genpolicy: Adapt to CRI-O

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

.github/actionlint.yaml

@@ -28,9 +28,3 @@ self-hosted-runner:
     - s390x-large
     - tdx
     - ubuntu-24.04-arm
-
-paths:
-  .github/workflows/**/*.{yml,yaml}:
-    ignore:
-      # We use if: false to "temporarily" skip jobs with issues
-      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -15,8 +15,6 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -87,12 +85,8 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
-    cooldown:
-      default-days: 7

.github/workflows/actionlint.yaml

@@ -13,13 +13,18 @@ concurrency:
 jobs:
   run-actionlint:
     name: run-actionlint
+    env:
+      GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Install actionlint gh extension
+        run: gh extension install https://github.com/cschleiden/gh-actionlint
+
       - name: Run actionlint
-        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1
+        run:  gh actionlint

.github/workflows/basic-ci-amd64.yaml

@@ -47,23 +47,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
         env:

.github/workflows/basic-ci-s390x.yaml

@@ -47,25 +47,8 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        run: bash tests/integration/cri-containerd/gha-run.sh
         env:
           GH_TOKEN: ${{ github.token }}
 

.github/workflows/build-checks-preview-riscv64.yaml

@@ -82,17 +82,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-checks.yaml

@@ -94,19 +94,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -143,7 +143,7 @@ jobs:
           if-no-files-found: error
 
       - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
+        if: ${{ matrix.asset == 'kernel' || startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: kata-artifacts-amd64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
@@ -235,6 +235,7 @@ jobs:
         asset:
           - busybox
           - coco-guest-components
+          - kernel-modules
           - kernel-nvidia-gpu-modules
           - pause-image
     steps:

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -120,6 +120,15 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
+      - name: store-extratarballs-artifact ${{ matrix.asset }}
+        if: ${{ matrix.asset == 'kernel' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-artifacts-s390x-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
+          path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
   build-asset-rootfs:
     name: build-asset-rootfs
     runs-on: s390x

.github/workflows/ci-devel.yaml

@@ -17,7 +17,6 @@ jobs:
       pr-number: "dev"
       tag: ${{ github.sha }}-dev
       target-branch: ${{ github.ref_name }}
-      extensive-matrix-autogenerated-policy: "yes"
 
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

.github/workflows/ci-nightly.yaml

@@ -22,7 +22,6 @@ jobs:
       pr-number: "nightly"
       tag: ${{ github.sha }}-nightly
       target-branch: ${{ github.ref_name }}
-      extensive-matrix-autogenerated-policy: "yes"
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/ci.yaml

@@ -19,10 +19,6 @@ on:
         required: false
         type: string
         default: no
-      extensive-matrix-autogenerated-policy:
-        required: false
-        type: string
-        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -362,7 +358,6 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
-      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/darwin-tests.yaml

@@ -31,22 +31,10 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Install Rust
       run: ./tests/install_rust.sh

.github/workflows/docs-url-alive-check.yaml

@@ -24,22 +24,10 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Docs URL Alive Check
       run: |

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/configure-pages@v5
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      - uses: actions/upload-pages-artifact@v4
         with:
           path: site
-      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+      - uses: actions/deploy-pages@v4
         id: deployment

.github/workflows/govulncheck.yaml

@@ -27,22 +27,10 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
       - name: Install govulncheck
         run: |

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,6 +35,8 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
+    strategy:
+      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}
@@ -53,25 +55,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: ${{ inputs.arch == 'ppc64le' && 'ppc64le' || '' }}
-
       - name: Install dependencies
         timeout-minutes: 15
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -57,24 +57,10 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: 'ppc64le'
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
 
       - name: Prepare the runner for k8s test suite
         run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

.github/workflows/run-kata-coco-tests.yaml

@@ -24,10 +24,6 @@ on:
         required: false
         type: string
         default: ""
-      extensive-matrix-autogenerated-policy:
-        required: false
-        type: string
-        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -262,28 +258,14 @@ jobs:
         timeout-minutes: 5
         run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
 
-  # Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
-  run-k8s-tests-coco-nontee-extensive-matrix:
-    if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
-    name: run-k8s-tests-coco-nontee-extensive-matrix
+  run-k8s-tests-coco-nontee-crio:
+    name: run-k8s-tests-coco-nontee-crio
     strategy:
       fail-fast: false
       matrix:
-        environment: [
-          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: k0s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: k3s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: rke2, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
-          { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
-        ]
-    runs-on: ubuntu-24.04
+        vmm:
+          - qemu-coco-dev
+    runs-on: fidencio-crio
     permissions:
       contents: read
     environment: ci
@@ -292,17 +274,20 @@ jobs:
       DOCKER_REPO: ${{ inputs.repo }}
       DOCKER_TAG: ${{ inputs.tag }}
       GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
       KBS: "true"
       KBS_INGRESS: "nodeport"
-      KUBERNETES: ${{ matrix.environment.k8s }}
-      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
-      PULL_TYPE: ${{ matrix.environment.pull_type }}
-      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
+      KUBERNETES: "vanilla"
+      PULL_TYPE: "guest-pull"
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      SNAPSHOTTER: ""
+      EXPERIMENTAL_FORCE_GUEST_PULL: ""
       AUTO_GENERATE_POLICY: "yes"
       K8S_TEST_HOST_TYPE: "all"
+      CONTAINER_ENGINE: "crio"
+      CONTAINER_RUNTIME: "crio"
+      CONTAINER_ENGINE_VERSION: "active"
       GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -326,36 +311,9 @@ jobs:
       - name: Install kata-tools
         run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Deploy ${{ matrix.environment.k8s }}
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
       - name: Deploy Kata
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
 
       - name: Deploy CoCo KBS
         timeout-minutes: 10

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/static-checks.yaml

@@ -126,16 +126,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         run: |
           cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Install system dependencies
         run: |
           sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc

Cargo.lock

@@ -44,7 +44,9 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
+ "futures 0.1.31",
  "kata-types",
+ "log",
  "logging",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -139,12 +141,23 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "event-listener-strategy",
  "futures-core",
  "pin-project-lite",
 ]
 
+[[package]]
+name = "async-channel"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
+dependencies = [
+ "concurrent-queue",
+ "event-listener 2.5.3",
+ "futures-core",
+]
+
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -171,6 +184,21 @@ dependencies = [
  "slab",
 ]
 
+[[package]]
+name = "async-global-executor"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
+dependencies = [
+ "async-channel 2.5.0",
+ "async-executor",
+ "async-io",
+ "async-lock",
+ "blocking",
+ "futures-lite",
+ "once_cell",
+]
+
 [[package]]
 name = "async-io"
 version = "2.6.0"
@@ -195,7 +223,7 @@ version = "3.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "event-listener-strategy",
  "pin-project-lite",
 ]
@@ -206,14 +234,14 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75"
 dependencies = [
- "async-channel",
+ "async-channel 2.5.0",
  "async-io",
  "async-lock",
  "async-signal",
  "async-task",
  "blocking",
  "cfg-if 1.0.0",
- "event-listener",
+ "event-listener 5.4.1",
  "futures-lite",
  "rustix 1.1.2",
 ]
@@ -247,6 +275,32 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "async-std"
+version = "1.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b"
+dependencies = [
+ "async-channel 1.9.0",
+ "async-global-executor",
+ "async-io",
+ "async-lock",
+ "crossbeam-utils",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-lite",
+ "gloo-timers",
+ "kv-log-macro",
+ "log",
+ "memchr",
+ "once_cell",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+ "wasm-bindgen-futures",
+]
+
 [[package]]
 name = "async-task"
 version = "4.7.1"
@@ -393,7 +447,7 @@ version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel",
+ "async-channel 2.5.0",
  "async-task",
  "futures-io",
  "futures-lite",
@@ -590,17 +644,29 @@ dependencies = [
  "containerd-shim-protos",
  "kata-sys-util",
  "kata-types",
+ "lazy_static",
  "nix 0.26.4",
  "oci-spec 0.8.3",
+ "persist",
  "protobuf",
  "protocols",
  "resource",
  "runtime-spec",
+ "serde_json",
+ "slog",
+ "slog-scope",
  "strum 0.24.1",
  "thiserror 1.0.48",
  "tokio",
+ "ttrpc",
 ]
 
+[[package]]
+name = "common-path"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -645,7 +711,7 @@ dependencies = [
  "async-trait",
  "cgroups-rs 0.3.4",
  "containerd-shim-protos",
- "futures",
+ "futures 0.3.28",
  "go-flag",
  "lazy_static",
  "libc",
@@ -978,6 +1044,7 @@ dependencies = [
  "dbs-interrupt",
  "dbs-utils",
  "dbs-virtio-devices",
+ "downcast-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "libc",
@@ -990,6 +1057,7 @@ dependencies = [
  "vfio-ioctls",
  "virtio-queue",
  "vm-memory",
+ "vmm-sys-util 0.11.1",
 ]
 
 [[package]]
@@ -1006,6 +1074,7 @@ dependencies = [
 name = "dbs-upcall"
 version = "0.3.0"
 dependencies = [
+ "anyhow",
  "dbs-utils",
  "dbs-virtio-devices",
  "log",
@@ -1200,6 +1269,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
 
+[[package]]
+name = "downcast-rs"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ea835d29036a4087793836fa931b08837ad5e957da9e23886b29586fb9b6650"
+
 [[package]]
 name = "dragonball"
 version = "0.1.0"
@@ -1220,6 +1295,7 @@ dependencies = [
  "dbs-utils",
  "dbs-virtio-devices",
  "derivative",
+ "fuse-backend-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "lazy_static",
@@ -1274,18 +1350,6 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66b7e2430c6dff6a955451e2cfc438f09cea1965a9d6f87f7e3b90decc014099"
 
