relax bind mount regex

the source path can be cached from the first container now

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -23,6 +23,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: false
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -100,6 +102,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: Parse OCI image name and digest
         id: parse-oci-segments
@@ -212,6 +215,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: store-artifact ${{ matrix.asset }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -23,6 +23,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: false
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -88,6 +90,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: Parse OCI image name and digest
         id: parse-oci-segments
@@ -194,6 +197,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
 
       - name: store-artifact ${{ matrix.asset }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -21,6 +21,8 @@ on:
         type: string
         default: ""
     secrets:
+      CI_HKD_PATH:
+        required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
 
@@ -195,11 +197,60 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
+  build-asset-boot-image-se:
+    name: build-asset-boot-image-se
+    runs-on: s390x
+    needs: [build-asset, build-asset-rootfs]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
+          path: kata-artifacts
+          merge-multiple: true
+
+      - name: Place a host key document
+        run: |
+          mkdir -p "host-key-document"
+          cp "${CI_HKD_PATH}" "host-key-document"
+        env:
+          CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+
+      - name: Build boot-image-se
+        run: |
+          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se"
+          make boot-image-se-tarball
+          build_dir=$(readlink -f build)
+          sudo cp -r "${build_dir}" "kata-build"
+          sudo chown -R "$(id -u)":"$(id -g)" "kata-build"
+        env:
+          HKD_PATH: "host-key-document"
+
+      - name: store-artifact boot-image-se
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
+          path: kata-build/kata-static-boot-image-se.tar.zst
+          retention-days: 1
+          if-no-files-found: error
+
   # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
   remove-rootfs-binary-artifacts:
     name: remove-rootfs-binary-artifacts
     runs-on: ubuntu-22.04
-    needs: [build-asset-rootfs]
+    needs: [build-asset-rootfs, build-asset-boot-image-se]
     strategy:
       matrix:
         asset:
@@ -280,6 +331,7 @@ jobs:
     needs:
       - build-asset
       - build-asset-rootfs
+      - build-asset-boot-image-se
       - build-asset-shim-v2
     permissions:
       contents: read

.github/workflows/ci-coco-stability.yaml

@@ -25,8 +25,9 @@ jobs:
       tag: ${{ github.sha }}-weekly
       target-branch: ${{ github.ref_name }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

.github/workflows/ci-devel.yaml

@@ -19,13 +19,15 @@ jobs:
       target-branch: ${{ github.ref_name }}
 
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
       NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-checks:
     uses: ./.github/workflows/build-checks.yaml

.github/workflows/ci-nightly.yaml

@@ -23,10 +23,12 @@ jobs:
       tag: ${{ github.sha }}-nightly
       target-branch: ${{ github.ref_name }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
       NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

.github/workflows/ci-on-push.yaml

@@ -43,10 +43,12 @@ jobs:
       target-branch: ${{ github.event.pull_request.base.ref }}
       skip-test: ${{ needs.skipper.outputs.skip_test }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       ITA_KEY: ${{ secrets.ITA_KEY }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
       NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

.github/workflows/ci-weekly.yaml

@@ -27,6 +27,8 @@ on:
         required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -42,6 +44,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-amd64:
     needs: build-kata-static-tarball-amd64
@@ -115,7 +119,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
       tarball-suffix: -${{ inputs.tag }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

.github/workflows/ci.yaml

@@ -29,12 +29,16 @@ on:
        required: true
       AZ_SUBSCRIPTION_ID:
         required: true
+      CI_HKD_PATH:
+        required: true
       ITA_KEY:
         required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
       NGC_API_KEY:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -50,6 +54,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-amd64:
     needs: build-kata-static-tarball-amd64
@@ -80,6 +86,8 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   publish-kata-deploy-payload-arm64:
     needs: build-kata-static-tarball-arm64
@@ -111,6 +119,7 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
     secrets:
+      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-kata-static-tarball-ppc64le:
@@ -335,7 +344,7 @@ jobs:
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
@@ -353,7 +362,7 @@ jobs:
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
     secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
 
   run-k8s-tests-on-ppc64le:
     if: ${{ inputs.skip-test != 'yes' }}

.github/workflows/payload-after-push.yaml

@@ -24,6 +24,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-assets-arm64:
     permissions:
@@ -38,6 +39,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-assets-s390x:
     permissions:
@@ -51,6 +53,7 @@ jobs:
       push-to-registry: yes
       target-branch: ${{ github.ref_name }}
     secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-assets-ppc64le:

