docs: Use more accurate wording for /dev hostPath behavior

I got lazy when I first added this section in 5c21b1f, so updating the
language to specify that any non-regular host file (under /dev) qualifies,
not just devices.

This matches the actual code, see:

330bfff4be/src/runtime/virtcontainers/mount.go (L57-L83)

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>

.github/actionlint.yaml

@@ -28,9 +28,3 @@ self-hosted-runner:
     - s390x-large
     - tdx
     - ubuntu-24.04-arm
-
-paths:
-  .github/workflows/**/*.{yml,yaml}:
-    ignore:
-      # We use if: false to "temporarily" skip jobs with issues
-      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -15,8 +15,6 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -87,12 +85,8 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
-    cooldown:
-      default-days: 7

.github/workflows/actionlint.yaml

@@ -13,13 +13,18 @@ concurrency:
 jobs:
   run-actionlint:
     name: run-actionlint
+    env:
+      GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Install actionlint gh extension
+        run: gh extension install https://github.com/cschleiden/gh-actionlint
+
       - name: Run actionlint
-        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1
+        run:  gh actionlint

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/configure-pages@v5
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      - uses: actions/upload-pages-artifact@v4
         with:
           path: site
-      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+      - uses: actions/deploy-pages@v4
         id: deployment

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,6 +35,8 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
+    strategy:
+      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

Cargo.lock

@@ -3922,7 +3922,6 @@ dependencies = [
  "agent",
  "anyhow",
  "common",
- "containerd-shim-protos",
  "hyper",
  "hypervisor",
  "kata-sys-util",

docs/Limitations.md

@@ -187,9 +187,10 @@ different compared to `runc` containers:
 into the guest and exposes it directly to the container.
 
 **Mounting guest devices**: When the source path of a hostPath volume is
-under `/dev`, and the path either corresponds to a host device or is not
-accessible by the Kata shim, the Kata agent bind mounts the source path
-directly from the *guest* filesystem into the container.
+under `/dev` (or `/dev` itself), and the path corresponds to a
+non-regular file (i.e., a device, directory, or any other special file)
+or is not accessible by the Kata shim, the Kata agent bind mounts the
+source path directly from the *guest* filesystem into the container.
 
 [runtime-config]: /src/runtime/README.md#configuration
 [k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -11,7 +11,6 @@ lazy_static = { workspace = true }
 netns-rs = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
-containerd-shim-protos = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }

src/runtime-rs/crates/runtimes/common/src/message.rs

@@ -6,7 +6,7 @@
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskExit, TaskOOM, TaskStart};
+use containerd_shim_protos::events::task::{TaskExit, TaskOOM};
 use containerd_shim_protos::protobuf::Message as ProtobufMessage;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 
@@ -49,15 +49,9 @@ impl Message {
 
 const TASK_OOM_EVENT_TOPIC: &str = "/tasks/oom";
 const TASK_EXIT_EVENT_TOPIC: &str = "/tasks/exit";
-const TASK_START_EVENT_TOPIC: &str = "/tasks/start";
-const TASK_CREATE_EVENT_TOPIC: &str = "/tasks/create";
-const TASK_DELETE_EVENT_TOPIC: &str = "/tasks/delete";
 
 const TASK_OOM_EVENT_URL: &str = "containerd.events.TaskOOM";
 const TASK_EXIT_EVENT_URL: &str = "containerd.events.TaskExit";
-const TASK_START_EVENT_URL: &str = "containerd.events.TaskStart";
-const TASK_CREATE_EVENT_URL: &str = "containerd.events.TaskCreate";
-const TASK_DELETE_EVENT_URL: &str = "containerd.events.TaskDelete";
 
 pub trait Event: std::fmt::Debug + Send {
     fn r#type(&self) -> String;
@@ -92,45 +86,3 @@ impl Event for TaskExit {
         self.write_to_bytes().context("get exit value")
     }
 }
-
-impl Event for TaskStart {
-    fn r#type(&self) -> String {
-        TASK_START_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_START_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get start value")
-    }
-}
-
-impl Event for TaskCreate {
-    fn r#type(&self) -> String {
-        TASK_CREATE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_CREATE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get create value")
-    }
-}
-
-impl Event for TaskDelete {
-    fn r#type(&self) -> String {
-        TASK_DELETE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_DELETE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get delete value")
-    }
-}

src/runtime-rs/crates/runtimes/src/manager.rs

@@ -6,16 +6,14 @@
 
 use anyhow::{anyhow, Context, Result};
 use common::{
-    message::{Action, Message},
+    message::Message,
     types::{
-        ContainerProcess, PlatformInfo, ProcessType, SandboxConfig, SandboxRequest,
-        SandboxResponse, SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse,
-        DEFAULT_SHM_SIZE,
+        ContainerProcess, PlatformInfo, SandboxConfig, SandboxRequest, SandboxResponse,
+        SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse, DEFAULT_SHM_SIZE,
     },
     RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };
 
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskStart};
 use hypervisor::{
     utils::{create_dir_all_with_inherit_owner, create_vmm_user, remove_vmm_user},
     Param,
@@ -35,13 +33,13 @@ use netns_rs::{Env, NetNs};
 use nix::{sys::statfs, unistd::User};
 use oci_spec::runtime as oci;
 use persist::sandbox_persist::Persist;
-use protobuf::Message as ProtobufMessage;
 use resource::{
     cpu_mem::initial_size::InitialSizeManager,
     network::{dan_config_path, generate_netns_name},
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
+use protobuf::Message as ProtobufMessage;
 use std::{
     collections::HashMap,
     env,
@@ -482,7 +480,6 @@ impl RuntimeHandlerManager {
                 .await
                 .context("start sandbox in task handler")?;
 
-            let bundle = container_config.bundle.clone();
             let container_id = container_config.container_id.clone();
             let shim_pid = instance
                 .container_manager
@@ -504,19 +501,6 @@ impl RuntimeHandlerManager {
                 }
             });
 
-            let msg_sender = self.inner.read().await.msg_sender.clone();
-            let event = TaskCreate {
-                container_id,
-                bundle,
-                pid,
-                ..Default::default()
-            };
-            let msg = Message::new(Action::Event(Arc::new(event)));
-            msg_sender
-                .send(msg)
-                .await
-                .context("send task create event")?;
-
             Ok(TaskResponse::CreateContainer(shim_pid))
         } else {
             self.handler_task_request(req)
@@ -586,7 +570,6 @@ impl RuntimeHandlerManager {
             .context("get runtime instance")?;
         let sandbox = instance.sandbox.clone();
         let cm = instance.container_manager.clone();
-        let msg_sender = self.inner.read().await.msg_sender.clone();
 
         match req {
             TaskRequest::CreateContainer(req) => Err(anyhow!("Unreachable TaskRequest {:?}", req)),
@@ -596,20 +579,6 @@ impl RuntimeHandlerManager {
             }
             TaskRequest::DeleteProcess(process_id) => {
                 let resp = cm.delete_process(&process_id).await.context("do delete")?;
-                if process_id.process_type == ProcessType::Container {
-                    let event = TaskDelete {
-                        id: process_id.container_id().to_string(),
-                        pid: resp.pid.pid,
-                        exit_status: resp.exit_status as u32,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task delete event")?;
-                }
-
                 Ok(TaskResponse::DeleteProcess(resp))
             }
             TaskRequest::ExecProcess(req) => {
@@ -645,28 +614,12 @@ impl RuntimeHandlerManager {
                     .context("start process")?;
 
                 let pid = shim_pid.pid;
-                let process_type = process_id.process_type;
-                let container_id = process_id.container_id().to_string();
                 tokio::spawn(async move {
                     let result = sandbox.wait_process(cm, process_id, pid).await;
                     if let Err(e) = result {
                         error!(sl!(), "sandbox wait process error: {:?}", e);
                     }
                 });
-
-                if process_type == ProcessType::Container {
-                    let event = TaskStart {
-                        container_id,
-                        pid,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task start event")?;
-                }
-
                 Ok(TaskResponse::StartProcess(shim_pid))
             }
 

src/runtime/Makefile

@@ -147,14 +147,10 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=
 
-FIRMWAREPATH_NV = $(FIRMWAREPATH)
-
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
-FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
 FIRMWARETDVFVOLUMEPATH :=
 
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
-FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)
 
 KERNELVERITYPARAMS ?= ""
 KERNELVERITYPARAMS_NV ?= ""
@@ -276,7 +272,6 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
-DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -472,8 +467,8 @@ ifneq (,$(QEMUCMD))
     KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
 
     # NVIDIA GPU specific options (all should be suffixed by _NV)
-    KERNELTYPE_NV = compressed
-    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
+    # Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
+    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE))
     KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
     KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
     KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
@@ -489,9 +484,6 @@ ifneq (,$(QEMUCMD))
     # using an image and /dev is already mounted.
     KERNELPARAMS_NV = "cgroup_no_v1=all"
     KERNELPARAMS_NV += "devtmpfs.mount=0"
-    KERNELPARAMS_NV += "pci=realloc"
-    KERNELPARAMS_NV += "pci=nocrs"
-    KERNELPARAMS_NV += "pci=assign-busses"
 
     # Setting this to false can lead to cgroup leakages in the host
     # Best practice for production is to set this to true
@@ -688,13 +680,10 @@ USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELPATH_STRATOVIRT
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
-USER_VARS += FIRMWAREPATH_NV
 USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
-USER_VARS += FIRMWARETDVFPATH_NV
-USER_VARS += FIRMWARESNPPATH_NV
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
@@ -775,7 +764,6 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
-USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH

src/runtime/arch/s390x-options.mk

@@ -18,6 +18,3 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
-
-# Enable virtio-mem for s390x
-DEFENABLEVIRTIOMEM = true

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -99,7 +99,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARESNPPATH_NV@"
+firmware = "@FIRMWARESNPPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -76,7 +76,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH_NV@"
+firmware = "@FIRMWARETDVFPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -58,7 +58,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH_NV@"
+firmware = "@FIRMWAREPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables

src/runtime/config/configuration-qemu.toml.in

@@ -142,7 +142,7 @@ memory_offset = 0
 # Please note that this option should be used with the command
 # "echo 1 > /proc/sys/vm/overcommit_memory".
 # Default false
-enable_virtio_mem = @DEFENABLEVIRTIOMEM@
+enable_virtio_mem = false
 
 # Disable hotplugging host block devices to guest VMs for container rootfs.
 # In case of a storage driver like devicemapper where a container's

src/runtime/go.mod

@@ -52,6 +52,7 @@ require (
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
+	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
 	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.0.0
 	go.opentelemetry.io/otel/sdk v1.35.0

src/runtime/go.sum

@@ -309,6 +309,8 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965 h1:EXE1ZsUqiUWGV5Dw2oTYpXx24ffxj0//yhTB0Ppv+4s=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965/go.mod h1:TBB3sR7/jg4RCThC/cgT4fB8mAbbMO307TycfgeR59w=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
       - name: golangci-lint

src/runtime/pkg/govmm/qemu/qmp.go

@@ -1446,18 +1446,11 @@ func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, si
 		"memdev": id,
 	}
 