-[[package]]
-name = "enum-as-inner"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
-dependencies = [
- "heck 0.5.0",
- "proc-macro2",
- "quote",
- "syn 2.0.104",
-]
-
 [[package]]
 name = "enumflags2"
 version = "0.7.12"
@@ -1339,6 +1403,12 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "event-listener"
+version = "2.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
+
 [[package]]
 name = "event-listener"
 version = "5.4.1"
@@ -1356,7 +1426,7 @@ version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "pin-project-lite",
 ]
 
@@ -1484,6 +1554,12 @@ dependencies = [
  "vmm-sys-util 0.11.1",
 ]
 
+[[package]]
+name = "futures"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678"
+
 [[package]]
 name = "futures"
 version = "0.3.28"
@@ -1643,6 +1719,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "go-flag"
 version = "0.1.0"
@@ -1878,7 +1966,7 @@ dependencies = [
  "crossbeam-channel",
  "dbs-utils",
  "dragonball",
- "futures",
+ "futures 0.3.28",
  "go-flag",
  "hyper",
  "hyperlocal",
@@ -1889,8 +1977,10 @@ dependencies = [
  "libc",
  "logging",
  "nix 0.26.4",
+ "oci-spec 0.8.3",
  "path-clean",
  "persist",
+ "protobuf",
  "protocols",
  "qapi",
  "qapi-qmp",
@@ -1902,6 +1992,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test 2.0.0",
+ "shim-interface",
  "slog",
  "slog-scope",
  "tempfile",
@@ -2178,6 +2269,8 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
+ "chrono",
+ "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2186,9 +2279,11 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec 0.8.3",
+ "once_cell",
  "pci-ids",
  "rand 0.8.5",
  "runtime-spec",
+ "safe-path 0.1.0",
  "serde",
  "serde_json",
  "slog",
@@ -2207,8 +2302,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
+ "hex",
  "lazy_static",
- "nix 0.26.4",
  "num_cpus",
  "oci-spec 0.8.3",
  "regex",
@@ -2219,10 +2314,18 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
- "sysctl",
  "sysinfo",
  "thiserror 1.0.48",
- "toml",
+ "toml 0.5.11",
+]
+
+[[package]]
+name = "kv-log-macro"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+dependencies = [
+ "log",
 ]
 
 [[package]]
@@ -2543,7 +2646,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b65d130ee111430e47eed7896ea43ca693c387f097dd97376bffafbf25812128"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "log",
  "netlink-packet-core",
  "netlink-sys",
@@ -2557,7 +2660,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416060d346fbaf1f23f9512963e3e878f1a78e707cb699ba9215761754244307"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "libc",
  "log",
  "tokio",
@@ -2714,7 +2817,7 @@ dependencies = [
  "log",
  "serde",
  "serde_json",
- "toml",
+ "toml 0.5.11",
 ]
 
 [[package]]
@@ -2941,7 +3044,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e785d273968748578931e4dc3b4f5ec86b26e09d9e0d66b55adda7fce742f7a"
 dependencies = [
  "async-trait",
- "futures",
+ "futures 0.3.28",
  "futures-executor",
  "headers",
  "http",
@@ -3109,9 +3212,11 @@ dependencies = [
  "async-trait",
  "kata-sys-util",
  "kata-types",
+ "libc",
  "safe-path 0.1.0",
  "serde",
  "serde_json",
+ "shim-interface",
 ]
 
 [[package]]
@@ -3521,7 +3626,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b047adab56acc4948d4b9b58693c1f33fd13efef2d6bb5f0f66a47436ceada8"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "log",
  "memchr",
  "qapi-qmp",
@@ -3803,10 +3908,11 @@ dependencies = [
  "agent",
  "anyhow",
  "async-trait",
+ "bitflags 2.10.0",
  "byte-unit",
  "cgroups-rs 0.5.0",
  "flate2",
- "futures",
+ "futures 0.3.28",
  "hex",
  "hypervisor",
  "inotify",
@@ -3816,6 +3922,7 @@ dependencies = [
  "libc",
  "logging",
  "netlink-packet-route",
+ "netlink-sys",
  "netns-rs",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -3900,6 +4007,7 @@ dependencies = [
  "common",
  "containerd-shim-protos",
  "go-flag",
+ "logging",
  "nix 0.26.4",
  "runtimes",
  "shim",
@@ -3910,6 +4018,7 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
+ "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -3922,8 +4031,8 @@ dependencies = [
  "agent",
  "anyhow",
  "common",
- "containerd-shim-protos",
  "hyper",
+ "hyperlocal",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
@@ -4242,7 +4351,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
 dependencies = [
  "dashmap",
- "futures",
+ "futures 0.3.28",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4256,7 +4365,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e56dd856803e253c8f298af3f4d7eb0ae5e23a737252cd90bb4f3b435033b2d"
 dependencies = [
  "dashmap",
- "futures",
+ "futures 0.3.28",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4296,10 +4405,12 @@ dependencies = [
  "containerd-shim-protos",
  "kata-types",
  "logging",
+ "persist",
  "runtimes",
  "slog",
  "slog-scope",
  "tokio",
+ "tracing",
  "ttrpc",
 ]
 
@@ -4363,7 +4474,9 @@ dependencies = [
  "nix 0.26.4",
  "oci-spec 0.8.3",
  "protobuf",
+ "rand 0.8.5",
  "runtime-spec",
+ "runtimes",
  "serial_test 0.10.0",
  "service",
  "sha2 0.10.9",
@@ -4372,8 +4485,11 @@ dependencies = [
  "slog-scope",
  "slog-stdlog",
  "tempfile",
+ "tests_utils",
  "thiserror 1.0.48",
  "tokio",
+ "tracing",
+ "tracing-opentelemetry",
  "unix_socket2",
 ]
 
@@ -4383,6 +4499,7 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "common",
+ "logging",
  "runtimes",
  "tokio",
 ]
@@ -4676,20 +4793,6 @@ dependencies = [
  "syn 2.0.104",
 ]
 
-[[package]]
-name = "sysctl"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
-dependencies = [
- "bitflags 2.10.0",
- "byteorder",
- "enum-as-inner",
- "libc",
- "thiserror 2.0.12",
- "walkdir",
-]
-
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
@@ -4980,12 +5083,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "52a15c15b1bc91f90902347eff163b5b682643aff0c8e972912cca79bd9208dd"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "libc",
  "tokio",
  "vsock",
 ]
 
+[[package]]
+name = "toml"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "toml"
 version = "0.5.11"
@@ -5128,7 +5240,7 @@ dependencies = [
  "async-trait",
  "byteorder",
  "crossbeam",
- "futures",
+ "futures 0.3.28",
  "home",
  "libc",
  "log",
@@ -5330,13 +5442,16 @@ version = "0.1.0"
 dependencies = [
  "agent",
  "anyhow",
+ "async-std",
  "async-trait",
  "awaitgroup",
  "common",
  "containerd-shim-protos",
+ "futures 0.3.28",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
+ "lazy_static",
  "libc",
  "logging",
  "nix 0.26.4",
@@ -5352,6 +5467,7 @@ dependencies = [
  "slog-scope",
  "strum 0.24.1",
  "tokio",
+ "toml 0.4.10",
  "tracing",
  "url",
  "uuid 1.18.1",
@@ -5984,7 +6100,7 @@ dependencies = [
  "async-trait",
  "blocking",
  "enumflags2",
- "event-listener",
+ "event-listener 5.4.1",
  "futures-core",
  "futures-lite",
  "hex",

docs/Limitations.md

@@ -187,10 +187,9 @@ different compared to `runc` containers:
 into the guest and exposes it directly to the container.
 
 **Mounting guest devices**: When the source path of a hostPath volume is
-under `/dev` (or `/dev` itself), and the path corresponds to a
-non-regular file (i.e., a device, directory, or any other special file)
-or is not accessible by the Kata shim, the Kata agent bind mounts the
-source path directly from the *guest* filesystem into the container.
+under `/dev`, and the path either corresponds to a host device or is not
+accessible by the Kata shim, the Kata agent bind mounts the source path
+directly from the *guest* filesystem into the container.
 
 [runtime-config]: /src/runtime/README.md#configuration
 [k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
@@ -227,35 +226,6 @@ Importantly, the default behavior to pass the host devices to a
 privileged container is not supported in Kata Containers and needs to be
 disabled, see [Privileged Kata Containers](how-to/privileged.md).
 
-## Guest pulled container images
-
-When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec.
-If the ID values are omitted:
-
-- Your workload might be executed with unexpected user/group ID values, because image layers
-  may be unavailable to containerd, so image config (including user/group) is not applied.
-- If using policy or genpolicy, the generated policy may detect these unexpected values and
-  reject the creation of workload containers.
-
-Set `securityContext` explicitly. Use **pod-level** `spec.securityContext` (for Pods) or
-`spec.template.spec.securityContext` (for controllers like Deployments) and/or **container-level**
-`spec.containers[].securityContext`. Include at least:
-- `runAsUser` — primary user ID
-- `runAsGroup` — primary group ID
-- `fsGroup` — volume group ownership (often reflected as a supplemental group)
-- `supplementalGroups` — list of additional group IDs (if needed)
-
-Example:
-
- ```yaml
- # Explicit user/group/supplementary groups to support nydus guest-pull
- securityContext:
-   runAsUser: 0
-   runAsGroup: 0
-   fsGroup: 0
-   supplementalGroups: [1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
- ```
-
 # Appendices
 
 ## The constraints challenge

docs/how-to/how-to-use-the-kata-agent-policy.md

@@ -99,9 +99,6 @@ The [`genpolicy`](../../src/tools/genpolicy/) application can be used to generat
 
 **Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.
 
-**Important — User / Group / Supplemental groups for Policy and genpolicy**
-When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec, as described in [Limitations](../Limitations.md#guest-pulled-container-images).
-
 See the [`genpolicy` documentation](../../src/tools/genpolicy/README.md) and the [Policy contents examples](#policy-contents) for additional information.
 