.github/workflows/release-amd64.yaml

@@ -8,6 +8,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -19,6 +21,7 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
     permissions:
       contents: read
       packages: write

.github/workflows/release-arm64.yaml

@@ -8,6 +8,8 @@ on:
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
+      KBUILD_SIGN_PIN:
+        required: true
 
 permissions: {}
 
@@ -19,6 +21,7 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
     permissions:
       contents: read
       packages: write

.github/workflows/release-s390x.yaml

@@ -6,6 +6,8 @@ on:
         required: true
         type: string
     secrets:
+      CI_HKD_PATH:
+        required: true
       QUAY_DEPLOYER_PASSWORD:
         required: true
 
@@ -18,6 +20,7 @@ jobs:
       push-to-registry: yes
       stage: release
     secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
     permissions:
       contents: read

.github/workflows/release.yaml

@@ -35,6 +35,7 @@ jobs:
       target-arch: amd64
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-and-push-assets-arm64:
     needs: release
@@ -48,6 +49,7 @@ jobs:
       target-arch: arm64
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 
   build-and-push-assets-s390x:
     needs: release
@@ -60,6 +62,7 @@ jobs:
     with:
       target-arch: s390x
     secrets:
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-and-push-assets-ppc64le:

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -76,7 +76,7 @@ jobs:
       SNAPSHOTTER: ${{ matrix.snapshotter }}
       TARGET_ARCH: "s390x"
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -69,7 +69,7 @@ jobs:
       KUBERNETES: "vanilla"
       PULL_TYPE: ${{ matrix.pull-type }}
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/run-kata-coco-tests.yaml

@@ -63,7 +63,7 @@ jobs:
       SNAPSHOTTER: "nydus"
       PULL_TYPE: "guest-pull"
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       GH_ITA_KEY: ${{ secrets.ITA_KEY }}
       AUTO_GENERATE_POLICY: "yes"
     steps:
@@ -168,7 +168,7 @@ jobs:
       KUBERNETES: "vanilla"
       PULL_TYPE: ${{ matrix.pull-type }}
       AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ vars.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       SNAPSHOTTER: ${{ matrix.snapshotter }}
       EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.pull-type == 'experimental-force-guest-pull' && matrix.vmm || '' }}
       # Caution: current ingress controller used to expose the KBS service

Cargo.lock

@@ -3945,9 +3945,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
+checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
 dependencies = [
  "bitvec",
  "bytecheck",
@@ -3963,9 +3963,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
+checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0"
 dependencies = [
  "proc-macro2",
  "quote",

src/agent/Cargo.lock

@@ -3488,9 +3488,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
+checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
 dependencies = [
  "bitvec",
  "bytecheck",
@@ -3506,9 +3506,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
+checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0"
 dependencies = [
  "proc-macro2",
  "quote",

src/runtime-rs/Makefile

@@ -180,7 +180,7 @@ DEFNETQUEUES := 1
 DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\"]
 DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
-DEFDISABLEGUESTEMPTYDIR := false
+DEFDISABLEGUESTEMPTYDIR := true
 ##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
 DEFAULTEXPFEATURES := []
 DEFDISABLESELINUX := false

src/runtime/Makefile

@@ -220,7 +220,7 @@ DEFBRIDGES := 1
 DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\"]
 DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
-DEFDISABLEGUESTEMPTYDIR := false
+DEFDISABLEGUESTEMPTYDIR := true
 #Default experimental features enabled
 DEFAULTEXPFEATURES := []
 

src/runtime/cmd/kata-runtime/kata-check_amd64_test.go

@@ -348,15 +348,6 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 
 	defer func() {
 		os.Remove(denylistModuleConf)
-		// reload removed modules
-		for mod := range archRequiredKernelModules {
-			cmd := exec.Command(modProbeCmd, mod)
-			if output, err := cmd.CombinedOutput(); err == nil {
-				kataLog.WithField("output", string(output)).Info("module loaded")
-			} else {
-				kataLog.WithField("output", string(output)).Warn("failed to load module")
-			}
-		}
 	}()
 
 	// remove the modules to force a failure

src/runtime/pkg/resourcecontrol/cgroups.go

@@ -8,7 +8,6 @@
 package resourcecontrol
 
 import (
-	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -51,7 +50,7 @@ type LinuxCgroup struct {
 	sync.Mutex
 }
 