-	var transport VirtioTransport
-	if transport.isVirtioCCW(nil) {
-		if addr != "" {
-			args["devno"] = addr
-		}
-	} else {
-		if bus != "" {
-			args["bus"] = bus
-		}
-		if addr != "" {
-			args["addr"] = addr
-		}
+	if bus != "" {
+		args["bus"] = bus
+	}
+	if addr != "" {
+		args["addr"] = addr
 	}
 
 	err = q.executeCommand(ctx, "device_add", args, nil)

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/bytes.go

@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"encoding/binary"
+	"unsafe"
+)
+
+// Raw returns just the bytes without any assumptions about layout
+type Raw interface {
+	Raw() *[]byte
+}
+
+// Reader used to read various data sizes in the byte array
+type Reader interface {
+	Read8(pos int) uint8
+	Read16(pos int) uint16
+	Read32(pos int) uint32
+	Read64(pos int) uint64
+	Len() int
+}
+
+// Writer used to write various sizes of data in the byte array
+type Writer interface {
+	Write8(pos int, value uint8)
+	Write16(pos int, value uint16)
+	Write32(pos int, value uint32)
+	Write64(pos int, value uint64)
+	Len() int
+}
+
+// Bytes object for manipulating arbitrary byte arrays
+type Bytes interface {
+	Raw
+	Reader
+	Writer
+	Slice(offset int, size int) Bytes
+	LittleEndian() Bytes
+	BigEndian() Bytes
+}
+
+var nativeByteOrder binary.ByteOrder
+
+func init() {
+	buf := [2]byte{}
+	*(*uint16)(unsafe.Pointer(&buf[0])) = uint16(0x00FF)
+
+	switch buf {
+	case [2]byte{0xFF, 0x00}:
+		nativeByteOrder = binary.LittleEndian
+	case [2]byte{0x00, 0xFF}:
+		nativeByteOrder = binary.BigEndian
+	default:
+		panic("Unable to infer byte order")
+	}
+}
+
+// New raw bytearray
+func New(data *[]byte) Bytes {
+	return (*native)(data)
+}
+
+// NewLittleEndian little endian ordering of bytes
+func NewLittleEndian(data *[]byte) Bytes {
+	if nativeByteOrder == binary.LittleEndian {
+		return (*native)(data)
+	}
+
+	return (*swapbo)(data)
+}
+
+// NewBigEndian big endian ordering of bytes
+func NewBigEndian(data *[]byte) Bytes {
+	if nativeByteOrder == binary.BigEndian {
+		return (*native)(data)
+	}
+
+	return (*swapbo)(data)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/native.go

@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"unsafe"
+)
+
+type native []byte
+
+var _ Bytes = (*native)(nil)
+
+func (b *native) Read8(pos int) uint8 {
+	return (*b)[pos]
+}
+
+func (b *native) Read16(pos int) uint16 {
+	return *(*uint16)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Read32(pos int) uint32 {
+	return *(*uint32)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Read64(pos int) uint64 {
+	return *(*uint64)(unsafe.Pointer(&((*b)[pos])))
+}
+
+func (b *native) Write8(pos int, value uint8) {
+	(*b)[pos] = value
+}
+
+func (b *native) Write16(pos int, value uint16) {
+	*(*uint16)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Write32(pos int, value uint32) {
+	*(*uint32)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Write64(pos int, value uint64) {
+	*(*uint64)(unsafe.Pointer(&((*b)[pos]))) = value
+}
+
+func (b *native) Slice(offset int, size int) Bytes {
+	nb := (*b)[offset : offset+size]
+	return &nb
+}
+
+func (b *native) LittleEndian() Bytes {
+	return NewLittleEndian((*[]byte)(b))
+}
+
+func (b *native) BigEndian() Bytes {
+	return NewBigEndian((*[]byte)(b))
+}
+
+func (b *native) Raw() *[]byte {
+	return (*[]byte)(b)
+}
+
+func (b *native) Len() int {
+	return len(*b)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes/swapbo.go

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package bytes
+
+import (
+	"unsafe"
+)
+
+type swapbo []byte
+
+var _ Bytes = (*swapbo)(nil)
+
+func (b *swapbo) Read8(pos int) uint8 {
+	return (*b)[pos]
+}
+
+func (b *swapbo) Read16(pos int) uint16 {
+	buf := [2]byte{}
+	buf[0] = (*b)[pos+1]
+	buf[1] = (*b)[pos+0]
+	return *(*uint16)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Read32(pos int) uint32 {
+	buf := [4]byte{}
+	buf[0] = (*b)[pos+3]
+	buf[1] = (*b)[pos+2]
+	buf[2] = (*b)[pos+1]
+	buf[3] = (*b)[pos+0]
+	return *(*uint32)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Read64(pos int) uint64 {
+	buf := [8]byte{}
+	buf[0] = (*b)[pos+7]
+	buf[1] = (*b)[pos+6]
+	buf[2] = (*b)[pos+5]
+	buf[3] = (*b)[pos+4]
+	buf[4] = (*b)[pos+3]
+	buf[5] = (*b)[pos+2]
+	buf[6] = (*b)[pos+1]
+	buf[7] = (*b)[pos+0]
+	return *(*uint64)(unsafe.Pointer(&buf[0]))
+}
+
+func (b *swapbo) Write8(pos int, value uint8) {
+	(*b)[pos] = value
+}
+
+func (b *swapbo) Write16(pos int, value uint16) {
+	buf := [2]byte{}
+	*(*uint16)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[1]
+	(*b)[pos+1] = buf[0]
+}
+
+func (b *swapbo) Write32(pos int, value uint32) {
+	buf := [4]byte{}
+	*(*uint32)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[3]
+	(*b)[pos+1] = buf[2]
+	(*b)[pos+2] = buf[1]
+	(*b)[pos+3] = buf[0]
+}
+
+func (b *swapbo) Write64(pos int, value uint64) {
+	buf := [8]byte{}
+	*(*uint64)(unsafe.Pointer(&buf[0])) = value
+	(*b)[pos+0] = buf[7]
+	(*b)[pos+1] = buf[6]
+	(*b)[pos+2] = buf[5]
+	(*b)[pos+3] = buf[4]
+	(*b)[pos+4] = buf[3]
+	(*b)[pos+5] = buf[2]
+	(*b)[pos+6] = buf[1]
+	(*b)[pos+7] = buf[0]
+}
+
+func (b *swapbo) Slice(offset int, size int) Bytes {
+	nb := (*b)[offset : offset+size]
+	return &nb
+}
+
+func (b *swapbo) LittleEndian() Bytes {
+	return NewLittleEndian((*[]byte)(b))
+}
+
+func (b *swapbo) BigEndian() Bytes {
+	return NewBigEndian((*[]byte)(b))
+}
+
+func (b *swapbo) Raw() *[]byte {
+	return (*[]byte)(b)
+}
+
+func (b *swapbo) Len() int {
+	return len(*b)
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/config.go

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+const (
+	// PCICfgSpaceStandardSize represents the size in bytes of the standard config space
+	PCICfgSpaceStandardSize = 256
+	// PCICfgSpaceExtendedSize represents the size in bytes of the extended config space
+	PCICfgSpaceExtendedSize = 4096
+	// PCICapabilityListPointer represents offset for the capability list pointer
+	PCICapabilityListPointer = 0x34
+	// PCIStatusCapabilityList represents the status register bit which indicates capability list support
+	PCIStatusCapabilityList = 0x10
+	// PCIStatusBytePosition represents the position of the status register
+	PCIStatusBytePosition = 0x06
+)
+
+// ConfigSpace PCI configuration space (standard extended) file path
+type ConfigSpace struct {
+	Path string
+}
+
+// ConfigSpaceIO Interface for reading and writing raw and preconfigured values
+type ConfigSpaceIO interface {
+	bytes.Bytes
+	GetVendorID() uint16
+	GetDeviceID() uint16
+	GetPCICapabilities() (*PCICapabilities, error)
+}
+
+type configSpaceIO struct {
+	bytes.Bytes
+}
+
+// PCIStandardCapability standard PCI config space
+type PCIStandardCapability struct {
+	bytes.Bytes
+}
+
+// PCIExtendedCapability extended PCI config space
+type PCIExtendedCapability struct {
+	bytes.Bytes
+	Version uint8
+}
+
+// PCICapabilities combines the standard and extended config space
+type PCICapabilities struct {
+	Standard map[uint8]*PCIStandardCapability
+	Extended map[uint16]*PCIExtendedCapability
+}
+
+func (cs *ConfigSpace) Read() (ConfigSpaceIO, error) {
+	config, err := ioutil.ReadFile(cs.Path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %v", err)
+	}
+	return &configSpaceIO{bytes.New(&config)}, nil
+}
+
+func (cs *configSpaceIO) GetVendorID() uint16 {
+	return cs.Read16(0)
+}
+
+func (cs *configSpaceIO) GetDeviceID() uint16 {
+	return cs.Read16(2)
+}
+
+func (cs *configSpaceIO) GetPCICapabilities() (*PCICapabilities, error) {
+	caps := &PCICapabilities{
+		make(map[uint8]*PCIStandardCapability),
+		make(map[uint16]*PCIExtendedCapability),
+	}
+
+	support := cs.Read8(PCIStatusBytePosition) & PCIStatusCapabilityList
+	if support == 0 {
+		return nil, fmt.Errorf("pci device does not support capability list")
+	}
+
+	soffset := cs.Read8(PCICapabilityListPointer)
+	if int(soffset) >= cs.Len() {
+		return nil, fmt.Errorf("capability list pointer out of bounds")
+	}
+
+	for soffset != 0 {
+		if soffset == 0xff {
+			return nil, fmt.Errorf("config space broken")
+		}
+		if int(soffset) >= PCICfgSpaceStandardSize {
+			return nil, fmt.Errorf("standard capability list pointer out of bounds")
+		}
+		data := cs.Read32(int(soffset))
+		id := uint8(data & 0xff)
+		caps.Standard[id] = &PCIStandardCapability{
+			cs.Slice(int(soffset), cs.Len()-int(soffset)),
+		}
+		soffset = uint8((data >> 8) & 0xff)
+	}
+
+	if cs.Len() <= PCICfgSpaceStandardSize {
+		return caps, nil
+	}
+
+	eoffset := uint16(PCICfgSpaceStandardSize)
+	for eoffset != 0 {
+		if eoffset == 0xffff {
+			return nil, fmt.Errorf("config space broken")
+		}
+		if int(eoffset) >= PCICfgSpaceExtendedSize {
+			return nil, fmt.Errorf("extended capability list pointer out of bounds")
+		}
+		data := cs.Read32(int(eoffset))
+		id := uint16(data & 0xffff)
+		version := uint8((data >> 16) & 0xf)
+		caps.Extended[id] = &PCIExtendedCapability{
+			cs.Slice(int(eoffset), cs.Len()-int(eoffset)),
+			version,
+		}
+		eoffset = uint16((data >> 4) & 0xffc)
+	}
+
+	return caps, nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio/mmio.go