 ## Policy contents

src/agent/Cargo.lock

@@ -743,6 +743,12 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
 
+[[package]]
+name = "common-path"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -1092,18 +1098,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "enum-as-inner"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
-dependencies = [
- "heck 0.5.0",
- "proc-macro2",
- "quote",
- "syn 2.0.101",
-]
-
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -2108,6 +2102,8 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
+ "chrono",
+ "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2116,9 +2112,11 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec",
+ "once_cell",
  "pci-ids",
  "rand",
  "runtime-spec",
+ "safe-path",
  "serde",
  "serde_json",
  "slog",
@@ -2137,8 +2135,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
+ "hex",
  "lazy_static",
- "nix 0.26.4",
  "num_cpus",
  "oci-spec",
  "regex",
@@ -2149,7 +2147,6 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
- "sysctl",
  "sysinfo",
  "thiserror 1.0.69",
  "toml",
@@ -2309,6 +2306,7 @@ name = "mem-agent"
 version = "0.2.0"
 dependencies = [
  "anyhow",
+ "async-trait",
  "chrono",
  "maplit",
  "nix 0.30.1",
@@ -3577,6 +3575,7 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
+ "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4216,20 +4215,6 @@ dependencies = [
  "syn 2.0.101",
 ]
 
-[[package]]
-name = "sysctl"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
-dependencies = [
- "bitflags 2.9.0",
- "byteorder",
- "enum-as-inner",
- "libc",
- "thiserror 2.0.12",
- "walkdir",
-]
-
 [[package]]
 name = "sysinfo"
 version = "0.34.2"

src/dragonball/Cargo.toml

@@ -48,6 +48,7 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
+fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }
 
@@ -85,6 +86,3 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(feature, values("test-mock"))',
 ] }
-
-[package.metadata.cargo-machete]
-ignored = ["vfio-bindings"]

src/dragonball/dbs_pci/Cargo.toml

@@ -23,22 +23,24 @@ dbs-interrupt = { workspace = true, features = [
     "kvm-legacy-irq",
     "kvm-msi-irq",
 ] }
+downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"
 
-vm-memory = { workspace = true }
-kvm-ioctls = { workspace = true }
-kvm-bindings = { workspace = true }
-vfio-ioctls = { workspace = true }
-vfio-bindings = { workspace = true }
+vm-memory = {workspace = true}
+kvm-ioctls = {workspace = true}
+kvm-bindings = {workspace = true}
+vfio-ioctls = {workspace = true}
+vfio-bindings = {workspace = true}
 libc = "0.2.39"
-virtio-queue = { workspace = true }
-dbs-utils = { workspace = true }
+vmm-sys-util = {workspace = true}
+virtio-queue = {workspace = true}
+dbs-utils = {workspace = true}
 
 
 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-ioctls = {workspace = true}
 test-utils = { workspace = true }
 nix = { workspace = true }
 

src/dragonball/dbs_upcall/Cargo.toml

@@ -11,6 +11,7 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"
 
 [dependencies]
+anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true}
+kvm-ioctls = {workspace = true}
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,16 +37,19 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = { workspace = true }
-virtio-queue = { workspace = true }
-vmm-sys-util = { workspace = true }
+virtio-bindings = {workspace = true}
+virtio-queue = {workspace = true}
+vmm-sys-util = {workspace = true}
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"
 
 [dev-dependencies]
-vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
+vm-memory = { workspace = true, features = [
+    "backend-mmap",
+    "backend-atomic",
+] }
 test-utils = { workspace = true }
 
 [features]

src/dragonball/dbs_virtio_devices/src/lib.rs

@@ -439,19 +439,19 @@ pub mod tests {
             VirtqDesc { desc }
         }
 
-        pub fn addr(&self) -> VolatileRef<'_, u64> {
+        pub fn addr(&self) -> VolatileRef<u64> {
             self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
         }
 
-        pub fn len(&self) -> VolatileRef<'_, u32> {
+        pub fn len(&self) -> VolatileRef<u32> {
             self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
         }
 
-        pub fn next(&self) -> VolatileRef<'_, u16> {
+        pub fn next(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
         }
 
@@ -513,11 +513,11 @@ pub mod tests {
             self.start.unchecked_add(self.ring.len() as GuestUsize)
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.ring.get_ref(0).unwrap()
         }
 
-        pub fn idx(&self) -> VolatileRef<'_, u16> {
+        pub fn idx(&self) -> VolatileRef<u16> {
             self.ring.get_ref(2).unwrap()
         }
 
@@ -525,12 +525,12 @@ pub mod tests {
             4 + mem::size_of::<T>() * (i as usize)
         }
 
-        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<T> {
             assert!(i < self.qsize);
             self.ring.get_ref(Self::ring_offset(i)).unwrap()
         }
 
-        pub fn event(&self) -> VolatileRef<'_, u16> {
+        pub fn event(&self) -> VolatileRef<u16> {
             self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
         }
 
@@ -602,7 +602,7 @@ pub mod tests {
             (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
         }
 
-        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
+        pub fn dtable(&self, i: u16) -> VirtqDesc {
             VirtqDesc::new(&self.dtable, i)
         }
 

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -865,11 +865,11 @@ mod tests {
             0
         );
         let config: [u8; 8] = [0; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
             &mut dev, 0, &config,
         );
         let mut data: [u8; 8] = [1; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
             &mut dev, 0, &mut data,
         );
         assert_eq!(config, data);

src/dragonball/dbs_virtio_devices/src/vsock/mod.rs

@@ -339,7 +339,7 @@ mod tests {
             }
         }
 
-        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext {
             const QSIZE: u16 = 256;
 
             let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);

src/libs/kata-sys-util/Cargo.toml

@@ -13,10 +13,13 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
+chrono = "0.4.0"
+common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
+once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -31,7 +34,10 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
+safe-path = { path = "../safe-path" }
 
 [dev-dependencies]
+num_cpus = "1.13.1"
+serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/Cargo.toml

@@ -29,14 +29,12 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-nix = "0.26.4"
+hex = "0.4"
+
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 
 safe-path = { path = "../safe-path", optional = true }
 
-[target.'cfg(target_os = "macos")'.dependencies]
-sysctl = "0.7.1"
-
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -26,6 +26,7 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
+use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -33,6 +34,7 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
+use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 
 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1005,57 +1007,6 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
     60
 }
 
-/// Get host memory size in MiB.
-/// Retrieves the total physical memory of the host across different platforms.
-fn host_memory_mib() -> io::Result<u64> {
-    // Select a platform-specific implementation via a function pointer.
-    let get_memory: fn() -> io::Result<u64> = {
-        #[cfg(target_os = "linux")]
-        {
-            || {
-                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
-                Ok(info.ram_total() / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(target_os = "macos")]
-        {
-            || {
-                use sysctl::{Ctl, CtlValue, Sysctl};
-
-                let v = Ctl::new("hw.memsize")
-                    .map_err(io::Error::other)?
-                    .value()
-                    .map_err(io::Error::other)?;
-
-                let bytes = match v {
-                    CtlValue::S64(x) if x >= 0 => x as u64,
-                    other => {
-                        return Err(io::Error::new(
-                            io::ErrorKind::InvalidData,
-                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
-                        ));
-                    }
-                };
-
-                Ok(bytes / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
-        {
-            || {
-                Err(io::Error::new(
-                    io::ErrorKind::Unsupported,
-                    "host memory query not implemented on this platform",
-                ))
-            }
-        }
-    };
-
-    get_memory()
-}
-
 impl MemoryInfo {
     /// Adjusts the configuration information after loading from a configuration file.
     ///
@@ -1067,15 +1018,13 @@ impl MemoryInfo {
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-
-        let host_memory = host_memory_mib()?;
-
-        if u64::from(self.default_memory) > host_memory {
-            self.default_memory = host_memory as u32;
-        }
-
-        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
-            self.default_maxmemory = host_memory as u32;
+        if self.default_maxmemory == 0 {
+            let s = System::new_with_specifics(
+                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
+            );
+            self.default_maxmemory = Byte::from_u64(s.total_memory())
+                .get_adjusted_unit(Unit::MiB)
+                .get_value() as u32;
         }
         Ok(())
     }
@@ -1218,29 +1167,6 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub sev_snp_guest: bool,
 
-    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
-    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
-    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
-    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
-    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
-    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
-    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_block: String,
-
-    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
-    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_auth: String,
-
-    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
-    /// If unset, the QEMU default policy (0x30000) will be used.
-    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
-    /// won't start at all if the policy denys it. This will be indicated by a
-    /// 'SNP_LAUNCH_START' error.
-    #[serde(default = "default_snp_guest_policy")]
-    pub snp_guest_policy: u32,
-
     /// Path to OCI hook binaries in the *guest rootfs*.
     ///
     /// This setting does not affect host-side hooks, which must instead be
@@ -1302,10 +1228,6 @@ fn default_qgs_port() -> u32 {
     4050
 }
 
-fn default_snp_guest_policy() -> u32 {
-    0x30000
-}
-
 impl SecurityInfo {
     /// Adjusts the security configuration information after loading from a configuration file.
     ///

src/libs/mem-agent/Cargo.toml

@@ -10,6 +10,7 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
+async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }
 

src/libs/runtime-spec/Cargo.toml

@@ -9,3 +9,4 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
+libc = "0.2.112"

src/runtime-rs/Cargo.toml

@@ -28,4 +28,5 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
+logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/agent/Cargo.toml

@@ -5,9 +5,13 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }
 
+[dev-dependencies]
+futures = "0.1.27"
+
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -27,6 +31,3 @@ protocols = { workspace = true, features = ["async"] }
 