-func sandboxDevices() ([]specs.LinuxDeviceCgroup, error) {
+func sandboxDevices() []specs.LinuxDeviceCgroup {
 	devices := []specs.LinuxDeviceCgroup{}
 
 	defaultDevices := []string{
@@ -69,33 +68,14 @@ func sandboxDevices() ([]specs.LinuxDeviceCgroup, error) {
 	// In order to run Virtual Machines and create virtqueues, hypervisors
 	// need access to certain character devices in the host, like kvm and vhost-net.
 	hypervisorDevices := []string{
-		"/dev/kvm",  // To run virtual machines with KVM
-		"/dev/mshv", // To run virtual machines with Hyper-V
-	}
-	virtualDevices := []string{
+		"/dev/kvm",         // To run virtual machines with KVM
+		"/dev/mshv",        // To run virtual machines with Hyper-V
 		"/dev/vhost-net",   // To create virtqueues
 		"/dev/vfio/vfio",   // To access VFIO devices
 		"/dev/vhost-vsock", // To interact with vsock if
 	}
 
-	hypervisorDeviceAdded := false
-	for _, hypervisor := range hypervisorDevices {
-		hypervisorDevice, err := DeviceToLinuxDevice(hypervisor)
-		if err != nil {
-			if !os.IsNotExist(err) {
-				controllerLogger.WithField("source", "cgroups").Warnf("Failed to add %s to the devices cgroup: %v", hypervisor, err)
-			}
-			continue
-		}
-		devices = append(devices, hypervisorDevice)
-		hypervisorDeviceAdded = true
-		controllerLogger.WithField("source", "cgroups").Infof("Adding %s to the devices cgroup", hypervisor)
-		break
-	}
-	if !hypervisorDeviceAdded {
-		return []specs.LinuxDeviceCgroup{}, errors.New("failed to add any hypervisor device to devices cgroup")
-	}
-	defaultDevices = append(defaultDevices, virtualDevices...)
+	defaultDevices = append(defaultDevices, hypervisorDevices...)
 
 	for _, device := range defaultDevices {
 		ldevice, err := DeviceToLinuxDevice(device)
@@ -148,7 +128,7 @@ func sandboxDevices() ([]specs.LinuxDeviceCgroup, error) {
 
 	devices = append(devices, wildcardDevices...)
 
-	return devices, nil
+	return devices
 }
 
 func NewResourceController(path string, resources *specs.LinuxResources) (ResourceController, error) {
@@ -188,11 +168,7 @@ func NewResourceController(path string, resources *specs.LinuxResources) (Resour
 
 func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool) (ResourceController, error) {
 	sandboxResources := *resources
-	sandboxDevices, err := sandboxDevices()
-	if err != nil {
-		return nil, err
-	}
-	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices...)
+	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices()...)
 
 	// Currently we know to handle systemd cgroup path only when it's the only cgroup (no overhead group), hence,
 	// if sandboxCgroupOnly is not true we treat it as cgroupfs path as it used to be, although it may be incorrect.

src/runtime/virtcontainers/api_test.go

@@ -131,11 +131,6 @@ func newTestSandboxConfigKataAgent() SandboxConfig {
 }
 
 func TestCreateSandboxNoopAgentSuccessful(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
-
 	assert := assert.New(t)
 	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
@@ -164,11 +159,6 @@ func TestCreateSandboxNoopAgentSuccessful(t *testing.T) {
 }
 
 func TestCreateSandboxKataAgentSuccessful(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
-
 	assert := assert.New(t)
 	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
@@ -262,11 +252,6 @@ func createAndStartSandbox(ctx context.Context, config SandboxConfig) (sandbox V
 }
 
 func TestReleaseSandbox(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
-
 	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
@@ -284,11 +269,6 @@ func TestReleaseSandbox(t *testing.T) {
 }
 
 func TestCleanupContainer(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
-
 	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}

