    uint16
+	NumaNode  int
+	Config    *ConfigSpace
+	Resources MemoryResources
+}
+
+// IsVGAController if class == 0x300
+func (d *NvidiaPCIDevice) IsVGAController() bool {
+	return d.Class == PCIVgaControllerClass
+}
+
+// Is3DController if class == 0x302
+func (d *NvidiaPCIDevice) Is3DController() bool {
+	return d.Class == PCI3dControllerClass
+}
+
+// IsNVSwitch if classe == 0x068
+func (d *NvidiaPCIDevice) IsNVSwitch() bool {
+	return d.Class == PCINvSwitchClass
+}
+
+// IsGPU either VGA for older cards or 3D for newer
+func (d *NvidiaPCIDevice) IsGPU() bool {
+	return d.IsVGAController() || d.Is3DController()
+}
+
+// IsResetAvailable some devices can be reset without rebooting,
+// check if applicable
+func (d *NvidiaPCIDevice) IsResetAvailable() bool {
+	_, err := os.Stat(path.Join(d.Path, "reset"))
+	return err == nil
+}
+
+// Reset perform a reset to apply a new configuration at HW level
+func (d *NvidiaPCIDevice) Reset() error {
+	err := ioutil.WriteFile(path.Join(d.Path, "reset"), []byte("1"), 0)
+	if err != nil {
+		return fmt.Errorf("unable to write to reset file: %v", err)
+	}
+	return nil
+}
+
+// New interface that allows us to get a list of all NVIDIA PCI devices
+func New() Interface {
+	return &nvpci{PCIDevicesRoot}
+}
+
+// NewFrom interface allows us to get a list of all NVIDIA PCI devices at a specific root directory
+func NewFrom(root string) Interface {
+	return &nvpci{root}
+}
+
+// GetAllDevices returns all Nvidia PCI devices on the system
+func (p *nvpci) GetAllDevices() ([]*NvidiaPCIDevice, error) {
+	deviceDirs, err := ioutil.ReadDir(p.pciDevicesRoot)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI bus devices: %v", err)
+	}
+
+	var nvdevices []*NvidiaPCIDevice
+	for _, deviceDir := range deviceDirs {
+		devicePath := path.Join(p.pciDevicesRoot, deviceDir.Name())
+		nvdevice, err := NewDevice(devicePath)
+		if err != nil {
+			return nil, fmt.Errorf("error constructing NVIDIA PCI device %s: %v", deviceDir.Name(), err)
+		}
+		if nvdevice == nil {
+			continue
+		}
+		nvdevices = append(nvdevices, nvdevice)
+	}
+
+	addressToID := func(address string) uint64 {
+		address = strings.ReplaceAll(address, ":", "")
+		address = strings.ReplaceAll(address, ".", "")
+		id, _ := strconv.ParseUint(address, 16, 64)
+		return id
+	}
+
+	sort.Slice(nvdevices, func(i, j int) bool {
+		return addressToID(nvdevices[i].Address) < addressToID(nvdevices[j].Address)
+	})
+
+	return nvdevices, nil
+}
+
+// NewDevice constructs an NvidiaPCIDevice
+func NewDevice(devicePath string) (*NvidiaPCIDevice, error) {
+	address := path.Base(devicePath)
+
+	vendor, err := ioutil.ReadFile(path.Join(devicePath, "vendor"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device vendor id for %s: %v", address, err)
+	}
+	vendorStr := strings.TrimSpace(string(vendor))
+	vendorID, err := strconv.ParseUint(vendorStr, 0, 16)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert vendor string to uint16: %v", vendorStr)
+	}
+
+	if uint16(vendorID) != PCINvidiaVendorID {
+		return nil, nil
+	}
+
+	class, err := ioutil.ReadFile(path.Join(devicePath, "class"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device class for %s: %v", address, err)
+	}
+	classStr := strings.TrimSpace(string(class))
+	classID, err := strconv.ParseUint(classStr, 0, 32)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert class string to uint32: %v", classStr)
+	}
+
+	device, err := ioutil.ReadFile(path.Join(devicePath, "device"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device id for %s: %v", address, err)
+	}
+	deviceStr := strings.TrimSpace(string(device))
+	deviceID, err := strconv.ParseUint(deviceStr, 0, 16)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert device string to uint16: %v", deviceStr)
+	}
+
+	numa, err := ioutil.ReadFile(path.Join(devicePath, "numa_node"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI NUMA node for %s: %v", address, err)
+	}
+	numaStr := strings.TrimSpace(string(numa))
+	numaNode, err := strconv.ParseInt(numaStr, 0, 64)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert NUMA node string to int64: %v", numaNode)
+	}
+
+	config := &ConfigSpace{
+		Path: path.Join(devicePath, "config"),
+	}
+
+	resource, err := ioutil.ReadFile(path.Join(devicePath, "resource"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI resource file for %s: %v", address, err)
+	}
+
+	resources := make(map[int]*MemoryResource)
+	for i, line := range strings.Split(strings.TrimSpace(string(resource)), "\n") {
+		values := strings.Split(line, " ")
+		if len(values) != 3 {
+			return nil, fmt.Errorf("more than 3 entries in line '%d' of resource file", i)
+		}
+
+		start, _ := strconv.ParseUint(values[0], 0, 64)
+		end, _ := strconv.ParseUint(values[1], 0, 64)
+		flags, _ := strconv.ParseUint(values[2], 0, 64)
+
+		if (end - start) != 0 {
+			resources[i] = &MemoryResource{
+				uintptr(start),
+				uintptr(end),
+				flags,
+				fmt.Sprintf("%s/resource%d", devicePath, i),
+			}
+		}
+	}
+
+	nvdevice := &NvidiaPCIDevice{
+		Path:      devicePath,
+		Address:   address,
+		Vendor:    uint16(vendorID),
+		Class:     uint32(classID),
+		Device:    uint16(deviceID),
+		NumaNode:  int(numaNode),
+		Config:    config,
+		Resources: resources,
+	}
+
+	return nvdevice, nil
+}
+
+// Get3DControllers returns all NVIDIA 3D Controller PCI devices on the system
+func (p *nvpci) Get3DControllers() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.Is3DController() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetVGAControllers returns all NVIDIA VGA Controller PCI devices on the system
+func (p *nvpci) GetVGAControllers() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsVGAController() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetNVSwitches returns all NVIDIA NVSwitch PCI devices on the system
+func (p *nvpci) GetNVSwitches() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsNVSwitch() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetGPUs returns all NVIDIA GPU devices on the system
+func (p *nvpci) GetGPUs() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsGPU() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/resources.go