 [features]
 default = []
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -28,6 +28,8 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
+protobuf = { workspace = true }
+oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -42,6 +44,7 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
+shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }

src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs

@@ -110,16 +110,6 @@ pub struct DeviceConfig {
     pub pci_segment: u16,
 }
 
-#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
-pub enum ImageType {
-    FixedVhd,
-    Qcow2,
-    Raw,
-    Vhdx,
-    #[default]
-    Unknown,
-}
-
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
     pub path: Option<PathBuf>,
@@ -145,8 +135,6 @@ pub struct DiskConfig {
     pub disable_io_uring: bool,
     #[serde(default)]
     pub pci_segment: u16,
-    #[serde(default)]
-    pub image_type: ImageType,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]

src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs

@@ -27,7 +27,6 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
-use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -551,7 +550,6 @@ impl TryFrom<BlockConfig> for DiskConfig {
             readonly: blkcfg.is_readonly,
             num_queues: blkcfg.num_queues,
             queue_size: blkcfg.queue_size as u16,
-            image_type: ImageType::Raw,
             ..Default::default()
         };
 

src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs

@@ -256,8 +256,29 @@ struct Memory {
 
 impl Memory {
     fn new(config: &HypervisorConfig) -> Memory {
-        let mem_size = config.memory_info.default_memory as u64;
-        let max_mem_size = config.memory_info.default_maxmemory as u64;
+        // Move this to QemuConfig::adjust_config()?
+
+        let mut mem_size = config.memory_info.default_memory as u64;
+        let mut max_mem_size = config.memory_info.default_maxmemory as u64;
+
+        if let Ok(sysinfo) = nix::sys::sysinfo::sysinfo() {
+            let host_memory = sysinfo.ram_total() >> 20;
+
+            if mem_size > host_memory {
+                info!(sl!(), "'default_memory' given in configuration.toml is greater than host memory, adjusting to host memory");
+                mem_size = host_memory
+            }
+
+            if max_mem_size == 0 || max_mem_size > host_memory {
+                max_mem_size = host_memory
+            }
+        } else {
+            warn!(sl!(), "Failed to get host memory size, cannot verify or adjust configuration.toml's 'default_maxmemory'");
+
+            if max_mem_size == 0 {
+                max_mem_size = mem_size;
+            };
+        }
 
         // Memory sizes are given in megabytes in configuration.toml so we
         // need to convert them to bytes for storage.
@@ -279,18 +300,6 @@ impl Memory {
         self.memory_backend_file = Some(mem_file.clone());
         self
     }
-
-    #[allow(dead_code)]
-    fn set_maxmem_size(&mut self, max_size: u64) -> &mut Self {
-        self.max_size = max_size;
-        self
-    }
-
-    #[allow(dead_code)]
-    fn set_num_slots(&mut self, num_slots: u32) -> &mut Self {
-        self.num_slots = num_slots;
-        self
-    }
 }
 
 #[async_trait]
@@ -1879,7 +1888,6 @@ struct ObjectSevSnpGuest {
     reduced_phys_bits: u32,
     kernel_hashes: bool,
     host_data: Option<String>,
-    policy: u32,
     is_snp: bool,
 }
 
@@ -1891,15 +1899,9 @@ impl ObjectSevSnpGuest {
             reduced_phys_bits,
             kernel_hashes: true,
             host_data,
-            policy: 0x30000,
             is_snp,
         }
     }
-
-    fn set_policy(&mut self, policy: u32) -> &mut Self {
-        self.policy = policy;
-        self
-    }
 }
 
 #[async_trait]
@@ -1922,7 +1924,6 @@ impl ToQemuParams for ObjectSevSnpGuest {
                 "kernel-hashes={}",
                 if self.kernel_hashes { "on" } else { "off" }
             ));
-            params.push(format!("policy=0x{:x}", self.policy));
             if let Some(host_data) = &self.host_data {
                 params.push(format!("host-data={host_data}"))
             }
@@ -2578,19 +2579,13 @@ impl<'a> QemuCmdLine<'a> {
         firmware: &str,
         host_data: &Option<String>,
     ) {
-        // For SEV-SNP, memory overcommit is not supported. we only set the memory size.
-        self.memory.set_maxmem_size(0).set_num_slots(0);
-
-        let mut sev_snp_object =
+        let sev_snp_object =
             ObjectSevSnpGuest::new(true, cbitpos, phys_addr_reduction, host_data.clone());
-        sev_snp_object.set_policy(self.config.security_info.snp_guest_policy);
-
         self.devices.push(Box::new(sev_snp_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
 
         self.machine
-            .set_kernel_irqchip("split")
             .set_confidential_guest_support("snp")
             .set_nvdimm(false);
 

src/runtime-rs/crates/persist/Cargo.toml

@@ -8,10 +8,12 @@ license = { workspace = true }
 [dependencies]
 async-trait = { workspace = true }
 anyhow = { workspace = true }
+libc = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
 # Local dependencies
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
+shim-interface = { workspace = true }
 safe-path = { workspace = true }

src/runtime-rs/crates/resource/Cargo.toml

@@ -15,6 +15,7 @@ test-utils = { workspace = true }
 actix-rt = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+bitflags = "2.9.0"
 byte-unit = "5.1.6"
 cgroups-rs = { version = "0.5.0", features = ["oci"] }
 futures = "0.3.11"
@@ -40,6 +41,7 @@ hex = "0.4"
 
 ## Dependencies from `rust-netlink`
 netlink-packet-route = "0.26"
+netlink-sys = "0.8"
 rtnetlink = "0.19"
 
 # Local dependencies
@@ -52,7 +54,3 @@ persist = { workspace = true }
 tests_utils = { workspace = true }
 
 [features]
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -11,7 +11,6 @@ lazy_static = { workspace = true }
 netns-rs = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
-containerd-shim-protos = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }
@@ -27,6 +26,7 @@ opentelemetry-jaeger = { version = "0.17.0", features = [
 ] }
 tracing-subscriber = { version = "0.3", features = ["registry", "std"] }
 hyper = { workspace = true, features = ["stream", "server", "http1"] }
+hyperlocal = { workspace = true }
 serde_json = { workspace = true }
 nix = "0.25.0"
 url = { workspace = true }

src/runtime-rs/crates/runtimes/common/Cargo.toml

@@ -11,14 +11,20 @@ license = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["sandbox"] }
+lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
+serde_json = { workspace = true }
+slog = { workspace = true }
+slog-scope = { workspace = true }
 strum = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
+ttrpc = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
+persist = { workspace = true }
 agent = { workspace = true }
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }

src/runtime-rs/crates/runtimes/common/src/message.rs

@@ -6,7 +6,7 @@
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskExit, TaskOOM, TaskStart};
+use containerd_shim_protos::events::task::{TaskExit, TaskOOM};
 use containerd_shim_protos::protobuf::Message as ProtobufMessage;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 
@@ -49,15 +49,9 @@ impl Message {
 
 const TASK_OOM_EVENT_TOPIC: &str = "/tasks/oom";
 const TASK_EXIT_EVENT_TOPIC: &str = "/tasks/exit";
-const TASK_START_EVENT_TOPIC: &str = "/tasks/start";
-const TASK_CREATE_EVENT_TOPIC: &str = "/tasks/create";
-const TASK_DELETE_EVENT_TOPIC: &str = "/tasks/delete";
 
 const TASK_OOM_EVENT_URL: &str = "containerd.events.TaskOOM";
 const TASK_EXIT_EVENT_URL: &str = "containerd.events.TaskExit";
-const TASK_START_EVENT_URL: &str = "containerd.events.TaskStart";
-const TASK_CREATE_EVENT_URL: &str = "containerd.events.TaskCreate";
-const TASK_DELETE_EVENT_URL: &str = "containerd.events.TaskDelete";
 
 pub trait Event: std::fmt::Debug + Send {
     fn r#type(&self) -> String;
@@ -92,45 +86,3 @@ impl Event for TaskExit {
         self.write_to_bytes().context("get exit value")
     }
 }
-
-impl Event for TaskStart {
-    fn r#type(&self) -> String {
-        TASK_START_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_START_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get start value")
-    }
-}
-
-impl Event for TaskCreate {
-    fn r#type(&self) -> String {
-        TASK_CREATE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_CREATE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get create value")
-    }
-}
-
-impl Event for TaskDelete {
-    fn r#type(&self) -> String {
-        TASK_DELETE_EVENT_TOPIC.to_string()
-    }
-
-    fn type_url(&self) -> String {
-        TASK_DELETE_EVENT_URL.to_string()
-    }
-
-    fn value(&self) -> Result<Vec<u8>> {
-        self.write_to_bytes().context("get delete value")
-    }
-}

src/runtime-rs/crates/runtimes/src/manager.rs

@@ -6,16 +6,14 @@
 
 use anyhow::{anyhow, Context, Result};
 use common::{
-    message::{Action, Message},
+    message::Message,
     types::{
-        ContainerProcess, PlatformInfo, ProcessType, SandboxConfig, SandboxRequest,
-        SandboxResponse, SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse,
-        DEFAULT_SHM_SIZE,
+        ContainerProcess, PlatformInfo, SandboxConfig, SandboxRequest, SandboxResponse,
+        SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse, DEFAULT_SHM_SIZE,
     },
     RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };
 
-use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskStart};
 use hypervisor::{
     utils::{create_dir_all_with_inherit_owner, create_vmm_user, remove_vmm_user},
     Param,
@@ -35,13 +33,13 @@ use netns_rs::{Env, NetNs};
 use nix::{sys::statfs, unistd::User};
 use oci_spec::runtime as oci;
 use persist::sandbox_persist::Persist;
-use protobuf::Message as ProtobufMessage;
 use resource::{
     cpu_mem::initial_size::InitialSizeManager,
     network::{dan_config_path, generate_netns_name},
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
+use protobuf::Message as ProtobufMessage;
 use std::{
     collections::HashMap,
     env,
@@ -482,7 +480,6 @@ impl RuntimeHandlerManager {
                 .await
                 .context("start sandbox in task handler")?;
 