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package mmio
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+	"unsafe"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+// Mmio memory map a region
+type Mmio interface {
+	bytes.Raw
+	bytes.Reader
+	bytes.Writer
+	Sync() error
+	Close() error
+	Slice(offset int, size int) Mmio
+	LittleEndian() Mmio
+	BigEndian() Mmio
+}
+
+type mmio struct {
+	bytes.Bytes
+}
+
+func open(path string, offset int, size int, flags int) (Mmio, error) {
+	var mmapFlags int
+	switch flags {
+	case os.O_RDONLY:
+		mmapFlags = syscall.PROT_READ
+	case os.O_RDWR:
+		mmapFlags = syscall.PROT_READ | syscall.PROT_WRITE
+	default:
+		return nil, fmt.Errorf("invalid flags: %v", flags)
+	}
+
+	file, err := os.OpenFile(path, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %v", err)
+	}
+	defer file.Close()
+
+	fi, err := file.Stat()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get file info: %v", err)
+	}
+
+	if size > int(fi.Size()) {
+		return nil, fmt.Errorf("requested size larger than file size")
+	}
+
+	if size < 0 {
+		size = int(fi.Size())
+	}
+
+	mmap, err := syscall.Mmap(
+		int(file.Fd()),
+		int64(offset),
+		size,
+		mmapFlags,
+		syscall.MAP_SHARED)
+	if err != nil {
+		return nil, fmt.Errorf("failed to mmap file: %v", err)
+	}
+
+	return &mmio{bytes.New(&mmap)}, nil
+}
+
+// OpenRO open region readonly
+func OpenRO(path string, offset int, size int) (Mmio, error) {
+	return open(path, offset, size, os.O_RDONLY)
+}
+
+// OpenRW open region read write
+func OpenRW(path string, offset int, size int) (Mmio, error) {
+	return open(path, offset, size, os.O_RDWR)
+}
+
+func (m *mmio) Slice(offset int, size int) Mmio {
+	return &mmio{m.Bytes.Slice(offset, size)}
+}
+
+func (m *mmio) LittleEndian() Mmio {
+	return &mmio{m.Bytes.LittleEndian()}
+}
+
+func (m *mmio) BigEndian() Mmio {
+	return &mmio{m.Bytes.BigEndian()}
+}
+
+func (m *mmio) Close() error {
+	err := syscall.Munmap(*m.Bytes.Raw())
+	if err != nil {
+		return fmt.Errorf("failed to munmap file: %v", err)
+	}
+	return nil
+}
+
+func (m *mmio) Sync() error {
+	_, _, errno := syscall.Syscall(
+		syscall.SYS_MSYNC,
+		uintptr(unsafe.Pointer(&(*m.Bytes.Raw())[0])),
+		uintptr(m.Len()),
+		uintptr(syscall.MS_SYNC|syscall.MS_INVALIDATE))
+	if errno != 0 {
+		return fmt.Errorf("failed to msync file: %v", errno)
+	}
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio/mock.go

@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package mmio
+
+import (
+	"fmt"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+type mockMmio struct {
+	mmio
+	source *[]byte
+	offset int
+	rw     bool
+}
+
+func mockOpen(source *[]byte, offset int, size int, rw bool) (Mmio, error) {
+	if size < 0 {
+		size = len(*source) - offset
+	}
+	if (offset + size) > len(*source) {
+		return nil, fmt.Errorf("offset+size out of range")
+	}
+
+	data := append([]byte{}, (*source)[offset:offset+size]...)
+
+	m := &mockMmio{}
+	m.Bytes = bytes.New(&data).LittleEndian()
+	m.source = source
+	m.offset = offset
+	m.rw = rw
+
+	return m, nil
+}
+
+// MockOpenRO open read only
+func MockOpenRO(source *[]byte, offset int, size int) (Mmio, error) {
+	return mockOpen(source, offset, size, false)
+}
+
+// MockOpenRW open read write
+func MockOpenRW(source *[]byte, offset int, size int) (Mmio, error) {
+	return mockOpen(source, offset, size, true)
+}
+
+func (m *mockMmio) Close() error {
+	m = &mockMmio{}
+	return nil
+}
+
+func (m *mockMmio) Sync() error {
+	if !m.rw {
+		return fmt.Errorf("opened read-only")
+	}
+	for i := range *m.Bytes.Raw() {
+		(*m.source)[m.offset+i] = (*m.Bytes.Raw())[i]
+	}
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mock.go

@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes"
+)
+
+// MockNvpci mock pci device
+type MockNvpci struct {
+	*nvpci
+}
+
+var _ Interface = (*MockNvpci)(nil)
+
+// NewMockNvpci create new mock PCI and remove old devices
+func NewMockNvpci() (mock *MockNvpci, rerr error) {
+	rootDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if rerr != nil {
+			os.RemoveAll(rootDir)
+		}
+	}()
+
+	mock = &MockNvpci{
+		NewFrom(rootDir).(*nvpci),
+	}
+
+	return mock, nil
+}
+
+// Cleanup remove the mocked PCI devices root folder
+func (m *MockNvpci) Cleanup() {
+	os.RemoveAll(m.pciDevicesRoot)
+}
+
+// AddMockA100 Create an A100 like GPU mock device
+func (m *MockNvpci) AddMockA100(address string, numaNode int) error {
+	deviceDir := filepath.Join(m.pciDevicesRoot, address)
+	err := os.MkdirAll(deviceDir, 0755)
+	if err != nil {
+		return err
+	}
+
+	vendor, err := os.Create(filepath.Join(deviceDir, "vendor"))
+	if err != nil {
+		return err
+	}
+	_, err = vendor.WriteString(fmt.Sprintf("0x%x", PCINvidiaVendorID))
+	if err != nil {
+		return err
+	}
+
+	class, err := os.Create(filepath.Join(deviceDir, "class"))
+	if err != nil {
+		return err
+	}
+	_, err = class.WriteString(fmt.Sprintf("0x%x", PCI3dControllerClass))
+	if err != nil {
+		return err
+	}
+
+	device, err := os.Create(filepath.Join(deviceDir, "device"))
+	if err != nil {
+		return err
+	}
+	_, err = device.WriteString("0x20bf")
+	if err != nil {
+		return err
+	}
+
+	numa, err := os.Create(filepath.Join(deviceDir, "numa_node"))
+	if err != nil {
+		return err
+	}
+	_, err = numa.WriteString(fmt.Sprintf("%v", numaNode))
+	if err != nil {
+		return err
+	}
+
+	config, err := os.Create(filepath.Join(deviceDir, "config"))
+	if err != nil {
+		return err
+	}
+	_data := make([]byte, PCICfgSpaceStandardSize)
+	data := bytes.New(&_data)
+	data.Write16(0, PCINvidiaVendorID)
+	data.Write16(2, uint16(0x20bf))
+	data.Write8(PCIStatusBytePosition, PCIStatusCapabilityList)
+	_, err = config.Write(*data.Raw())
+	if err != nil {
+		return err
+	}
+
+	bar0 := []uint64{0x00000000c2000000, 0x00000000c2ffffff, 0x0000000000040200}
+	resource, err := os.Create(filepath.Join(deviceDir, "resource"))
+	if err != nil {
+		return err
+	}
+	_, err = resource.WriteString(fmt.Sprintf("0x%x 0x%x 0x%x", bar0[0], bar0[1], bar0[2]))
+	if err != nil {
+		return err
+	}
+
+	pmcID := uint32(0x170000a1)
+	resource0, err := os.Create(filepath.Join(deviceDir, "resource0"))
+	if err != nil {
+		return err
+	}
+	_data = make([]byte, bar0[1]-bar0[0]+1)
+	data = bytes.New(&_data).LittleEndian()
+	data.Write32(0, pmcID)
+	_, err = resource0.Write(*data.Raw())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/nvpci.go