@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"sort"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio"
+)
+
+const (
+	pmcEndianRegister = 0x4
+	pmcLittleEndian   = 0x0
+	pmcBigEndian      = 0x01000001
+)
+
+// MemoryResource represents a mmio region
+type MemoryResource struct {
+	Start uintptr
+	End   uintptr
+	Flags uint64
+	Path  string
+}
+
+// OpenRW read write mmio region
+func (mr *MemoryResource) OpenRW() (mmio.Mmio, error) {
+	rw, err := mmio.OpenRW(mr.Path, 0, int(mr.End-mr.Start+1))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file for mmio: %v", err)
+	}
+	switch rw.Read32(pmcEndianRegister) {
+	case pmcBigEndian:
+		return rw.BigEndian(), nil
+	case pmcLittleEndian:
+		return rw.LittleEndian(), nil
+	}
+	return nil, fmt.Errorf("unknown endianness for mmio: %v", err)
+}
+
+// OpenRO read only mmio region
+func (mr *MemoryResource) OpenRO() (mmio.Mmio, error) {
+	ro, err := mmio.OpenRO(mr.Path, 0, int(mr.End-mr.Start+1))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file for mmio: %v", err)
+	}
+	switch ro.Read32(pmcEndianRegister) {
+	case pmcBigEndian:
+		return ro.BigEndian(), nil
+	case pmcLittleEndian:
+		return ro.LittleEndian(), nil
+	}
+	return nil, fmt.Errorf("unknown endianness for mmio: %v", err)
+}
+
+// From Bit Twiddling Hacks, great resource for all low level bit manipulations
+func calcNextPowerOf2(n uint64) uint64 {
+	n--
+	n |= n >> 1
+	n |= n >> 2
+	n |= n >> 4
+	n |= n >> 8
+	n |= n >> 16
+	n |= n >> 32
+	n++
+
+	return n
+}
+
+// GetTotalAddressableMemory will accumulate the 32bit and 64bit memory windows
+// of each BAR and round the value if needed to the next power of 2; first
+// return value is the accumulated 32bit addresable memory size the second one
+// is the accumulated 64bit addressable memory size in bytes. These values are
+// needed to configure virtualized environments.
+func (mrs MemoryResources) GetTotalAddressableMemory(roundUp bool) (uint64, uint64) {
+	const pciIOVNumBAR = 6
+	const pciBaseAddressMemTypeMask = 0x06
+	const pciBaseAddressMemType32 = 0x00 /* 32 bit address */
+	const pciBaseAddressMemType64 = 0x04 /* 64 bit address */
+
+	// We need to sort the resources so the first 6 entries are the BARs
+	// How a map is represented in memory is not guaranteed, it is not an
+	// array. Keys do not have an order.
+	keys := make([]int, 0, len(mrs))
+	for k := range mrs {
+		keys = append(keys, k)
+	}
+	sort.Ints(keys)
+
+	numBAR := 0
+	memSize32bit := uint64(0)
+	memSize64bit := uint64(0)
+
+	for _, key := range keys {
+		// The PCIe spec only defines 5 BARs per device, we're
+		// discarding everything after the 5th entry of the resources
+		// file, see lspci.c
+		if key >= pciIOVNumBAR || numBAR == pciIOVNumBAR {
+			break
+		}
+		numBAR = numBAR + 1
+
+		region := mrs[key]
+
+		flags := region.Flags & pciBaseAddressMemTypeMask
+		memType32bit := flags == pciBaseAddressMemType32
+		memType64bit := flags == pciBaseAddressMemType64
+
+		memSize := (region.End - region.Start) + 1
+
+		if memType32bit {
+			memSize32bit = memSize32bit + uint64(memSize)
+		}
+		if memType64bit {
+			memSize64bit = memSize64bit + uint64(memSize)
+		}
+
+	}
+
+	if roundUp {
+		memSize32bit = calcNextPowerOf2(memSize32bit)
+		memSize64bit = calcNextPowerOf2(memSize64bit)
+	}
+
+	return memSize32bit, memSize64bit
+}