-            let bundle = container_config.bundle.clone();
             let container_id = container_config.container_id.clone();
             let shim_pid = instance
                 .container_manager
@@ -504,19 +501,6 @@ impl RuntimeHandlerManager {
                 }
             });
 
-            let msg_sender = self.inner.read().await.msg_sender.clone();
-            let event = TaskCreate {
-                container_id,
-                bundle,
-                pid,
-                ..Default::default()
-            };
-            let msg = Message::new(Action::Event(Arc::new(event)));
-            msg_sender
-                .send(msg)
-                .await
-                .context("send task create event")?;
-
             Ok(TaskResponse::CreateContainer(shim_pid))
         } else {
             self.handler_task_request(req)
@@ -586,7 +570,6 @@ impl RuntimeHandlerManager {
             .context("get runtime instance")?;
         let sandbox = instance.sandbox.clone();
         let cm = instance.container_manager.clone();
-        let msg_sender = self.inner.read().await.msg_sender.clone();
 
         match req {
             TaskRequest::CreateContainer(req) => Err(anyhow!("Unreachable TaskRequest {:?}", req)),
@@ -596,20 +579,6 @@ impl RuntimeHandlerManager {
             }
             TaskRequest::DeleteProcess(process_id) => {
                 let resp = cm.delete_process(&process_id).await.context("do delete")?;
-                if process_id.process_type == ProcessType::Container {
-                    let event = TaskDelete {
-                        id: process_id.container_id().to_string(),
-                        pid: resp.pid.pid,
-                        exit_status: resp.exit_status as u32,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task delete event")?;
-                }
-
                 Ok(TaskResponse::DeleteProcess(resp))
             }
             TaskRequest::ExecProcess(req) => {
@@ -645,28 +614,12 @@ impl RuntimeHandlerManager {
                     .context("start process")?;
 
                 let pid = shim_pid.pid;
-                let process_type = process_id.process_type;
-                let container_id = process_id.container_id().to_string();
                 tokio::spawn(async move {
                     let result = sandbox.wait_process(cm, process_id, pid).await;
                     if let Err(e) = result {
                         error!(sl!(), "sandbox wait process error: {:?}", e);
                     }
                 });
-
-                if process_type == ProcessType::Container {
-                    let event = TaskStart {
-                        container_id,
-                        pid,
-                        ..Default::default()
-                    };
-                    let msg = Message::new(Action::Event(Arc::new(event)));
-                    msg_sender
-                        .send(msg)
-                        .await
-                        .context("send task start event")?;
-                }
-
                 Ok(TaskResponse::StartProcess(shim_pid))
             }
 

src/runtime-rs/crates/runtimes/virt_container/Cargo.toml

@@ -10,6 +10,8 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 awaitgroup = "0.6.0"
 containerd-shim-protos = { workspace = true }
+futures = "0.3.19"
+lazy_static = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
@@ -19,7 +21,9 @@ serde_json = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true }
+toml = "0.4.2"
 url = { workspace = true }
+async-std = "1.12.0"
 tracing = { workspace = true }
 oci-spec = { workspace = true }
 strum = { workspace = true }
@@ -44,7 +48,3 @@ cloud-hypervisor = ["hypervisor/cloud-hypervisor"]
 
 # Enable the build-in VMM Dragtonball
 dragonball = ["hypervisor/dragonball"]
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/service/Cargo.toml

@@ -11,6 +11,7 @@ async-trait = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
+tracing = { workspace = true }
 ttrpc = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["async", "sandbox"] }
 containerd-shim = { workspace = true }
@@ -20,7 +21,4 @@ common = { workspace = true }
 logging = { workspace = true }
 kata-types = { workspace = true }
 runtimes = { workspace = true }
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]
+persist = { workspace = true }

src/runtime-rs/crates/shim-ctl/Cargo.toml

@@ -9,8 +9,9 @@ license = { workspace = true }
 
 [dependencies]
 anyhow = { workspace = true }
-tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
+tokio = { workspace = true, features = [ "rt", "rt-multi-thread" ] }
 
 # Local dependencies
 common = { workspace = true }
+logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/shim/Cargo.toml

@@ -36,6 +36,8 @@ slog-stdlog = "4.1.0"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 unix_socket2 = "0.5.4"
+tracing = { workspace = true }
+tracing-opentelemetry = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
@@ -44,7 +46,12 @@ kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
 service = { workspace = true }
+runtimes = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }
+rand = { workspace = true }
 serial_test = "0.10.0"
+
+# Local dev-dependencies
+tests_utils = { workspace = true }

src/runtime/Makefile

@@ -147,14 +147,10 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=
 
-FIRMWAREPATH_NV = $(FIRMWAREPATH)
-
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
-FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
 FIRMWARETDVFVOLUMEPATH :=
 
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
-FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)
 
 KERNELVERITYPARAMS ?= ""
 KERNELVERITYPARAMS_NV ?= ""
@@ -276,7 +272,6 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
-DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -305,11 +300,9 @@ DEFDANCONF := /run/kata-containers/dans
 
 DEFFORCEGUESTPULL := false
 
-DEFKUBELETROOTDIR := /var/lib/kubelet
-
 # Device cold plug
 DEFPODRESOURCEAPISOCK := ""
-DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock"
+DEFPODRESOURCEAPISOCK_NV := "/var/lib/kubelet/pod-resources/kubelet.sock"
 
 SED = sed
 
@@ -474,8 +467,8 @@ ifneq (,$(QEMUCMD))
     KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
 
     # NVIDIA GPU specific options (all should be suffixed by _NV)
-    KERNELTYPE_NV = compressed
-    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
+    # Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
+    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE))
     KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
     KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
     KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
@@ -491,9 +484,6 @@ ifneq (,$(QEMUCMD))
     # using an image and /dev is already mounted.
     KERNELPARAMS_NV = "cgroup_no_v1=all"
     KERNELPARAMS_NV += "devtmpfs.mount=0"
-    KERNELPARAMS_NV += "pci=realloc"
-    KERNELPARAMS_NV += "pci=nocrs"
-    KERNELPARAMS_NV += "pci=assign-busses"
 
     # Setting this to false can lead to cgroup leakages in the host
     # Best practice for production is to set this to true
@@ -690,13 +680,10 @@ USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELPATH_STRATOVIRT
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
-USER_VARS += FIRMWAREPATH_NV
 USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
-USER_VARS += FIRMWARETDVFPATH_NV
-USER_VARS += FIRMWARESNPPATH_NV
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
@@ -777,7 +764,6 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
-USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH
@@ -797,7 +783,6 @@ USER_VARS += DEFSTATICRESOURCEMGMT_NV
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
-USER_VARS += DEFKUBELETROOTDIR
 USER_VARS += DEFFORCEGUESTPULL
 USER_VARS += DEFVFIOMODE
 USER_VARS += DEFVFIOMODE_SE

src/runtime/arch/s390x-options.mk

@@ -18,6 +18,3 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
-
-# Enable virtio-mem for s390x
-DEFENABLEVIRTIOMEM = true

src/runtime/cmd/kata-monitor/main.go

@@ -196,7 +196,7 @@ func indexPageText(w http.ResponseWriter, r *http.Request) {
 	formatter := fmt.Sprintf("%%-%ds: %%s\n", spacing)
 
 	for _, endpoint := range endpoints {
-		fmt.Fprintf(w, formatter, endpoint.path, endpoint.desc)
+		w.Write([]byte(fmt.Sprintf(formatter, endpoint.path, endpoint.desc)))
 	}
 }
 

src/runtime/cmd/kata-runtime/kata-check_amd64.go

@@ -63,7 +63,7 @@ func setCPUtype(hypervisorType vc.HypervisorType) error {
 	cpuType = getCPUtype()
 
 	if cpuType == cpuTypeUnknown {
-		return fmt.Errorf("Unknown CPU Type")
+		return fmt.Errorf("Unknow CPU Type")
 	} else if cpuType == cpuTypeIntel {
 		var kvmIntelParams map[string]string
 		onVMM, err := vc.RunningOnVMM(procCPUInfo)

src/runtime/cmd/kata-runtime/kata-check_amd64_test.go

@@ -55,17 +55,18 @@ func TestCCCheckCLIFunction(t *testing.T) {
 	var moduleData []testModuleData
 
 	cpuType = getCPUtype()
-	moduleData = []testModuleData{}
-
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		cpuData = []testCPUData{
 			{archGenuineIntel, "lm vmx sse4_1", false},
 		}
-	case cpuTypeAMD:
+
+		moduleData = []testModuleData{}
+	} else if cpuType == cpuTypeAMD {
 		cpuData = []testCPUData{
 			{archAuthenticAMD, "lm svm sse4_1", false},
 		}
+
+		moduleData = []testModuleData{}
 	}
 
 	genericCheckCLIFunction(t, cpuData, moduleData)
@@ -275,8 +276,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 	var moduleData []testModuleData
 	cpuType = getCPUtype()
 
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"Intel", "", true},
@@ -292,7 +292,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/nested"), "Y", false},
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/unrestricted_guest"), "Y", false},
 		}
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"AMD", "", true},
@@ -340,7 +340,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 		// Write the following into the denylist file
 		// blacklist <mod>
 		// install <mod> /bin/false
-		_, err = fmt.Fprintf(denylistFile, "blacklist %s\ninstall %s /bin/false\n", mod, mod)
+		_, err = denylistFile.WriteString(fmt.Sprintf("blacklist %s\ninstall %s /bin/false\n", mod, mod))
 		assert.Nil(err)
 	}
 	denylistFile.Close()
@@ -505,10 +505,9 @@ func TestSetCPUtype(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-check_test.go