@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+const (
+	// PCIDevicesRoot represents base path for all pci devices under sysfs
+	PCIDevicesRoot = "/sys/bus/pci/devices"
+	// PCINvidiaVendorID represents PCI vendor id for NVIDIA
+	PCINvidiaVendorID uint16 = 0x10de
+	// PCIVgaControllerClass represents the PCI class for VGA Controllers
+	PCIVgaControllerClass uint32 = 0x030000
+	// PCI3dControllerClass represents the PCI class for 3D Graphics accellerators
+	PCI3dControllerClass uint32 = 0x030200
+	// PCINvSwitchClass represents the PCI class for NVSwitches
+	PCINvSwitchClass uint32 = 0x068000
+)
+
+// Interface allows us to get a list of all NVIDIA PCI devices
+type Interface interface {
+	GetAllDevices() ([]*NvidiaPCIDevice, error)
+	Get3DControllers() ([]*NvidiaPCIDevice, error)
+	GetVGAControllers() ([]*NvidiaPCIDevice, error)
+	GetNVSwitches() ([]*NvidiaPCIDevice, error)
+	GetGPUs() ([]*NvidiaPCIDevice, error)
+}
+
+// MemoryResources a more human readable handle
+type MemoryResources map[int]*MemoryResource
+
+// ResourceInterface exposes some higher level functions of resources
+type ResourceInterface interface {
+	GetTotalAddressableMemory(bool) (uint64, uint64)
+}
+
+type nvpci struct {
+	pciDevicesRoot string
+}
+
+var _ Interface = (*nvpci)(nil)
+var _ ResourceInterface = (*MemoryResources)(nil)
+
+// NvidiaPCIDevice represents a PCI device for an NVIDIA product
+type NvidiaPCIDevice struct {
+	Path      string
+	Address   string
+	Vendor    uint16
+	Class     uint32
+	Device    uint16
+	NumaNode  int
+	Config    *ConfigSpace
+	Resources MemoryResources
+}
+
+// IsVGAController if class == 0x300
+func (d *NvidiaPCIDevice) IsVGAController() bool {
+	return d.Class == PCIVgaControllerClass
+}
+
+// Is3DController if class == 0x302
+func (d *NvidiaPCIDevice) Is3DController() bool {
+	return d.Class == PCI3dControllerClass
+}
+
+// IsNVSwitch if classe == 0x068
+func (d *NvidiaPCIDevice) IsNVSwitch() bool {
+	return d.Class == PCINvSwitchClass
+}
+
+// IsGPU either VGA for older cards or 3D for newer
+func (d *NvidiaPCIDevice) IsGPU() bool {
+	return d.IsVGAController() || d.Is3DController()
+}
+
+// IsResetAvailable some devices can be reset without rebooting,
+// check if applicable
+func (d *NvidiaPCIDevice) IsResetAvailable() bool {
+	_, err := os.Stat(path.Join(d.Path, "reset"))
+	return err == nil
+}
+
+// Reset perform a reset to apply a new configuration at HW level
+func (d *NvidiaPCIDevice) Reset() error {
+	err := ioutil.WriteFile(path.Join(d.Path, "reset"), []byte("1"), 0)
+	if err != nil {
+		return fmt.Errorf("unable to write to reset file: %v", err)
+	}
+	return nil
+}
+
+// New interface that allows us to get a list of all NVIDIA PCI devices
+func New() Interface {
+	return &nvpci{PCIDevicesRoot}
+}
+
+// NewFrom interface allows us to get a list of all NVIDIA PCI devices at a specific root directory
+func NewFrom(root string) Interface {
+	return &nvpci{root}
+}
+
+// GetAllDevices returns all Nvidia PCI devices on the system
+func (p *nvpci) GetAllDevices() ([]*NvidiaPCIDevice, error) {
+	deviceDirs, err := ioutil.ReadDir(p.pciDevicesRoot)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI bus devices: %v", err)
+	}
+
+	var nvdevices []*NvidiaPCIDevice
+	for _, deviceDir := range deviceDirs {
+		devicePath := path.Join(p.pciDevicesRoot, deviceDir.Name())
+		nvdevice, err := NewDevice(devicePath)
+		if err != nil {
+			return nil, fmt.Errorf("error constructing NVIDIA PCI device %s: %v", deviceDir.Name(), err)
+		}
+		if nvdevice == nil {
+			continue
+		}
+		nvdevices = append(nvdevices, nvdevice)
+	}
+
+	addressToID := func(address string) uint64 {
+		address = strings.ReplaceAll(address, ":", "")
+		address = strings.ReplaceAll(address, ".", "")
+		id, _ := strconv.ParseUint(address, 16, 64)
+		return id
+	}
+
+	sort.Slice(nvdevices, func(i, j int) bool {
+		return addressToID(nvdevices[i].Address) < addressToID(nvdevices[j].Address)
+	})
+
+	return nvdevices, nil
+}
+
+// NewDevice constructs an NvidiaPCIDevice
+func NewDevice(devicePath string) (*NvidiaPCIDevice, error) {
+	address := path.Base(devicePath)
+
+	vendor, err := ioutil.ReadFile(path.Join(devicePath, "vendor"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device vendor id for %s: %v", address, err)
+	}
+	vendorStr := strings.TrimSpace(string(vendor))
+	vendorID, err := strconv.ParseUint(vendorStr, 0, 16)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert vendor string to uint16: %v", vendorStr)
+	}
+
+	if uint16(vendorID) != PCINvidiaVendorID {
+		return nil, nil
+	}
+
+	class, err := ioutil.ReadFile(path.Join(devicePath, "class"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device class for %s: %v", address, err)
+	}
+	classStr := strings.TrimSpace(string(class))
+	classID, err := strconv.ParseUint(classStr, 0, 32)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert class string to uint32: %v", classStr)
+	}
+
+	device, err := ioutil.ReadFile(path.Join(devicePath, "device"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI device id for %s: %v", address, err)
+	}
+	deviceStr := strings.TrimSpace(string(device))
+	deviceID, err := strconv.ParseUint(deviceStr, 0, 16)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert device string to uint16: %v", deviceStr)
+	}
+
+	numa, err := ioutil.ReadFile(path.Join(devicePath, "numa_node"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI NUMA node for %s: %v", address, err)
+	}
+	numaStr := strings.TrimSpace(string(numa))
+	numaNode, err := strconv.ParseInt(numaStr, 0, 64)
+	if err != nil {
+		return nil, fmt.Errorf("unable to convert NUMA node string to int64: %v", numaNode)
+	}
+
+	config := &ConfigSpace{
+		Path: path.Join(devicePath, "config"),
+	}
+
+	resource, err := ioutil.ReadFile(path.Join(devicePath, "resource"))
+	if err != nil {
+		return nil, fmt.Errorf("unable to read PCI resource file for %s: %v", address, err)
+	}
+
+	resources := make(map[int]*MemoryResource)
+	for i, line := range strings.Split(strings.TrimSpace(string(resource)), "\n") {
+		values := strings.Split(line, " ")
+		if len(values) != 3 {
+			return nil, fmt.Errorf("more than 3 entries in line '%d' of resource file", i)
+		}
+
+		start, _ := strconv.ParseUint(values[0], 0, 64)
+		end, _ := strconv.ParseUint(values[1], 0, 64)
+		flags, _ := strconv.ParseUint(values[2], 0, 64)
+
+		if (end - start) != 0 {
+			resources[i] = &MemoryResource{
+				uintptr(start),
+				uintptr(end),
+				flags,
+				fmt.Sprintf("%s/resource%d", devicePath, i),
+			}
+		}
+	}
+
+	nvdevice := &NvidiaPCIDevice{
+		Path:      devicePath,
+		Address:   address,
+		Vendor:    uint16(vendorID),
+		Class:     uint32(classID),
+		Device:    uint16(deviceID),
+		NumaNode:  int(numaNode),
+		Config:    config,
+		Resources: resources,
+	}
+
+	return nvdevice, nil
+}
+
+// Get3DControllers returns all NVIDIA 3D Controller PCI devices on the system
+func (p *nvpci) Get3DControllers() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.Is3DController() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetVGAControllers returns all NVIDIA VGA Controller PCI devices on the system
+func (p *nvpci) GetVGAControllers() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsVGAController() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetNVSwitches returns all NVIDIA NVSwitch PCI devices on the system
+func (p *nvpci) GetNVSwitches() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsNVSwitch() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
+
+// GetGPUs returns all NVIDIA GPU devices on the system
+func (p *nvpci) GetGPUs() ([]*NvidiaPCIDevice, error) {
+	devices, err := p.GetAllDevices()
+	if err != nil {
+		return nil, fmt.Errorf("error getting all NVIDIA devices: %v", err)
+	}
+
+	var filtered []*NvidiaPCIDevice
+	for _, d := range devices {
+		if d.IsGPU() {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}

src/runtime/vendor/gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/resources.go

@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package nvpci
+
+import (
+	"fmt"
+	"sort"
+
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio"
+)
+
+const (
+	pmcEndianRegister = 0x4
+	pmcLittleEndian   = 0x0
+	pmcBigEndian      = 0x01000001
+)
+
+// MemoryResource represents a mmio region
+type MemoryResource struct {
+	Start uintptr
+	End   uintptr
+	Flags uint64
+	Path  string
+}
+
+// OpenRW read write mmio region
+func (mr *MemoryResource) OpenRW() (mmio.Mmio, error) {
+	rw, err := mmio.OpenRW(mr.Path, 0, int(mr.End-mr.Start+1))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file for mmio: %v", err)
+	}
+	switch rw.Read32(pmcEndianRegister) {
+	case pmcBigEndian:
+		return rw.BigEndian(), nil
+	case pmcLittleEndian:
+		return rw.LittleEndian(), nil
+	}
+	return nil, fmt.Errorf("unknown endianness for mmio: %v", err)
+}
+
+// OpenRO read only mmio region
+func (mr *MemoryResource) OpenRO() (mmio.Mmio, error) {
+	ro, err := mmio.OpenRO(mr.Path, 0, int(mr.End-mr.Start+1))
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file for mmio: %v", err)
+	}
+	switch ro.Read32(pmcEndianRegister) {
+	case pmcBigEndian:
+		return ro.BigEndian(), nil
+	case pmcLittleEndian:
+		return ro.LittleEndian(), nil
+	}
+	return nil, fmt.Errorf("unknown endianness for mmio: %v", err)
+}
+
+// From Bit Twiddling Hacks, great resource for all low level bit manipulations
+func calcNextPowerOf2(n uint64) uint64 {
+	n--
+	n |= n >> 1
+	n |= n >> 2
+	n |= n >> 4
+	n |= n >> 8
+	n |= n >> 16
+	n |= n >> 32
+	n++
+
+	return n
+}
+
+// GetTotalAddressableMemory will accumulate the 32bit and 64bit memory windows
+// of each BAR and round the value if needed to the next power of 2; first
+// return value is the accumulated 32bit addresable memory size the second one
+// is the accumulated 64bit addressable memory size in bytes. These values are
+// needed to configure virtualized environments.
+func (mrs MemoryResources) GetTotalAddressableMemory(roundUp bool) (uint64, uint64) {
+	const pciIOVNumBAR = 6
+	const pciBaseAddressMemTypeMask = 0x06
+	const pciBaseAddressMemType32 = 0x00 /* 32 bit address */
+	const pciBaseAddressMemType64 = 0x04 /* 64 bit address */
+
+	// We need to sort the resources so the first 6 entries are the BARs
+	// How a map is represented in memory is not guaranteed, it is not an
+	// array. Keys do not have an order.
+	keys := make([]int, 0, len(mrs))
+	for k := range mrs {
+		keys = append(keys, k)
+	}
+	sort.Ints(keys)
+
+	numBAR := 0
+	memSize32bit := uint64(0)
+	memSize64bit := uint64(0)
+
+	for _, key := range keys {
+		// The PCIe spec only defines 5 BARs per device, we're
+		// discarding everything after the 5th entry of the resources
+		// file, see lspci.c
+		if key >= pciIOVNumBAR || numBAR == pciIOVNumBAR {
+			break
+		}
+		numBAR = numBAR + 1
+
+		region := mrs[key]
+
+		flags := region.Flags & pciBaseAddressMemTypeMask
+		memType32bit := flags == pciBaseAddressMemType32
+		memType64bit := flags == pciBaseAddressMemType64
+
+		memSize := (region.End - region.Start) + 1
+
+		if memType32bit {
+			memSize32bit = memSize32bit + uint64(memSize)
+		}
+		if memType64bit {
+			memSize64bit = memSize64bit + uint64(memSize)
+		}
+
+	}
+
+	if roundUp {
+		memSize32bit = calcNextPowerOf2(memSize32bit)
+		memSize64bit = calcNextPowerOf2(memSize64bit)
+	}
+
+	return memSize32bit, memSize64bit
+}

src/runtime/vendor/modules.txt

@@ -539,6 +539,11 @@ github.com/vishvananda/netns
 # github.com/x448/float16 v0.8.4
 ## explicit; go 1.11
 github.com/x448/float16
+# gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
+## explicit; go 1.16
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/bytes
+gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci/mmio
 # go.mongodb.org/mongo-driver v1.14.0
 ## explicit; go 1.18
 go.mongodb.org/mongo-driver/bson

src/runtime/virtcontainers/hypervisor.go

@@ -92,10 +92,9 @@ const (
 )
 
 var (
-	hvLogger                        = logrus.WithField("source", "virtcontainers/hypervisor")
-	noGuestMemHotplugErr      error = errors.New("guest memory hotplug not supported")
-	s390xVirtioMemRequiredErr error = errors.New("memory hotplug on s390x requires virtio-mem to be enabled")
-	conflictingAssets         error = errors.New("cannot set both image and initrd at the same time")
+	hvLogger                   = logrus.WithField("source", "virtcontainers/hypervisor")
+	noGuestMemHotplugErr error = errors.New("guest memory hotplug not supported")
+	conflictingAssets    error = errors.New("cannot set both image and initrd at the same time")
 )
 
 // In some architectures the maximum number of vCPUs depends on the number of physical cores.

src/runtime/virtcontainers/qemu.go

@@ -812,6 +812,21 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 	// into a PCIe Root Port or PCIe Switch.
 	// For more details, please see https://github.com/qemu/qemu/blob/master/docs/pcie.txt
 