src/runtime/vendor/modules.txt

@@ -539,6 +539,11 @@ github.com/vishvananda/netns
 # github.com/x448/float16 v0.8.4
 ## explicit; go 1.11
 github.com/x448/float16
+# gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
+## explicit; go 1.16
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio
 # go.mongodb.org/mongo-driver v1.14.0
 ## explicit; go 1.18
 go.mongodb.org/mongo-driver/bson

src/runtime/virtcontainers/fs_share_linux.go

@@ -58,20 +58,19 @@ func unmountNoFollow(path string) error {
 	return syscall.Unmount(path, syscall.MNT_DETACH|UmountNoFollow)
 }
 
-// resolveRootDirWithBase returns the resolved (followed symlink) kubelet root path.
-// If base is non-empty it is used as the root; otherwise defaultKubernetesRootDir is used.
-func resolveRootDirWithBase(base string) string {
-	if base == "" {
-		base = defaultKubernetesRootDir
-	}
-	rootDir, err := os.Readlink(base)
+// Resolve the K8S root dir if it is a symbolic link
+func resolveRootDir() string {
+	rootDir, err := os.Readlink(defaultKubernetesRootDir)
 	if err != nil {
-		return base
+		// Use the default root dir in case of any errors resolving the root dir symlink
+		return defaultKubernetesRootDir
 	}
+	// Make root dir an absolute path if needed
 	if !filepath.IsAbs(rootDir) {
-		rootDir, err = filepath.Abs(filepath.Join(filepath.Dir(base), rootDir))
+		rootDir, err = filepath.Abs(filepath.Join(filepath.Dir(defaultKubernetesRootDir), rootDir))
 		if err != nil {
-			return base
+			// Use the default root dir in case of any errors resolving the root dir symlink
+			return defaultKubernetesRootDir
 		}
 	}
 	return rootDir
@@ -100,14 +99,9 @@ func NewFilesystemShare(s *Sandbox) (*FilesystemShare, error) {
 		return nil, fmt.Errorf("Creating watcher returned error %w", err)
 	}
 