@@ -17,6 +17,7 @@ import (
 	"testing"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
+	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/sirupsen/logrus"
@@ -508,7 +509,7 @@ func TestCheckCheckCPUAttribs(t *testing.T) {
 }
 
 func TestCheckHaveKernelModule(t *testing.T) {
-	if tc.NotValid(katatestutils.NeedRoot()) {
+	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
 
@@ -637,8 +638,8 @@ func TestCheckCheckKernelModules(t *testing.T) {
 func TestCheckCheckKernelModulesUnreadableFile(t *testing.T) {
 	assert := assert.New(t)
 
-	if tc.NotValid(katatestutils.NeedNonRoot()) {
-		t.Skip(katatestutils.TestDisabledNeedNonRoot)
+	if tc.NotValid(ktu.NeedNonRoot()) {
+		t.Skip(ktu.TestDisabledNeedNonRoot)
 	}
 
 	dir := t.TempDir()

src/runtime/cmd/kata-runtime/kata-env_amd64_test.go

@@ -56,10 +56,9 @@ func TestEnvGetEnvInfoSetsCPUType(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-env_test.go

@@ -14,6 +14,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	goruntime "runtime"
 	"strings"
 	"testing"
 
@@ -183,7 +184,7 @@ func genericGetExpectedHostDetails(tmpdir string, expectedVendor string, expecte
 	}
 
 	const expectedKernelVersion = "99.1"
-	const expectedArch = runtime.GOARCH
+	const expectedArch = goruntime.GOARCH
 
 	expectedDistro := DistroInfo{
 		Name:    "Foo",
@@ -253,7 +254,7 @@ VERSION_ID="%s"
 		}
 	}
 
-	if runtime.GOARCH == "arm64" {
+	if goruntime.GOARCH == "arm64" {
 		expectedHostDetails.CPU.Vendor = "ARM Limited"
 		expectedHostDetails.CPU.Model = "v8"
 	}

src/runtime/cmd/kata-runtime/kata-iptables.go

@@ -55,9 +55,9 @@ var getIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesURL
+		url := containerdshim.IPTablesUrl
 		if isIPv6 {
-			url = containerdshim.IP6TablesURL
+			url = containerdshim.IP6TablesUrl
 		}
 		body, err := shimclient.DoGet(sandboxID, defaultTimeout, url)
 		if err != nil {
@@ -108,9 +108,9 @@ var setIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesURL
+		url := containerdshim.IPTablesUrl
 		if isIPv6 {
-			url = containerdshim.IP6TablesURL
+			url = containerdshim.IP6TablesUrl
 		}
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {

src/runtime/cmd/kata-runtime/kata-policy.go

@@ -62,7 +62,7 @@ var setPolicyCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.PolicyURL
+		url := containerdshim.PolicyUrl
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
 			return fmt.Errorf("Error observed when making policy-set request(%s): %s", policyFile, err)

src/runtime/cmd/kata-runtime/kata-volume.go

@@ -126,7 +126,7 @@ var resizeCommand = cli.Command{
 
 // Stats retrieves the filesystem stats of the direct volume inside the guest.
 func Stats(volumePath string) ([]byte, error) {
-	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
+	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +136,8 @@ func Stats(volumePath string) ([]byte, error) {
 	}
 
 	urlSafeDevicePath := url.PathEscape(volumeMountInfo.Device)
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout,
-		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatURL, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
+	body, err := shimclient.DoGet(sandboxId, defaultTimeout,
+		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatUrl, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +146,7 @@ func Stats(volumePath string) ([]byte, error) {
 
 // Resize resizes a direct volume inside the guest.
 func Resize(volumePath string, size uint64) error {
-	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
+	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
 	if err != nil {
 		return err
 	}
@@ -163,5 +163,5 @@ func Resize(volumePath string, size uint64) error {
 	if err != nil {
 		return err
 	}
-	return shimclient.DoPost(sandboxID, defaultTimeout, containerdshim.DirectVolumeResizeURL, "application/json", encoded)
+	return shimclient.DoPost(sandboxId, defaultTimeout, containerdshim.DirectVolumeResizeUrl, "application/json", encoded)
 }

src/runtime/cmd/kata-runtime/release.go

@@ -94,12 +94,11 @@ func releaseURLIsValid(url string) error {
 func getReleaseURL(currentVersion semver.Version) (url string, err error) {
 	major := currentVersion.Major
 
-	switch major {
-	case 0:
+	if major == 0 {
 		return "", fmt.Errorf("invalid current version: %v", currentVersion)
-	case 1:
+	} else if major == 1 {
 		url = kataLegacyReleaseURL
-	default:
+	} else {
 		url = kataReleaseURL
 	}
 

src/runtime/config/configuration-clh.toml.in

@@ -491,11 +491,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-fc.toml.in

@@ -382,11 +382,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-cca.toml.in

@@ -670,12 +670,6 @@ dan_conf = "@DEFDANCONF@"
 # the container image should be pulled in the guest, without using an external snapshotter.
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
-
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-coco-dev.toml.in

@@ -734,11 +734,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -99,7 +99,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARESNPPATH_NV@"
+firmware = "@FIRMWARESNPPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -750,11 +750,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -76,7 +76,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH_NV@"
+firmware = "@FIRMWARETDVFPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -727,11 +727,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -58,7 +58,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH_NV@"
+firmware = "@FIRMWAREPATH@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -724,11 +724,6 @@ create_container_timeout = @DEFAULTTIMEOUT_NV@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-se.toml.in

@@ -712,11 +712,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-snp.toml.in

@@ -737,11 +737,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -719,11 +719,6 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu.toml.in

@@ -142,7 +142,7 @@ memory_offset = 0
 # Please note that this option should be used with the command
 # "echo 1 > /proc/sys/vm/overcommit_memory".
 # Default false
-enable_virtio_mem = @DEFENABLEVIRTIOMEM@
+enable_virtio_mem = false
 
 # Disable hotplugging host block devices to guest VMs for container rootfs.
 # In case of a storage driver like devicemapper where a container's
@@ -723,11 +723,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-remote.toml.in

@@ -290,11 +290,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-stratovirt.toml.in

@@ -425,11 +425,6 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
-# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
-# volume paths for propagation. Override for distros that use a different path
-# (e.g. k0s: /var/lib/k0s/kubelet).
-kubelet_root_dir = "@DEFKUBELETROOTDIR@"
-
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/go.mod

@@ -1,14 +1,14 @@
 module github.com/kata-containers/kata-containers/src/runtime
 
 // Keep in sync with version in versions.yaml
-go 1.25.7
+go 1.24.13
 
 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
 
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5
-	github.com/BurntSushi/toml v1.6.0
+	github.com/BurntSushi/toml v1.5.0
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/blang/semver/v4 v4.0.0
 	github.com/container-orchestrated-devices/container-device-interface v0.6.0
@@ -52,10 +52,11 @@ require (
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
-	go.opentelemetry.io/otel v1.40.0
+	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
+	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.0.0
-	go.opentelemetry.io/otel/sdk v1.40.0
-	go.opentelemetry.io/otel/trace v1.40.0
+	go.opentelemetry.io/otel/sdk v1.35.0
+	go.opentelemetry.io/otel/trace v1.35.0
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sys v0.40.0
 	google.golang.org/grpc v1.72.0
@@ -126,9 +127,9 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/mod v0.31.0 // indirect
 	golang.org/x/net v0.49.0 // indirect

src/runtime/go.sum

@@ -8,9 +8,8 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
-github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -266,8 +265,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.6.2 h1:O3ZPFAKEUEfbtE6J/feEe2Ft7dIJ2Sy8t4SdMRiIMHY=
@@ -309,29 +308,31 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965 h1:EXE1ZsUqiUWGV5Dw2oTYpXx24ffxj0//yhTB0Ppv+4s=
+gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965/go.mod h1:TBB3sR7/jg4RCThC/cgT4fB8mAbbMO307TycfgeR59w=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
 go.opentelemetry.io/otel v1.0.0/go.mod h1:AjRVh9A5/5DE7S+mZtTR6t8vpKKryam+0lREnfmS4cg=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0 h1:cLhx8llHw02h5JTqGqaRbYn+QVKHmrzD9vEbKnSPk5U=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0/go.mod h1:q10N1AolE1JjqKrFJK2tYw0iZpmX+HBaXBtuCzRnBGQ=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
 go.opentelemetry.io/otel/sdk v1.0.0/go.mod h1:PCrDHlSy5x1kjezSdL37PhbFUMjrsLRshJ2zCzeXwbM=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
 go.opentelemetry.io/otel/trace v1.0.0/go.mod h1:PXTWqayeFUlJV1YDNhsJYB184+IvAH814St6o6ajzIs=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=

src/runtime/pkg/containerd-shim-v2/create.go

@@ -40,6 +40,7 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
@@ -51,7 +52,7 @@ var defaultStartManagementServerFunc startManagementServerFunc = func(s *service
 	shimLog.Info("management server started")
 }
 
-func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
+func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
 	for _, o := range rootFs.Options {
 		if !strings.HasPrefix(o, annotations.FileSystemLayer) {
 			continue
@@ -74,7 +75,7 @@ func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
 }
 
 func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) {
-	rootFs := virtcontainers.RootFs{}
+	rootFs := vc.RootFs{}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
 		rootFs.Source = m.Source
@@ -107,7 +108,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 	}
 
 	switch containerType {
-	case virtcontainers.PodSandbox, virtcontainers.SingleContainer:
+	case vc.PodSandbox, vc.SingleContainer:
 		if s.sandbox != nil {
 			return nil, fmt.Errorf("cannot create another sandbox in sandbox: %s", s.sandbox.ID())
 		}
@@ -150,7 +151,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 		//   2. If this is not a sandbox infrastructure container, but instead a standalone single container (analogous to "docker run..."),
 		//	then the container spec itself will contain appropriate sizing information for the entire sandbox (since it is
 		//	a single container.
-		if containerType == virtcontainers.PodSandbox {
+		if containerType == vc.PodSandbox {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateSandboxSizing(ociSpec)
 		} else {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateContainerSizing(ociSpec)
@@ -202,7 +203,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 			defaultStartManagementServerFunc(s, ctx, ociSpec)
 		}
 
