genpolicy: Adapt to CRI-O

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

.github/dependabot.yml

@@ -15,8 +15,6 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -87,12 +85,8 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
-    cooldown:
-      default-days: 7

.github/workflows/basic-ci-amd64.yaml

@@ -47,23 +47,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
         env:

.github/workflows/basic-ci-s390x.yaml

@@ -47,25 +47,8 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        run: bash tests/integration/cri-containerd/gha-run.sh
         env:
           GH_TOKEN: ${{ github.token }}
 

.github/workflows/build-checks-preview-riscv64.yaml

@@ -82,17 +82,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-checks.yaml

@@ -94,19 +94,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         if: contains(matrix.component.needs, 'golang')
         run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        if: contains(matrix.component.needs, 'golang')
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/darwin-tests.yaml

@@ -31,22 +31,10 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Install Rust
       run: ./tests/install_rust.sh

.github/workflows/docs-url-alive-check.yaml

@@ -24,22 +24,10 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Install yq
+    - name: Install golang
       run: |
-        ./ci/install_yq.sh
-      env:
-        INSTALL_IN_GOPATH: false
-
-    - name: Read properties from versions.yaml
-      run: |
-        go_version="$(yq '.languages.golang.version' versions.yaml)"
-        [ -n "$go_version" ]
-        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-    - name: Setup Golang version ${{ env.GO_VERSION }}
-      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-      with:
-        go-version: ${{ env.GO_VERSION }}
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Docs URL Alive Check
       run: |

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/configure-pages@v5
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      - uses: actions/upload-pages-artifact@v4
         with:
           path: site
-      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+      - uses: actions/deploy-pages@v4
         id: deployment

.github/workflows/govulncheck.yaml

@@ -27,22 +27,10 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
       - name: Install govulncheck
         run: |

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,6 +35,8 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
+    strategy:
+      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}
@@ -53,23 +55,6 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
       - name: Install dependencies
         timeout-minutes: 15
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -57,24 +57,10 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install yq
+      - name: Install golang
         run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-
-      - name: Read properties from versions.yaml
-        run: |
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
-          architecture: 'ppc64le'
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
 
       - name: Prepare the runner for k8s test suite
         run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

.github/workflows/run-kata-coco-tests.yaml

@@ -258,6 +258,98 @@ jobs:
         timeout-minutes: 5
         run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
 
+  run-k8s-tests-coco-nontee-crio:
+    name: run-k8s-tests-coco-nontee-crio
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+    runs-on: fidencio-crio
+    permissions:
+      contents: read
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KBS: "true"
+      KBS_INGRESS: "nodeport"
+      KUBERNETES: "vanilla"
+      PULL_TYPE: "guest-pull"
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      SNAPSHOTTER: ""
+      EXPERIMENTAL_FORCE_GUEST_PULL: ""
+      AUTO_GENERATE_POLICY: "yes"
+      K8S_TEST_HOST_TYPE: "all"
+      CONTAINER_ENGINE: "crio"
+      CONTAINER_RUNTIME: "crio"
+      CONTAINER_ENGINE_VERSION: "active"
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
+      - name: Delete CoCo KBS
+        if: always()
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
+      - name: Delete CSI driver
+        if: always()
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+
   # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
   run-k8s-tests-coco-nontee-with-erofs-snapshotter:
     name: run-k8s-tests-coco-nontee-with-erofs-snapshotter

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif

.github/workflows/static-checks.yaml

@@ -126,16 +126,11 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Read properties from versions.yaml
+      - name: Install golang
         run: |
           cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          go_version="$(yq '.languages.golang.version' versions.yaml)"
-          [ -n "$go_version" ]
-          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
-      - name: Setup Golang version ${{ env.GO_VERSION }}
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
+          ./tests/install_go.sh -f -p
+          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
       - name: Install system dependencies
         run: |
           sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc

Cargo.lock

@@ -44,7 +44,9 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
+ "futures 0.1.31",
  "kata-types",
+ "log",
  "logging",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -139,12 +141,23 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "event-listener-strategy",
  "futures-core",
  "pin-project-lite",
 ]
 
+[[package]]
+name = "async-channel"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
+dependencies = [
+ "concurrent-queue",
+ "event-listener 2.5.3",
+ "futures-core",
+]
+
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -171,6 +184,21 @@ dependencies = [
  "slab",
 ]
 
+[[package]]
+name = "async-global-executor"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
+dependencies = [
+ "async-channel 2.5.0",
+ "async-executor",
+ "async-io",
+ "async-lock",
+ "blocking",
+ "futures-lite",
+ "once_cell",
+]
+
 [[package]]
 name = "async-io"
 version = "2.6.0"
@@ -195,7 +223,7 @@ version = "3.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "event-listener-strategy",
  "pin-project-lite",
 ]
@@ -206,14 +234,14 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75"
 dependencies = [
- "async-channel",
+ "async-channel 2.5.0",
  "async-io",
  "async-lock",
  "async-signal",
  "async-task",
  "blocking",
  "cfg-if 1.0.0",
- "event-listener",
+ "event-listener 5.4.1",
  "futures-lite",
  "rustix 1.1.2",
 ]
@@ -247,6 +275,32 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "async-std"
+version = "1.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b"
+dependencies = [
+ "async-channel 1.9.0",
+ "async-global-executor",
+ "async-io",
+ "async-lock",
+ "crossbeam-utils",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-lite",
+ "gloo-timers",
+ "kv-log-macro",
+ "log",
+ "memchr",
+ "once_cell",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+ "wasm-bindgen-futures",
+]
+
 [[package]]
 name = "async-task"
 version = "4.7.1"
@@ -393,7 +447,7 @@ version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel",
+ "async-channel 2.5.0",
  "async-task",
  "futures-io",
  "futures-lite",
@@ -590,17 +644,29 @@ dependencies = [
  "containerd-shim-protos",
  "kata-sys-util",
  "kata-types",
+ "lazy_static",
  "nix 0.26.4",
  "oci-spec 0.8.3",
+ "persist",
  "protobuf",
  "protocols",
  "resource",
  "runtime-spec",
+ "serde_json",
+ "slog",
+ "slog-scope",
  "strum 0.24.1",
  "thiserror 1.0.48",
  "tokio",
+ "ttrpc",
 ]
 
+[[package]]
+name = "common-path"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -645,7 +711,7 @@ dependencies = [
  "async-trait",
  "cgroups-rs 0.3.4",
  "containerd-shim-protos",
- "futures",
+ "futures 0.3.28",
  "go-flag",
  "lazy_static",
  "libc",
@@ -978,6 +1044,7 @@ dependencies = [
  "dbs-interrupt",
  "dbs-utils",
  "dbs-virtio-devices",
+ "downcast-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "libc",
@@ -990,6 +1057,7 @@ dependencies = [
  "vfio-ioctls",
  "virtio-queue",
  "vm-memory",
+ "vmm-sys-util 0.11.1",
 ]
 
 [[package]]
@@ -1006,6 +1074,7 @@ dependencies = [
 name = "dbs-upcall"
 version = "0.3.0"
 dependencies = [
+ "anyhow",
  "dbs-utils",
  "dbs-virtio-devices",
  "log",
@@ -1200,6 +1269,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
 
+[[package]]
+name = "downcast-rs"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ea835d29036a4087793836fa931b08837ad5e957da9e23886b29586fb9b6650"
+
 [[package]]
 name = "dragonball"
 version = "0.1.0"
@@ -1220,6 +1295,7 @@ dependencies = [
  "dbs-utils",
  "dbs-virtio-devices",
  "derivative",
+ "fuse-backend-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "lazy_static",
@@ -1274,18 +1350,6 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66b7e2430c6dff6a955451e2cfc438f09cea1965a9d6f87f7e3b90decc014099"
 
-[[package]]
-name = "enum-as-inner"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
-dependencies = [
- "heck 0.5.0",
- "proc-macro2",
- "quote",
- "syn 2.0.104",
-]
-
 [[package]]
 name = "enumflags2"
 version = "0.7.12"
@@ -1339,6 +1403,12 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "event-listener"
+version = "2.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
+
 [[package]]
 name = "event-listener"
 version = "5.4.1"
@@ -1356,7 +1426,7 @@ version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
 dependencies = [
- "event-listener",
+ "event-listener 5.4.1",
  "pin-project-lite",
 ]
 
@@ -1484,6 +1554,12 @@ dependencies = [
  "vmm-sys-util 0.11.1",
 ]
 
+[[package]]
+name = "futures"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678"
+
 [[package]]
 name = "futures"
 version = "0.3.28"
@@ -1643,6 +1719,18 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "go-flag"
 version = "0.1.0"
@@ -1878,7 +1966,7 @@ dependencies = [
  "crossbeam-channel",
  "dbs-utils",
  "dragonball",
- "futures",
+ "futures 0.3.28",
  "go-flag",
  "hyper",
  "hyperlocal",
@@ -1889,8 +1977,10 @@ dependencies = [
  "libc",
  "logging",
  "nix 0.26.4",
+ "oci-spec 0.8.3",
  "path-clean",
  "persist",
+ "protobuf",
  "protocols",
  "qapi",
  "qapi-qmp",
@@ -1902,6 +1992,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test 2.0.0",
+ "shim-interface",
  "slog",
  "slog-scope",
  "tempfile",
@@ -2178,6 +2269,8 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
+ "chrono",
+ "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2186,9 +2279,11 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec 0.8.3",
+ "once_cell",
  "pci-ids",
  "rand 0.8.5",
  "runtime-spec",
+ "safe-path 0.1.0",
  "serde",
  "serde_json",
  "slog",
@@ -2207,8 +2302,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
+ "hex",
  "lazy_static",
- "nix 0.26.4",
  "num_cpus",
  "oci-spec 0.8.3",
  "regex",
@@ -2219,10 +2314,18 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
- "sysctl",
  "sysinfo",
  "thiserror 1.0.48",
- "toml",
+ "toml 0.5.11",
+]
+
+[[package]]
+name = "kv-log-macro"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
+dependencies = [
+ "log",
 ]
 
 [[package]]
@@ -2543,7 +2646,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b65d130ee111430e47eed7896ea43ca693c387f097dd97376bffafbf25812128"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "log",
  "netlink-packet-core",
  "netlink-sys",
@@ -2557,7 +2660,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416060d346fbaf1f23f9512963e3e878f1a78e707cb699ba9215761754244307"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "libc",
  "log",
  "tokio",
@@ -2714,7 +2817,7 @@ dependencies = [
  "log",
  "serde",
  "serde_json",
- "toml",
+ "toml 0.5.11",
 ]
 
 [[package]]
@@ -2941,7 +3044,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e785d273968748578931e4dc3b4f5ec86b26e09d9e0d66b55adda7fce742f7a"
 dependencies = [
  "async-trait",
- "futures",
+ "futures 0.3.28",
  "futures-executor",
  "headers",
  "http",
@@ -3109,9 +3212,11 @@ dependencies = [
  "async-trait",
  "kata-sys-util",
  "kata-types",
+ "libc",
  "safe-path 0.1.0",
  "serde",
  "serde_json",
+ "shim-interface",
 ]
 
 [[package]]
@@ -3521,7 +3626,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b047adab56acc4948d4b9b58693c1f33fd13efef2d6bb5f0f66a47436ceada8"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "log",
  "memchr",
  "qapi-qmp",
@@ -3803,10 +3908,11 @@ dependencies = [
  "agent",
  "anyhow",
  "async-trait",
+ "bitflags 2.10.0",
  "byte-unit",
  "cgroups-rs 0.5.0",
  "flate2",
- "futures",
+ "futures 0.3.28",
  "hex",
  "hypervisor",
  "inotify",
@@ -3816,6 +3922,7 @@ dependencies = [
  "libc",
  "logging",
  "netlink-packet-route",
+ "netlink-sys",
  "netns-rs",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -3900,6 +4007,7 @@ dependencies = [
  "common",
  "containerd-shim-protos",
  "go-flag",
+ "logging",
  "nix 0.26.4",
  "runtimes",
  "shim",
@@ -3910,6 +4018,7 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
+ "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -3923,6 +4032,7 @@ dependencies = [
  "anyhow",
  "common",
  "hyper",
+ "hyperlocal",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
@@ -4241,7 +4351,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
 dependencies = [
  "dashmap",
- "futures",
+ "futures 0.3.28",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4255,7 +4365,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e56dd856803e253c8f298af3f4d7eb0ae5e23a737252cd90bb4f3b435033b2d"
 dependencies = [
  "dashmap",
- "futures",
+ "futures 0.3.28",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4295,10 +4405,12 @@ dependencies = [
  "containerd-shim-protos",
  "kata-types",
  "logging",
+ "persist",
  "runtimes",
  "slog",
  "slog-scope",
  "tokio",
+ "tracing",
  "ttrpc",
 ]
 
@@ -4362,7 +4474,9 @@ dependencies = [
  "nix 0.26.4",
  "oci-spec 0.8.3",
  "protobuf",
+ "rand 0.8.5",
  "runtime-spec",
+ "runtimes",
  "serial_test 0.10.0",
  "service",
  "sha2 0.10.9",
@@ -4371,8 +4485,11 @@ dependencies = [
  "slog-scope",
  "slog-stdlog",
  "tempfile",
+ "tests_utils",
  "thiserror 1.0.48",
  "tokio",
+ "tracing",
+ "tracing-opentelemetry",
  "unix_socket2",
 ]
 
@@ -4382,6 +4499,7 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "common",
+ "logging",
  "runtimes",
  "tokio",
 ]
@@ -4675,20 +4793,6 @@ dependencies = [
  "syn 2.0.104",
 ]
 
-[[package]]
-name = "sysctl"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
-dependencies = [
- "bitflags 2.10.0",
- "byteorder",
- "enum-as-inner",
- "libc",
- "thiserror 2.0.12",
- "walkdir",
-]
-
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
@@ -4979,12 +5083,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "52a15c15b1bc91f90902347eff163b5b682643aff0c8e972912cca79bd9208dd"
 dependencies = [
  "bytes",
- "futures",
+ "futures 0.3.28",
  "libc",
  "tokio",
  "vsock",
 ]
 
+[[package]]
+name = "toml"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "toml"
 version = "0.5.11"
@@ -5127,7 +5240,7 @@ dependencies = [
  "async-trait",
  "byteorder",
  "crossbeam",
- "futures",
+ "futures 0.3.28",
  "home",
  "libc",
  "log",
@@ -5329,13 +5442,16 @@ version = "0.1.0"
 dependencies = [
  "agent",
  "anyhow",
+ "async-std",
  "async-trait",
  "awaitgroup",
  "common",
  "containerd-shim-protos",
+ "futures 0.3.28",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
+ "lazy_static",
  "libc",
  "logging",
  "nix 0.26.4",
@@ -5351,6 +5467,7 @@ dependencies = [
  "slog-scope",
  "strum 0.24.1",
  "tokio",
+ "toml 0.4.10",
  "tracing",
  "url",
  "uuid 1.18.1",
@@ -5983,7 +6100,7 @@ dependencies = [
  "async-trait",
  "blocking",
  "enumflags2",
- "event-listener",
+ "event-listener 5.4.1",
  "futures-core",
  "futures-lite",
  "hex",

src/agent/Cargo.lock

@@ -743,6 +743,12 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
 
+[[package]]
+name = "common-path"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -1092,18 +1098,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "enum-as-inner"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
-dependencies = [
- "heck 0.5.0",
- "proc-macro2",
- "quote",
- "syn 2.0.101",
-]
-
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -2108,6 +2102,8 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
+ "chrono",
+ "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2116,9 +2112,11 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec",
+ "once_cell",
  "pci-ids",
  "rand",
  "runtime-spec",
+ "safe-path",
  "serde",
  "serde_json",
  "slog",
@@ -2137,8 +2135,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
+ "hex",
  "lazy_static",
- "nix 0.26.4",
  "num_cpus",
  "oci-spec",
  "regex",
@@ -2149,7 +2147,6 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
- "sysctl",
  "sysinfo",
  "thiserror 1.0.69",
  "toml",
@@ -2309,6 +2306,7 @@ name = "mem-agent"
 version = "0.2.0"
 dependencies = [
  "anyhow",
+ "async-trait",
  "chrono",
  "maplit",
  "nix 0.30.1",
@@ -3577,6 +3575,7 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
+ "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4216,20 +4215,6 @@ dependencies = [
  "syn 2.0.101",
 ]
 