-	baseRoot := ""
-	if s.config != nil {
-		baseRoot = s.config.KubeletRootDir
-	}
-	kubernetesRootDir := resolveRootDirWithBase(baseRoot)
-	quotedRoot := regexp.QuoteMeta(kubernetesRootDir)
-	configVolRegex := regexp.MustCompile("^" + quotedRoot + configVolRegexString)
-	timestampDirRegex := regexp.MustCompile("^" + quotedRoot + configVolRegexString + timestampDirRegexString)
+	kubernetesRootDir := resolveRootDir()
+	configVolRegex := regexp.MustCompile("^" + kubernetesRootDir + configVolRegexString)
+	timestampDirRegex := regexp.MustCompile("^" + kubernetesRootDir + configVolRegexString + timestampDirRegexString)
 
 	return &FilesystemShare{
 		prepared:           false,

src/runtime/virtcontainers/qemu.go

@@ -812,6 +812,21 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 	// into a PCIe Root Port or PCIe Switch.
 	// For more details, please see https://github.com/qemu/qemu/blob/master/docs/pcie.txt
 
+	// Deduce the right values for mem-reserve and pref-64-reserve memory regions
+	memSize32bit, memSize64bit := q.arch.getBARsMaxAddressableMemory()
+
+	// The default OVMF MMIO aperture is too small for some PCIe devices
+	// with huge BARs so we need to increase it.
+	// memSize64bit is in bytes, convert to MB, OVMF expects MB as a string
+	if strings.Contains(strings.ToLower(hypervisorConfig.FirmwarePath), "ovmf") {
+		pciMmio64Mb := fmt.Sprintf("%d", (memSize64bit / 1024 / 1024))
+		fwCfg := govmmQemu.FwCfg{
+			Name: "opt/ovmf/X-PciMmio64Mb",
+			Str:  pciMmio64Mb,
+		}
+		qemuConfig.FwCfg = append(qemuConfig.FwCfg, fwCfg)
+	}
+
 	// Get the number of hot(cold)-pluggable ports needed from the provided
 	// VFIO devices
 	var numOfPluggablePorts uint32 = 0
@@ -882,7 +897,7 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 		if numOfPluggablePorts > maxPCIeRootPort {
 			return fmt.Errorf("Number of PCIe Root Ports exceeed allowed max of %d", maxPCIeRootPort)
 		}
-		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 		return nil
 	}
 	if vfioOnSwitchPort {
@@ -892,12 +907,12 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 		if numOfPluggablePorts > maxPCIeSwitchPort {
 			return fmt.Errorf("Number of PCIe Switch Ports exceeed allowed max of %d", maxPCIeSwitchPort)
 		}
-		qemuConfig.Devices = q.arch.appendPCIeSwitchPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeSwitchPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 		return nil
 	}
 	// If both Root Port and Switch Port are not enabled, check if QemuVirt need add pcie root port.
 	if machineType == QemuVirt {
-		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 	}
 	return nil
 }
@@ -2662,7 +2677,7 @@ func genericMemoryTopology(memoryMb, hostMemoryMb uint64, slots uint8, memoryOff
 }
 
 // genericAppendPCIeRootPort appends to devices the given pcie-root-port
-func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machineType string) []govmmQemu.Device {
+func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machineType string, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
 	var (
 		bus           string
 		chassis       string
@@ -2688,6 +2703,8 @@ func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machin
 				Slot:          strconv.FormatUint(uint64(i), 10),
 				Multifunction: multiFunction,
 				Addr:          addr,
+				MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+				Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 			},
 		)
 	}
@@ -2716,7 +2733,7 @@ func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machin
 //          -------------           --------------
 */
 // genericAppendPCIeSwitch adds a PCIe Swtich
-func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, machineType string) []govmmQemu.Device {
+func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, machineType string, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
 