src/runtime/virtcontainers/fs_share_linux.go

@@ -83,9 +83,13 @@ type FilesystemShare struct {
 	configVolRegex *regexp.Regexp
 	// Regex to match only the timestamped directory inside the k8's volume mount
 	timestampDirRegex *regexp.Regexp
-	// The same volume mount can be shared by multiple containers in the same sandbox (pod)
-	srcDstMap            map[string][]string
-	srcDstMapLock        sync.Mutex
+	// srcDstMap tracks file-level source to destination mappings for configmap/secret watching
+	srcDstMap     map[string][]string
+	srcDstMapLock sync.Mutex
+	// srcGuestMap caches volume source path to guest path, enabling multiple containers
+	// in the same pod to share the same volume mount
+	srcGuestMap          map[string]string
+	srcGuestMapLock      sync.Mutex
 	eventLoopStarted     bool
 	eventLoopStartedLock sync.Mutex
 	watcherDoneChannel   chan bool
@@ -108,6 +112,7 @@ func NewFilesystemShare(s *Sandbox) (*FilesystemShare, error) {
 		sandbox:            s,
 		watcherDoneChannel: make(chan bool),
 		srcDstMap:          make(map[string][]string),
+		srcGuestMap:        make(map[string]string),
 		watcher:            watcher,
 		configVolRegex:     configVolRegex,
 		timestampDirRegex:  timestampDirRegex,
@@ -309,6 +314,13 @@ func (f *FilesystemShare) ShareFile(ctx context.Context, c *Container, m *Mount)
 	// bind mount it in the shared directory.
 	caps := f.sandbox.hypervisor.Capabilities(ctx)
 	if !caps.IsFsSharingSupported() {
+		f.srcGuestMapLock.Lock()
+		if guestPath, ok := f.srcGuestMap[m.Source]; ok {
+			f.srcGuestMapLock.Unlock()
+			return &SharedFile{guestPath: guestPath}, nil
+		}
+		f.srcGuestMapLock.Unlock()
+
 		f.Logger().Debug("filesystem sharing is not supported, files will be copied")
 
 		var ignored bool
@@ -418,6 +430,11 @@ func (f *FilesystemShare) ShareFile(ctx context.Context, c *Container, m *Mount)
 		m.HostPath = mountDest
 	}
 
+	// Cache the guestPath for this volume source so other containers can share it
+	f.srcGuestMapLock.Lock()
+	defer f.srcGuestMapLock.Unlock()
+	f.srcGuestMap[m.Source] = guestPath
+
 	return &SharedFile{
 		guestPath: guestPath,
 	}, nil
@@ -442,6 +459,10 @@ func (f *FilesystemShare) UnshareFile(ctx context.Context, c *Container, m *Moun
 		}
 	}
 
+	f.srcGuestMapLock.Lock()
+	delete(f.srcGuestMap, m.Source)
+	f.srcGuestMapLock.Unlock()
+
 	return nil
 }
 

src/runtime/virtcontainers/sandbox_test.go

@@ -50,11 +50,6 @@ func testCreateSandbox(t *testing.T, id string,
 	nconfig NetworkConfig, containers []ContainerConfig,
 	volumes []types.Volume) (*Sandbox, error) {
 
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
-
 	if tc.NotValid(ktu.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
@@ -1312,10 +1307,6 @@ func checkSandboxRemains() error {
 }
 
 func TestSandboxCreationFromConfigRollbackFromCreateSandbox(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
 	defer cleanUp()
 	assert := assert.New(t)
 	ctx := context.Background()
@@ -1407,10 +1398,6 @@ func TestSandboxExperimentalFeature(t *testing.T) {
 }
 
 func TestSandbox_Cgroups(t *testing.T) {
-	// GITHUB_RUNNER_CI_NON_VIRT is set to true in .github/workflows/build-checks.yaml file for ARM64 runners because the self hosted runners do not support Virtualization
-	if os.Getenv("GITHUB_RUNNER_CI_NON_VIRT") == "true" {
-		t.Skip("Skipping the test as the GitHub self hosted runners for ARM64 do not support Virtualization")
-	}
 	sandboxContainer := ContainerConfig{}
 	sandboxContainer.Annotations = make(map[string]string)
 	sandboxContainer.Annotations[annotations.ContainerTypeKey] = string(PodSandbox)

src/tools/agent-ctl/Cargo.lock

@@ -4544,9 +4544,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv"
-version = "0.7.46"
+version = "0.7.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
+checksum = "527a97cdfef66f65998b5f3b637c26f5a5ec09cc52a3f9932313ac645f4190f5"
 dependencies = [
  "bitvec",
  "bytecheck",
@@ -4562,9 +4562,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.46"
+version = "0.7.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
+checksum = "b5c462a1328c8e67e4d6dbad1eb0355dd43e8ab432c6e227a43657f16ade5033"
 dependencies = [
  "proc-macro2",
  "quote",