+	// Deduce the right values for mem-reserve and pref-64-reserve memory regions
+	memSize32bit, memSize64bit := q.arch.getBARsMaxAddressableMemory()
+
+	// The default OVMF MMIO aperture is too small for some PCIe devices
+	// with huge BARs so we need to increase it.
+	// memSize64bit is in bytes, convert to MB, OVMF expects MB as a string
+	if strings.Contains(strings.ToLower(hypervisorConfig.FirmwarePath), "ovmf") {
+		pciMmio64Mb := fmt.Sprintf("%d", (memSize64bit / 1024 / 1024))
+		fwCfg := govmmQemu.FwCfg{
+			Name: "opt/ovmf/X-PciMmio64Mb",
+			Str:  pciMmio64Mb,
+		}
+		qemuConfig.FwCfg = append(qemuConfig.FwCfg, fwCfg)
+	}
+
 	// Get the number of hot(cold)-pluggable ports needed from the provided
 	// VFIO devices
 	var numOfPluggablePorts uint32 = 0
@@ -882,7 +897,7 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 		if numOfPluggablePorts > maxPCIeRootPort {
 			return fmt.Errorf("Number of PCIe Root Ports exceeed allowed max of %d", maxPCIeRootPort)
 		}
-		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 		return nil
 	}
 	if vfioOnSwitchPort {
@@ -892,12 +907,12 @@ func (q *qemu) createPCIeTopology(qemuConfig *govmmQemu.Config, hypervisorConfig
 		if numOfPluggablePorts > maxPCIeSwitchPort {
 			return fmt.Errorf("Number of PCIe Switch Ports exceeed allowed max of %d", maxPCIeSwitchPort)
 		}
-		qemuConfig.Devices = q.arch.appendPCIeSwitchPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeSwitchPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 		return nil
 	}
 	// If both Root Port and Switch Port are not enabled, check if QemuVirt need add pcie root port.
 	if machineType == QemuVirt {
-		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts)
+		qemuConfig.Devices = q.arch.appendPCIeRootPortDevice(qemuConfig.Devices, numOfPluggablePorts, memSize32bit, memSize64bit)
 	}
 	return nil
 }
@@ -981,64 +996,37 @@ func (q *qemu) setupVirtioMem(ctx context.Context) error {
 		return err
 	}
 
-	machineType := q.HypervisorConfig().HypervisorMachineType
-
-	var driver, addr, devAddr, bus string
-	var bridge types.Bridge
-
-	if machineType == QemuCCWVirtio {
-		driver = "virtio-mem-ccw"
-
-		addr, bridge, err = q.arch.addDeviceToBridge(ctx, "virtiomem-dev", types.CCW)
-		if err != nil {
-			return err
-		}
-
-		defer func() {
-			if err != nil {
-				q.arch.removeDeviceFromBridge("virtiomem-dev")
-			}
-		}()
-
-		devAddr, err = bridge.AddressFormatCCW(addr)
-		if err != nil {
-			return err
-		}
-	} else {
-		driver = "virtio-mem-pci"
-
-		addr, bridge, err = q.arch.addDeviceToBridge(ctx, "virtiomem-dev", types.PCI)
-		if err != nil {
-			return err
-		}
-
-		defer func() {
-			if err != nil {
-				q.arch.removeDeviceFromBridge("virtiomem-dev")
-			}
-		}()
-
-		devAddr = addr
-		bus = bridge.ID
-
-		// Hot add virtioMem dev to pcie-root-port for QemuVirt
-		if machineType == QemuVirt {
-			devAddr = "00"
-			bus = fmt.Sprintf("%s%d", config.PCIeRootPortPrefix, len(config.PCIeDevicesPerPort[config.RootPort]))
-			dev := config.VFIODev{ID: "virtiomem"}
-			config.PCIeDevicesPerPort[config.RootPort] = append(config.PCIeDevicesPerPort[config.RootPort], dev)
-		}
+	addr, bridge, err := q.arch.addDeviceToBridge(ctx, "virtiomem-dev", types.PCI)
+	if err != nil {
+		return err
 	}
 
-	err = q.qmpMonitorCh.qmp.ExecMemdevAdd(q.qmpMonitorCh.ctx, memoryBack, "virtiomem", target, sizeMB, share, driver, "virtiomem0", devAddr, bus)
+	defer func() {
+		if err != nil {
+			q.arch.removeDeviceFromBridge("virtiomem-dev")
+		}
+	}()
+
+	bridgeID := bridge.ID
+
+	// Hot add virtioMem dev to pcie-root-port for QemuVirt
+	machineType := q.HypervisorConfig().HypervisorMachineType
+	if machineType == QemuVirt {
+		addr = "00"
+		bridgeID = fmt.Sprintf("%s%d", config.PCIeRootPortPrefix, len(config.PCIeDevicesPerPort[config.RootPort]))
+		dev := config.VFIODev{ID: "virtiomem"}
+		config.PCIeDevicesPerPort[config.RootPort] = append(config.PCIeDevicesPerPort[config.RootPort], dev)
+	}
+
+	err = q.qmpMonitorCh.qmp.ExecMemdevAdd(q.qmpMonitorCh.ctx, memoryBack, "virtiomem", target, sizeMB, share, "virtio-mem-pci", "virtiomem0", addr, bridgeID)
 	if err == nil {
-		q.Logger().Infof("Setup %dMB %s success", sizeMB, driver)
+		q.Logger().Infof("Setup %dMB virtio-mem-pci success", sizeMB)
 	} else {
 		help := ""
 		if strings.Contains(err.Error(), "Cannot allocate memory") {
 			help = ".  Please use command \"echo 1 > /proc/sys/vm/overcommit_memory\" handle it."
 		}
-		err = fmt.Errorf("Add %dMB %s fail %s%s", sizeMB, driver, err.Error(), help)
+		err = fmt.Errorf("Add %dMB virtio-mem-pci fail %s%s", sizeMB, err.Error(), help)
 	}
 
 	return err
@@ -2218,14 +2206,10 @@ func (q *qemu) hotplugRemoveCPUs(amount uint32) (uint32, error) {
 }
 
 func (q *qemu) hotplugMemory(memDev *MemoryDevice, op Operation) (int, error) {
+
 	if !q.arch.supportGuestMemoryHotplug() {
 		return 0, noGuestMemHotplugErr
 	}
-
-	if q.HypervisorConfig().HypervisorMachineType == QemuCCWVirtio && !q.config.VirtioMem {
-		return 0, s390xVirtioMemRequiredErr
-	}
-
 	if memDev.SizeMB < 0 {
 		return 0, fmt.Errorf("cannot hotplug negative size (%d) memory", memDev.SizeMB)
 	}
@@ -2261,30 +2245,7 @@ func (q *qemu) hotplugMemory(memDev *MemoryDevice, op Operation) (int, error) {
 
 }
 
-// resizeVirtioMem resizes the virtio-mem device to the specified size in MB
-func (q *qemu) resizeVirtioMem(newSizeMB int) error {
-	if newSizeMB < 0 {
-		return fmt.Errorf("cannot resize virtio-mem device to negative size (%d) memory", newSizeMB)
-	}
-	sizeByte := uint64(newSizeMB) * 1024 * 1024
-	err := q.qmpMonitorCh.qmp.ExecQomSet(q.qmpMonitorCh.ctx, "virtiomem0", "requested-size", sizeByte)
-	if err != nil {
-		q.Logger().WithError(err).Error("failed to resize virtio-mem device")
-		return err
-	}
-	q.state.HotpluggedMemory = newSizeMB
-	return nil
-}
-
 func (q *qemu) hotplugAddMemory(memDev *MemoryDevice) (int, error) {
-	if q.config.VirtioMem {
-		newHotpluggedMB := q.state.HotpluggedMemory + memDev.SizeMB
-		if err := q.resizeVirtioMem(newHotpluggedMB); err != nil {
-			return 0, err
-		}
-		return memDev.SizeMB, nil
-	}
-
 	memoryDevices, err := q.qmpMonitorCh.qmp.ExecQueryMemoryDevices(q.qmpMonitorCh.ctx)
 	if err != nil {
 		return 0, fmt.Errorf("failed to query memory devices: %v", err)
@@ -2499,10 +2460,13 @@ func (q *qemu) ResizeMemory(ctx context.Context, reqMemMB uint32, memoryBlockSiz
 	var addMemDevice MemoryDevice
 	if q.config.VirtioMem && currentMemory != reqMemMB {
 		q.Logger().WithField("hotplug", "memory").Debugf("resize memory from %dMB to %dMB", currentMemory, reqMemMB)
-		newSizeMB := int(reqMemMB) - int(q.config.MemorySize)
-		if err := q.resizeVirtioMem(newSizeMB); err != nil {
+		sizeByte := uint64(reqMemMB - q.config.MemorySize)
+		sizeByte = sizeByte * 1024 * 1024
+		err := q.qmpMonitorCh.qmp.ExecQomSet(q.qmpMonitorCh.ctx, "virtiomem0", "requested-size", sizeByte)
+		if err != nil {
 			return 0, MemoryDevice{}, err
 		}
+		q.state.HotpluggedMemory = int(sizeByte / 1024 / 1024)
 		return reqMemMB, MemoryDevice{}, nil
 	}
 
@@ -2662,7 +2626,7 @@ func genericMemoryTopology(memoryMb, hostMemoryMb uint64, slots uint8, memoryOff
 }
 
 // genericAppendPCIeRootPort appends to devices the given pcie-root-port
-func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machineType string) []govmmQemu.Device {
+func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machineType string, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
 	var (
 		bus           string
 		chassis       string
@@ -2688,6 +2652,8 @@ func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machin
 				Slot:          strconv.FormatUint(uint64(i), 10),
 				Multifunction: multiFunction,
 				Addr:          addr,
+				MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+				Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 			},
 		)
 	}
@@ -2716,7 +2682,7 @@ func genericAppendPCIeRootPort(devices []govmmQemu.Device, number uint32, machin
 //          -------------           --------------
 */
 // genericAppendPCIeSwitch adds a PCIe Swtich
-func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, machineType string) []govmmQemu.Device {
+func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, machineType string, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
 
 	// Q35, Virt have the correct PCIe support,
 	// hence ignore all other machines
@@ -2733,6 +2699,8 @@ func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, mach
 		Slot:          strconv.FormatUint(uint64(0), 10),
 		Multifunction: false,
 		Addr:          "0",
+		MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+		Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 	}
 
 	devices = append(devices, pcieRootPort)
@@ -2756,6 +2724,8 @@ func genericAppendPCIeSwitchPort(devices []govmmQemu.Device, number uint32, mach
 			Bus:     pcieSwitchUpstreamPort.ID,
 			Chassis: fmt.Sprintf("%d", nextChassis),
 			Slot:    strconv.FormatUint(uint64(i), 10),
+			// TODO: MemReserve:    fmt.Sprintf("%dB", memSize32bit),
+			// TODO: Pref64Reserve: fmt.Sprintf("%dB", memSize64bit),
 		}
 		devices = append(devices, pcieSwitchDownstreamPort)
 	}

src/runtime/virtcontainers/qemu_arch_base.go

@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
+	"gitlab.com/nvidia/cloud-native/go-nvlib/pkg/nvpci"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -152,10 +153,10 @@ type qemuArch interface {
 	setIgnoreSharedMemoryMigrationCaps(context.Context, *govmmQemu.QMP) error
 
 	// appendPCIeRootPortDevice appends a pcie-root-port device to pcie.0 bus
-	appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device
+	appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device
 
 	// appendPCIeSwitch appends a ioh3420 device to a pcie-root-port
-	appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device
+	appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device
 
 	// append vIOMMU device
 	appendIOMMU(devices []govmmQemu.Device) ([]govmmQemu.Device, error)
@@ -169,6 +170,10 @@ type qemuArch interface {
 	// be used with the -bios option, ommit -bios option if the path is empty.
 	appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, initdataDigest []byte) ([]govmmQemu.Device, string, error)
 
+	// scans the PCIe space and returns the biggest BAR sizes for 32-bit
+	// and 64-bit addressable memory
+	getBARsMaxAddressableMemory() (uint64, uint64)
+
 	// Query QMP to find a device's PCI path given its QOM path or ID
 	qomGetPciPath(qemuID string, qmpCh *qmpChannel) (types.PciPath, error)
 