 	// Q35, Virt have the correct PCIe support,
 	// hence ignore all other machines
@@ -2733,6 +2750,8 @@ func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, mach
 		Slot:          strconv.FormatUint(uint64(0), 10),
 		Multifunction: false,
 		Addr:          "0",
+		MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+		Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 	}
 
 	devices = append(devices, pcieRootPort)
@@ -2756,6 +2775,8 @@ func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, mach
 			Bus:     pcieSwitchUpstreamPort.ID,
 			Chassis: fmt.Sprintf("%d", nextChassis),
 			Slot:    strconv.FormatUint(uint64(i), 10),
+			// TODO: MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+			// TODO: Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 		}
 		devices = append(devices, pcieSwitchDownstreamPort)
 	}

src/runtime/virtcontainers/qemu_arch_base.go

@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -152,10 +153,10 @@ type qemuArch interface {
 	setIgnoreSharedMemoryMigrationCaps(context.Context, *govmmQemu.QMP) error
 
 	// appendPCIeRootPortDevice appends a pcie-root-port device to pcie.0 bus
-	appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device
+	appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device
 
 	// appendPCIeSwitch appends a ioh3420 device to a pcie-root-port
-	appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device
+	appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device
 
 	// append vIOMMU device
 	appendIOMMU(devices []govmmQemu.Device) ([]govmmQemu.Device, error)
@@ -169,6 +170,10 @@ type qemuArch interface {
 	// be used with the -bios option, ommit -bios option if the path is empty.
 	appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, initdataDigest []byte) ([]govmmQemu.Device, string, error)
 
+	// scans the PCIe space and returns the biggest BAR sizes for 32-bit
+	// and 64-bit addressable memory
+	getBARsMaxAddressableMemory() (uint64, uint64)
+
 	// Query QMP to find a device's PCI path given its QOM path or ID
 	qomGetPciPath(qemuID string, qmpCh *qmpChannel) (types.PciPath, error)
 
@@ -870,13 +875,46 @@ func (q *qemuArchBase) addBridge(b types.Bridge) {
 }
 
 // appendPCIeRootPortDevice appends to devices the given pcie-root-port
-func (q *qemuArchBase) appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device {
-	return genericAppendPCIeRootPort(devices, number, q.qemuMachine.Type)
+func (q *qemuArchBase) appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
+	return genericAppendPCIeRootPort(devices, number, q.qemuMachine.Type, memSize32bit, memSize64bit)
 }
 
 // appendPCIeSwitchPortDevice appends a PCIe Switch with <number> ports
-func (q *qemuArchBase) appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device {
-	return genericAppendPCIeSwitchPort(devices, number, q.qemuMachine.Type)
+func (q *qemuArchBase) appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
+	return genericAppendPCIeSwitchPort(devices, number, q.qemuMachine.Type, memSize32bit, memSize64bit)
+}
+
+// getBARsMaxAddressableMemory we need to know the BAR sizes to configure the
+// PCIe Root Port or PCIe Downstream Port attaching a device with huge BARs.
+func (q *qemuArchBase) getBARsMaxAddressableMemory() (uint64, uint64) {
+
+	pci := nvpci.New()
+	devs, _ := pci.GetAllDevices()
+
+	// Since we do not know which devices are going to be hotplugged,
+	// we're going to use the GPU with the biggest BARs to initialize the
+	// root port, this should work for all other devices as well.
+	// defaults are 2MB for both, if no suitable devices found
+	max32bit := uint64(2 * 1024 * 1024)
+	max64bit := uint64(2 * 1024 * 1024)
+
+	for _, dev := range devs {
+		if !dev.IsGPU() {
+			continue
+		}
+		memSize32bit, memSize64bit := dev.Resources.GetTotalAddressableMemory(true)
+		if max32bit < memSize32bit {
+			max32bit = memSize32bit
+		}
+		if max64bit < memSize64bit {
+			max64bit = memSize64bit
+		}
+	}
+	// The actual 32bit is most of the time a power of 2 but we need some
+	// buffer so double that to leave space for other IO functions.
+	// The 64bit size is not a power of 2 and hence is already rounded up
+	// to the higher value.
+	return max32bit * 2, max64bit
 }
 