-[[package]]
-name = "sysctl"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
-dependencies = [
- "bitflags 2.9.0",
- "byteorder",
- "enum-as-inner",
- "libc",
- "thiserror 2.0.12",
- "walkdir",
-]
-
 [[package]]
 name = "sysinfo"
 version = "0.34.2"

src/dragonball/Cargo.toml

@@ -48,6 +48,7 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
+fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }
 
@@ -85,6 +86,3 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(feature, values("test-mock"))',
 ] }
-
-[package.metadata.cargo-machete]
-ignored = ["vfio-bindings"]

src/dragonball/dbs_pci/Cargo.toml

@@ -23,22 +23,24 @@ dbs-interrupt = { workspace = true, features = [
     "kvm-legacy-irq",
     "kvm-msi-irq",
 ] }
+downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"
 
-vm-memory = { workspace = true }
-kvm-ioctls = { workspace = true }
-kvm-bindings = { workspace = true }
-vfio-ioctls = { workspace = true }
-vfio-bindings = { workspace = true }
+vm-memory = {workspace = true}
+kvm-ioctls = {workspace = true}
+kvm-bindings = {workspace = true}
+vfio-ioctls = {workspace = true}
+vfio-bindings = {workspace = true}
 libc = "0.2.39"
-virtio-queue = { workspace = true }
-dbs-utils = { workspace = true }
+vmm-sys-util = {workspace = true}
+virtio-queue = {workspace = true}
+dbs-utils = {workspace = true}
 
 
 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-ioctls = {workspace = true}
 test-utils = { workspace = true }
 nix = { workspace = true }
 

src/dragonball/dbs_upcall/Cargo.toml

@@ -11,6 +11,7 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"
 
 [dependencies]
+anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true }
-kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true}
+kvm-ioctls = {workspace = true}
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,16 +37,19 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = { workspace = true }
-virtio-queue = { workspace = true }
-vmm-sys-util = { workspace = true }
+virtio-bindings = {workspace = true}
+virtio-queue = {workspace = true}
+vmm-sys-util = {workspace = true}
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"
 
 [dev-dependencies]
-vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
+vm-memory = { workspace = true, features = [
+    "backend-mmap",
+    "backend-atomic",
+] }
 test-utils = { workspace = true }
 
 [features]

src/dragonball/dbs_virtio_devices/src/lib.rs

@@ -439,19 +439,19 @@ pub mod tests {
             VirtqDesc { desc }
         }
 
-        pub fn addr(&self) -> VolatileRef<'_, u64> {
+        pub fn addr(&self) -> VolatileRef<u64> {
             self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
         }
 
-        pub fn len(&self) -> VolatileRef<'_, u32> {
+        pub fn len(&self) -> VolatileRef<u32> {
             self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
         }
 
-        pub fn next(&self) -> VolatileRef<'_, u16> {
+        pub fn next(&self) -> VolatileRef<u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
         }
 
@@ -513,11 +513,11 @@ pub mod tests {
             self.start.unchecked_add(self.ring.len() as GuestUsize)
         }
 
-        pub fn flags(&self) -> VolatileRef<'_, u16> {
+        pub fn flags(&self) -> VolatileRef<u16> {
             self.ring.get_ref(0).unwrap()
         }
 
-        pub fn idx(&self) -> VolatileRef<'_, u16> {
+        pub fn idx(&self) -> VolatileRef<u16> {
             self.ring.get_ref(2).unwrap()
         }
 
@@ -525,12 +525,12 @@ pub mod tests {
             4 + mem::size_of::<T>() * (i as usize)
         }
 
-        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<T> {
             assert!(i < self.qsize);
             self.ring.get_ref(Self::ring_offset(i)).unwrap()
         }
 
-        pub fn event(&self) -> VolatileRef<'_, u16> {
+        pub fn event(&self) -> VolatileRef<u16> {
             self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
         }
 
@@ -602,7 +602,7 @@ pub mod tests {
             (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
         }
 
-        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
+        pub fn dtable(&self, i: u16) -> VirtqDesc {
             VirtqDesc::new(&self.dtable, i)
         }
 

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -865,11 +865,11 @@ mod tests {
             0
         );
         let config: [u8; 8] = [0; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
             &mut dev, 0, &config,
         );
         let mut data: [u8; 8] = [1; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
             &mut dev, 0, &mut data,
         );
         assert_eq!(config, data);

src/dragonball/dbs_virtio_devices/src/vsock/mod.rs

@@ -339,7 +339,7 @@ mod tests {
             }
         }
 
-        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext {
             const QSIZE: u16 = 256;
 
             let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);

src/libs/kata-sys-util/Cargo.toml

@@ -13,10 +13,13 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
+chrono = "0.4.0"
+common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
+once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -31,7 +34,10 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
+safe-path = { path = "../safe-path" }
 
 [dev-dependencies]
+num_cpus = "1.13.1"
+serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/Cargo.toml

@@ -29,14 +29,12 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-nix = "0.26.4"
+hex = "0.4"
+
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 
 safe-path = { path = "../safe-path", optional = true }
 
-[target.'cfg(target_os = "macos")'.dependencies]
-sysctl = "0.7.1"
-
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -26,6 +26,7 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
+use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -33,6 +34,7 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
+use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 
 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1005,57 +1007,6 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
     60
 }
 
-/// Get host memory size in MiB.
-/// Retrieves the total physical memory of the host across different platforms.
-fn host_memory_mib() -> io::Result<u64> {
-    // Select a platform-specific implementation via a function pointer.
-    let get_memory: fn() -> io::Result<u64> = {
-        #[cfg(target_os = "linux")]
-        {
-            || {
-                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
-                Ok(info.ram_total() / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(target_os = "macos")]
-        {
-            || {
-                use sysctl::{Ctl, CtlValue, Sysctl};
-
-                let v = Ctl::new("hw.memsize")
-                    .map_err(io::Error::other)?
-                    .value()
-                    .map_err(io::Error::other)?;
-
-                let bytes = match v {
-                    CtlValue::S64(x) if x >= 0 => x as u64,
-                    other => {
-                        return Err(io::Error::new(
-                            io::ErrorKind::InvalidData,
-                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
-                        ));
-                    }
-                };
-
-                Ok(bytes / (1024 * 1024)) // MiB
-            }
-        }
-
-        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
-        {
-            || {
-                Err(io::Error::new(
-                    io::ErrorKind::Unsupported,
-                    "host memory query not implemented on this platform",
-                ))
-            }
-        }
-    };
-
-    get_memory()
-}
-
 impl MemoryInfo {
     /// Adjusts the configuration information after loading from a configuration file.
     ///
@@ -1067,15 +1018,13 @@ impl MemoryInfo {
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-
-        let host_memory = host_memory_mib()?;
-
-        if u64::from(self.default_memory) > host_memory {
-            self.default_memory = host_memory as u32;
-        }
-
-        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
-            self.default_maxmemory = host_memory as u32;
+        if self.default_maxmemory == 0 {
+            let s = System::new_with_specifics(
+                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
+            );
+            self.default_maxmemory = Byte::from_u64(s.total_memory())
+                .get_adjusted_unit(Unit::MiB)
+                .get_value() as u32;
         }
         Ok(())
     }
@@ -1218,29 +1167,6 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub sev_snp_guest: bool,
 
-    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
-    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
-    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
-    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
-    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
-    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
-    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_block: String,
-
-    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
-    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
-    #[serde(default)]
-    pub snp_id_auth: String,
-
-    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
-    /// If unset, the QEMU default policy (0x30000) will be used.
-    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
-    /// won't start at all if the policy denys it. This will be indicated by a
-    /// 'SNP_LAUNCH_START' error.
-    #[serde(default = "default_snp_guest_policy")]
-    pub snp_guest_policy: u32,
-
     /// Path to OCI hook binaries in the *guest rootfs*.
     ///
     /// This setting does not affect host-side hooks, which must instead be
@@ -1302,10 +1228,6 @@ fn default_qgs_port() -> u32 {
     4050
 }
 
-fn default_snp_guest_policy() -> u32 {
-    0x30000
-}
-
 impl SecurityInfo {
     /// Adjusts the security configuration information after loading from a configuration file.
     ///

src/libs/mem-agent/Cargo.toml

@@ -10,6 +10,7 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
+async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }
 

src/libs/runtime-spec/Cargo.toml

@@ -9,3 +9,4 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
+libc = "0.2.112"

src/runtime-rs/Cargo.toml

@@ -28,4 +28,5 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
+logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/agent/Cargo.toml

@@ -5,9 +5,13 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }
 
+[dev-dependencies]
+futures = "0.1.27"
+
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -27,6 +31,3 @@ protocols = { workspace = true, features = ["async"] }
 
 [features]
 default = []
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -28,6 +28,8 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
+protobuf = { workspace = true }
+oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -42,6 +44,7 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
+shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }

src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs

@@ -110,16 +110,6 @@ pub struct DeviceConfig {
     pub pci_segment: u16,
 }
 
-#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
-pub enum ImageType {
-    FixedVhd,
-    Qcow2,
-    Raw,
-    Vhdx,
-    #[default]
-    Unknown,
-}
-
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
     pub path: Option<PathBuf>,
@@ -145,8 +135,6 @@ pub struct DiskConfig {
     pub disable_io_uring: bool,
     #[serde(default)]
     pub pci_segment: u16,
-    #[serde(default)]
-    pub image_type: ImageType,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]

src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs

@@ -27,7 +27,6 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
-use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -551,7 +550,6 @@ impl TryFrom<BlockConfig> for DiskConfig {
             readonly: blkcfg.is_readonly,
             num_queues: blkcfg.num_queues,
             queue_size: blkcfg.queue_size as u16,
-            image_type: ImageType::Raw,
             ..Default::default()
         };
 

src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs

@@ -256,8 +256,29 @@ struct Memory {
 
 impl Memory {
     fn new(config: &HypervisorConfig) -> Memory {
-        let mem_size = config.memory_info.default_memory as u64;
-        let max_mem_size = config.memory_info.default_maxmemory as u64;
+        // Move this to QemuConfig::adjust_config()?
+
+        let mut mem_size = config.memory_info.default_memory as u64;
+        let mut max_mem_size = config.memory_info.default_maxmemory as u64;
+
+        if let Ok(sysinfo) = nix::sys::sysinfo::sysinfo() {
+            let host_memory = sysinfo.ram_total() >> 20;
+
+            if mem_size > host_memory {
+                info!(sl!(), "'default_memory' given in configuration.toml is greater than host memory, adjusting to host memory");
+                mem_size = host_memory
+            }
+
+            if max_mem_size == 0 || max_mem_size > host_memory {
+                max_mem_size = host_memory
+            }
+        } else {
+            warn!(sl!(), "Failed to get host memory size, cannot verify or adjust configuration.toml's 'default_maxmemory'");
+
+            if max_mem_size == 0 {
+                max_mem_size = mem_size;
+            };
+        }
 
         // Memory sizes are given in megabytes in configuration.toml so we
         // need to convert them to bytes for storage.
@@ -279,18 +300,6 @@ impl Memory {
         self.memory_backend_file = Some(mem_file.clone());
         self
     }
-
-    #[allow(dead_code)]
-    fn set_maxmem_size(&mut self, max_size: u64) -> &mut Self {
-        self.max_size = max_size;
-        self
-    }
-
-    #[allow(dead_code)]
-    fn set_num_slots(&mut self, num_slots: u32) -> &mut Self {
-        self.num_slots = num_slots;
-        self
-    }
 }
 
 #[async_trait]
@@ -1879,7 +1888,6 @@ struct ObjectSevSnpGuest {
     reduced_phys_bits: u32,
     kernel_hashes: bool,
     host_data: Option<String>,
-    policy: u32,
     is_snp: bool,
 }
 
@@ -1891,15 +1899,9 @@ impl ObjectSevSnpGuest {
             reduced_phys_bits,
             kernel_hashes: true,
             host_data,
-            policy: 0x30000,
             is_snp,
         }
     }
-
-    fn set_policy(&mut self, policy: u32) -> &mut Self {
-        self.policy = policy;
-        self
-    }
 }
 
 #[async_trait]
@@ -1922,7 +1924,6 @@ impl ToQemuParams for ObjectSevSnpGuest {
                 "kernel-hashes={}",
                 if self.kernel_hashes { "on" } else { "off" }
             ));
-            params.push(format!("policy=0x{:x}", self.policy));
             if let Some(host_data) = &self.host_data {
                 params.push(format!("host-data={host_data}"))
             }
@@ -2578,19 +2579,13 @@ impl<'a> QemuCmdLine<'a> {
         firmware: &str,
         host_data: &Option<String>,
     ) {
-        // For SEV-SNP, memory overcommit is not supported. we only set the memory size.
-        self.memory.set_maxmem_size(0).set_num_slots(0);
-
-        let mut sev_snp_object =
+        let sev_snp_object =
             ObjectSevSnpGuest::new(true, cbitpos, phys_addr_reduction, host_data.clone());
-        sev_snp_object.set_policy(self.config.security_info.snp_guest_policy);
-
         self.devices.push(Box::new(sev_snp_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
 
         self.machine
-            .set_kernel_irqchip("split")
             .set_confidential_guest_support("snp")
             .set_nvdimm(false);
 

src/runtime-rs/crates/persist/Cargo.toml

@@ -8,10 +8,12 @@ license = { workspace = true }
 [dependencies]
 async-trait = { workspace = true }
 anyhow = { workspace = true }
+libc = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
 # Local dependencies
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
+shim-interface = { workspace = true }
 safe-path = { workspace = true }

src/runtime-rs/crates/resource/Cargo.toml

@@ -15,6 +15,7 @@ test-utils = { workspace = true }
 actix-rt = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+bitflags = "2.9.0"
 byte-unit = "5.1.6"
 cgroups-rs = { version = "0.5.0", features = ["oci"] }
 futures = "0.3.11"
@@ -40,6 +41,7 @@ hex = "0.4"
 
 ## Dependencies from `rust-netlink`
 netlink-packet-route = "0.26"
+netlink-sys = "0.8"
 rtnetlink = "0.19"
 
 # Local dependencies
@@ -52,7 +54,3 @@ persist = { workspace = true }
 tests_utils = { workspace = true }
 
 [features]
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -26,6 +26,7 @@ opentelemetry-jaeger = { version = "0.17.0", features = [
 ] }
 tracing-subscriber = { version = "0.3", features = ["registry", "std"] }
 hyper = { workspace = true, features = ["stream", "server", "http1"] }
+hyperlocal = { workspace = true }
 serde_json = { workspace = true }
 nix = "0.25.0"
 url = { workspace = true }

src/runtime-rs/crates/runtimes/common/Cargo.toml

@@ -11,14 +11,20 @@ license = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["sandbox"] }
+lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
+serde_json = { workspace = true }
+slog = { workspace = true }
+slog-scope = { workspace = true }
 strum = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
+ttrpc = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
+persist = { workspace = true }
 agent = { workspace = true }
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }

src/runtime-rs/crates/runtimes/virt_container/Cargo.toml

@@ -10,6 +10,8 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 awaitgroup = "0.6.0"
 containerd-shim-protos = { workspace = true }
+futures = "0.3.19"
+lazy_static = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
@@ -19,7 +21,9 @@ serde_json = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true }
+toml = "0.4.2"
 url = { workspace = true }
+async-std = "1.12.0"
 tracing = { workspace = true }
 oci-spec = { workspace = true }
 strum = { workspace = true }
@@ -44,7 +48,3 @@ cloud-hypervisor = ["hypervisor/cloud-hypervisor"]
 
 # Enable the build-in VMM Dragtonball
 dragonball = ["hypervisor/dragonball"]
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]

src/runtime-rs/crates/service/Cargo.toml

@@ -11,6 +11,7 @@ async-trait = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
+tracing = { workspace = true }
 ttrpc = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["async", "sandbox"] }
 containerd-shim = { workspace = true }
@@ -20,7 +21,4 @@ common = { workspace = true }
 logging = { workspace = true }
 kata-types = { workspace = true }
 runtimes = { workspace = true }
-
-
-[package.metadata.cargo-machete]
-ignored = ["slog-scope"]
+persist = { workspace = true }

src/runtime-rs/crates/shim-ctl/Cargo.toml

@@ -9,8 +9,9 @@ license = { workspace = true }
 
 [dependencies]
 anyhow = { workspace = true }
-tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
+tokio = { workspace = true, features = [ "rt", "rt-multi-thread" ] }
 