@@ -870,13 +875,46 @@ func (q *qemuArchBase) addBridge(b types.Bridge) {
 }
 
 // appendPCIeRootPortDevice appends to devices the given pcie-root-port
-func (q *qemuArchBase) appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device {
-	return genericAppendPCIeRootPort(devices, number, q.qemuMachine.Type)
+func (q *qemuArchBase) appendPCIeRootPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
+	return genericAppendPCIeRootPort(devices, number, q.qemuMachine.Type, memSize32bit, memSize64bit)
 }
 
 // appendPCIeSwitchPortDevice appends a PCIe Switch with <number> ports
-func (q *qemuArchBase) appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32) []govmmQemu.Device {
-	return genericAppendPCIeSwitchPort(devices, number, q.qemuMachine.Type)
+func (q *qemuArchBase) appendPCIeSwitchPortDevice(devices []govmmQemu.Device, number uint32, memSize32bit uint64, memSize64bit uint64) []govmmQemu.Device {
+	return genericAppendPCIeSwitchPort(devices, number, q.qemuMachine.Type, memSize32bit, memSize64bit)
+}
+
+// getBARsMaxAddressableMemory we need to know the BAR sizes to configure the
+// PCIe Root Port or PCIe Downstream Port attaching a device with huge BARs.
+func (q *qemuArchBase) getBARsMaxAddressableMemory() (uint64, uint64) {
+
+	pci := nvpci.New()
+	devs, _ := pci.GetAllDevices()
+
+	// Since we do not know which devices are going to be hotplugged,
+	// we're going to use the GPU with the biggest BARs to initialize the
+	// root port, this should work for all other devices as well.
+	// defaults are 2MB for both, if no suitable devices found
+	max32bit := uint64(2 * 1024 * 1024)
+	max64bit := uint64(2 * 1024 * 1024)
+
+	for _, dev := range devs {
+		if !dev.IsGPU() {
+			continue
+		}
+		memSize32bit, memSize64bit := dev.Resources.GetTotalAddressableMemory(true)
+		if max32bit < memSize32bit {
+			max32bit = memSize32bit
+		}
+		if max64bit < memSize64bit {
+			max64bit = memSize64bit
+		}
+	}
+	// The actual 32bit is most of the time a power of 2 but we need some
+	// buffer so double that to leave space for other IO functions.
+	// The 64bit size is not a power of 2 and hence is already rounded up
+	// to the higher value.
+	return max32bit * 2, max64bit
 }
 
 // appendIOMMU appends a virtual IOMMU device

src/runtime/virtcontainers/qemu_s390x.go

@@ -199,8 +199,10 @@ func (q *qemuS390x) appendVhostUserDevice(ctx context.Context, devices []govmmQe
 	return devices, nil
 }
 
+// supportGuestMemoryHotplug return false for s390x architecture. The pc-dimm backend device for s390x
+// is not support. PC-DIMM is not listed in the devices supported by qemu-system-s390x -device help
 func (q *qemuS390x) supportGuestMemoryHotplug() bool {
-	return q.protection == noneProtection
+	return false
 }
 
 func (q *qemuS390x) appendNetwork(ctx context.Context, devices []govmmQemu.Device, endpoint Endpoint) ([]govmmQemu.Device, error) {

src/runtime/virtcontainers/qemu_test.go

@@ -8,14 +8,12 @@
 package virtcontainers
 
 import (
-	"bufio"
 	"bytes"
 	"compress/gzip"
 	"context"
 	"encoding/binary"
 	"fmt"
 	"io"
-	"net"
 	"os"
 	"path"
 	"path/filepath"
@@ -827,376 +825,3 @@ func TestPrepareInitdataImage(t *testing.T) {
 		})
 	}
 }
-
-// startTestQMPServer starts a goroutine acting as a minimal QMP server on serverConn.
-// It sends the QMP hello banner and responds to commands with the given responses
-// (one response string per command, in order). After all responses are sent,
-// it keeps the connection open until the client closes it.
-func startTestQMPServer(t *testing.T, serverConn net.Conn, responses []string) {
-	t.Helper()
-	go func() {
-		defer serverConn.Close()
-		hello := `{"QMP":{"version":{"qemu":{"micro":0,"minor":0,"major":5},"package":""},"capabilities":[]}}` + "\n"
-		if _, err := serverConn.Write([]byte(hello)); err != nil {
-			return
-		}
-		scanner := bufio.NewScanner(serverConn)
-		for _, resp := range responses {
-			if !scanner.Scan() {
-				return
-			}
-			if _, err := serverConn.Write([]byte(resp + "\n")); err != nil {
-				return
-			}
-		}
-		// Keep reading (and ignoring) any additional commands to keep connection alive
-		for scanner.Scan() {
-		}
-	}()
-}
-
-// TestHotplugAddMemoryVirtioMem verifies that when VirtioMem is enabled,
-// hotplugAddMemory resizes the existing virtio-mem device via qom-set
-// instead of adding a new pc-dimm, and updates HotpluggedMemory on success.
-func TestHotplugAddMemoryVirtioMem(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	startTestQMPServer(t, serverConn, []string{`{"return":{}}`})
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: true,
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: 128}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.NoError(err)
-	assert.Equal(128, n)
-	// HotpluggedMemory should reflect the cumulative total: initial 100 + added 128
-	assert.Equal(228, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryVirtioMemMultipleOperations verifies that
-// multiple virtio-mem resize operations accumulate correctly.
-func TestHotplugAddMemoryVirtioMemMultipleOperations(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	// Three successful resize operations
-	responses := []string{
-		`{"return":{}}`,
-		`{"return":{}}`,
-		`{"return":{}}`,
-	}
-	startTestQMPServer(t, serverConn, responses)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: true,
-		},
-		state: QemuState{
-			HotpluggedMemory: 0,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	// First resize: 0 -> 128MB
-	memDev1 := &MemoryDevice{SizeMB: 128}
-	n, err := q.hotplugAddMemory(memDev1)
-	assert.NoError(err)
-	assert.Equal(128, n)
-	assert.Equal(128, q.state.HotpluggedMemory)
-
-	// Second resize: 128 -> 384MB
-	memDev2 := &MemoryDevice{SizeMB: 256}
-	n, err = q.hotplugAddMemory(memDev2)
-	assert.NoError(err)
-	assert.Equal(256, n)
-	assert.Equal(384, q.state.HotpluggedMemory)
-
-	// Third resize: 384 -> 896MB
-	memDev3 := &MemoryDevice{SizeMB: 512}
-	n, err = q.hotplugAddMemory(memDev3)
-	assert.NoError(err)
-	assert.Equal(512, n)
-	assert.Equal(896, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryVirtioMemZeroSize verifies behavior
-// when attempting to add zero memory with virtio-mem.
-func TestHotplugAddMemoryVirtioMemZeroSize(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	startTestQMPServer(t, serverConn, []string{`{"return":{}}`})
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: true,
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: 0}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.NoError(err)
-	assert.Equal(0, n)
-	// State should remain unchanged
-	assert.Equal(100, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryVirtioMemError verifies that on a QMP failure
-// the error is propagated and HotpluggedMemory is not updated.
-func TestHotplugAddMemoryVirtioMemError(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	startTestQMPServer(t, serverConn, []string{`{"error":{"class":"GenericError","desc":"test error"}}`})
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: true,
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: 128}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.Error(err)
-	assert.Equal(0, n)
-	// HotpluggedMemory must not be updated when the QMP command fails
-	assert.Equal(100, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryDIMM verifies the traditional DIMM-based hotplug path
-// when VirtioMem is disabled. It should query existing memory devices,
-// allocate a new slot, and hotplug the DIMM.
-func TestHotplugAddMemoryDIMM(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	// Responses: query-memory-devices, object-add, device_add
-	responses := []string{
-		`{"return":[]}`, // query-memory-devices: empty
-		`{"return":{}}`, // object-add: success
-		`{"return":{}}`, // device_add: success
-	}
-	startTestQMPServer(t, serverConn, responses)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: false, // Traditional DIMM path
-		},
-		qemuConfig: govmmQemu.Config{
-			Knobs: govmmQemu.Knobs{
-				HugePages: false,
-			},
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: 256}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.NoError(err)
-	assert.Equal(256, n)
-	assert.Equal(0, memDev.Slot) // Should get slot 0 when no devices exist
-	assert.Equal(356, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryDIMMHotplugError verifies error handling
-// when the actual hotplug operation fails.
-func TestHotplugAddMemoryDIMMHotplugError(t *testing.T) {
-	assert := assert.New(t)
-
-	serverConn, clientConn := net.Pipe()
-	// Responses: query-memory-devices succeeds, object-add fails
-	responses := []string{
-		`{"return":[]}`, // query-memory-devices: success
-		`{"error":{"class":"GenericError","desc":"hotplug failed"}}`, // object-add: fails
-	}
-	startTestQMPServer(t, serverConn, responses)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	disconnectedCh := make(chan struct{})
-	cfg := govmmQemu.QMPConfig{Logger: newQMPLogger()}
-	qmp, _, err := govmmQemu.QMPStartWithConn(ctx, clientConn, cfg, disconnectedCh)
-	assert.NoError(err)
-
-	defer func() {
-		qmp.Shutdown()
-		<-disconnectedCh
-	}()
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: false,
-		},
-		qemuConfig: govmmQemu.Config{
-			Knobs: govmmQemu.Knobs{
-				HugePages: false,
-			},
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: qmp,
-			ctx: ctx,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: 256}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.Error(err)
-	assert.Equal(0, n)
-	// HotpluggedMemory should not be updated on error
-	assert.Equal(100, q.state.HotpluggedMemory)
-}
-
-// TestHotplugAddMemoryVirtioMemNegativeSize verifies that
-// adding a memory device with negative size is handled gracefully.
-func TestHotplugAddMemoryVirtioMemNegativeSize(t *testing.T) {
-	assert := assert.New(t)
-
-	// No need to start a QMP server since the error should be caught
-	// before any QMP command is issued
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem: true,
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-	}
-
-	memDev := &MemoryDevice{SizeMB: -128}
-	n, err := q.hotplugAddMemory(memDev)
-	assert.EqualError(err, "cannot resize virtio-mem device to negative size (-28) memory")
-	assert.Equal(0, n)
-	// State should remain unchanged
-	assert.Equal(100, q.state.HotpluggedMemory)
-}
-
-// TestResizeMemoryVirtioMemNegativeSize verifies that
-// ResizeMemory with VirtioMem handles negative hotplug size gracefully.
-func TestResizeMemoryVirtioMemNegativeSize(t *testing.T) {
-	assert := assert.New(t)
-
-	q := &qemu{
-		config: HypervisorConfig{
-			VirtioMem:  true,
-			MemorySize: 2048, // 2GB base memory
-		},
-		state: QemuState{
-			HotpluggedMemory: 100,
-		},
-		qmpMonitorCh: qmpChannel{
-			qmp: &govmmQemu.QMP{},
-		},
-	}
-
-	// Request size less than base memory would result in negative hotplug size
-	newMem, memDev, err := q.ResizeMemory(context.Background(), 1024, 128, false)
-	assert.EqualError(err, "cannot resize virtio-mem device to negative size (-1024) memory")
-	assert.Equal(uint32(0), newMem)
-	assert.Equal(MemoryDevice{}, memDev)
-	// State should remain unchanged
-	assert.Equal(100, q.state.HotpluggedMemory)
-}

src/tools/genpolicy/rules.rego

@@ -781,6 +781,9 @@ allow_linux_sysctl(p_linux, i_linux) if {
 allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if {
     print("allow_by_bundle_or_sandbox_id: start")
 