 // appendIOMMU appends a virtual IOMMU device

src/runtime/virtcontainers/sandbox.go

@@ -189,11 +189,6 @@ type SandboxConfig struct {
 
 	// ForceGuestPull enforces guest pull independent of snapshotter annotations.
 	ForceGuestPull bool
-
-	// KubeletRootDir is the kubelet root directory (e.g. /var/lib/kubelet or
-	// /var/lib/k0s/kubelet for k0s). If empty, the runtime uses the default
-	// /var/lib/kubelet for matching ConfigMap/Secret volume paths.
-	KubeletRootDir string
 }
 
 // valid checks that the sandbox configuration is valid.

tools/packaging/kata-deploy/binary/src/artifacts/install.rs

@@ -71,7 +71,7 @@ fn get_hypervisor_name(shim: &str) -> Result<&str> {
     }
 }
 
-pub async fn install_artifacts(config: &Config, container_runtime: &str) -> Result<()> {
+pub async fn install_artifacts(config: &Config) -> Result<()> {
     info!("copying kata artifacts onto host");
 
     // Create the installation directory if it doesn't exist
@@ -99,12 +99,12 @@ pub async fn install_artifacts(config: &Config, container_runtime: &str) -> Resu
     set_executable_permissions(&config.host_install_dir)?;
 
     for shim in &config.shims_for_arch {
-        configure_shim_config(config, shim, container_runtime).await?;
+        configure_shim_config(config, shim).await?;
     }
 
     // Install custom runtime configuration files if enabled
     if config.custom_runtimes_enabled && !config.custom_runtimes.is_empty() {
-        install_custom_runtime_configs(config, container_runtime)?;
+        install_custom_runtime_configs(config)?;
     }
 
     if std::env::var("HOST_OS").unwrap_or_default() == "cbl-mariner" {
@@ -146,12 +146,7 @@ pub async fn remove_artifacts(config: &Config) -> Result<()> {
 
 /// Write the common drop-in configuration files for a shim.
 /// This is shared between standard runtimes and custom runtimes.
-fn write_common_drop_ins(
-    config: &Config,
-    shim: &str,
-    config_d_dir: &str,
-    container_runtime: &str,
-) -> Result<()> {
+fn write_common_drop_ins(config: &Config, shim: &str, config_d_dir: &str) -> Result<()> {
     info!("Generating drop-in configuration files for shim: {}", shim);
 
     // 1. Installation prefix adjustments (if not default)
@@ -168,15 +163,6 @@ fn write_common_drop_ins(
         write_drop_in_file(config_d_dir, "20-debug.toml", &debug_content)?;
     }
 
-    // 2b. k0s: set kubelet root dir so ConfigMap/Secret volume propagation works (non-Rust shims only)
-    if (container_runtime == "k0s-worker" || container_runtime == "k0s-controller")
-        && !utils::is_rust_shim(shim)
-    {
-        info!("  - k0s: setting kubelet_root_dir for ConfigMap/Secret propagation");
-        let k0s_content = generate_k0s_kubelet_root_drop_in();
-        write_drop_in_file(config_d_dir, "22-k0s-kubelet-root.toml", &k0s_content)?;
-    }
-
     // 3. Combined kernel_params (proxy, debug, etc.)
     // Reads base kernel_params from original config and combines with new params
     let kernel_params_content = generate_kernel_params_drop_in(config, shim)?;
@@ -190,8 +176,8 @@ fn write_common_drop_ins(
 
 /// Each custom runtime gets an isolated directory under custom-runtimes/{handler}/
 /// Custom runtimes inherit the same drop-in configurations as standard runtimes
-/// (installation prefix, debug, kernel_params, and for k0s on Go/remote runtime: kubelet root) plus any user-provided overrides.
-fn install_custom_runtime_configs(config: &Config, container_runtime: &str) -> Result<()> {
+/// (installation prefix, debug, kernel_params) plus any user-provided overrides.
+fn install_custom_runtime_configs(config: &Config) -> Result<()> {
     info!("Installing custom runtime configuration files");
 
     for runtime in &config.custom_runtimes {
@@ -239,7 +225,7 @@ fn install_custom_runtime_configs(config: &Config, container_runtime: &str) -> R
         }
 