src/tools/genpolicy/Cargo.lock

@@ -2449,9 +2449,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
+checksum = "9008cd6385b9e161d8229e1f6549dd23c3d022f132a2ea37ac3a10ac4935779b"
 dependencies = [
  "bitvec",
  "bytecheck",
@@ -2467,9 +2467,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.46"
+version = "0.7.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
+checksum = "503d1d27590a2b0a3a4ca4c94755aa2875657196ecbf401a42eff41d7de532c0"
 dependencies = [
  "proc-macro2",
  "quote",

src/tools/genpolicy/genpolicy-settings.json

@@ -152,17 +152,6 @@
         }
     },
     "volumes": {
-        "emptyDir": {
-            "mount_type": "local",
-            "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
-            "mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/",
-            "driver": "local",
-            "source": "local",
-            "fstype": "local",
-            "options": [
-                "mode=0777"
-            ]
-        },
         "emptyDir_memory": {
             "mount_type": "bind",
             "mount_source": "^/run/kata-containers/sandbox/ephemeral/",

src/tools/genpolicy/rules.rego

@@ -1160,7 +1160,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if {
     regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
     print("mount_source_allows 2: regex3 =", regex3)
 
-    regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
+    regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
     print("mount_source_allows 2: regex4 =", regex4)
     regex.match(regex4, i_mount.source)
 

src/tools/genpolicy/src/mount_and_storage.rs

@@ -105,7 +105,6 @@ pub fn get_mount_and_storage(
     storages: &mut Vec<agent::Storage>,
     yaml_volume: &volume::Volume,
     yaml_mount: &pod::VolumeMount,
-    pod_security_context: &Option<pod::PodSecurityContext>,
 ) {
     debug!(
         "get_mount_and_storage: adding mount and storage for: {:?}",
@@ -113,27 +112,18 @@ pub fn get_mount_and_storage(
     );
 
     if let Some(emptyDir) = &yaml_volume.emptyDir {
-        let settings_volumes = &settings.volumes;
-        let mut volume: Option<&settings::EmptyDirVolume> = None;
-
-        if let Some(medium) = &emptyDir.medium {
-            if medium == "Memory" {
-                volume = Some(&settings_volumes.emptyDir_memory);
-            }
+        let is_tmpfs = emptyDir.medium.as_ref().is_some_and(|m| m == "Memory");
+        if is_tmpfs {
+            get_memory_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount);
+        } else {
+            let access = if yaml_mount.readOnly == Some(true) {
+                debug!("setting read only access for emptyDir mount");
+                "ro"
+            } else {
+                "rw"
+            };
+            get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", access);
         }
-
-        if volume.is_none() {
-            volume = Some(&settings_volumes.emptyDir);
-        }
-
-        get_empty_dir_mount_and_storage(
-            settings,
-            p_mounts,
-            storages,
-            yaml_mount,
-            volume.unwrap(),
-            pod_security_context,
-        );
     } else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() {
         get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", "rw");
     } else if yaml_volume.hostPath.is_some() {
@@ -149,50 +139,25 @@ pub fn get_mount_and_storage(
     }
 }
 
-fn get_empty_dir_mount_and_storage(
+fn get_memory_empty_dir_mount_and_storage(
     settings: &settings::Settings,
     p_mounts: &mut Vec<policy::KataMount>,
     storages: &mut Vec<agent::Storage>,
     yaml_mount: &pod::VolumeMount,
-    settings_empty_dir: &settings::EmptyDirVolume,
-    pod_security_context: &Option<pod::PodSecurityContext>,
 ) {
-    debug!("Settings emptyDir: {:?}", settings_empty_dir);
+    let settings_empty_dir = &settings.volumes.emptyDir_memory;
+    debug!("Settings emptyDir_memory: {:?}", settings_empty_dir);
 