+    bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
+    bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
+
     key := "io.kubernetes.cri.sandbox-id"
 
     p_regex := p_oci.Annotations[key]
@@ -789,15 +792,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if {
     print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
     regex.match(p_regex, sandbox_id)
 
-    i_root := i_oci.Root.Path
-    p_root_pattern1 := p_oci.Root.Path
-    p_root_pattern2 := replace(p_root_pattern1, "$(root_path)", policy_data.common.root_path)
-    # Bundle path segment can be a 64-char hex (OCI bundle ID) or the runtime's container/bundle identifier used in paths (e.g. short ID or CRI container ID).
-    p_root_pattern3 := replace(p_root_pattern2, "$(bundle-id)", "([0-9a-f]{64}|[a-z0-9][a-z0-9.-]*)")
-    print("allow_by_bundle_or_sandbox_id: i_root =", i_root, "regex =", p_root_pattern3)
-
-    # Verify that the root path matches the substituted pattern and extract the bundle-id.
-    bundle_id := regex.find_all_string_submatch_n(p_root_pattern3, i_root, 1)[0][1]
+    allow_root_path(p_oci, i_oci, bundle_id)
 
     # Match each input mount with a Policy mount.
     # Reject possible attempts to match multiple input mounts with a single Policy mount.
@@ -1096,6 +1091,23 @@ is_ip_other_byte(component) if {
     number <= 255
 }
 
+# OCI root.Path
+allow_root_path(p_oci, i_oci, bundle_id) if {
+    i_path := i_oci.Root.Path
+    p_path1 := p_oci.Root.Path
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
+
+    p_path2 := replace(p_path1, "$(root_path)", policy_data.common.root_path)
+    print("allow_root_path: p_path2 =", p_path2)
+
+    p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
+    print("allow_root_path: p_path3 =", p_path3)
+
+    p_path3 == i_path
+
+    print("allow_root_path: true")
+}
+
 # device mounts
 # allow_mount returns the policy index (p_index) if a given input mount matches a policy mount.
 allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index if {

src/tools/genpolicy/tests/policy/testdata/createcontainer/generate_name/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -128,7 +128,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"
@@ -142,7 +142,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -264,7 +264,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"

src/tools/genpolicy/tests/policy/testdata/createcontainer/gpu_vfio_cdi/testcases.json

@@ -9,7 +9,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfio2": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -73,7 +73,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -115,7 +115,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfio3": "nvidia.com/gpu=2",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -179,7 +179,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -219,7 +219,7 @@
       "type": "CreateContainer",
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -283,7 +283,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -325,7 +325,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfioABC": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -389,7 +389,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -431,7 +431,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "invalid-format",
           "cdi.k8s.io/vfio2": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -495,7 +495,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -536,7 +536,7 @@
       "OCI": {
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -600,7 +600,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -642,7 +642,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfio3": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -706,7 +706,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -748,7 +748,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfio2": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -812,7 +812,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -854,7 +854,7 @@
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
           "cdi.k8s.io/vfio2": "nvidia.com/gpu=1",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -918,7 +918,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -944,7 +944,7 @@
       "OCI": {
         "Annotations": {
           "cdi.k8s.io/vfio1": "nvidia.com/gpu=0",
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -1008,7 +1008,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null
@@ -1033,7 +1033,7 @@
       "type": "CreateContainer",
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/gpu-container",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "gpu-container",
           "io.kubernetes.cri.container-type": "container",
@@ -1097,7 +1097,7 @@
           "Terminal": false,
           "User": {"AdditionalGids": [0], "GID": 0, "UID": 65535, "Username": ""}
         },
-        "Root": {"Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs", "Readonly": false},
+        "Root": {"Path": "/run/kata-containers/gpu-container/rootfs", "Readonly": false},
         "Solaris": null,
         "Version": "1.1.0",
         "Windows": null

src/tools/genpolicy/tests/policy/testdata/createcontainer/network_namespace/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -128,7 +128,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"
@@ -142,7 +142,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -264,7 +264,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"
@@ -278,7 +278,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -396,7 +396,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"
@@ -410,7 +410,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_sandbox",
           "io.kubernetes.cri.container-type": "sandbox",
           "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
@@ -532,7 +532,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": true
         },
         "Version": "1.1.0"

src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/runas/testcases.json

@@ -254,7 +254,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/dummy",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -411,7 +411,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-c26fcab88aa5d50b-data",
+            "source": "/run/kata-containers/shared/containers/dummy-c26fcab88aa5d50b-data",
             "type_": "bind"
           },
           {
@@ -421,7 +421,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d62fcc4f2e8b5659-node-conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d62fcc4f2e8b5659-node-conf",
             "type_": "bind"
           },
           {
@@ -431,7 +431,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-dc49e1ba3ec278c5-hosts",
+            "source": "/run/kata-containers/shared/containers/dummy-dc49e1ba3ec278c5-hosts",
             "type_": "bind"
           },
           {
@@ -441,7 +441,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-2e8b2725e7ce6844-termination-log",
+            "source": "/run/kata-containers/shared/containers/dummy-2e8b2725e7ce6844-termination-log",
             "type_": "bind"
           },
           {
@@ -451,7 +451,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-717ad4c50963e851-hostname",
+            "source": "/run/kata-containers/shared/containers/dummy-717ad4c50963e851-hostname",
             "type_": "bind"
           },
           {
@@ -461,7 +461,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d8f5f7c88a297469-resolv.conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d8f5f7c88a297469-resolv.conf",
             "type_": "bind"
           },
           {
@@ -479,7 +479,7 @@
               "rprivate",
               "ro"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-4db7c43db401ed9e-serviceaccount",
+            "source": "/run/kata-containers/shared/containers/dummy-4db7c43db401ed9e-serviceaccount",
             "type_": "bind"
           }
         ],
@@ -570,7 +570,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/dummy/rootfs",
           "Readonly": false
         },
         "Solaris": null,

src/tools/genpolicy/tests/policy/testdata/createcontainer/security_context/supplemental_groups/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/dummy",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -163,7 +163,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-c26fcab88aa5d50b-data",
+            "source": "/run/kata-containers/shared/containers/dummy-c26fcab88aa5d50b-data",
             "type_": "bind"
           },
           {
@@ -173,7 +173,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d62fcc4f2e8b5659-node-conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d62fcc4f2e8b5659-node-conf",
             "type_": "bind"
           },
           {
@@ -183,7 +183,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-dc49e1ba3ec278c5-hosts",
+            "source": "/run/kata-containers/shared/containers/dummy-dc49e1ba3ec278c5-hosts",
             "type_": "bind"
           },
           {
@@ -193,7 +193,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-2e8b2725e7ce6844-termination-log",
+            "source": "/run/kata-containers/shared/containers/dummy-2e8b2725e7ce6844-termination-log",
             "type_": "bind"
           },
           {
@@ -203,7 +203,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-717ad4c50963e851-hostname",
+            "source": "/run/kata-containers/shared/containers/dummy-717ad4c50963e851-hostname",
             "type_": "bind"
           },
           {
@@ -213,7 +213,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d8f5f7c88a297469-resolv.conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d8f5f7c88a297469-resolv.conf",
             "type_": "bind"
           },
           {
@@ -231,7 +231,7 @@
               "rprivate",
               "ro"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-4db7c43db401ed9e-serviceaccount",
+            "source": "/run/kata-containers/shared/containers/dummy-4db7c43db401ed9e-serviceaccount",
             "type_": "bind"
           }
         ],
@@ -324,7 +324,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/dummy/rootfs",
           "Readonly": false
         },
         "Solaris": null,
@@ -340,7 +340,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/dummy",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -497,7 +497,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-c26fcab88aa5d50b-data",
+            "source": "/run/kata-containers/shared/containers/dummy-c26fcab88aa5d50b-data",
             "type_": "bind"
           },
           {
@@ -507,7 +507,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d62fcc4f2e8b5659-node-conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d62fcc4f2e8b5659-node-conf",
             "type_": "bind"
           },
           {
@@ -517,7 +517,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-dc49e1ba3ec278c5-hosts",
+            "source": "/run/kata-containers/shared/containers/dummy-dc49e1ba3ec278c5-hosts",
             "type_": "bind"
           },
           {
@@ -527,7 +527,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-2e8b2725e7ce6844-termination-log",
+            "source": "/run/kata-containers/shared/containers/dummy-2e8b2725e7ce6844-termination-log",
             "type_": "bind"
           },
           {
@@ -537,7 +537,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-717ad4c50963e851-hostname",
+            "source": "/run/kata-containers/shared/containers/dummy-717ad4c50963e851-hostname",
             "type_": "bind"
           },
           {
@@ -547,7 +547,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-d8f5f7c88a297469-resolv.conf",
+            "source": "/run/kata-containers/shared/containers/dummy-d8f5f7c88a297469-resolv.conf",
             "type_": "bind"
           },
           {
@@ -565,7 +565,7 @@
               "rprivate",
               "ro"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-4db7c43db401ed9e-serviceaccount",
+            "source": "/run/kata-containers/shared/containers/dummy-4db7c43db401ed9e-serviceaccount",
             "type_": "bind"
           }
         ],
@@ -659,7 +659,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/dummy/rootfs",
           "Readonly": false
         },
         "Solaris": null,

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -126,7 +126,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "redis",
           "io.kubernetes.cri.container-type": "container",
@@ -67,7 +67,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-a1b2c3d4e5f6g7h8-data",
+            "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-data",
             "type_": "bind"
           },
           {
@@ -77,7 +77,7 @@
               "rprivate",
               "rw"
             ],
-            "source": "/run/kata-containers/shared/containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855-a1b2c3d4e5f6g7h8-node-conf",
+            "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-node-conf",
             "type_": "bind"
           }
         ],
@@ -116,7 +116,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"

src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json

@@ -6,7 +6,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -159,7 +159,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -219,7 +219,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -352,7 +352,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -412,7 +412,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -555,7 +555,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -615,7 +615,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -742,7 +742,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -802,7 +802,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -945,7 +945,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -959,7 +959,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -1102,7 +1102,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -1116,7 +1116,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -1289,7 +1289,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -1349,7 +1349,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -1482,7 +1482,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"
@@ -1542,7 +1542,7 @@
     "request": {
       "OCI": {
         "Annotations": {
-          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+          "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
           "io.katacontainers.pkg.oci.container_type": "pod_container",
           "io.kubernetes.cri.container-name": "dummy",
           "io.kubernetes.cri.container-type": "container",
@@ -1675,7 +1675,7 @@
           }
         },
         "Root": {
-          "Path": "/run/kata-containers/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/rootfs",
+          "Path": "/run/kata-containers/bundle-id/rootfs",
           "Readonly": false
         },
         "Version": "1.1.0"