         // Generate the common drop-in files (shared with standard runtimes)
-        write_common_drop_ins(config, &runtime.base_config, &config_d_dir, container_runtime)?;
+        write_common_drop_ins(config, &runtime.base_config, &config_d_dir)?;
 
         // Copy user-provided drop-in file if provided (at 50-overrides.toml)
         if let Some(ref drop_in_src) = runtime.drop_in_file {
@@ -504,7 +490,7 @@ fn remove_runtime_directory(config: &Config, shim: &str) -> Result<()> {
     Ok(())
 }
 
-async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &str) -> Result<()> {
+async fn configure_shim_config(config: &Config, shim: &str) -> Result<()> {
     // Set up the runtime directory structure with symlink to original config
     setup_runtime_directory(config, shim)?;
 
@@ -527,7 +513,7 @@ async fn configure_shim_config(config: &Config, shim: &str, container_runtime: &
     }
 
     // Generate common drop-in files (shared with custom runtimes)
-    write_common_drop_ins(config, shim, &config_d_dir, container_runtime)?;
+    write_common_drop_ins(config, shim, &config_d_dir)?;
 
     configure_hypervisor_annotations(config, shim, &kata_config_file).await?;
 
@@ -692,19 +678,6 @@ fn generate_installation_prefix_drop_in(config: &Config, shim: &str) -> Result<S
     Ok(content)
 }
 
-/// Generate drop-in content for k0s kubelet root directory.
-/// k0s uses /var/lib/k0s/kubelet instead of /var/lib/kubelet; setting this
-/// allows the runtime to match ConfigMap/Secret volume paths for propagation.
-fn generate_k0s_kubelet_root_drop_in() -> String {
-    r#"# k0s kubelet root directory
-# Generated by kata-deploy for k0s (ConfigMap/Secret volume propagation)
-
-[runtime]
-kubelet_root_dir = "/var/lib/k0s/kubelet"
-"#
-    .to_string()
-}
-
 /// Generate drop-in content for debug configuration.
 /// Enables debug settings for the hypervisor, runtime, and agent.
 /// Note: kernel_params for debug are handled separately in generate_kernel_params_drop_in

tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs

@@ -4,7 +4,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::config::Config;
-use crate::runtime::containerd;
 use crate::utils;
 use crate::utils::toml as toml_utils;
 use anyhow::Result;
@@ -89,12 +88,15 @@ pub async fn configure_snapshotter(
     // Get all paths and drop-in capability in one call
     let paths = config.get_containerd_paths(runtime).await?;
 
-    // Runtime plugin id (from paths or by reading config), then map to table where disable_snapshot_annotations lives.
-    let runtime_plugin_id = match &paths.plugin_id {
-        Some(id) => id.as_str(),
-        None => containerd::get_containerd_pluginid(&paths.config_file)?,
+    // Read containerd version from config_file to determine pluginid
+    let pluginid = if fs::read_to_string(&paths.config_file)
+        .unwrap_or_default()
+        .contains("version = 3")
+    {
+        "\"io.containerd.cri.v1.images\""
+    } else {
+        "\"io.containerd.grpc.v1.cri\".containerd"
     };
-    let pluginid = containerd::pluginid_for_snapshotter_annotations(runtime_plugin_id, &paths.config_file)?;
 
     let configuration_file: std::path::PathBuf = if paths.use_drop_in {
         // Only add /host prefix if path is not in /etc/containerd (which is mounted from host)

tools/packaging/kata-deploy/binary/src/main.rs

@@ -189,7 +189,7 @@ async fn install(config: &config::Config, runtime: &str) -> Result<()> {
 
     runtime::containerd::setup_containerd_config_files(runtime, config).await?;
 