 # Local dependencies
 common = { workspace = true }
+logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/shim/Cargo.toml

@@ -36,6 +36,8 @@ slog-stdlog = "4.1.0"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 unix_socket2 = "0.5.4"
+tracing = { workspace = true }
+tracing-opentelemetry = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
@@ -44,7 +46,12 @@ kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
 service = { workspace = true }
+runtimes = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }
+rand = { workspace = true }
 serial_test = "0.10.0"
+
+# Local dev-dependencies
+tests_utils = { workspace = true }

src/runtime/Makefile

@@ -272,7 +272,6 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
-DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -765,7 +764,6 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
-USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH

src/runtime/arch/s390x-options.mk

@@ -18,6 +18,3 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
-
-# Enable virtio-mem for s390x
-DEFENABLEVIRTIOMEM = true

src/runtime/cmd/kata-monitor/main.go

@@ -196,7 +196,7 @@ func indexPageText(w http.ResponseWriter, r *http.Request) {
 	formatter := fmt.Sprintf("%%-%ds: %%s\n", spacing)
 
 	for _, endpoint := range endpoints {
-		fmt.Fprintf(w, formatter, endpoint.path, endpoint.desc)
+		w.Write([]byte(fmt.Sprintf(formatter, endpoint.path, endpoint.desc)))
 	}
 }
 

src/runtime/cmd/kata-runtime/kata-check_amd64.go

@@ -63,7 +63,7 @@ func setCPUtype(hypervisorType vc.HypervisorType) error {
 	cpuType = getCPUtype()
 
 	if cpuType == cpuTypeUnknown {
-		return fmt.Errorf("Unknown CPU Type")
+		return fmt.Errorf("Unknow CPU Type")
 	} else if cpuType == cpuTypeIntel {
 		var kvmIntelParams map[string]string
 		onVMM, err := vc.RunningOnVMM(procCPUInfo)

src/runtime/cmd/kata-runtime/kata-check_amd64_test.go

@@ -55,17 +55,18 @@ func TestCCCheckCLIFunction(t *testing.T) {
 	var moduleData []testModuleData
 
 	cpuType = getCPUtype()
-	moduleData = []testModuleData{}
-
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		cpuData = []testCPUData{
 			{archGenuineIntel, "lm vmx sse4_1", false},
 		}
-	case cpuTypeAMD:
+
+		moduleData = []testModuleData{}
+	} else if cpuType == cpuTypeAMD {
 		cpuData = []testCPUData{
 			{archAuthenticAMD, "lm svm sse4_1", false},
 		}
+
+		moduleData = []testModuleData{}
 	}
 
 	genericCheckCLIFunction(t, cpuData, moduleData)
@@ -275,8 +276,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 	var moduleData []testModuleData
 	cpuType = getCPUtype()
 
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"Intel", "", true},
@@ -292,7 +292,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/nested"), "Y", false},
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/unrestricted_guest"), "Y", false},
 		}
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"AMD", "", true},
@@ -340,7 +340,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 		// Write the following into the denylist file
 		// blacklist <mod>
 		// install <mod> /bin/false
-		_, err = fmt.Fprintf(denylistFile, "blacklist %s\ninstall %s /bin/false\n", mod, mod)
+		_, err = denylistFile.WriteString(fmt.Sprintf("blacklist %s\ninstall %s /bin/false\n", mod, mod))
 		assert.Nil(err)
 	}
 	denylistFile.Close()
@@ -505,10 +505,9 @@ func TestSetCPUtype(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-check_test.go

@@ -17,6 +17,7 @@ import (
 	"testing"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
+	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/sirupsen/logrus"
@@ -508,7 +509,7 @@ func TestCheckCheckCPUAttribs(t *testing.T) {
 }
 
 func TestCheckHaveKernelModule(t *testing.T) {
-	if tc.NotValid(katatestutils.NeedRoot()) {
+	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
 
@@ -637,8 +638,8 @@ func TestCheckCheckKernelModules(t *testing.T) {
 func TestCheckCheckKernelModulesUnreadableFile(t *testing.T) {
 	assert := assert.New(t)
 
-	if tc.NotValid(katatestutils.NeedNonRoot()) {
-		t.Skip(katatestutils.TestDisabledNeedNonRoot)
+	if tc.NotValid(ktu.NeedNonRoot()) {
+		t.Skip(ktu.TestDisabledNeedNonRoot)
 	}
 
 	dir := t.TempDir()

src/runtime/cmd/kata-runtime/kata-env_amd64_test.go

@@ -56,10 +56,9 @@ func TestEnvGetEnvInfoSetsCPUType(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	switch cpuType {
-	case cpuTypeIntel:
+	if cpuType == cpuTypeIntel {
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	case cpuTypeAMD:
+	} else if cpuType == cpuTypeAMD {
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-env_test.go

@@ -14,6 +14,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	goruntime "runtime"
 	"strings"
 	"testing"
 
@@ -183,7 +184,7 @@ func genericGetExpectedHostDetails(tmpdir string, expectedVendor string, expecte
 	}
 
 	const expectedKernelVersion = "99.1"
-	const expectedArch = runtime.GOARCH
+	const expectedArch = goruntime.GOARCH
 
 	expectedDistro := DistroInfo{
 		Name:    "Foo",
@@ -253,7 +254,7 @@ VERSION_ID="%s"
 		}
 	}
 
-	if runtime.GOARCH == "arm64" {
+	if goruntime.GOARCH == "arm64" {
 		expectedHostDetails.CPU.Vendor = "ARM Limited"
 		expectedHostDetails.CPU.Model = "v8"
 	}

src/runtime/cmd/kata-runtime/kata-iptables.go

@@ -55,9 +55,9 @@ var getIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesURL
+		url := containerdshim.IPTablesUrl
 		if isIPv6 {
-			url = containerdshim.IP6TablesURL
+			url = containerdshim.IP6TablesUrl
 		}
 		body, err := shimclient.DoGet(sandboxID, defaultTimeout, url)
 		if err != nil {
@@ -108,9 +108,9 @@ var setIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesURL
+		url := containerdshim.IPTablesUrl
 		if isIPv6 {
-			url = containerdshim.IP6TablesURL
+			url = containerdshim.IP6TablesUrl
 		}
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {

src/runtime/cmd/kata-runtime/kata-policy.go

@@ -62,7 +62,7 @@ var setPolicyCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.PolicyURL
+		url := containerdshim.PolicyUrl
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
 			return fmt.Errorf("Error observed when making policy-set request(%s): %s", policyFile, err)

src/runtime/cmd/kata-runtime/kata-volume.go

@@ -126,7 +126,7 @@ var resizeCommand = cli.Command{
 
 // Stats retrieves the filesystem stats of the direct volume inside the guest.
 func Stats(volumePath string) ([]byte, error) {
-	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
+	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +136,8 @@ func Stats(volumePath string) ([]byte, error) {
 	}
 
 	urlSafeDevicePath := url.PathEscape(volumeMountInfo.Device)
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout,
-		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatURL, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
+	body, err := shimclient.DoGet(sandboxId, defaultTimeout,
+		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatUrl, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +146,7 @@ func Stats(volumePath string) ([]byte, error) {
 
 // Resize resizes a direct volume inside the guest.
 func Resize(volumePath string, size uint64) error {
-	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
+	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
 	if err != nil {
 		return err
 	}
@@ -163,5 +163,5 @@ func Resize(volumePath string, size uint64) error {
 	if err != nil {
 		return err
 	}
-	return shimclient.DoPost(sandboxID, defaultTimeout, containerdshim.DirectVolumeResizeURL, "application/json", encoded)
+	return shimclient.DoPost(sandboxId, defaultTimeout, containerdshim.DirectVolumeResizeUrl, "application/json", encoded)
 }

src/runtime/cmd/kata-runtime/release.go

@@ -94,12 +94,11 @@ func releaseURLIsValid(url string) error {
 func getReleaseURL(currentVersion semver.Version) (url string, err error) {
 	major := currentVersion.Major
 
-	switch major {
-	case 0:
+	if major == 0 {
 		return "", fmt.Errorf("invalid current version: %v", currentVersion)
-	case 1:
+	} else if major == 1 {
 		url = kataLegacyReleaseURL
-	default:
+	} else {
 		url = kataReleaseURL
 	}
 

src/runtime/config/configuration-qemu.toml.in

@@ -142,7 +142,7 @@ memory_offset = 0
 # Please note that this option should be used with the command
 # "echo 1 > /proc/sys/vm/overcommit_memory".
 # Default false
-enable_virtio_mem = @DEFENABLEVIRTIOMEM@
+enable_virtio_mem = false
 
 # Disable hotplugging host block devices to guest VMs for container rootfs.
 # In case of a storage driver like devicemapper where a container's

src/runtime/go.mod

@@ -8,7 +8,7 @@ go 1.24.13
 
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5
-	github.com/BurntSushi/toml v1.6.0
+	github.com/BurntSushi/toml v1.5.0
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/blang/semver/v4 v4.0.0
 	github.com/container-orchestrated-devices/container-device-interface v0.6.0

src/runtime/go.sum

@@ -8,9 +8,8 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
-github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=

src/runtime/pkg/containerd-shim-v2/create.go

@@ -40,6 +40,7 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
@@ -51,7 +52,7 @@ var defaultStartManagementServerFunc startManagementServerFunc = func(s *service
 	shimLog.Info("management server started")
 }
 
-func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
+func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
 	for _, o := range rootFs.Options {
 		if !strings.HasPrefix(o, annotations.FileSystemLayer) {
 			continue
@@ -74,7 +75,7 @@ func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
 }
 
 func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) {
-	rootFs := virtcontainers.RootFs{}
+	rootFs := vc.RootFs{}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
 		rootFs.Source = m.Source
@@ -107,7 +108,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 	}
 
 	switch containerType {
-	case virtcontainers.PodSandbox, virtcontainers.SingleContainer:
+	case vc.PodSandbox, vc.SingleContainer:
 		if s.sandbox != nil {
 			return nil, fmt.Errorf("cannot create another sandbox in sandbox: %s", s.sandbox.ID())
 		}
@@ -150,7 +151,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 		//   2. If this is not a sandbox infrastructure container, but instead a standalone single container (analogous to "docker run..."),
 		//	then the container spec itself will contain appropriate sizing information for the entire sandbox (since it is
 		//	a single container.
-		if containerType == virtcontainers.PodSandbox {
+		if containerType == vc.PodSandbox {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateSandboxSizing(ociSpec)
 		} else {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateContainerSizing(ociSpec)
@@ -202,7 +203,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 			defaultStartManagementServerFunc(s, ctx, ociSpec)
 		}
 
-	case virtcontainers.PodContainer:
+	case vc.PodContainer:
 		span, ctx := katatrace.Trace(s.ctx, shimLog, "create", shimTracingTags)
 		defer span.End()
 
@@ -324,7 +325,7 @@ func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
 			return false, nil
 		}
 
-		if virtcontainers.IsNydusRootFSType(m.Type) {
+		if vc.IsNydusRootFSType(m.Type) {
 			// if kata + nydus, do not mount
 			return false, nil
 		}
@@ -360,7 +361,7 @@ func doMount(mounts []*containerd_types.Mount, rootfs string) error {
 	return nil
 }
 
-func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID string) error {
+func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId string) error {
 	userName, err := utils.CreateVmmUser()
 	if err != nil {
 		return err
@@ -369,7 +370,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		if err != nil {
 			shimLog.WithFields(logrus.Fields{
 				"user_name":  userName,
-				"sandbox_id": sandboxID,
+				"sandbox_id": sandboxId,
 			}).WithError(err).Warn("configure non root hypervisor failed, delete the user")
 			if err2 := utils.RemoveVmmUser(userName); err2 != nil {
 				shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user")
@@ -397,7 +398,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		"user_name":  userName,
 		"uid":        uid,
 		"gid":        gid,
-		"sandbox_id": sandboxID,
+		"sandbox_id": sandboxId,
 	}).Debug("successfully created a non root user for the hypervisor")
 
 	userTmpDir := path.Join("/run/user/", fmt.Sprint(uid))
@@ -409,7 +410,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID stri
 		}
 	}
 
-	if err = os.Mkdir(userTmpDir, virtcontainers.DirMode); err != nil {
+	if err = os.Mkdir(userTmpDir, vc.DirMode); err != nil {
 		return err
 	}
 	defer func() {

src/runtime/pkg/containerd-shim-v2/shim_management.go

@@ -34,13 +34,13 @@ import (
 
 const (
 	DirectVolumePathKey   = "path"
-	AgentURL              = "/agent-url"
-	DirectVolumeStatURL   = "/direct-volume/stats"
-	DirectVolumeResizeURL = "/direct-volume/resize"
-	IPTablesURL           = "/iptables"
-	PolicyURL             = "/policy"
-	IP6TablesURL          = "/ip6tables"
-	MetricsURL            = "/metrics"
+	AgentUrl              = "/agent-url"
+	DirectVolumeStatUrl   = "/direct-volume/stats"
+	DirectVolumeResizeUrl = "/direct-volume/resize"
+	IPTablesUrl           = "/iptables"
+	PolicyUrl             = "/policy"
+	IP6TablesUrl          = "/ip6tables"
+	MetricsUrl            = "/metrics"
 )
 
 var (
@@ -288,13 +288,13 @@ func (s *service) startManagementServer(ctx context.Context, ociSpec *specs.Spec
 
 	// bind handler
 	m := http.NewServeMux()
-	m.Handle(MetricsURL, http.HandlerFunc(s.serveMetrics))
-	m.Handle(AgentURL, http.HandlerFunc(s.agentURL))
-	m.Handle(DirectVolumeStatURL, http.HandlerFunc(s.serveVolumeStats))
-	m.Handle(DirectVolumeResizeURL, http.HandlerFunc(s.serveVolumeResize))
-	m.Handle(IPTablesURL, http.HandlerFunc(s.ipTablesHandler))
-	m.Handle(PolicyURL, http.HandlerFunc(s.policyHandler))
-	m.Handle(IP6TablesURL, http.HandlerFunc(s.ip6TablesHandler))
+	m.Handle(MetricsUrl, http.HandlerFunc(s.serveMetrics))
+	m.Handle(AgentUrl, http.HandlerFunc(s.agentURL))
+	m.Handle(DirectVolumeStatUrl, http.HandlerFunc(s.serveVolumeStats))
+	m.Handle(DirectVolumeResizeUrl, http.HandlerFunc(s.serveVolumeResize))
+	m.Handle(IPTablesUrl, http.HandlerFunc(s.ipTablesHandler))
+	m.Handle(PolicyUrl, http.HandlerFunc(s.policyHandler))
+	m.Handle(IP6TablesUrl, http.HandlerFunc(s.ip6TablesHandler))
 	s.mountPprofHandle(m, ociSpec)
 
 	// register shim metrics
@@ -373,7 +373,7 @@ func ClientSocketAddress(id string) (string, error) {
 	if _, err := os.Stat(socketPath); err != nil {
 		socketPath = SocketPathRust(id)
 		if _, err := os.Stat(socketPath); err != nil {
-			return "", fmt.Errorf("it fails to stat both %s and %s with error %v", SocketPathGo(id), SocketPathRust(id), err)
+			return "", fmt.Errorf("It fails to stat both %s and %s with error %v.", SocketPathGo(id), SocketPathRust(id), err)
 		}
 	}
 

src/runtime/pkg/device/drivers/vfio.go

@@ -139,7 +139,7 @@ func (device *VFIODevice) Detach(ctx context.Context, devReceiver api.DeviceRece
 		}
 	}()
 