-    if yaml_mount.subPathExpr.is_none() {
-        let mut options = settings_empty_dir.options.clone();
-        if let Some(gid) = pod_security_context.as_ref().and_then(|sc| sc.fsGroup) {
-            // This matches the runtime behavior of only setting the fsgid if the mountpoint GID is not 0.
-            // https://github.com/kata-containers/kata-containers/blob/b69da5f3ba8385c5833b31db41a846a203812675/src/runtime/virtcontainers/kata_agent.go#L1602-L1607
-            if gid != 0 {
-                options.push(format!("fsgid={gid}"));
-            }
-        }
-        storages.push(agent::Storage {
-            driver: settings_empty_dir.driver.clone(),
-            driver_options: Vec::new(),
-            source: settings_empty_dir.source.clone(),
-            fstype: settings_empty_dir.fstype.clone(),
-            options,
-            mount_point: format!("{}{}$", &settings_empty_dir.mount_point, &yaml_mount.name),
-            fs_group: protobuf::MessageField::none(),
-            special_fields: ::protobuf::SpecialFields::new(),
-        });
-    }
-
-    let source = if yaml_mount.subPathExpr.is_some() {
-        let file_name = Path::new(&yaml_mount.mountPath).file_name().unwrap();
-        let name = OsString::from(file_name).into_string().unwrap();
-        format!("{}{name}$", &settings.volumes.configMap.mount_source)
-    } else {
-        format!("{}{}$", &settings_empty_dir.mount_source, &yaml_mount.name)
-    };
-
-    let mount_type = if yaml_mount.subPathExpr.is_some() {
-        "bind"
-    } else {
-        &settings_empty_dir.mount_type
-    };
+    storages.push(agent::Storage {
+        driver: settings_empty_dir.driver.clone(),
+        driver_options: Vec::new(),
+        source: settings_empty_dir.source.clone(),
+        fstype: settings_empty_dir.fstype.clone(),
+        options: settings_empty_dir.options.clone(),
+        mount_point: format!("{}{}$", &settings_empty_dir.mount_point, &yaml_mount.name),
+        fs_group: protobuf::MessageField::none(),
+        special_fields: ::protobuf::SpecialFields::new(),
+    });
 
     let access = match yaml_mount.readOnly {
         Some(true) => {
@@ -204,8 +169,8 @@ fn get_empty_dir_mount_and_storage(
 
     p_mounts.push(policy::KataMount {
         destination: yaml_mount.mountPath.to_string(),
-        type_: mount_type.to_string(),
-        source,
+        type_: settings_empty_dir.mount_type.clone(),
+        source: format!("{}{}$", &settings_empty_dir.mount_source, &yaml_mount.name),
         options: vec![
             "rbind".to_string(),
             "rprivate".to_string(),
@@ -318,13 +283,7 @@ fn get_shared_bind_mount(
     propagation: &str,
     access: &str,
 ) {
-    // The Kata Shim filepath.Base() to extract the last element of this path, in
-    // https://github.com/kata-containers/kata-containers/blob/5e46f814dd79ab6b34588a83825260413839735a/src/runtime/virtcontainers/fs_share_linux.go#L305
-    // In Rust, Path::file_name() has a similar behavior.
-    let path = Path::new(&yaml_mount.mountPath);
-    let mount_path = path.file_name().unwrap().to_str().unwrap();
-
-    let source = format!("$(sfprefix){mount_path}$");
+    let source = "$(sfprefix)[a-zA-Z0-9_.-]+$".to_string();
 
     let dest = yaml_mount.mountPath.clone();
     let type_ = "bind".to_string();

src/tools/genpolicy/src/settings.rs

@@ -31,7 +31,6 @@ pub struct Settings {
 /// Volume settings loaded from genpolicy-settings.json.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Volumes {
-    pub emptyDir: EmptyDirVolume,
     pub emptyDir_memory: EmptyDirVolume,
     pub configMap: ConfigMapVolume,
     pub image_volume: ImageVolume,

src/tools/genpolicy/src/yaml.rs

@@ -304,7 +304,6 @@ pub fn get_container_mounts_and_storages(
                             storages,
                             volume,
                             volume_mount,
-                            &podSpec.securityContext,
                         );
                     }
                 }

src/tools/kata-ctl/Cargo.lock

@@ -3349,9 +3349,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv"
-version = "0.7.46"
+version = "0.7.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2297bf9c81a3f0dc96bc9521370b88f054168c29826a75e89c55ff196e7ed6a1"
+checksum = "5cba464629b3394fc4dbc6f940ff8f5b4ff5c7aef40f29166fd4ad12acbc99c0"
 dependencies = [
  "bitvec",
  "bytecheck",
@@ -3367,9 +3367,9 @@ dependencies = [
 