tests/integration/cri-containerd/integration-tests.sh

@@ -268,15 +268,11 @@ function TestContainerMemoryUpdate() {
 		info "TestContainerMemoryUpdate skipped for qemu with runtime-rs"
 		info "Please check out https://github.com/kata-containers/kata-containers/issues/9375"
 		return
-	elif [[ "${KATA_HYPERVISOR}" != "qemu" ]] || [[ "${ARCH}" == "ppc64le" ]]; then
+	elif [[ "${KATA_HYPERVISOR}" != "qemu" ]] || [[ "${ARCH}" == "ppc64le" ]] || [[ "${ARCH}" == "s390x" ]]; then
 		return
 	fi
 
 	for virtio_mem_enabled in 1 0; do
-		# On s390x, only run the test when virtio_mem is enabled
-		if [[ "${ARCH}" == "s390x" ]] && [[ $virtio_mem_enabled -eq 0 ]]; then
-			continue
-		fi
 		PrepareContainerMemoryUpdate $virtio_mem_enabled
 		DoContainerMemoryUpdate $virtio_mem_enabled
 	done
@@ -286,7 +282,7 @@ function PrepareContainerMemoryUpdate() {
 	test_virtio_mem=$1
 
 	if [ $test_virtio_mem -eq 1 ]; then
-		if [[ "$ARCH" != "x86_64" ]] && [[ "$ARCH" != "aarch64" ]] && [[ "$ARCH" != "s390x" ]]; then
+		if [[ "$ARCH" != "x86_64" ]] && [[ "$ARCH" != "aarch64" ]]; then
 			return
 		fi
 		info "Test container memory update with virtio-mem"

tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs

@@ -4,7 +4,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::config::Config;
-use crate::runtime::containerd;
 use crate::utils;
 use crate::utils::toml as toml_utils;
 use anyhow::Result;
@@ -89,12 +88,15 @@ pub async fn configure_snapshotter(
     // Get all paths and drop-in capability in one call
     let paths = config.get_containerd_paths(runtime).await?;
 
-    // Runtime plugin id (from paths or by reading config), then map to table where disable_snapshot_annotations lives.
-    let runtime_plugin_id = match &paths.plugin_id {
-        Some(id) => id.as_str(),
-        None => containerd::get_containerd_pluginid(&paths.config_file)?,
+    // Read containerd version from config_file to determine pluginid
+    let pluginid = if fs::read_to_string(&paths.config_file)
+        .unwrap_or_default()
+        .contains("version = 3")
+    {
+        "\"io.containerd.cri.v1.images\""
+    } else {
+        "\"io.containerd.grpc.v1.cri\".containerd"
     };
-    let pluginid = containerd::pluginid_for_snapshotter_annotations(runtime_plugin_id, &paths.config_file)?;
 
     let configuration_file: std::path::PathBuf = if paths.use_drop_in {
         // Only add /host prefix if path is not in /etc/containerd (which is mounted from host)

tools/packaging/kata-deploy/binary/src/runtime/containerd.rs

@@ -33,11 +33,8 @@ const CONTAINERD_V2_CRI_PLUGIN_ID: &str = "\"io.containerd.grpc.v1.cri\"";
 const CONTAINERD_LEGACY_CRI_PLUGIN_ID: &str = "cri";
 /// Plugin ID for CRI images in containerd config v3 (version = 3).
 const CONTAINERD_CRI_IMAGES_PLUGIN_ID: &str = "\"io.containerd.cri.v1.images\"";
-/// Plugin table for CRI containerd in v2 (disable_snapshot_annotations lives here).
-const CONTAINERD_CRI_CONTAINERD_TABLE_V2: &str = "\"io.containerd.grpc.v1.cri\".containerd";
 
-/// Reads config and returns the CRI plugin ID used for *runtime* config (runtimes, snapshotter-per-runtime).
-pub(crate) fn get_containerd_pluginid(config_file: &str) -> Result<&'static str> {
+fn get_containerd_pluginid(config_file: &str) -> Result<&'static str> {
     let content = fs::read_to_string(config_file)
         .with_context(|| format!("Failed to read containerd config file: {}", config_file))?;
 
@@ -55,24 +52,6 @@ fn is_containerd_v3_config(pluginid: &str) -> bool {
     pluginid == CONTAINERD_V3_RUNTIME_PLUGIN_ID
 }
 
-/// Maps the runtime plugin ID (from get_containerd_pluginid) to the plugin table where
-/// disable_snapshot_annotations lives. In v3 that's the *images* plugin; in v2 the CRI .containerd subtable.
-pub(crate) fn pluginid_for_snapshotter_annotations(
-    runtime_plugin_id: &str,
-    config_file: &str,
-) -> Result<&'static str> {
-    if runtime_plugin_id == CONTAINERD_V3_RUNTIME_PLUGIN_ID {
-        Ok(CONTAINERD_CRI_IMAGES_PLUGIN_ID)
-    } else if runtime_plugin_id == CONTAINERD_V2_CRI_PLUGIN_ID {
-        Ok(CONTAINERD_CRI_CONTAINERD_TABLE_V2)
-    } else {
-        anyhow::bail!(
-            "Containerd config {} has no \"version = 2\" or \"version = 3\"; cannot determine CRI plugin for snapshotter config",
-            config_file
-        )
-    }
-}
-
 fn get_containerd_output_path(paths: &ContainerdPaths) -> PathBuf {
     if paths.use_drop_in {
         if paths.drop_in_file.starts_with("/etc/containerd/") {
@@ -657,40 +636,6 @@ mod tests {
         }
     }
 
-    /// pluginid_for_snapshotter_annotations maps runtime plugin id to the table where disable_snapshot_annotations lives.
-    #[rstest]
-    #[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID, CONTAINERD_CRI_IMAGES_PLUGIN_ID, false)]
-    #[case(CONTAINERD_V2_CRI_PLUGIN_ID, CONTAINERD_CRI_CONTAINERD_TABLE_V2, false)]
-    #[case(CONTAINERD_LEGACY_CRI_PLUGIN_ID, "", true)]
-    fn test_pluginid_for_snapshotter_annotations(
-        #[case] runtime_plugin_id: &str,
-        #[case] expected_plugin_id: &str,
-        #[case] expect_err: bool,
-    ) {
-        let config_file = "/etc/containerd/config.toml";
-        let result = pluginid_for_snapshotter_annotations(runtime_plugin_id, config_file);
-        if expect_err {
-            let err = result.unwrap_err();
-            assert!(
-                err.to_string().contains(config_file),
-                "error should mention config file: {}",
-                err
-            );
-            assert!(
-                err.to_string().contains("version = 2") || err.to_string().contains("version = 3"),
-                "error should mention version: {}",
-                err
-            );
-        } else {
-            assert_eq!(
-                result.unwrap(),
-                expected_plugin_id,
-                "runtime_plugin_id={}",
-                runtime_plugin_id
-            );
-        }
-    }
-
     /// Written containerd config (e.g. drop-in) must not start with blank lines when written to an initially empty file.
     #[rstest]
     #[case(CONTAINERD_V3_RUNTIME_PLUGIN_ID)]

tools/packaging/kata-deploy/helm-chart/README.md

@@ -127,10 +127,8 @@ All values can be overridden with --set key=value or a custom `-f myvalues.yaml`
 |-----|-------------|---------|
 | `imagePullPolicy` | Set the DaemonSet pull policy | `Always` |
 | `imagePullSecrets` | Enable pulling from a private registry via pull secret | `""` |
-| `image.reference` | Fully qualified image reference (for digest pinning use the full image e.g. `…@sha256:...`; tag is ignored) | `quay.io/kata-containers/kata-deploy` |
-| `image.tag` | Tag of the image reference (defaults to chart `AppVersion` when empty) | `""` |
-| `kubectlImage.reference` | Fully qualified `kubectl` image reference (for digest pinning use the full image e.g. `…@sha256:...` and leave `kubectlImage.tag` empty) | `quay.io/kata-containers/kubectl` |
-| `kubectlImage.tag` | Tag of the `kubectl` image reference | `latest` |
+| `image.reference` | Fully qualified image reference | `quay.io/kata-containers/kata-deploy` |
+| `image.tag` | Tag of the image reference | `""` |
 | `k8sDistribution` | Set the k8s distribution to use: `k8s`, `k0s`, `k3s`, `rke2`, `microk8s` | `k8s` |
 | `nodeSelector` | Node labels for pod assignment. Allows restricting deployment to specific nodes | `{}` |
 | `runtimeClasses.enabled` | Enable Helm-managed `runtimeClass` creation (recommended) | `true` |

tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl

@@ -334,36 +334,6 @@ Builds per-shim semicolon-separated list: "shim1=value1;shim2=value2"
 {{- join ";" $proxies -}}
 {{- end -}}
 
-{{/*
-Main kata-deploy image reference for the DaemonSet.
-Supports tag (reference:tag) and digest (reference@sha256:...) formats.
-When reference contains "@" (digest), use reference as-is; otherwise use reference:tag (tag defaults to Chart.AppVersion).
-*/}}
-{{- define "kata-deploy.image" -}}
-{{- $ref := .Values.image.reference -}}
-{{- $tag := default .Chart.AppVersion .Values.image.tag | toString -}}
-{{- if contains "@" $ref -}}
-{{- $ref -}}
-{{- else -}}
-{{- printf "%s:%s" $ref $tag -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-kubectl image reference for verification and cleanup jobs.
-Supports tag (reference:tag) and digest (reference@sha256:...) formats.
-When reference already contains "@" (digest) or tag is empty, use reference as-is.
-*/}}
-{{- define "kata-deploy.kubectlImage" -}}
-{{- $ref := .Values.kubectlImage.reference -}}
-{{- $tag := .Values.kubectlImage.tag | toString -}}
-{{- if or (contains "@" $ref) (eq $tag "") -}}
-{{- $ref -}}
-{{- else -}}
-{{- printf "%s:%s" $ref $tag -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Get snapshotter setup list from structured config
 */}}

tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-cleanup-rbac-job.yaml

@@ -33,7 +33,7 @@ spec:
 {{- end }}
       containers:
         - name: rb-cleanup
-          image: {{ include "kata-deploy.kubectlImage" . }}
+          image: quay.io/kata-containers/kubectl:latest
           command:
             - bash
             - -c

tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml

@@ -133,7 +133,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: kube-kata
-        image: {{ include "kata-deploy.image" . }}
+        image: {{ .Values.image.reference }}:{{ default .Chart.AppVersion .Values.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         command: ["/usr/bin/kata-deploy", "install"]
         env:

tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/verification-job.yaml

@@ -42,7 +42,7 @@ spec:
       serviceAccountName: {{ include "kata-deploy.fullname" . }}-verification
       containers:
         - name: verify
-          image: {{ include "kata-deploy.kubectlImage" . }}
+          image: quay.io/kata-containers/kubectl:latest
           command:
             - bash
             - -c

tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml

@@ -6,10 +6,6 @@ image:
   reference: quay.io/kata-containers/kata-deploy
   tag: ""
 
-kubectlImage:
-  reference: quay.io/kata-containers/kubectl
-  tag: latest
-
 k8sDistribution: "k8s"  # k8s, k3s, rke2, k0s, microk8s
 
 # Node selector and tolerations to control which nodes the kata-deploy daemonset runs on

tools/packaging/kernel/configs/fragments/s390/virtio.conf

@@ -1,2 +0,0 @@
-CONFIG_VIRTIO_MEM=y
-CONFIG_MEMORY_HOTREMOVE=y

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-183
+182