-	if device.DeviceInfo.ColdPlug {
+	if device.GenericDevice.DeviceInfo.ColdPlug {
 		// nothing to detach, device was cold plugged
 		deviceLogger().WithFields(logrus.Fields{
 			"device-group": device.DeviceInfo.HostPath,
@@ -264,7 +264,7 @@ func GetVFIODetails(deviceFileName, iommuDevicesPath string) (deviceBDF, deviceS
 // getMediatedBDF returns the BDF of a VF
 // Expected input string format is /sys/devices/pci0000:d7/BDF0/BDF1/.../MDEVBDF/UUID
 func getMediatedBDF(deviceSysfsDev string) string {
-	tokens := strings.Split(deviceSysfsDev, "/")
+	tokens := strings.SplitN(deviceSysfsDev, "/", -1)
 	if len(tokens) < 4 {
 		return ""
 	}

src/runtime/pkg/device/manager/manager.go

@@ -59,11 +59,15 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserReconnectTimeout: vhostUserReconnect,
 		devices:                   make(map[string]api.Device),
 	}
-
-	switch blockDriver {
-	case config.VirtioMmio, config.VirtioBlock, config.Nvdimm, config.VirtioBlockCCW:
-		dm.blockDriver = blockDriver
-	default:
+	if blockDriver == config.VirtioMmio {
+		dm.blockDriver = config.VirtioMmio
+	} else if blockDriver == config.VirtioBlock {
+		dm.blockDriver = config.VirtioBlock
+	} else if blockDriver == config.Nvdimm {
+		dm.blockDriver = config.Nvdimm
+	} else if blockDriver == config.VirtioBlockCCW {
+		dm.blockDriver = config.VirtioBlockCCW
+	} else {
 		dm.blockDriver = config.VirtioSCSI
 	}
 

src/runtime/pkg/direct-volume/utils.go

@@ -99,18 +99,18 @@ func VolumeMountInfo(volumePath string) (*MountInfo, error) {
 	return &mountInfo, nil
 }
 
-// RecordSandboxID associates a sandbox id with a direct volume.
-func RecordSandboxID(sandboxID string, volumePath string) error {
+// RecordSandboxId associates a sandbox id with a direct volume.
+func RecordSandboxId(sandboxId string, volumePath string) error {
 	encodedPath := b64.URLEncoding.EncodeToString([]byte(volumePath))
 	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, encodedPath, mountInfoFileName)
 	if _, err := os.Stat(mountInfoFilePath); err != nil {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxID), []byte(""), 0600)
+	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxId), []byte(""), 0600)
 }
 
-func GetSandboxIDForVolume(volumePath string) (string, error) {
+func GetSandboxIdForVolume(volumePath string) (string, error) {
 	files, err := os.ReadDir(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
 	if err != nil {
 		return "", err

src/runtime/pkg/direct-volume/utils_test.go

@@ -56,7 +56,7 @@ func TestAdd(t *testing.T) {
 	assert.Nil(t, err)
 }
 
-func TestRecordSandboxID(t *testing.T) {
+func TestRecordSandboxId(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
@@ -73,22 +73,22 @@ func TestRecordSandboxID(t *testing.T) {
 	// Add the mount info
 	assert.Nil(t, Add(volumePath, string(buf)))
 
-	sandboxID := uuid.Generate().String()
-	err = RecordSandboxID(sandboxID, volumePath)
+	sandboxId := uuid.Generate().String()
+	err = RecordSandboxId(sandboxId, volumePath)
 	assert.Nil(t, err)
 
-	id, err := GetSandboxIDForVolume(volumePath)
+	id, err := GetSandboxIdForVolume(volumePath)
 	assert.Nil(t, err)
-	assert.Equal(t, sandboxID, id)
+	assert.Equal(t, sandboxId, id)
 }
 
-func TestRecordSandboxIDNoMountInfoFile(t *testing.T) {
+func TestRecordSandboxIdNoMountInfoFile(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
 	var volumePath = "/a/b/c"
-	sandboxID := uuid.Generate().String()
-	err = RecordSandboxID(sandboxID, volumePath)
+	sandboxId := uuid.Generate().String()
+	err = RecordSandboxId(sandboxId, volumePath)
 	assert.Error(t, err)
 	assert.True(t, errors.Is(err, os.ErrNotExist))
 }

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
       - name: golangci-lint

src/runtime/pkg/govmm/qemu/qemu.go

@@ -496,8 +496,8 @@ type TdxQomObject struct {
 	Debug                 *bool         `json:"debug,omitempty"`
 }
 
-func (s *SocketAddress) String() string {
-	b, err := json.Marshal(*s)
+func (this *SocketAddress) String() string {
+	b, err := json.Marshal(*this)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal SocketAddress object: %s", err.Error())
@@ -507,8 +507,8 @@ func (s *SocketAddress) String() string {
 	return string(b)
 }
 
-func (t *TdxQomObject) String() string {
-	b, err := json.Marshal(*t)
+func (this *TdxQomObject) String() string {
+	b, err := json.Marshal(*this)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal TDX QOM object: %s", err.Error())

src/runtime/pkg/govmm/qemu/qmp.go

@@ -1446,18 +1446,11 @@ func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, si
 		"memdev": id,
 	}
 
-	var transport VirtioTransport
-	if transport.isVirtioCCW(nil) {
-		if addr != "" {
-			args["devno"] = addr
-		}
-	} else {
-		if bus != "" {
-			args["bus"] = bus
-		}
-		if addr != "" {
-			args["addr"] = addr
-		}
+	if bus != "" {
+		args["bus"] = bus
+	}
+	if addr != "" {
+		args["addr"] = addr
 	}
 
 	err = q.executeCommand(ctx, "device_add", args, nil)

src/runtime/pkg/kata-monitor/metrics.go

@@ -259,7 +259,7 @@ func (km *KataMonitor) aggregateSandboxMetrics(encoder expfmt.Encoder, filterFam
 }
 
 func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*dto.MetricFamily, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +269,7 @@ func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*
 
 // GetSandboxMetrics will get sandbox's metrics from shim
 func GetSandboxMetrics(sandboxID string) (string, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
 	if err != nil {
 		return "", err
 	}

src/runtime/pkg/kata-monitor/metrics_test.go

@@ -138,11 +138,9 @@ func TestEncodeMetricFamily(t *testing.T) {
 			continue
 		}
 		// only check kata_monitor_running_shim_count and kata_monitor_scrape_count
-		switch fields[0] {
-		case "kata_monitor_running_shim_count":
+		if fields[0] == "kata_monitor_running_shim_count" {
 			assert.Equal("11", fields[1], "kata_monitor_running_shim_count should be 11")
-
-		case "kata_monitor_scrape_count":
+		} else if fields[0] == "kata_monitor_scrape_count" {
 			assert.Equal("2", fields[1], "kata_monitor_scrape_count should be 2")
 		}
 	}

src/runtime/pkg/kata-monitor/monitor.go

@@ -184,7 +184,7 @@ func (km *KataMonitor) GetAgentURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentURL)
+	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentUrl)
 	if err != nil {
 		commonServeError(w, http.StatusBadRequest, err)
 		return
@@ -206,14 +206,14 @@ func (km *KataMonitor) ListSandboxes(w http.ResponseWriter, r *http.Request) {
 
 func listSandboxesText(sandboxes []string, w http.ResponseWriter) {
 	for _, s := range sandboxes {
-		fmt.Fprintf(w, "%s\n", s)
+		w.Write([]byte(fmt.Sprintf("%s\n", s)))
 	}
 }
 func listSandboxesHtml(sandboxes []string, w http.ResponseWriter) {
 	w.Write([]byte("<h1>Sandbox list</h1>\n"))
 	w.Write([]byte("<ul>\n"))
 	for _, s := range sandboxes {
-		fmt.Fprintf(w, "<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)
+		w.Write([]byte(fmt.Sprintf("<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)))
 	}
 	w.Write([]byte("</ul>\n"))
 }

src/runtime/pkg/kata-monitor/pprof.go

@@ -98,7 +98,7 @@ func (km *KataMonitor) ExpvarHandler(w http.ResponseWriter, r *http.Request) {
 // PprofIndex handles other `/debug/pprof/` requests
 func (km *KataMonitor) PprofIndex(w http.ResponseWriter, r *http.Request) {
 	if len(strings.TrimPrefix(r.URL.Path, "/debug/pprof/")) == 0 {
-		km.proxyRequest(w, r, copyResponseAddingSandboxIDToHref)
+		km.proxyRequest(w, r, copyResponseAddingSandboxIdToHref)
 	} else {
 		km.proxyRequest(w, r, nil)
 	}
@@ -132,7 +132,7 @@ func copyResponse(req *http.Request, w io.Writer, r io.Reader) error {
 	return err
 }
 
-func copyResponseAddingSandboxIDToHref(req *http.Request, w io.Writer, r io.Reader) error {
+func copyResponseAddingSandboxIdToHref(req *http.Request, w io.Writer, r io.Reader) error {
 	sb, err := getSandboxIDFromReq(req)
 	if err != nil {
 		monitorLog.WithError(err).Warning("missing sandbox query in pprof url")

src/runtime/pkg/kata-monitor/pprof_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestCopyResponseAddingSandboxIDToHref(t *testing.T) {
+func TestCopyResponseAddingSandboxIdToHref(t *testing.T) {
 	assert := assert.New(t)
 
 	htmlIn := strings.NewReader(`
@@ -112,6 +112,6 @@ Profile Descriptions:
 
 	req := &http.Request{URL: &url.URL{RawQuery: "sandbox=1234567890"}}
 	buf := bytes.NewBuffer(nil)
-	copyResponseAddingSandboxIDToHref(req, buf, htmlIn)
+	copyResponseAddingSandboxIdToHref(req, buf, htmlIn)
 	assert.Equal(htmlExpected, buf)
 }

src/runtime/pkg/katatestutils/constraints.go

@@ -98,8 +98,8 @@ func getKernelVersion() (string, error) {
 // These kernel version can't be parsed by the current lib and lead to panic
 // therefore the '+' should be removed.
 func fixKernelVersion(version string) string {
-	version = strings.ReplaceAll(version, "_", "-")
-	return strings.ReplaceAll(version, "+", "")
+	version = strings.Replace(version, "_", "-", -1)
+	return strings.Replace(version, "+", "", -1)
 }
 
 // handleKernelVersion checks that the current kernel version is compatible with

src/runtime/pkg/katatestutils/utils.go

@@ -23,7 +23,7 @@ const (
 	testDirMode  = os.FileMode(0750)
 	testFileMode = os.FileMode(0640)
 
-	busyboxConfigJSON = `
+	busyboxConfigJson = `
 {
 	"ociVersion": "1.0.1-dev",
 	"process": {
@@ -359,7 +359,7 @@ func SetupOCIConfigFile(t *testing.T) (rootPath string, bundlePath, ociConfigFil
 	assert.NoError(err)
 
 	ociConfigFile = filepath.Join(bundlePath, "config.json")
-	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJSON), testFileMode)
+	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJson), testFileMode)
 	assert.NoError(err)
 
 	return tmpdir, bundlePath, ociConfigFile

src/runtime/pkg/katautils/config.go

@@ -22,6 +22,7 @@ import (
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	exp "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/experimental"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -1899,8 +1900,8 @@ func checkConfig(config oci.RuntimeConfig) error {
 // checkPCIeConfig ensures the PCIe configuration is valid.
 // Only allow one of the following settings for cold-plug:
 // no-port, root-port, switch-port
-func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType vc.HypervisorType) error {
-	if hypervisorType != vc.QemuHypervisor && hypervisorType != vc.ClhHypervisor {
+func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType virtcontainers.HypervisorType) error {
+	if hypervisorType != virtcontainers.QemuHypervisor && hypervisorType != virtcontainers.ClhHypervisor {
 		kataUtilsLogger.Warn("Advanced PCIe Topology only available for QEMU/CLH hypervisor, ignoring hot(cold)_vfio_port setting")
 		return nil
 	}
@@ -1916,7 +1917,7 @@ func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineT
 	if machineType != "q35" && machineType != "virt" {
 		return nil
 	}
-	if hypervisorType == vc.ClhHypervisor {
+	if hypervisorType == virtcontainers.ClhHypervisor {
 		if coldPlug != config.NoPort {
 			return fmt.Errorf("cold-plug not supported on CLH")
 		}

src/runtime/pkg/katautils/create_test.go

@@ -21,6 +21,7 @@ import (
 	config "github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
+	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/vcmock"
@@ -426,7 +427,7 @@ func TestVfioChecksClh(t *testing.T) {
 
 	// Check valid CLH vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.ClhHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.ClhHypervisor)
 	}
 	assert.NoError(f(config.NoPort, config.NoPort))
 	assert.NoError(f(config.NoPort, config.RootPort))
@@ -440,7 +441,7 @@ func TestVfioCheckQemu(t *testing.T) {
 
 	// Check valid Qemu vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.QemuHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.QemuHypervisor)
 	}
 
 	assert.NoError(f(config.NoPort, config.NoPort))

src/runtime/pkg/katautils/logger_test.go

@@ -90,7 +90,7 @@ func TestNewSystemLogHook(t *testing.T) {
 
 	output := string(bytes)
 	output = strings.TrimSpace(output)
-	output = strings.ReplaceAll(output, `"`, "")
+	output = strings.Replace(output, `"`, "", -1)
 
 	fields := strings.Fields(output)
 

src/runtime/pkg/oci/utils_test.go

@@ -1143,7 +1143,7 @@ func TestParseAnnotationBoolConfiguration(t *testing.T) {
 			ocispec := specs.Spec{
 				Annotations: map[string]string{tc.annotationKey: annotaionValue},
 			}
-			val := false
+			var val bool = false
 
 			err := newAnnotationConfiguration(ocispec, tc.annotationKey).setBool(func(v bool) {
 				val = v

src/runtime/pkg/utils/shimclient/shim_management_client.go

@@ -47,8 +47,8 @@ func buildUnixSocketClient(socketAddr string, timeout time.Duration) (*http.Clie
 	return client, nil
 }
 
-func DoGet(sandboxID string, timeout time.Duration, urlPath string) ([]byte, error) {
-	client, err := BuildShimClient(sandboxID, timeout)
+func DoGet(sandboxID string, timeoutInSeconds time.Duration, urlPath string) ([]byte, error) {
+	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
 	if err != nil {
 		return nil, err
 	}
@@ -71,8 +71,8 @@ func DoGet(sandboxID string, timeout time.Duration, urlPath string) ([]byte, err
 }
 
 // DoPut will make a PUT request to the shim endpoint that handles the given sandbox ID
-func DoPut(sandboxID string, timeout time.Duration, urlPath, contentType string, payload []byte) error {
-	client, err := BuildShimClient(sandboxID, timeout)
+func DoPut(sandboxID string, timeoutInSeconds time.Duration, urlPath, contentType string, payload []byte) error {
+	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
 	if err != nil {
 		return err
 	}
@@ -103,8 +103,8 @@ func DoPut(sandboxID string, timeout time.Duration, urlPath, contentType string,
 }
 
 // DoPost will make a POST request to the shim endpoint that handles the given sandbox ID
-func DoPost(sandboxID string, timeout time.Duration, urlPath, contentType string, payload []byte) error {
-	client, err := BuildShimClient(sandboxID, timeout)
+func DoPost(sandboxID string, timeoutInSeconds time.Duration, urlPath, contentType string, payload []byte) error {
+	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
 	if err != nil {
 		return err
 	}

src/runtime/vendor/github.com/BurntSushi/toml/README.md

@@ -1,7 +1,7 @@
 TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
 reflection interface similar to Go's standard library `json` and `xml` packages.
 
-Compatible with TOML version [v1.1.0](https://toml.io/en/v1.1.0).
+Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).
 