 [[package]]
 name = "rkyv_derive"
-version = "0.7.46"
+version = "0.7.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84d7b42d4b8d06048d3ac8db0eb31bcb942cbeb709f0b5f2b2ebde398d3038f5"
+checksum = "a7dddfff8de25e6f62b9d64e6e432bf1c6736c57d20323e15ee10435fbda7c65"
 dependencies = [
  "proc-macro2",
  "quote",

tests/gha-run-k8s-common.sh

@@ -9,6 +9,8 @@ source "${tests_dir}/common.bash"
 kubernetes_dir="${tests_dir}/integration/kubernetes"
 helm_chart_dir="${repo_root_dir}/tools/packaging/kata-deploy/helm-chart/kata-deploy"
 
+AZ_REGION="${AZ_REGION:-eastus}"
+AZ_NODEPOOL_TAGS="${AZ_NODEPOOL_TAGS:-}"
 GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-oci-distribution}"
 GH_PR_NUMBER="${GH_PR_NUMBER:-}"
 HELM_DEFAULT_INSTALLATION="${HELM_DEFAULT_INSTALLATION:-false}"
@@ -111,7 +113,7 @@ function create_cluster() {
 		"GENPOLICY_PULL_METHOD=${GENPOLICY_PULL_METHOD:0:1}")
 
 	az group create \
-		-l eastus \
+		-l "${AZ_REGION}" \
 		-n "${rg}"
 
 	# Required by e.g. AKS App Routing for KBS installation.
@@ -129,7 +131,8 @@ function create_cluster() {
 		--node-count 1 \
 		--generate-ssh-keys \
 		--tags "${tags[@]}" \
-		$([[ "${KATA_HOST_OS}" = "cbl-mariner" ]] && echo "--os-sku AzureLinux --workload-runtime KataVmIsolation")
+		$([[ "${KATA_HOST_OS}" = "cbl-mariner" ]] && echo "--os-sku AzureLinux --workload-runtime KataVmIsolation") \
+		$([ -n "${AZ_NODEPOOL_TAGS}" ] && echo "--nodepool-tags "${AZ_NODEPOOL_TAGS}"")
 }
 
 function install_bats() {

tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats

@@ -12,7 +12,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	[ "$(uname -m)" == "aarch64" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10928"
 	[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
-	[[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "See: https://github.com/kata-containers/kata-containers/issues/12492"
+	[[ "${KATA_HYPERVISOR}" == qemu-tdx ]] && skip "See: https://github.com/kata-containers/kata-containers/issues/12492"
 
 	setup_common || die "setup_common failed"
 
@@ -53,7 +53,6 @@ setup() {
 teardown() {
 	[ "$(uname -m)" == "aarch64" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10928"
 	[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
-	[[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "See: https://github.com/kata-containers/kata-containers/issues/12492"
 
 	for pod in "${pods[@]}"; do
 		kubectl logs ${pod}

tests/integration/kubernetes/tests_common.sh

@@ -37,6 +37,8 @@ K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
 
 AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-}"
 GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-}"
+GENPOLICY_BINARY="${GENPOLICY_BINARY:-"/opt/kata/bin/genpolicy"}"
+GENPOLICY_SETTINGS_DIR="${GENPOLICY_SETTINGS_DIR:-"/opt/kata/share/defaults/kata-containers"}"
 KATA_HYPERVISOR="${KATA_HYPERVISOR:-}"
 KATA_HOST_OS="${KATA_HOST_OS:-}"
 
@@ -191,12 +193,11 @@ adapt_common_policy_settings() {
 # and change these settings to use Kata CI cluster's default namespace.
 create_common_genpolicy_settings() {
 	declare -r genpolicy_settings_dir="$1"
-	declare -r default_genpolicy_settings_dir="/opt/kata/share/defaults/kata-containers"
 
 	auto_generate_policy_enabled || return 0
 
-	cp "${default_genpolicy_settings_dir}/genpolicy-settings.json" "${genpolicy_settings_dir}"
-	cp "${default_genpolicy_settings_dir}/rules.rego" "${genpolicy_settings_dir}"
+	cp "${GENPOLICY_SETTINGS_DIR}/genpolicy-settings.json" "${genpolicy_settings_dir}"
+	cp "${GENPOLICY_SETTINGS_DIR}/rules.rego" "${genpolicy_settings_dir}"
 
 	adapt_common_policy_settings "${genpolicy_settings_dir}"
 }
@@ -247,7 +248,7 @@ auto_generate_policy_no_added_flags() {
 	declare -r additional_flags="${4:-""}"
 