-    artifacts::install_artifacts(config, runtime).await?;
+    artifacts::install_artifacts(config).await?;
 
     runtime::configure_cri_runtime(config, runtime).await?;
 

tools/packaging/kata-deploy/binary/src/runtime/containerd.rs

@@ -33,11 +33,8 @@ const CONTAINERD_V2_CRI_PLUGIN_ID: &str = "\"io.containerd.grpc.v1.cri\"";
 const CONTAINERD_LEGACY_CRI_PLUGIN_ID: &str = "cri";
 /// Plugin ID for CRI images in containerd config v3 (version = 3).
 const CONTAINERD_CRI_IMAGES_PLUGIN_ID: &str = "\"io.containerd.cri.v1.images\"";
-/// Plugin table for CRI containerd in v2 (disable_snapshot_annotations lives here).
-const CONTAINERD_CRI_CONTAINERD_TABLE_V2: &str = "\"io.containerd.grpc.v1.cri\".containerd";
 
-/// Reads config and returns the CRI plugin ID used for *runtime* config (runtimes, snapshotter-per-runtime).
-pub(crate) fn get_containerd_pluginid(config_file: &str) -> Result<&'static str> {
+fn get_containerd_pluginid(config_file: &str) -> Result<&'static str> {
     let content = fs::read_to_string(config_file)
         .with_context(|| format!("Failed to read containerd config file: {}", config_file))?;
 
@@ -55,24 +52,6 @@ fn is_containerd_v3_config(pluginid: &str) -> bool {
     pluginid == CONTAINERD_V3_RUNTIME_PLUGIN_ID
 }
 
-/// Maps the runtime plugin ID (from get_containerd_pluginid) to the plugin table where
-/// disable_snapshot_annotations lives. In v3 that's the *images* plugin; in v2 the CRI .containerd subtable.
-pub(crate) fn pluginid_for_snapshotter_annotations(
-    runtime_plugin_id: &str,
-    config_file: &str,
-) -> Result<&'static str> {
-    if runtime_plugin_id == CONTAINERD_V3_RUNTIME_PLUGIN_ID {
-        Ok(CONTAINERD_CRI_IMAGES_PLUGIN_ID)
-    } else if runtime_plugin_id == CONTAINERD_V2_CRI_PLUGIN_ID {
-        Ok(CONTAINERD_CRI_CONTAINERD_TABLE_V2)
-    } else {
-        anyhow::bail!(
-            "Containerd config {} has no \"version = 2\" or \"version = 3\"; cannot determine CRI plugin for snapshotter config",
-            config_file
-        )
-    }
-}
-
 fn get_containerd_output_path(paths: &ContainerdPaths) -> PathBuf {
     if paths.use_drop_in {
         if paths.drop_in_file.starts_with("/etc/containerd/") {
@@ -657,40 +636,6 @@ mod tests {
         }
     }
 
-    /// pluginid_for_snapshotter_annotations maps runtime plugin id to the table where disable_snapshot_annotations lives.
-    #[rstest]
-    #[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID, CONTAINERD_CRI_IMAGES_PLUGIN_ID, false)]
-    #[case(CONTAINERD_V2_CRI_PLUGIN_ID, CONTAINERD_CRI_CONTAINERD_TABLE_V2, false)]
-    #[case(CONTAINERD_LEGACY_CRI_PLUGIN_ID, "", true)]
-    fn test_pluginid_for_snapshotter_annotations(
-        #[case] runtime_plugin_id: &str,
-        #[case] expected_plugin_id: &str,
-        #[case] expect_err: bool,
-    ) {
-        let config_file = "/etc/containerd/config.toml";
-        let result = pluginid_for_snapshotter_annotations(runtime_plugin_id, config_file);
-        if expect_err {
-            let err = result.unwrap_err();
-            assert!(
-                err.to_string().contains(config_file),
-                "error should mention config file: {}",
-                err
-            );
-            assert!(
-                err.to_string().contains("version = 2") || err.to_string().contains("version = 3"),
-                "error should mention version: {}",
-                err
-            );
-        } else {
-            assert_eq!(
-                result.unwrap(),
-                expected_plugin_id,
-                "runtime_plugin_id={}",
-                runtime_plugin_id
-            );
-        }
-    }
-
     /// Written containerd config (e.g. drop-in) must not start with blank lines when written to an initially empty file.
     #[rstest]
     #[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID)]