 Documentation: https://pkg.go.dev/github.com/BurntSushi/toml
 

src/runtime/vendor/github.com/BurntSushi/toml/decode.go

@@ -206,13 +206,6 @@ func markDecodedRecursive(md *MetaData, tmap map[string]any) {
 			markDecodedRecursive(md, tmap)
 			md.context = md.context[0 : len(md.context)-1]
 		}
-		if tarr, ok := tmap[key].([]map[string]any); ok {
-			for _, elm := range tarr {
-				md.context = append(md.context, key)
-				markDecodedRecursive(md, elm)
-				md.context = md.context[0 : len(md.context)-1]
-			}
-		}
 	}
 }
 
@@ -430,7 +423,7 @@ func (md *MetaData) unifyString(data any, rv reflect.Value) error {
 		if i, ok := data.(int64); ok {
 			rv.SetString(strconv.FormatInt(i, 10))
 		} else if f, ok := data.(float64); ok {
-			rv.SetString(strconv.FormatFloat(f, 'g', -1, 64))
+			rv.SetString(strconv.FormatFloat(f, 'f', -1, 64))
 		} else {
 			return md.badtype("string", data)
 		}

src/runtime/vendor/github.com/BurntSushi/toml/encode.go

@@ -228,9 +228,9 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 		}
 		switch v.Location() {
 		default:
-			enc.write(v.Format(format))
+			enc.wf(v.Format(format))
 		case internal.LocalDatetime, internal.LocalDate, internal.LocalTime:
-			enc.write(v.In(time.UTC).Format(format))
+			enc.wf(v.In(time.UTC).Format(format))
 		}
 		return
 	case Marshaler:
@@ -279,40 +279,40 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 	case reflect.String:
 		enc.writeQuoted(rv.String())
 	case reflect.Bool:
-		enc.write(strconv.FormatBool(rv.Bool()))
+		enc.wf(strconv.FormatBool(rv.Bool()))
 	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		enc.write(strconv.FormatInt(rv.Int(), 10))
+		enc.wf(strconv.FormatInt(rv.Int(), 10))
 	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
-		enc.write(strconv.FormatUint(rv.Uint(), 10))
+		enc.wf(strconv.FormatUint(rv.Uint(), 10))
 	case reflect.Float32:
 		f := rv.Float()
 		if math.IsNaN(f) {
 			if math.Signbit(f) {
-				enc.write("-")
+				enc.wf("-")
 			}
-			enc.write("nan")
+			enc.wf("nan")
 		} else if math.IsInf(f, 0) {
 			if math.Signbit(f) {
-				enc.write("-")
+				enc.wf("-")
 			}
-			enc.write("inf")
+			enc.wf("inf")
 		} else {
-			enc.write(floatAddDecimal(strconv.FormatFloat(f, 'g', -1, 32)))
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32)))
 		}
 	case reflect.Float64:
 		f := rv.Float()
 		if math.IsNaN(f) {
 			if math.Signbit(f) {
-				enc.write("-")
+				enc.wf("-")
 			}
-			enc.write("nan")
+			enc.wf("nan")
 		} else if math.IsInf(f, 0) {
 			if math.Signbit(f) {
-				enc.write("-")
+				enc.wf("-")
 			}
-			enc.write("inf")
+			enc.wf("inf")
 		} else {
-			enc.write(floatAddDecimal(strconv.FormatFloat(f, 'g', -1, 64)))
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64)))
 		}
 	case reflect.Array, reflect.Slice:
 		enc.eArrayOrSliceElement(rv)
@@ -330,32 +330,27 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 // By the TOML spec, all floats must have a decimal with at least one number on
 // either side.
 func floatAddDecimal(fstr string) string {
-	for _, c := range fstr {
-		if c == 'e' { // Exponent syntax
-			return fstr
-		}
-		if c == '.' {
-			return fstr
-		}
+	if !strings.Contains(fstr, ".") {
+		return fstr + ".0"
 	}
-	return fstr + ".0"
+	return fstr
 }
 
 func (enc *Encoder) writeQuoted(s string) {
-	enc.write(`"` + dblQuotedReplacer.Replace(s) + `"`)
+	enc.wf("\"%s\"", dblQuotedReplacer.Replace(s))
 }
 
 func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
 	length := rv.Len()
-	enc.write("[")
+	enc.wf("[")
 	for i := 0; i < length; i++ {
 		elem := eindirect(rv.Index(i))
 		enc.eElement(elem)
 		if i != length-1 {
-			enc.write(", ")
+			enc.wf(", ")
 		}
 	}
-	enc.write("]")
+	enc.wf("]")
 }
 
 func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
@@ -368,7 +363,7 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
 			continue
 		}
 		enc.newline()
-		enc.writef("%s[[%s]]", enc.indentStr(key), key)
+		enc.wf("%s[[%s]]", enc.indentStr(key), key)
 		enc.newline()
 		enc.eMapOrStruct(key, trv, false)
 	}
@@ -381,7 +376,7 @@ func (enc *Encoder) eTable(key Key, rv reflect.Value) {
 		enc.newline()
 	}
 	if len(key) > 0 {
-		enc.writef("%s[%s]", enc.indentStr(key), key)
+		enc.wf("%s[%s]", enc.indentStr(key), key)
 		enc.newline()
 	}
 	enc.eMapOrStruct(key, rv, false)
@@ -427,7 +422,7 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 			if inline {
 				enc.writeKeyValue(Key{mapKey.String()}, val, true)
 				if trailC || i != len(mapKeys)-1 {
-					enc.write(", ")
+					enc.wf(", ")
 				}
 			} else {
 				enc.encode(key.add(mapKey.String()), val)
@@ -436,12 +431,12 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	}
 
 	if inline {
-		enc.write("{")
+		enc.wf("{")
 	}
 	writeMapKeys(mapKeysDirect, len(mapKeysSub) > 0)
 	writeMapKeys(mapKeysSub, false)
 	if inline {
-		enc.write("}")
+		enc.wf("}")
 	}
 }
 
@@ -539,7 +534,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 			if inline {
 				enc.writeKeyValue(Key{keyName}, fieldVal, true)
 				if fieldIndex[0] != totalFields-1 {
-					enc.write(", ")
+					enc.wf(", ")
 				}
 			} else {
 				enc.encode(key.add(keyName), fieldVal)
@@ -548,14 +543,14 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	}
 
 	if inline {
-		enc.write("{")
+		enc.wf("{")
 	}
 
 	l := len(fieldsDirect) + len(fieldsSub)
 	writeFields(fieldsDirect, l)
 	writeFields(fieldsSub, l)
 	if inline {
-		enc.write("}")
+		enc.wf("}")
 	}
 }
 
@@ -705,7 +700,7 @@ func isEmpty(rv reflect.Value) bool {
 
 func (enc *Encoder) newline() {
 	if enc.hasWritten {
-		enc.write("\n")
+		enc.wf("\n")
 	}
 }
 
@@ -727,22 +722,14 @@ func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
 		enc.eElement(val)
 		return
 	}
-	enc.writef("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
+	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
 	enc.eElement(val)
 	if !inline {
 		enc.newline()
 	}
 }
 
-func (enc *Encoder) write(s string) {
-	_, err := enc.w.WriteString(s)
-	if err != nil {
-		encPanic(err)
-	}
-	enc.hasWritten = true
-}
-
-func (enc *Encoder) writef(format string, v ...any) {
+func (enc *Encoder) wf(format string, v ...any) {
 	_, err := fmt.Fprintf(enc.w, format, v...)
 	if err != nil {
 		encPanic(err)

src/runtime/vendor/github.com/BurntSushi/toml/lex.go

@@ -13,6 +13,7 @@ type itemType int
 
 const (
 	itemError itemType = iota
+	itemNIL            // used in the parser to indicate no type
 	itemEOF
 	itemText
 	itemString
@@ -46,13 +47,14 @@ func (p Position) String() string {
 }
 
 type lexer struct {
-	input string
-	start int
-	pos   int
-	line  int
-	state stateFn
-	items chan item
-	esc   bool
+	input    string
+	start    int
+	pos      int
+	line     int
+	state    stateFn
+	items    chan item
+	tomlNext bool
+	esc      bool
 
 	// Allow for backing up up to 4 runes. This is necessary because TOML
 	// contains 3-rune tokens (""" and ''').
@@ -88,13 +90,14 @@ func (lx *lexer) nextItem() item {
 	}
 }
 
-func lex(input string) *lexer {
+func lex(input string, tomlNext bool) *lexer {
 	lx := &lexer{
-		input: input,
-		state: lexTop,
-		items: make(chan item, 10),
-		stack: make([]stateFn, 0, 10),
-		line:  1,
+		input:    input,
+		state:    lexTop,
+		items:    make(chan item, 10),
+		stack:    make([]stateFn, 0, 10),
+		line:     1,
+		tomlNext: tomlNext,
 	}
 	return lx
 }
@@ -105,7 +108,7 @@ func (lx *lexer) push(state stateFn) {
 
 func (lx *lexer) pop() stateFn {
 	if len(lx.stack) == 0 {
-		panic("BUG in lexer: no states to pop")
+		return lx.errorf("BUG in lexer: no states to pop")
 	}
 	last := lx.stack[len(lx.stack)-1]
 	lx.stack = lx.stack[0 : len(lx.stack)-1]
@@ -302,8 +305,6 @@ func lexTop(lx *lexer) stateFn {
 		return lexTableStart
 	case eof:
 		if lx.pos > lx.start {
-			// TODO: never reached? I think this can only occur on a bug in the
-			// lexer(?)
 			return lx.errorf("unexpected EOF")
 		}
 		lx.emit(itemEOF)
@@ -391,6 +392,8 @@ func lexTableNameStart(lx *lexer) stateFn {
 func lexTableNameEnd(lx *lexer) stateFn {
 	lx.skip(isWhitespace)
 	switch r := lx.next(); {
+	case isWhitespace(r):
+		return lexTableNameEnd
 	case r == '.':
 		lx.ignore()
 		return lexTableNameStart
@@ -409,7 +412,7 @@ func lexTableNameEnd(lx *lexer) stateFn {
 // Lexes only one part, e.g. only 'a' inside 'a.b'.
 func lexBareName(lx *lexer) stateFn {
 	r := lx.next()
-	if isBareKeyChar(r) {
+	if isBareKeyChar(r, lx.tomlNext) {
 		return lexBareName
 	}
 	lx.backup()
@@ -417,23 +420,23 @@ func lexBareName(lx *lexer) stateFn {
 	return lx.pop()
 }
 
-// lexQuotedName lexes one part of a quoted key or table name. It assumes that
-// it starts lexing at the quote itself (" or ').
+// lexBareName lexes one part of a key or table.
+//
+// It assumes that at least one valid character for the table has already been
+// read.
 //
 // Lexes only one part, e.g. only '"a"' inside '"a".b'.
 func lexQuotedName(lx *lexer) stateFn {
 	r := lx.next()
 	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexValue)
 	case r == '"':
 		lx.ignore() // ignore the '"'
 		return lexString
 	case r == '\'':
 		lx.ignore() // ignore the "'"
 		return lexRawString
-
-	// TODO: I don't think any of the below conditions can ever be reached?
-	case isWhitespace(r):
-		return lexSkip(lx, lexValue)
 	case r == eof:
 		return lx.errorf("unexpected EOF; expected value")
 	default:
@@ -461,19 +464,17 @@ func lexKeyStart(lx *lexer) stateFn {
 func lexKeyNameStart(lx *lexer) stateFn {
 	lx.skip(isWhitespace)
 	switch r := lx.peek(); {
-	default:
-		lx.push(lexKeyEnd)
-		return lexBareName
-	case r == '"' || r == '\'':
-		lx.ignore()
-		lx.push(lexKeyEnd)
-		return lexQuotedName
-
-	// TODO: I think these can never be reached?
 	case r == '=' || r == eof:
 		return lx.errorf("unexpected '='")
 	case r == '.':
 		return lx.errorf("unexpected '.'")
+	case r == '"' || r == '\'':
+		lx.ignore()
+		lx.push(lexKeyEnd)
+		return lexQuotedName
+	default:
+		lx.push(lexKeyEnd)
+		return lexBareName
 	}
 }
 
@@ -484,7 +485,7 @@ func lexKeyEnd(lx *lexer) stateFn {
 	switch r := lx.next(); {
 	case isWhitespace(r):
 		return lexSkip(lx, lexKeyEnd)
-	case r == eof: // TODO: never reached
+	case r == eof:
 		return lx.errorf("unexpected EOF; expected key separator '='")
 	case r == '.':
 		lx.ignore()
@@ -627,7 +628,10 @@ func lexInlineTableValue(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValue)
 	case isNL(r):
-		return lexSkip(lx, lexInlineTableValue)
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValue)
+		}
+		return lx.errorPrevLine(errLexInlineTableNL{})
 	case r == '#':
 		lx.push(lexInlineTableValue)
 		return lexCommentStart
@@ -649,7 +653,10 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValueEnd)
 	case isNL(r):
-		return lexSkip(lx, lexInlineTableValueEnd)
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValueEnd)
+		}
+		return lx.errorPrevLine(errLexInlineTableNL{})
 	case r == '#':
 		lx.push(lexInlineTableValueEnd)
 		return lexCommentStart
@@ -657,7 +664,10 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 		lx.ignore()
 		lx.skip(isWhitespace)
 		if lx.peek() == '}' {
-			return lexInlineTableValueEnd
+			if lx.tomlNext {
+				return lexInlineTableValueEnd
+			}
+			return lx.errorf("trailing comma not allowed in inline tables")
 		}
 		return lexInlineTableValue
 	case r == '}':
@@ -845,6 +855,9 @@ func lexStringEscape(lx *lexer) stateFn {
 	r := lx.next()
 	switch r {
 	case 'e':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
 		fallthrough
 	case 'b':
 		fallthrough
@@ -865,6 +878,9 @@ func lexStringEscape(lx *lexer) stateFn {
 	case '\\':
 		return lx.pop()
 	case 'x':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
 		return lexHexEscape
 	case 'u':
 		return lexShortUnicodeEscape
@@ -912,9 +928,19 @@ func lexLongUnicodeEscape(lx *lexer) stateFn {
 // lexBaseNumberOrDate can differentiate base prefixed integers from other
 // types.
 func lexNumberOrDateStart(lx *lexer) stateFn {
-	if lx.next() == '0' {
+	r := lx.next()
+	switch r {
+	case '0':
 		return lexBaseNumberOrDate
 	}
+
+	if !isDigit(r) {
+		// The only way to reach this state is if the value starts
+		// with a digit, so specifically treat anything else as an
+		// error.
+		return lx.errorf("expected a digit but got %q", r)
+	}
+
 	return lexNumberOrDate
 }
 
@@ -1170,13 +1196,13 @@ func lexSkip(lx *lexer, nextState stateFn) stateFn {
 }
 
 func (s stateFn) String() string {
-	if s == nil {
-		return "<nil>"
-	}
 	name := runtime.FuncForPC(reflect.ValueOf(s).Pointer()).Name()
 	if i := strings.LastIndexByte(name, '.'); i > -1 {
 		name = name[i+1:]
 	}
+	if s == nil {
+		name = "<nil>"
+	}
 	return name + "()"
 }
 
@@ -1184,6 +1210,8 @@ func (itype itemType) String() string {
 	switch itype {
 	case itemError:
 		return "Error"
+	case itemNIL:
+		return "NIL"
 	case itemEOF:
 		return "EOF"
 	case itemText:
@@ -1198,22 +1226,18 @@ func (itype itemType) String() string {
 		return "Float"
 	case itemDatetime:
 		return "DateTime"
-	case itemArray:
-		return "Array"
-	case itemArrayEnd:
-		return "ArrayEnd"
 	case itemTableStart:
 		return "TableStart"
 	case itemTableEnd:
 		return "TableEnd"
-	case itemArrayTableStart:
-		return "ArrayTableStart"
-	case itemArrayTableEnd:
-		return "ArrayTableEnd"
 	case itemKeyStart:
 		return "KeyStart"
 	case itemKeyEnd:
 		return "KeyEnd"
+	case itemArray:
+		return "Array"
+	case itemArrayEnd:
+		return "ArrayEnd"
 	case itemCommentStart:
 		return "CommentStart"
 	case itemInlineTableStart:
@@ -1242,7 +1266,7 @@ func isDigit(r rune) bool  { return r >= '0' && r <= '9' }
 func isBinary(r rune) bool { return r == '0' || r == '1' }
 func isOctal(r rune) bool  { return r >= '0' && r <= '7' }
 func isHex(r rune) bool    { return (r >= '0' && r <= '9') || (r|0x20 >= 'a' && r|0x20 <= 'f') }
-func isBareKeyChar(r rune) bool {
+func isBareKeyChar(r rune, tomlNext bool) bool {
 	return (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') ||
 		(r >= '0' && r <= '9') || r == '_' || r == '-'
 }

src/runtime/vendor/github.com/BurntSushi/toml/parse.go

@@ -3,6 +3,7 @@ package toml
 import (
 	"fmt"
 	"math"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -16,6 +17,7 @@ type parser struct {
 	context    Key      // Full key for the current hash in scope.
 	currentKey string   // Base key name for everything except hashes.
 	pos        Position // Current position in the TOML file.
+	tomlNext   bool
 
 	ordered []Key // List of keys in the order that they appear in the TOML data.
 