-	case virtcontainers.PodContainer:
+	case vc.PodContainer:
 		span, ctx := katatrace.Trace(s.ctx, shimLog, "create", shimTracingTags)
 		defer span.End()
 
@@ -324,7 +325,7 @@ func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
 			return false, nil
 		}
 
-		if virtcontainers.IsNydusRootFSType(m.Type) {
+		if vc.IsNydusRootFSType(m.Type) {
 			// if kata + nydus, do not mount
 			return false, nil
 		}
@@ -360,7 +361,7 @@ func doMount(mounts []*containerd_types.Mount, rootfs string) error {
 	return nil
 }
 
-func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID string) error {
+func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId string) error {
 	userName, err := utils.CreateVmmUser()
 	if err != nil {
 		return err
@@ -369,7 +370,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		if err != nil {
 			shimLog.WithFields(logrus.Fields{
 				"user_name":  userName,
-				"sandbox_id": sandboxID,
+				"sandbox_id": sandboxId,
 			}).WithError(err).Warn("configure non root hypervisor failed, delete the user")
 			if err2 := utils.RemoveVmmUser(userName); err2 != nil {
 				shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user")
@@ -397,7 +398,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		"user_name":  userName,
 		"uid":        uid,
 		"gid":        gid,
-		"sandbox_id": sandboxID,
+		"sandbox_id": sandboxId,
 	}).Debug("successfully created a non root user for the hypervisor")
 
 	userTmpDir := path.Join("/run/user/", fmt.Sprint(uid))
@@ -409,7 +410,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		}
 	}
 
-	if err = os.Mkdir(userTmpDir, virtcontainers.DirMode); err != nil {
+	if err = os.Mkdir(userTmpDir, vc.DirMode); err != nil {
 		return err
 	}
 	defer func() {

src/runtime/pkg/containerd-shim-v2/shim_management.go

@@ -34,13 +34,13 @@ import (
 
 const (
 	DirectVolumePathKey   = "path"
-	AgentURL              = "/agent-url"
-	DirectVolumeStatURL   = "/direct-volume/stats"
-	DirectVolumeResizeURL = "/direct-volume/resize"
-	IPTablesURL           = "/iptables"
-	PolicyURL             = "/policy"
-	IP6TablesURL          = "/ip6tables"
-	MetricsURL            = "/metrics"
+	AgentUrl              = "/agent-url"
+	DirectVolumeStatUrl   = "/direct-volume/stats"
+	DirectVolumeResizeUrl = "/direct-volume/resize"
+	IPTablesUrl           = "/iptables"
+	PolicyUrl             = "/policy"
+	IP6TablesUrl          = "/ip6tables"
+	MetricsUrl            = "/metrics"
 )
 
 var (
@@ -288,13 +288,13 @@ func (s *service) startManagementServer(ctx context.Context, ociSpec *specs.Spec
 
 	// bind handler
 	m := http.NewServeMux()
-	m.Handle(MetricsURL, http.HandlerFunc(s.serveMetrics))
-	m.Handle(AgentURL, http.HandlerFunc(s.agentURL))
-	m.Handle(DirectVolumeStatURL, http.HandlerFunc(s.serveVolumeStats))
-	m.Handle(DirectVolumeResizeURL, http.HandlerFunc(s.serveVolumeResize))
-	m.Handle(IPTablesURL, http.HandlerFunc(s.ipTablesHandler))
-	m.Handle(PolicyURL, http.HandlerFunc(s.policyHandler))
-	m.Handle(IP6TablesURL, http.HandlerFunc(s.ip6TablesHandler))
+	m.Handle(MetricsUrl, http.HandlerFunc(s.serveMetrics))
+	m.Handle(AgentUrl, http.HandlerFunc(s.agentURL))
+	m.Handle(DirectVolumeStatUrl, http.HandlerFunc(s.serveVolumeStats))
+	m.Handle(DirectVolumeResizeUrl, http.HandlerFunc(s.serveVolumeResize))
+	m.Handle(IPTablesUrl, http.HandlerFunc(s.ipTablesHandler))
+	m.Handle(PolicyUrl, http.HandlerFunc(s.policyHandler))
+	m.Handle(IP6TablesUrl, http.HandlerFunc(s.ip6TablesHandler))
 	s.mountPprofHandle(m, ociSpec)
 
 	// register shim metrics
@@ -373,7 +373,7 @@ func ClientSocketAddress(id string) (string, error) {
 	if _, err := os.Stat(socketPath); err != nil {
 		socketPath = SocketPathRust(id)
 		if _, err := os.Stat(socketPath); err != nil {
-			return "", fmt.Errorf("it fails to stat both %s and %s with error %v", SocketPathGo(id), SocketPathRust(id), err)
+			return "", fmt.Errorf("It fails to stat both %s and %s with error %v.", SocketPathGo(id), SocketPathRust(id), err)
 		}
 	}
 

src/runtime/pkg/device/drivers/vfio.go

@@ -139,7 +139,7 @@ func (device *VFIODevice) Detach(ctx context.Context, devReceiver api.DeviceRece
 		}
 	}()
 
-	if device.DeviceInfo.ColdPlug {
+	if device.GenericDevice.DeviceInfo.ColdPlug {
 		// nothing to detach, device was cold plugged
 		deviceLogger().WithFields(logrus.Fields{
 			"device-group": device.DeviceInfo.HostPath,
@@ -264,7 +264,7 @@ func GetVFIODetails(deviceFileName, iommuDevicesPath string) (deviceBDF, deviceS
 // getMediatedBDF returns the BDF of a VF
 // Expected input string format is /sys/devices/pci0000:d7/BDF0/BDF1/.../MDEVBDF/UUID
 func getMediatedBDF(deviceSysfsDev string) string {
-	tokens := strings.Split(deviceSysfsDev, "/")
+	tokens := strings.SplitN(deviceSysfsDev, "/", -1)
 	if len(tokens) < 4 {
 		return ""
 	}

src/runtime/pkg/device/manager/manager.go

@@ -59,11 +59,15 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserReconnectTimeout: vhostUserReconnect,
 		devices:                   make(map[string]api.Device),
 	}
-
-	switch blockDriver {
-	case config.VirtioMmio, config.VirtioBlock, config.Nvdimm, config.VirtioBlockCCW:
-		dm.blockDriver = blockDriver
-	default:
+	if blockDriver == config.VirtioMmio {
+		dm.blockDriver = config.VirtioMmio
+	} else if blockDriver == config.VirtioBlock {
+		dm.blockDriver = config.VirtioBlock
+	} else if blockDriver == config.Nvdimm {
+		dm.blockDriver = config.Nvdimm
+	} else if blockDriver == config.VirtioBlockCCW {
+		dm.blockDriver = config.VirtioBlockCCW
+	} else {
 		dm.blockDriver = config.VirtioSCSI
 	}
 

src/runtime/pkg/direct-volume/utils.go

@@ -99,18 +99,18 @@ func VolumeMountInfo(volumePath string) (*MountInfo, error) {
 	return &mountInfo, nil
 }
 
-// RecordSandboxID associates a sandbox id with a direct volume.
-func RecordSandboxID(sandboxID string, volumePath string) error {
+// RecordSandboxId associates a sandbox id with a direct volume.
+func RecordSandboxId(sandboxId string, volumePath string) error {
 	encodedPath := b64.URLEncoding.EncodeToString([]byte(volumePath))
 	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, encodedPath, mountInfoFileName)
 	if _, err := os.Stat(mountInfoFilePath); err != nil {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxID), []byte(""), 0600)
+	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxId), []byte(""), 0600)
 }
 
-func GetSandboxIDForVolume(volumePath string) (string, error) {
+func GetSandboxIdForVolume(volumePath string) (string, error) {
 	files, err := os.ReadDir(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
 	if err != nil {
 		return "", err

src/runtime/pkg/direct-volume/utils_test.go

@@ -56,7 +56,7 @@ func TestAdd(t *testing.T) {
 	assert.Nil(t, err)
 }
 
-func TestRecordSandboxID(t *testing.T) {
+func TestRecordSandboxId(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
@@ -73,22 +73,22 @@ func TestRecordSandboxID(t *testing.T) {
 	// Add the mount info
 	assert.Nil(t, Add(volumePath, string(buf)))
 
-	sandboxID := uuid.Generate().String()
-	err = RecordSandboxID(sandboxID, volumePath)
+	sandboxId := uuid.Generate().String()
+	err = RecordSandboxId(sandboxId, volumePath)
 	assert.Nil(t, err)
 
-	id, err := GetSandboxIDForVolume(volumePath)
+	id, err := GetSandboxIdForVolume(volumePath)
 	assert.Nil(t, err)
-	assert.Equal(t, sandboxID, id)
+	assert.Equal(t, sandboxId, id)
 }
 
-func TestRecordSandboxIDNoMountInfoFile(t *testing.T) {
+func TestRecordSandboxIdNoMountInfoFile(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
 	var volumePath = "/a/b/c"
-	sandboxID := uuid.Generate().String()
-	err = RecordSandboxID(sandboxID, volumePath)
+	sandboxId := uuid.Generate().String()
+	err = RecordSandboxId(sandboxId, volumePath)
 	assert.Error(t, err)
 	assert.True(t, errors.Is(err, os.ErrNotExist))
 }

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
       - name: golangci-lint

src/runtime/pkg/govmm/qemu/qemu.go

@@ -496,8 +496,8 @@ type TdxQomObject struct {
 	Debug                 *bool         `json:"debug,omitempty"`
 }
 