@@ -30,6 +32,8 @@ type keyInfo struct {
 }
 
 func parse(data string) (p *parser, err error) {
+	_, tomlNext := os.LookupEnv("BURNTSUSHI_TOML_110")
+
 	defer func() {
 		if r := recover(); r != nil {
 			if pErr, ok := r.(ParseError); ok {
@@ -69,9 +73,10 @@ func parse(data string) (p *parser, err error) {
 	p = &parser{
 		keyInfo:   make(map[string]keyInfo),
 		mapping:   make(map[string]any),
-		lx:        lex(data),
+		lx:        lex(data, tomlNext),
 		ordered:   make([]Key, 0),
 		implicits: make(map[string]struct{}),
+		tomlNext:  tomlNext,
 	}
 	for {
 		item := p.next()
@@ -345,14 +350,17 @@ func (p *parser) valueFloat(it item) (any, tomlType) {
 var dtTypes = []struct {
 	fmt  string
 	zone *time.Location
+	next bool
 }{
-	{time.RFC3339Nano, time.Local},
-	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime},
-	{"2006-01-02", internal.LocalDate},
-	{"15:04:05.999999999", internal.LocalTime},
-	{"2006-01-02T15:04Z07:00", time.Local},
-	{"2006-01-02T15:04", internal.LocalDatetime},
-	{"15:04", internal.LocalTime},
+	{time.RFC3339Nano, time.Local, false},
+	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime, false},
+	{"2006-01-02", internal.LocalDate, false},
+	{"15:04:05.999999999", internal.LocalTime, false},
+
+	// tomlNext
+	{"2006-01-02T15:04Z07:00", time.Local, true},
+	{"2006-01-02T15:04", internal.LocalDatetime, true},
+	{"15:04", internal.LocalTime, true},
 }
 
 func (p *parser) valueDatetime(it item) (any, tomlType) {
@@ -363,6 +371,9 @@ func (p *parser) valueDatetime(it item) (any, tomlType) {
 		err error
 	)
 	for _, dt := range dtTypes {
+		if dt.next && !p.tomlNext {
+			continue
+		}
 		t, err = time.ParseInLocation(dt.fmt, it.val, dt.zone)
 		if err == nil {
 			if missingLeadingZero(it.val, dt.fmt) {
@@ -633,11 +644,6 @@ func (p *parser) setValue(key string, value any) {
 		// Note that since it has already been defined (as a hash), we don't
 		// want to overwrite it. So our business is done.
 		if p.isArray(keyContext) {
-			if !p.isImplicit(keyContext) {
-				if _, ok := hash[key]; ok {
-					p.panicf("Key '%s' has already been defined.", keyContext)
-				}
-			}
 			p.removeImplicit(keyContext)
 			hash[key] = value
 			return
@@ -796,8 +802,10 @@ func (p *parser) replaceEscapes(it item, str string) string {
 			b.WriteByte(0x0d)
 			skip = 1
 		case 'e':
-			b.WriteByte(0x1b)
-			skip = 1
+			if p.tomlNext {
+				b.WriteByte(0x1b)
+				skip = 1
+			}
 		case '"':
 			b.WriteByte(0x22)
 			skip = 1
@@ -807,9 +815,11 @@ func (p *parser) replaceEscapes(it item, str string) string {
 		// The lexer guarantees the correct number of characters are present;
 		// don't need to check here.
 		case 'x':
-			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4])
-			b.WriteRune(escaped)
-			skip = 3
+			if p.tomlNext {
+				escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4])
+				b.WriteRune(escaped)
+				skip = 3
+			}
 		case 'u':
 			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+6])
 			b.WriteRune(escaped)

src/runtime/vendor/modules.txt

@@ -13,7 +13,7 @@ github.com/AdaLogics/go-fuzz-headers
 # github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0
 ## explicit; go 1.18
 github.com/AdamKorcz/go-118-fuzz-build/testing
-# github.com/BurntSushi/toml v1.6.0
+# github.com/BurntSushi/toml v1.5.0
 ## explicit; go 1.18
 github.com/BurntSushi/toml
 github.com/BurntSushi/toml/internal

src/runtime/virtcontainers/clh.go

@@ -587,11 +587,6 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 	// Set initial amount of cpu's for the virtual machine
 	clh.vmconfig.Cpus = chclient.NewCpusConfig(int32(clh.config.NumVCPUs()), int32(clh.config.DefaultMaxVCPUs))
 
-	if pathExists("/dev/mshv") {
-		// The nested property is true by default, but is not supported yet on MSHV.
-		clh.vmconfig.Cpus.SetNested(false)
-	}
-
 	disableNvdimm := true
 	enableDax := false
 
@@ -618,7 +613,6 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 		disk := chclient.NewDiskConfig()
 		disk.Path = &assetPath
 		disk.SetReadonly(true)
-		disk.SetImageType("Raw")
 
 		diskRateLimiterConfig := clh.getDiskRateLimiterConfig()
 		if diskRateLimiterConfig != nil {
@@ -908,7 +902,6 @@ func (clh *cloudHypervisor) addInitdataDisk(initdataImage string) {
 		disk.Direct = &clh.config.BlockDeviceCacheDirect
 	}
 	disk.SetIommu(clh.config.IOMMU)
-	disk.SetImageType("Raw")
 
 	if rl := clh.getDiskRateLimiterConfig(); rl != nil {
 		disk.SetRateLimiterConfig(*rl)
@@ -947,7 +940,6 @@ func (clh *cloudHypervisor) hotplugAddBlockDevice(drive *config.BlockDrive) erro
 	clhDisk := *chclient.NewDiskConfig()
 	clhDisk.Path = &drive.File
 	clhDisk.Readonly = &drive.ReadOnly
-	clhDisk.SetImageType("Raw")
 	clhDisk.VhostUser = func(b bool) *bool { return &b }(false)
 	if clh.config.BlockDeviceCacheSet {
 		clhDisk.Direct = &clh.config.BlockDeviceCacheDirect
@@ -1380,7 +1372,10 @@ func (clh *cloudHypervisor) terminate(ctx context.Context, waitOnly bool) (err e
 	defer span.End()
 
 	pid := clh.state.PID
-	pidRunning := pid != 0
+	pidRunning := true
+	if pid == 0 {
+		pidRunning = false
+	}
 
 	defer func() {
 		clh.Logger().Debug("Cleanup VM")
@@ -1766,10 +1761,10 @@ func (clh *cloudHypervisor) addNet(e Endpoint) error {
 		return errors.New("net Pair to be added is nil, needed to get TAP file descriptors")
 	}
 
-	if len(netPair.VMFds) == 0 {
+	if len(netPair.TapInterface.VMFds) == 0 {
 		return errors.New("The file descriptors for the network pair are not present")
 	}
-	clh.netDevicesFiles[mac] = netPair.VMFds
+	clh.netDevicesFiles[mac] = netPair.TapInterface.VMFds
 
 	netRateLimiterConfig := clh.getNetRateLimiterConfig()
 
@@ -1937,10 +1932,3 @@ func (clh *cloudHypervisor) vmInfo() (chclient.VmInfo, error) {
 func (clh *cloudHypervisor) IsRateLimiterBuiltin() bool {
 	return true
 }
-
-func pathExists(path string) bool {
-	if _, err := os.Stat(path); err != nil {
-		return false
-	}
-	return true
-}

src/runtime/virtcontainers/clh_test.go

@@ -148,7 +148,7 @@ func TestCloudHypervisorAddNetCheckNetConfigListValues(t *testing.T) {
 
 	e := &VethEndpoint{}
 	e.NetPair.TAPIface.HardAddr = macTest
-	e.NetPair.VMFds = vmFds
+	e.NetPair.TapInterface.VMFds = vmFds
 
 	err = clh.addNet(e)
 	assert.Nil(err)
@@ -183,7 +183,7 @@ func TestCloudHypervisorAddNetCheckEnpointTypes(t *testing.T) {
 
 	validVeth := &VethEndpoint{}
 	validVeth.NetPair.TAPIface.HardAddr = macTest
-	validVeth.NetPair.VMFds = vmFds
+	validVeth.NetPair.TapInterface.VMFds = vmFds
 
 	type args struct {
 		e Endpoint
@@ -224,7 +224,7 @@ func TestCloudHypervisorNetRateLimiter(t *testing.T) {
 	vmFds = append(vmFds, file)
 
 	validVeth := &VethEndpoint{}
-	validVeth.NetPair.VMFds = vmFds
+	validVeth.NetPair.TapInterface.VMFds = vmFds
 
 	type args struct {
 		bwMaxRate       int64

src/runtime/virtcontainers/container.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	deviceUtils "github.com/kata-containers/kata-containers/src/runtime/pkg/device/drivers"
+	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/manager"
 	deviceManager "github.com/kata-containers/kata-containers/src/runtime/pkg/device/manager"
 	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
@@ -634,7 +635,7 @@ func (c *Container) createBlockDevices(ctx context.Context) error {
 
 		if mntInfo != nil {
 			// Write out sandbox info file on the mount source to allow CSI to communicate with the runtime
-			if err := volume.RecordSandboxID(c.sandboxID, c.mounts[i].Source); err != nil {
+			if err := volume.RecordSandboxId(c.sandboxID, c.mounts[i].Source); err != nil {
 				c.Logger().WithError(err).Error("error writing sandbox info")
 			}
 
@@ -1504,8 +1505,8 @@ func (c *Container) update(ctx context.Context, resources specs.LinuxResources)
 		return err
 	}
 
-	if state := c.state.State; state != types.StateRunning && state != types.StateReady {
-		return fmt.Errorf("container(%s) not running or ready, impossible to update", state)
+	if state := c.state.State; !(state == types.StateRunning || state == types.StateReady) {
+		return fmt.Errorf("Container(%s) not running or ready, impossible to update", state)
 	}
 
 	if c.config.Resources.CPU == nil {
@@ -1682,7 +1683,7 @@ func (c *Container) plugDevice(ctx context.Context, devicePath string) error {
 
 // isDriveUsed checks if a drive has been used for container rootfs
 func (c *Container) isDriveUsed() bool {
-	return c.state.Fstype != ""
+	return !(c.state.Fstype == "")
 }
 
 func (c *Container) removeDrive(ctx context.Context) (err error) {
@@ -1691,7 +1692,7 @@ func (c *Container) removeDrive(ctx context.Context) (err error) {
 
 		devID := c.state.BlockDeviceID
 		err := c.sandbox.devManager.DetachDevice(ctx, devID, c.sandbox)
-		if err != nil && err != deviceManager.ErrDeviceNotAttached {
+		if err != nil && err != manager.ErrDeviceNotAttached {
 			return err
 		}
 
@@ -1702,7 +1703,7 @@ func (c *Container) removeDrive(ctx context.Context) (err error) {
 			}).WithError(err).Error("remove device failed")
 
 			// ignore the device not exist error
-			if err != deviceManager.ErrDeviceNotExist {
+			if err != manager.ErrDeviceNotExist {
 				return err
 			}
 		}
@@ -1730,7 +1731,7 @@ func (c *Container) attachDevices(ctx context.Context) error {
 func (c *Container) detachDevices(ctx context.Context) error {
 	for _, dev := range c.devices {
 		err := c.sandbox.devManager.DetachDevice(ctx, dev.ID, c.sandbox)
-		if err != nil && err != deviceManager.ErrDeviceNotAttached {
+		if err != nil && err != manager.ErrDeviceNotAttached {
 			return err
 		}
 
@@ -1741,7 +1742,7 @@ func (c *Container) detachDevices(ctx context.Context) error {
 			}).WithError(err).Error("remove device failed")
 
 			// ignore the device not exist error
-			if err != deviceManager.ErrDeviceNotExist {
+			if err != manager.ErrDeviceNotExist {
 				return err
 			}
 		}

src/runtime/virtcontainers/endpoint_test.go

@@ -119,8 +119,8 @@ func TestSaveLoadIfPair(t *testing.T) {
 	// Since VMFds and VhostFds are't saved, netPair and loadedIfPair are not equal.
 	assert.False(t, reflect.DeepEqual(netPair, loadedIfPair))
 
-	netPair.VMFds = nil
-	netPair.VhostFds = nil
+	netPair.TapInterface.VMFds = nil
+	netPair.TapInterface.VhostFds = nil
 	// They are equal now.
 	assert.True(t, reflect.DeepEqual(netPair, loadedIfPair))
 }

src/runtime/virtcontainers/fc.go

@@ -937,7 +937,7 @@ func (fc *firecracker) fcAddNetDevice(ctx context.Context, endpoint Endpoint) {
 
 	// VMFds are not used by Firecracker, as it opens the tuntap
 	// device by its name.  Let's just close those.
-	for _, f := range endpoint.NetworkPair().VMFds {
+	for _, f := range endpoint.NetworkPair().TapInterface.VMFds {
 		f.Close()
 	}
 
@@ -987,7 +987,7 @@ func (fc *firecracker) fcAddNetDevice(ctx context.Context, endpoint Endpoint) {
 	ifaceCfg := &models.NetworkInterface{
 		GuestMac:      endpoint.HardwareAddr(),
 		IfaceID:       &ifaceID,
-		HostDevName:   &endpoint.NetworkPair().TAPIface.Name,
+		HostDevName:   &endpoint.NetworkPair().TapInterface.TAPIface.Name,
 		RxRateLimiter: &rxRateLimiter,
 		TxRateLimiter: &txRateLimiter,
 	}

src/runtime/virtcontainers/fs_share_linux.go

@@ -325,8 +325,7 @@ func (f *FilesystemShare) ShareFile(ctx context.Context, c *Container, m *Mount)
 				return err
 			}
 
-			mode := info.Mode()
-			if !mode.IsRegular() && !mode.IsDir() && mode&os.ModeSymlink != os.ModeSymlink {
+			if !(info.Mode().IsRegular() || info.Mode().IsDir() || (info.Mode()&os.ModeSymlink) == os.ModeSymlink) {
 				f.Logger().WithField("ignored-file", srcPath).Debug("Ignoring file as FS sharing not supported")
 				if srcPath == srcRoot {
 					// Ignore the mount if this is not a regular file (excludes socket, device, ...) as it cannot be handled by
@@ -694,17 +693,17 @@ func (f *FilesystemShare) ShareRootFilesystem(ctx context.Context, c *Container)
 			f.Logger().Error("malformed block drive")
 			return nil, fmt.Errorf("malformed block drive")
 		}
-		switch f.sandbox.config.HypervisorConfig.BlockDeviceDriver {
-		case config.VirtioMmio:
+		switch {
+		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioMmio:
 			rootfsStorage.Driver = kataMmioBlkDevType
 			rootfsStorage.Source = blockDrive.VirtPath
-		case config.VirtioBlockCCW:
+		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioBlockCCW:
 			rootfsStorage.Driver = kataBlkCCWDevType
 			rootfsStorage.Source = blockDrive.DevNo
-		case config.VirtioBlock:
+		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioBlock:
 			rootfsStorage.Driver = kataBlkDevType
 			rootfsStorage.Source = blockDrive.PCIPath.String()
-		case config.VirtioSCSI:
+		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioSCSI:
 			rootfsStorage.Driver = kataSCSIDevType
 			rootfsStorage.Source = blockDrive.SCSIAddr
 		default:

src/runtime/virtcontainers/hypervisor.go

@@ -92,10 +92,9 @@ const (
 )
 
 var (
-	hvLogger                        = logrus.WithField("source", "virtcontainers/hypervisor")
-	noGuestMemHotplugErr      error = errors.New("guest memory hotplug not supported")
-	s390xVirtioMemRequiredErr error = errors.New("memory hotplug on s390x requires virtio-mem to be enabled")
-	conflictingAssets         error = errors.New("cannot set both image and initrd at the same time")
+	hvLogger                   = logrus.WithField("source", "virtcontainers/hypervisor")
+	noGuestMemHotplugErr error = errors.New("guest memory hotplug not supported")
+	conflictingAssets    error = errors.New("cannot set both image and initrd at the same time")
 )
 
 // In some architectures the maximum number of vCPUs depends on the number of physical cores.

src/runtime/virtcontainers/kata_agent.go

@@ -46,6 +46,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	grpcStatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
@@ -360,11 +361,15 @@ func KataAgentKernelParams(config KataAgentConfig) []Param {
 }
 
 func (k *kataAgent) handleTraceSettings(config KataAgentConfig) bool {
-	// Agent tracing requires that the agent be able to shutdown
-	// cleanly. This is the only scenario where the agent is
-	// responsible for stopping the VM: normally this is handled
-	// by the runtime.
-	disableVMShutdown := config.Trace
+	disableVMShutdown := false
+
+	if config.Trace {
+		// Agent tracing requires that the agent be able to shutdown
+		// cleanly. This is the only scenario where the agent is
+		// responsible for stopping the VM: normally this is handled
+		// by the runtime.
+		disableVMShutdown = true
+	}
 
 	return disableVMShutdown
 }
@@ -581,7 +586,7 @@ func (k *kataAgent) exec(ctx context.Context, sandbox *Sandbox, c Container, cmd
 
 	if _, err := k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ExecProcessRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "ExecProcessRequest timed out")
 		}
 		return nil, err
 	}
@@ -625,7 +630,7 @@ func (k *kataAgent) updateInterface(ctx context.Context, ifc *pbTypes.Interface)
 			"resulting-interface": fmt.Sprintf("%+v", resultingInterface),
 		}).WithError(err).Error("update interface request failed")
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateInterfaceRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "UpdateInterfaceRequest timed out")
 		}
 	}
 	if resultInterface, ok := resultingInterface.(*pbTypes.Interface); ok {
@@ -657,7 +662,7 @@ func (k *kataAgent) updateRoutes(ctx context.Context, routes []*pbTypes.Route) (
 				"resulting-routes": fmt.Sprintf("%+v", resultingRoutes),
 			}).WithError(err).Error("update routes request failed")
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateRoutesRequest timed out")
+				return nil, status.Errorf(codes.DeadlineExceeded, "UpdateRoutesRequest timed out")
 			}
 		}
 		resultRoutes, ok := resultingRoutes.(*grpc.Routes)
@@ -678,7 +683,7 @@ func (k *kataAgent) updateEphemeralMounts(ctx context.Context, storages []*grpc.
 		if _, err := k.sendReq(ctx, storagesReq); err != nil {
 			k.Logger().WithError(err).Error("update mounts request failed")
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateEphemeralMountsRequest timed out")
+				return status.Errorf(codes.DeadlineExceeded, "UpdateEphemeralMountsRequest timed out")
 			}
 			return err
 		}
@@ -703,7 +708,7 @@ func (k *kataAgent) addARPNeighbors(ctx context.Context, neighs []*pbTypes.ARPNe
 				return nil
 			}
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return grpcStatus.Errorf(codes.DeadlineExceeded, "AddARPNeighborsRequest timed out")
+				return status.Errorf(codes.DeadlineExceeded, "AddARPNeighborsRequest timed out")
 			}
 			k.Logger().WithFields(logrus.Fields{
 				"arpneighbors-requested": fmt.Sprintf("%+v", neighs),
@@ -719,7 +724,7 @@ func (k *kataAgent) listInterfaces(ctx context.Context) ([]*pbTypes.Interface, e
 	resultingInterfaces, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ListInterfacesRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "ListInterfacesRequest timed out")
 		}
 		return nil, err
 	}
@@ -735,7 +740,7 @@ func (k *kataAgent) listRoutes(ctx context.Context) ([]*pbTypes.Route, error) {
 	resultingRoutes, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ListRoutesRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "ListRoutesRequest timed out")
 		}
 		return nil, err
 	}
@@ -854,7 +859,7 @@ func (k *kataAgent) startSandbox(ctx context.Context, sandbox *Sandbox) error {
 	_, err = k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return grpcStatus.Errorf(codes.DeadlineExceeded, "CreateSandboxRequest timed out")
+			return status.Errorf(codes.DeadlineExceeded, "CreateSandboxRequest timed out")
 		}
 		return err
 	}
@@ -961,7 +966,7 @@ func (k *kataAgent) stopSandbox(ctx context.Context, sandbox *Sandbox) error {
 
 	if _, err := k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return grpcStatus.Errorf(codes.DeadlineExceeded, "DestroySandboxRequest timed out")
+			return status.Errorf(codes.DeadlineExceeded, "DestroySandboxRequest timed out")
 		}
 		return err
 	}
@@ -1494,7 +1499,7 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co
 
 	if _, err = k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "CreateContainerRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "CreateContainerRequest timed out")
 		}
 		return nil, err
 	}
@@ -1585,21 +1590,21 @@ func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) ([]*grpc.Storag
 	var epheStorages []*grpc.Storage
 	for idx, mnt := range mounts {
 		if mnt.Type == KataEphemeralDevType {
-			originSrc := mounts[idx].Source
+			origin_src := mounts[idx].Source
 			stat := syscall.Stat_t{}
-			err := syscall.Stat(originSrc, &stat)
+			err := syscall.Stat(origin_src, &stat)
 			if err != nil {
-				k.Logger().WithError(err).Errorf("failed to stat %s", originSrc)
+				k.Logger().WithError(err).Errorf("failed to stat %s", origin_src)
 				return nil, err
 			}
 
-			var dirOptions []string
+			var dir_options []string
 
 			// if volume's gid isn't root group(default group), this means there's
 			// an specific fsGroup is set on this local volume, then it should pass
 			// to guest.
 			if stat.Gid != 0 {
-				dirOptions = append(dirOptions, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
+				dir_options = append(dir_options, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
 			}
 
 			// Set the mount source path to a path that resides inside the VM
@@ -1614,7 +1619,7 @@ func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) ([]*grpc.Storag
 				Source:     "tmpfs",
 				Fstype:     "tmpfs",
 				MountPoint: mounts[idx].Source,
-				Options:    dirOptions,
+				Options:    dir_options,
 			}
 			epheStorages = append(epheStorages, epheStorage)
 		}
@@ -1628,21 +1633,21 @@ func (k *kataAgent) handleLocalStorage(mounts []specs.Mount, sandboxID string, r
 	var localStorages []*grpc.Storage
 	for idx, mnt := range mounts {
 		if mnt.Type == KataLocalDevType {
-			originSrc := mounts[idx].Source
+			origin_src := mounts[idx].Source
 			stat := syscall.Stat_t{}
-			err := syscall.Stat(originSrc, &stat)
+			err := syscall.Stat(origin_src, &stat)
 			if err != nil {
-				k.Logger().WithError(err).Errorf("failed to stat %s", originSrc)
+				k.Logger().WithError(err).Errorf("failed to stat %s", origin_src)
 				return nil, err
 			}
 
-			dirOptions := localDirOptions
+			dir_options := localDirOptions
 
 			// if volume's gid isn't root group(default group), this means there's
 			// an specific fsGroup is set on this local volume, then it should pass
 			// to guest.
 			if stat.Gid != 0 {
-				dirOptions = append(dirOptions, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
+				dir_options = append(dir_options, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
 			}
 
 			// Set the mount source path to a the desired directory point in the VM.
@@ -1659,7 +1664,7 @@ func (k *kataAgent) handleLocalStorage(mounts []specs.Mount, sandboxID string, r
 				Source:     KataLocalDevType,
 				Fstype:     KataLocalDevType,
 				MountPoint: mounts[idx].Source,
-				Options:    dirOptions,
+				Options:    dir_options,
 			}
 			localStorages = append(localStorages, localStorage)
 		}
@@ -1716,21 +1721,21 @@ func getContainerTypeforCRI(c *Container) (string, string) {
 }
 
 func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.KataVirtualVolume, vol *grpc.Storage) (*grpc.Storage, error) {
-	containerAnnotations := c.GetAnnotations()
+	container_annotations := c.GetAnnotations()
 	containerType, criContainerType := getContainerTypeforCRI(c)
 
-	var imageRef string
+	var image_ref string
 	if containerType == string(PodSandbox) {
-		imageRef = "pause"
+		image_ref = "pause"
 	} else {
 		const kubernetesCRIImageName = "io.kubernetes.cri.image-name"
 		const kubernetesCRIOImageName = "io.kubernetes.cri-o.ImageName"
 
 		switch criContainerType {
 		case ctrAnnotations.ContainerType:
-			imageRef = containerAnnotations[kubernetesCRIImageName]
+			image_ref = container_annotations[kubernetesCRIImageName]
 		case crioAnnotations.ContainerType:
-			imageRef = containerAnnotations[kubernetesCRIOImageName]
+			image_ref = container_annotations[kubernetesCRIOImageName]
 		default:
 			// There are cases, like when using nerdctl, where the criContainerType
 			// will never be set, leading to this code path.
@@ -1741,17 +1746,17 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
 			//
 			// With this in mind, let's "fallback" to the default k8s cri image-name
 			// annotation, as documented on our image-pull documentation.
-			imageRef = containerAnnotations[kubernetesCRIImageName]
+			image_ref = container_annotations[kubernetesCRIImageName]
 		}
 
-		if imageRef == "" {
+		if image_ref == "" {
 			return nil, fmt.Errorf("Failed to get image name from annotations")
 		}
 	}
-	virtualVolumeInfo.Source = imageRef
+	virtualVolumeInfo.Source = image_ref
 
 	//merge virtualVolumeInfo.ImagePull.Metadata and container_annotations
-	for k, v := range containerAnnotations {
+	for k, v := range container_annotations {
 		virtualVolumeInfo.ImagePull.Metadata[k] = v
 	}
 
@@ -1970,7 +1975,7 @@ func (k *kataAgent) startContainer(ctx context.Context, sandbox *Sandbox, c *Con
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "StartContainerRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "StartContainerRequest timed out")
 	}
 	return err
 }
@@ -1981,7 +1986,7 @@ func (k *kataAgent) stopContainer(ctx context.Context, sandbox *Sandbox, c Conta
 
 	_, err := k.sendReq(ctx, &grpc.RemoveContainerRequest{ContainerId: c.id})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "RemoveContainerRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "RemoveContainerRequest timed out")
 	}
 	return err
 }
@@ -2000,7 +2005,7 @@ func (k *kataAgent) signalProcess(ctx context.Context, c *Container, processID s
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "SignalProcessRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "SignalProcessRequest timed out")
 	}
 	return err
 }
@@ -2015,7 +2020,7 @@ func (k *kataAgent) winsizeProcess(ctx context.Context, c *Container, processID
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "TtyWinResizeRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "TtyWinResizeRequest timed out")
 	}
 	return err
 }
@@ -2033,7 +2038,7 @@ func (k *kataAgent) updateContainer(ctx context.Context, sandbox *Sandbox, c Con
 
 	_, err = k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateContainerRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "UpdateContainerRequest timed out")
 	}
 	return err
 }
@@ -2045,7 +2050,7 @@ func (k *kataAgent) pauseContainer(ctx context.Context, sandbox *Sandbox, c Cont
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "PauseContainerRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "PauseContainerRequest timed out")
 	}
 	return err
 }
@@ -2057,7 +2062,7 @@ func (k *kataAgent) resumeContainer(ctx context.Context, sandbox *Sandbox, c Con
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "ResumeContainerRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "ResumeContainerRequest timed out")
 	}
 	return err
 }
@@ -2084,7 +2089,7 @@ func (k *kataAgent) memHotplugByProbe(ctx context.Context, addr uint64, sizeMB u
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "MemHotplugByProbeRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "MemHotplugByProbeRequest timed out")
 	}
 	return err
 }
@@ -2098,7 +2103,7 @@ func (k *kataAgent) onlineCPUMem(ctx context.Context, cpus uint32, cpuOnly bool)
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "OnlineCPUMemRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "OnlineCPUMemRequest timed out")
 	}
 	return err
 }
@@ -2112,7 +2117,7 @@ func (k *kataAgent) statsContainer(ctx context.Context, sandbox *Sandbox, c Cont
 
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "StatsContainerRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "StatsContainerRequest timed out")
 		}
 		return nil, err
 	}
@@ -2196,7 +2201,7 @@ func (k *kataAgent) check(ctx context.Context) error {
 	_, err := k.sendReq(ctx, &grpc.CheckRequest{})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return grpcStatus.Errorf(codes.DeadlineExceeded, "CheckRequest timed out")
+			return status.Errorf(codes.DeadlineExceeded, "CheckRequest timed out")
 		}
 		err = fmt.Errorf("Failed to Check if grpc server is working: %s", err)
 	}
@@ -2213,7 +2218,7 @@ func (k *kataAgent) waitProcess(ctx context.Context, c *Container, processID str
 	})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return 0, grpcStatus.Errorf(codes.DeadlineExceeded, "WaitProcessRequest timed out")
+			return 0, status.Errorf(codes.DeadlineExceeded, "WaitProcessRequest timed out")
 		}
 		return 0, err
 	}
@@ -2230,7 +2235,7 @@ func (k *kataAgent) writeProcessStdin(ctx context.Context, c *Container, Process
 
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return 0, grpcStatus.Errorf(codes.DeadlineExceeded, "WriteStreamRequest timed out")
+			return 0, status.Errorf(codes.DeadlineExceeded, "WriteStreamRequest timed out")
 		}
 		return 0, err
 	}
@@ -2244,7 +2249,7 @@ func (k *kataAgent) closeProcessStdin(ctx context.Context, c *Container, Process
 		ExecId:      ProcessID,
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "CloseStdinRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "CloseStdinRequest timed out")
 	}
 	return err
 }
@@ -2254,7 +2259,7 @@ func (k *kataAgent) reseedRNG(ctx context.Context, data []byte) error {
 		Data: data,
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "ReseedRandomDevRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "ReseedRandomDevRequest timed out")
 	}
 	return err
 }
@@ -2262,7 +2267,7 @@ func (k *kataAgent) reseedRNG(ctx context.Context, data []byte) error {
 func (k *kataAgent) removeStaleVirtiofsShareMounts(ctx context.Context) error {
 	_, err := k.sendReq(ctx, &grpc.RemoveStaleVirtiofsShareMountsRequest{})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "removeStaleVirtiofsShareMounts timed out")
+		return status.Errorf(codes.DeadlineExceeded, "removeStaleVirtiofsShareMounts timed out")
 	}
 	return err
 }
@@ -2497,7 +2502,7 @@ func (k *kataAgent) getGuestDetails(ctx context.Context, req *grpc.GuestDetailsR
 	resp, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GuestDetailsRequest request timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "GuestDetailsRequest request timed out")
 		}
 		return nil, err
 	}
@@ -2511,7 +2516,7 @@ func (k *kataAgent) setGuestDateTime(ctx context.Context, tv time.Time) error {
 		Usec: int64(tv.Nanosecond() / 1e3),
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "SetGuestDateTimeRequest request timed out")
+		return status.Errorf(codes.DeadlineExceeded, "SetGuestDateTimeRequest request timed out")
 	}
 	return err
 }
@@ -2566,7 +2571,7 @@ func (k *kataAgent) copyFile(ctx context.Context, src, dst string) error {
 	if cpReq.FileSize == 0 {
 		_, err := k.sendReq(ctx, cpReq)
 		if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-			return grpcStatus.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
+			return status.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
 		}
 		return err
 	}
@@ -2585,7 +2590,7 @@ func (k *kataAgent) copyFile(ctx context.Context, src, dst string) error {
 
 		if _, err = k.sendReq(ctx, cpReq); err != nil {
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return grpcStatus.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
+				return status.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
 			}
 			return fmt.Errorf("Could not send CopyFile request: %v", err)
 		}
@@ -2604,7 +2609,7 @@ func (k *kataAgent) addSwap(ctx context.Context, PCIPath types.PciPath) error {
 
 	_, err := k.sendReq(ctx, &grpc.AddSwapRequest{PCIPath: PCIPath.ToArray()})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "AddSwapRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "AddSwapRequest timed out")
 	}
 	return err
 }
@@ -2633,7 +2638,7 @@ func (k *kataAgent) getOOMEvent(ctx context.Context) (string, error) {
 	result, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return "", grpcStatus.Errorf(codes.DeadlineExceeded, "GetOOMEventRequest timed out")
+			return "", status.Errorf(codes.DeadlineExceeded, "GetOOMEventRequest timed out")
 		}
 		return "", err
 	}
@@ -2647,7 +2652,7 @@ func (k *kataAgent) getAgentMetrics(ctx context.Context, req *grpc.GetMetricsReq
 	resp, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GetMetricsRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "GetMetricsRequest timed out")
 		}
 		return nil, err
 	}
@@ -2659,7 +2664,7 @@ func (k *kataAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error
 	resp, err := k.sendReq(ctx, &grpc.GetIPTablesRequest{IsIpv6: isIPv6})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GetIPTablesRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "GetIPTablesRequest timed out")
 		}
 		return nil, err
 	}
@@ -2674,7 +2679,7 @@ func (k *kataAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) e
 	if err != nil {
 		k.Logger().WithError(err).Errorf("setIPTables request to agent failed")
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return grpcStatus.Errorf(codes.DeadlineExceeded, "SetIPTablesRequest timed out")
+			return status.Errorf(codes.DeadlineExceeded, "SetIPTablesRequest timed out")
 		}
 	}
 