-func (s *SocketAddress) String() string {
-	b, err := json.Marshal(*s)
+func (this *SocketAddress) String() string {
+	b, err := json.Marshal(*this)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal SocketAddress object: %s", err.Error())
@@ -507,8 +507,8 @@ func (s *SocketAddress) String() string {
 	return string(b)
 }
 
-func (t *TdxQomObject) String() string {
-	b, err := json.Marshal(*t)
+func (this *TdxQomObject) String() string {
+	b, err := json.Marshal(*this)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal TDX QOM object: %s", err.Error())

src/runtime/pkg/govmm/qemu/qmp.go

@@ -1446,18 +1446,11 @@ func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, si
 		"memdev": id,
 	}
 
-	var transport VirtioTransport
-	if transport.isVirtioCCW(nil) {
-		if addr != "" {
-			args["devno"] = addr
-		}
-	} else {
-		if bus != "" {
-			args["bus"] = bus
-		}
-		if addr != "" {
-			args["addr"] = addr
-		}
+	if bus != "" {
+		args["bus"] = bus
+	}
+	if addr != "" {
+		args["addr"] = addr
 	}
 
 	err = q.executeCommand(ctx, "device_add", args, nil)

src/runtime/pkg/kata-monitor/metrics.go

@@ -259,7 +259,7 @@ func (km *KataMonitor) aggregateSandboxMetrics(encoder expfmt.Encoder, filterFam
 }
 
 func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*dto.MetricFamily, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +269,7 @@ func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*
 
 // GetSandboxMetrics will get sandbox's metrics from shim
 func GetSandboxMetrics(sandboxID string) (string, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
 	if err != nil {
 		return "", err
 	}

src/runtime/pkg/kata-monitor/metrics_test.go

@@ -138,11 +138,9 @@ func TestEncodeMetricFamily(t *testing.T) {
 			continue
 		}
 		// only check kata_monitor_running_shim_count and kata_monitor_scrape_count
-		switch fields[0] {
-		case "kata_monitor_running_shim_count":
+		if fields[0] == "kata_monitor_running_shim_count" {
 			assert.Equal("11", fields[1], "kata_monitor_running_shim_count should be 11")
-
-		case "kata_monitor_scrape_count":
+		} else if fields[0] == "kata_monitor_scrape_count" {
 			assert.Equal("2", fields[1], "kata_monitor_scrape_count should be 2")
 		}
 	}

src/runtime/pkg/kata-monitor/monitor.go

@@ -184,7 +184,7 @@ func (km *KataMonitor) GetAgentURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentURL)
+	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentUrl)
 	if err != nil {
 		commonServeError(w, http.StatusBadRequest, err)
 		return
@@ -206,14 +206,14 @@ func (km *KataMonitor) ListSandboxes(w http.ResponseWriter, r *http.Request) {
 
 func listSandboxesText(sandboxes []string, w http.ResponseWriter) {
 	for _, s := range sandboxes {
-		fmt.Fprintf(w, "%s\n", s)
+		w.Write([]byte(fmt.Sprintf("%s\n", s)))
 	}
 }
 func listSandboxesHtml(sandboxes []string, w http.ResponseWriter) {
 	w.Write([]byte("<h1>Sandbox list</h1>\n"))
 	w.Write([]byte("<ul>\n"))
 	for _, s := range sandboxes {
-		fmt.Fprintf(w, "<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)
+		w.Write([]byte(fmt.Sprintf("<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)))
 	}
 	w.Write([]byte("</ul>\n"))
 }

src/runtime/pkg/kata-monitor/pprof.go

@@ -98,7 +98,7 @@ func (km *KataMonitor) ExpvarHandler(w http.ResponseWriter, r *http.Request) {
 // PprofIndex handles other `/debug/pprof/` requests
 func (km *KataMonitor) PprofIndex(w http.ResponseWriter, r *http.Request) {
 	if len(strings.TrimPrefix(r.URL.Path, "/debug/pprof/")) == 0 {
-		km.proxyRequest(w, r, copyResponseAddingSandboxIDToHref)
+		km.proxyRequest(w, r, copyResponseAddingSandboxIdToHref)
 	} else {
 		km.proxyRequest(w, r, nil)
 	}
@@ -132,7 +132,7 @@ func copyResponse(req *http.Request, w io.Writer, r io.Reader) error {
 	return err
 }
 
-func copyResponseAddingSandboxIDToHref(req *http.Request, w io.Writer, r io.Reader) error {
+func copyResponseAddingSandboxIdToHref(req *http.Request, w io.Writer, r io.Reader) error {
 	sb, err := getSandboxIDFromReq(req)
 	if err != nil {
 		monitorLog.WithError(err).Warning("missing sandbox query in pprof url")

src/runtime/pkg/kata-monitor/pprof_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestCopyResponseAddingSandboxIDToHref(t *testing.T) {
+func TestCopyResponseAddingSandboxIdToHref(t *testing.T) {
 	assert := assert.New(t)
 
 	htmlIn := strings.NewReader(`
@@ -112,6 +112,6 @@ Profile Descriptions:
 
 	req := &http.Request{URL: &url.URL{RawQuery: "sandbox=1234567890"}}
 	buf := bytes.NewBuffer(nil)
-	copyResponseAddingSandboxIDToHref(req, buf, htmlIn)
+	copyResponseAddingSandboxIdToHref(req, buf, htmlIn)
 	assert.Equal(htmlExpected, buf)
 }

src/runtime/pkg/katatestutils/constraints.go

@@ -98,8 +98,8 @@ func getKernelVersion() (string, error) {
 // These kernel version can't be parsed by the current lib and lead to panic
 // therefore the '+' should be removed.
 func fixKernelVersion(version string) string {
-	version = strings.ReplaceAll(version, "_", "-")
-	return strings.ReplaceAll(version, "+", "")
+	version = strings.Replace(version, "_", "-", -1)
+	return strings.Replace(version, "+", "", -1)
 }
 
 // handleKernelVersion checks that the current kernel version is compatible with

src/runtime/pkg/katatestutils/utils.go

@@ -23,7 +23,7 @@ const (
 	testDirMode  = os.FileMode(0750)
 	testFileMode = os.FileMode(0640)
 
-	busyboxConfigJSON = `
+	busyboxConfigJson = `
 {
 	"ociVersion": "1.0.1-dev",
 	"process": {
@@ -359,7 +359,7 @@ func SetupOCIConfigFile(t *testing.T) (rootPath string, bundlePath, ociConfigFil
 	assert.NoError(err)
 
 	ociConfigFile = filepath.Join(bundlePath, "config.json")
-	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJSON), testFileMode)
+	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJson), testFileMode)
 	assert.NoError(err)
 
 	return tmpdir, bundlePath, ociConfigFile

src/runtime/pkg/katautils/config.go

@@ -22,6 +22,7 @@ import (
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	exp "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/experimental"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -201,7 +202,6 @@ type runtime struct {
 	DanConf                   string   `toml:"dan_conf"`
 	ForceGuestPull            bool     `toml:"experimental_force_guest_pull"`
 	PodResourceAPISock        string   `toml:"pod_resource_api_sock"`
-	KubeletRootDir            string   `toml:"kubelet_root_dir"`
 }
 
 type agent struct {
@@ -1643,7 +1643,6 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 
 	config.ForceGuestPull = tomlConf.Runtime.ForceGuestPull
 	config.PodResourceAPISock = tomlConf.Runtime.PodResourceAPISock
-	config.KubeletRootDir = tomlConf.Runtime.KubeletRootDir
 
 	return resolved, config, nil
 }
@@ -1901,8 +1900,8 @@ func checkConfig(config oci.RuntimeConfig) error {
 // checkPCIeConfig ensures the PCIe configuration is valid.
 // Only allow one of the following settings for cold-plug:
 // no-port, root-port, switch-port
-func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType vc.HypervisorType) error {
-	if hypervisorType != vc.QemuHypervisor && hypervisorType != vc.ClhHypervisor {
+func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType virtcontainers.HypervisorType) error {
+	if hypervisorType != virtcontainers.QemuHypervisor && hypervisorType != virtcontainers.ClhHypervisor {
 		kataUtilsLogger.Warn("Advanced PCIe Topology only available for QEMU/CLH hypervisor, ignoring hot(cold)_vfio_port setting")
 		return nil
 	}
@@ -1918,7 +1917,7 @@ func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineT
 	if machineType != "q35" && machineType != "virt" {
 		return nil
 	}
-	if hypervisorType == vc.ClhHypervisor {
+	if hypervisorType == virtcontainers.ClhHypervisor {
 		if coldPlug != config.NoPort {
 			return fmt.Errorf("cold-plug not supported on CLH")
 		}

src/runtime/pkg/katautils/create_test.go

@@ -21,6 +21,7 @@ import (
 	config "github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/vcmock"
@@ -426,7 +427,7 @@ func TestVfioChecksClh(t *testing.T) {
 
 	// Check valid CLH vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.ClhHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.ClhHypervisor)
 	}
 	assert.NoError(f(config.NoPort, config.NoPort))
 	assert.NoError(f(config.NoPort, config.RootPort))
@@ -440,7 +441,7 @@ func TestVfioCheckQemu(t *testing.T) {
 
 	// Check valid Qemu vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.QemuHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.QemuHypervisor)
 	}
 
 	assert.NoError(f(config.NoPort, config.NoPort))

src/runtime/pkg/katautils/logger_test.go

@@ -90,7 +90,7 @@ func TestNewSystemLogHook(t *testing.T) {
 
 	output := string(bytes)
 	output = strings.TrimSpace(output)
-	output = strings.ReplaceAll(output, `"`, "")
+	output = strings.Replace(output, `"`, "", -1)
 
 	fields := strings.Fields(output)