@@ -2685,7 +2690,7 @@ func (k *kataAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath str
 	result, err := k.sendReq(ctx, &grpc.VolumeStatsRequest{VolumeGuestPath: volumeGuestPath})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "VolumeStatsRequest timed out")
+			return nil, status.Errorf(codes.DeadlineExceeded, "VolumeStatsRequest timed out")
 		}
 		return nil, err
 	}
@@ -2701,7 +2706,7 @@ func (k *kataAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath str
 func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath string, size uint64) error {
 	_, err := k.sendReq(ctx, &grpc.ResizeVolumeRequest{VolumeGuestPath: volumeGuestPath, Size: size})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "ResizeVolumeRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "ResizeVolumeRequest timed out")
 	}
 	return err
 }
@@ -2709,7 +2714,7 @@ func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin
 func (k *kataAgent) setPolicy(ctx context.Context, policy string) error {
 	_, err := k.sendReq(ctx, &grpc.SetPolicyRequest{Policy: policy})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return grpcStatus.Errorf(codes.DeadlineExceeded, "SetPolicyRequest timed out")
+		return status.Errorf(codes.DeadlineExceeded, "SetPolicyRequest timed out")
 	}
 	return err
 }

src/runtime/virtcontainers/mock_agent.go

@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"context"
-
 	persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
 	pbTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/grpc"
@@ -261,14 +260,14 @@ func (n *mockAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin
 	return nil
 }
 
-func (n *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+func (k *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
 	return nil, nil
 }
 
-func (n *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+func (k *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
 	return nil
 }
 
-func (n *mockAgent) setPolicy(ctx context.Context, policy string) error {
+func (k *mockAgent) setPolicy(ctx context.Context, policy string) error {
 	return nil
 }

src/runtime/virtcontainers/network_linux.go

@@ -240,7 +240,7 @@ func (n *LinuxNetwork) addSingleEndpoint(ctx context.Context, s *Sandbox, netInf
 }
 
 func (n *LinuxNetwork) removeSingleEndpoint(ctx context.Context, s *Sandbox, endpoint Endpoint, hotplug bool) error {
-	idx := len(n.eps)
+	var idx int = len(n.eps)
 	for i, val := range n.eps {
 		if val.HardwareAddr() == endpoint.HardwareAddr() {
 			idx = i
@@ -293,7 +293,7 @@ func (n *LinuxNetwork) endpointAlreadyAdded(netInfo *NetworkInfo) bool {
 		}
 		pair := ep.NetworkPair()
 		// Existing virtual endpoints
-		if pair != nil && (pair.Name == netInfo.Iface.Name || pair.TAPIface.Name == netInfo.Iface.Name || pair.VirtIface.Name == netInfo.Iface.Name) {
+		if pair != nil && (pair.TapInterface.Name == netInfo.Iface.Name || pair.TapInterface.TAPIface.Name == netInfo.Iface.Name || pair.VirtIface.Name == netInfo.Iface.Name) {
 			return true
 		}
 	}
@@ -1299,7 +1299,7 @@ func addRxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 	switch ep := endpoint.(type) {
 	case *VethEndpoint, *IPVlanEndpoint, *TuntapEndpoint, *MacvlanEndpoint:
 		netPair := endpoint.NetworkPair()
-		linkName = netPair.TAPIface.Name
+		linkName = netPair.TapInterface.TAPIface.Name
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
 	default:
@@ -1467,7 +1467,7 @@ func addTxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 			}
 			return addHTBQdisc(link.Attrs().Index, maxRate)
 		case NetXConnectMacVtapModel, NetXConnectNoneModel:
-			linkName = netPair.TAPIface.Name
+			linkName = netPair.TapInterface.TAPIface.Name
 		default:
 			return fmt.Errorf("Unsupported inter-networking model %v for adding tx rate limiter", netPair.NetInterworkingModel)
 		}
@@ -1502,7 +1502,7 @@ func addTxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 func removeHTBQdisc(linkName string) error {
 	link, err := netlink.LinkByName(linkName)
 	if err != nil {
-		return fmt.Errorf("get link %s by name failed: %v", linkName, err)
+		return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
 	}
 
 	qdiscs, err := netlink.QdiscList(link)
@@ -1529,7 +1529,7 @@ func removeRxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 	switch ep := endpoint.(type) {
 	case *VethEndpoint, *IPVlanEndpoint, *TuntapEndpoint, *MacvlanEndpoint:
 		netPair := endpoint.NetworkPair()
-		linkName = netPair.TAPIface.Name
+		linkName = netPair.TapInterface.TAPIface.Name
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
 	default:
@@ -1560,7 +1560,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 			}
 			return nil
 		case NetXConnectMacVtapModel, NetXConnectNoneModel:
-			linkName = netPair.TAPIface.Name
+			linkName = netPair.TapInterface.TAPIface.Name
 		}
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
@@ -1571,7 +1571,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 	if err := doNetNS(networkNSPath, func(_ ns.NetNS) error {
 		link, err := netlink.LinkByName(linkName)
 		if err != nil {
-			return fmt.Errorf("get link %s by name failed: %v", linkName, err)
+			return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
 		}
 
 		if err := removeRedirectTCFilter(link); err != nil {
@@ -1591,7 +1591,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 		// remove ifb interface
 		ifbLink, err := netlink.LinkByName("ifb0")
 		if err != nil {
-			return fmt.Errorf("get link %s by name failed: %v", linkName, err)
+			return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
 		}
 
 		if err := netHandle.LinkSetDown(ifbLink); err != nil {

src/runtime/virtcontainers/nydusd.go

@@ -38,14 +38,14 @@ const (
 
 	nydusdStopTimeoutSecs = 5
 
-	defaultHttpClientTimeout = 30 * time.Second
-	contentType              = "application/json"
+	defaultHttpClientTimeoutSecs = 30 * time.Second
+	contentType                  = "application/json"
 
-	maxIdleConns          = 10
-	idleConnTimeout       = 10 * time.Second
-	dialTimout            = 5 * time.Second
-	keepAlive             = 5 * time.Second
-	expectContinueTimeout = 1 * time.Second
+	maxIdleConns              = 10
+	idleConnTimeoutSecs       = 10 * time.Second
+	dialTimoutSecs            = 5 * time.Second
+	keepAliveSecs             = 5 * time.Second
+	expectContinueTimeoutSecs = 1 * time.Second
 
 	// Registry Acceleration File System which is nydus provide to accelerate image load
 	nydusRafs = "rafs"
@@ -345,7 +345,7 @@ func NewNydusClient(sock string) (Interface, error) {
 	}
 	return &NydusClient{
 		httpClient: &http.Client{
-			Timeout:   defaultHttpClientTimeout,
+			Timeout:   defaultHttpClientTimeoutSecs,
 			Transport: transport,
 		},
 	}, nil
@@ -370,12 +370,12 @@ func buildTransport(sock string) (http.RoundTripper, error) {
 	}
 	return &http.Transport{
 		MaxIdleConns:          maxIdleConns,
-		IdleConnTimeout:       idleConnTimeout,
-		ExpectContinueTimeout: expectContinueTimeout,
+		IdleConnTimeout:       idleConnTimeoutSecs,
+		ExpectContinueTimeout: expectContinueTimeoutSecs,
 		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
 			dialer := &net.Dialer{
-				Timeout:   dialTimout,
-				KeepAlive: keepAlive,
+				Timeout:   dialTimoutSecs,
+				KeepAlive: keepAliveSecs,
 			}
 			return dialer.DialContext(ctx, "unix", sock)
 		},

src/runtime/virtcontainers/pkg/agent/protocols/client/client.go

@@ -24,6 +24,7 @@ import (
 	otelLabel "go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	grpcStatus "google.golang.org/grpc/status"
 
 	"github.com/containerd/ttrpc"
@@ -131,7 +132,7 @@ func TraceUnaryClientInterceptor() ttrpc.UnaryClientInterceptor {
 			span.SetAttributes(otelLabel.Key("RPC_ERROR").Bool(true))
 		}
 		// err can be nil, that will return an OK response code
-		if status, _ := grpcStatus.FromError(err); status != nil {
+		if status, _ := status.FromError(err); status != nil {
 			span.SetAttributes(otelLabel.Key("RPC_CODE").Int((int)(status.Code())))
 			span.SetAttributes(otelLabel.Key("RPC_MESSAGE").String(status.Message()))
 		}
@@ -399,7 +400,7 @@ func HybridVSockDialer(sock string, timeout time.Duration) (net.Conn, error) {
 		// Once the connection is opened, the following command MUST BE sent,
 		// the hypervisor needs to know the port number where the agent is listening in order to
 		// create the connection
-		if _, err = fmt.Fprintf(conn, "CONNECT %d\n", port); err != nil {
+		if _, err = conn.Write([]byte(fmt.Sprintf("CONNECT %d\n", port))); err != nil {
 			conn.Close()
 			return nil, err
 		}
@@ -456,7 +457,7 @@ func HybridVSockDialer(sock string, timeout time.Duration) (net.Conn, error) {
 func RemoteSockDialer(sock string, timeout time.Duration) (net.Conn, error) {
 
 	s := strings.Split(sock, ":")
-	if len(s) != 2 || s[0] != RemoteSockScheme {
+	if !(len(s) == 2 && s[0] == RemoteSockScheme) {
 		return nil, fmt.Errorf("failed to parse remote sock: %q", sock)
 	}
 	socketPath := s[1]

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/README.md

@@ -16,7 +16,6 @@ Install the following dependencies:
 ```shell
 go get github.com/stretchr/testify/assert
 go get golang.org/x/oauth2
-go get golang.org/x/net/context
 ```
 
 Put the package under your project folder and add the following in import:
@@ -179,6 +178,3 @@ Each of these functions takes a value of the given basic type and returns a poin
 * `PtrTime`
 
 ## Author
-
-
-

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml

@@ -526,7 +526,6 @@ components:
             rate_limit_group: rate_limit_group
             queue_size: 6
             direct: false
-            backing_files: false
             rate_limiter_config:
               ops:
                 size: 0
@@ -551,15 +550,12 @@ components:
             iommu: false
             vhost_socket: vhost_socket
             serial: serial
-            sparse: true
             vhost_user: false
             id: id
-            image_type: FixedVhd
           - num_queues: 9
             rate_limit_group: rate_limit_group
             queue_size: 6
             direct: false
-            backing_files: false
             rate_limiter_config:
               ops:
                 size: 0
@@ -584,10 +580,8 @@ components:
             iommu: false
             vhost_socket: vhost_socket
             serial: serial
-            sparse: true
             vhost_user: false
             id: id
-            image_type: FixedVhd
           fs:
           - pci_segment: 6
             num_queues: 6
@@ -741,7 +735,6 @@ components:
             max_phys_bits: 7
             boot_vcpus: 1
             max_vcpus: 1
-            nested: true
             affinity:
             - vcpu: 9
               host_cpus:
@@ -782,7 +775,6 @@ components:
             pci_segments:
             - 5
             - 5
-            device_id: device_id
             cpus:
             - 3
             - 3
@@ -798,7 +790,6 @@ components:
             pci_segments:
             - 5
             - 5
-            device_id: device_id
             cpus:
             - 3
             - 3
@@ -971,7 +962,6 @@ components:
           rate_limit_group: rate_limit_group
           queue_size: 6
           direct: false
-          backing_files: false
           rate_limiter_config:
             ops:
               size: 0
@@ -996,15 +986,12 @@ components:
           iommu: false
           vhost_socket: vhost_socket
           serial: serial
-          sparse: true
           vhost_user: false
           id: id
-          image_type: FixedVhd
         - num_queues: 9
           rate_limit_group: rate_limit_group
           queue_size: 6
           direct: false
-          backing_files: false
           rate_limiter_config:
             ops:
               size: 0
@@ -1029,10 +1016,8 @@ components:
           iommu: false
           vhost_socket: vhost_socket
           serial: serial
-          sparse: true
           vhost_user: false
           id: id
-          image_type: FixedVhd
         fs:
         - pci_segment: 6
           num_queues: 6
@@ -1186,7 +1171,6 @@ components:
           max_phys_bits: 7
           boot_vcpus: 1
           max_vcpus: 1
-          nested: true
           affinity:
           - vcpu: 9
             host_cpus:
@@ -1227,7 +1211,6 @@ components:
           pci_segments:
           - 5
           - 5
-          device_id: device_id
           cpus:
           - 3
           - 3
@@ -1243,7 +1226,6 @@ components:
           pci_segments:
           - 5
           - 5
-          device_id: device_id
           cpus:
           - 3
           - 3
@@ -1406,7 +1388,6 @@ components:
         max_phys_bits: 7
         boot_vcpus: 1
         max_vcpus: 1
-        nested: true
         affinity:
         - vcpu: 9
           host_cpus:
@@ -1430,9 +1411,6 @@ components:
           type: boolean
         max_phys_bits:
           type: integer
-        nested:
-          default: true
-          type: boolean
         affinity:
           items:
             $ref: '#/components/schemas/CpuAffinity'
@@ -1720,7 +1698,6 @@ components:
         rate_limit_group: rate_limit_group
         queue_size: 6
         direct: false
-        backing_files: false
         rate_limiter_config:
           ops:
             size: 0
@@ -1745,10 +1722,8 @@ components:
         iommu: false
         vhost_socket: vhost_socket
         serial: serial
-        sparse: true
         vhost_user: false
         id: id
-        image_type: FixedVhd
       properties:
         path:
           type: string
@@ -1787,20 +1762,6 @@ components:
           items:
             $ref: '#/components/schemas/VirtQueueAffinity'
           type: array
-        backing_files:
-          default: false
-          type: boolean
-        sparse:
-          default: true
-          type: boolean
-        image_type:
-          enum:
-          - FixedVhd
-          - Qcow2
-          - Raw
-          - Vhdx
-          - Unknown
-          type: string
       type: object
     NetConfig:
       example:
@@ -2131,7 +2092,6 @@ components:
         pci_segments:
         - 5
         - 5
-        device_id: device_id
         cpus:
         - 3
         - 3
@@ -2161,8 +2121,6 @@ components:
             format: int32
             type: integer
           type: array
-        device_id:
-          type: string
       required:
       - guest_numa_id
       type: object

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/CpusConfig.md

@@ -9,7 +9,6 @@ Name | Type | Description | Notes
 **Topology** | Pointer to [**CpuTopology**](CpuTopology.md) |  | [optional] 
 **KvmHyperv** | Pointer to **bool** |  | [optional] [default to false]
 **MaxPhysBits** | Pointer to **int32** |  | [optional] 
-**Nested** | Pointer to **bool** |  | [optional] [default to true]
 **Affinity** | Pointer to [**[]CpuAffinity**](CpuAffinity.md) |  | [optional] 
 **Features** | Pointer to [**CpuFeatures**](CpuFeatures.md) |  | [optional] 
 
@@ -147,31 +146,6 @@ SetMaxPhysBits sets MaxPhysBits field to given value.
 
 HasMaxPhysBits returns a boolean if a field has been set.
 
-### GetNested
-
-`func (o *CpusConfig) GetNested() bool`
-
-GetNested returns the Nested field if non-nil, zero value otherwise.
-
-### GetNestedOk
-
-`func (o *CpusConfig) GetNestedOk() (*bool, bool)`
-
-GetNestedOk returns a tuple with the Nested field if it's non-nil, zero value otherwise
-and a boolean to check if the value has been set.
-
-### SetNested
-
-`func (o *CpusConfig) SetNested(v bool)`
-
-SetNested sets Nested field to given value.
-
-### HasNested
-
-`func (o *CpusConfig) HasNested() bool`
-
-HasNested returns a boolean if a field has been set.
-
 ### GetAffinity
 
 `func (o *CpusConfig) GetAffinity() []CpuAffinity`