 	auto_generate_policy_enabled || return 0
-	local genpolicy_command="RUST_LOG=info /opt/kata/bin/genpolicy -u -y ${yaml_file}"
+	local genpolicy_command="RUST_LOG=info ${GENPOLICY_BINARY} -u -y ${yaml_file}"
 	genpolicy_command+=" -p ${settings_dir}/rules.rego"
 	genpolicy_command+=" -j ${settings_dir}/genpolicy-settings.json"
 

tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh

@@ -20,6 +20,7 @@ readonly BUILD_DIR="/kata-containers/tools/packaging/kata-deploy/local-build/bui
 script_dir="$(dirname "$(readlink -f "$0")")"
 readonly SCRIPT_DIR="${script_dir}/nvidia"
 
+KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-}
 AGENT_POLICY="${AGENT_POLICY:-no}"
 
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:?NVIDIA_GPU_STACK must be set}

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -58,6 +58,7 @@ REPO_URL=${REPO_URL:-""}
 REPO_URL_X86_64=${REPO_URL_X86_64:-""}
 REPO_COMPONENTS=${REPO_COMPONENTS:-""}
 
+KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-""}
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-""}
 BUILD_VARIANT=${BUILD_VARIANT:-""}
 
@@ -581,6 +582,7 @@ build_rootfs_distro()
 			--env AGENT_POLICY="${AGENT_POLICY}" \
 			--env CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST}" \
 			--env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \
+			--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 			-v "${repo_dir}":"/kata-containers" \
 			-v "${ROOTFS_DIR}":"/rootfs" \
 			-v "${script_dir}/../scripts":"/scripts" \

tools/packaging/kata-deploy/binary/src/runtime/containerd.rs

@@ -25,33 +25,19 @@ struct ContainerdRuntimeParams {
     snapshotter: Option<String>,
 }
 
-/// Plugin ID for CRI runtime in containerd config v3 (version = 3).
-const CONTAINERD_V3_RUNTIME_PLUGIN_ID: &str = "\"io.containerd.cri.v1.runtime\"";
-/// Plugin ID for CRI in containerd config v2 (version = 2).
-const CONTAINERD_V2_CRI_PLUGIN_ID: &str = "\"io.containerd.grpc.v1.cri\"";
-/// Legacy plugin key when config has no version (pre-v2).
-const CONTAINERD_LEGACY_CRI_PLUGIN_ID: &str = "cri";
-/// Plugin ID for CRI images in containerd config v3 (version = 3).
-const CONTAINERD_CRI_IMAGES_PLUGIN_ID: &str = "\"io.containerd.cri.v1.images\"";
-
 fn get_containerd_pluginid(config_file: &str) -> Result<&'static str> {
     let content = fs::read_to_string(config_file)
         .with_context(|| format!("Failed to read containerd config file: {}", config_file))?;
 
     if content.contains("version = 3") {
-        Ok(CONTAINERD_V3_RUNTIME_PLUGIN_ID)
+        Ok("\"io.containerd.cri.v1.runtime\"")
     } else if content.contains("version = 2") {
-        Ok(CONTAINERD_V2_CRI_PLUGIN_ID)
+        Ok("\"io.containerd.grpc.v1.cri\"")
     } else {
-        Ok(CONTAINERD_LEGACY_CRI_PLUGIN_ID)
+        Ok("cri")
     }
 }
 
-/// True when the containerd config is v3 (version = 3), i.e. we use the split CRI plugins.
-fn is_containerd_v3_config(pluginid: &str) -> bool {
-    pluginid == CONTAINERD_V3_RUNTIME_PLUGIN_ID
-}
-
 fn get_containerd_output_path(paths: &ContainerdPaths) -> PathBuf {
     if paths.use_drop_in {
         if paths.drop_in_file.starts_with("/etc/containerd/") {
@@ -109,26 +95,6 @@ fn write_containerd_runtime_config(
             &format!("{runtime_table}.snapshotter"),
             snapshotter,
         )?;
-        // In containerd config v3 the CRI plugin is split into runtime and images,
-        // and setting the snapshotter only on the runtime plugin is not enough for image
-        // pull/prepare.
-        //
-        // The images plugin must have runtime_platform.<runtime>.snapshotter so it
-        // uses the correct snapshotter per runtime (e.g. nydus, erofs).
-        //
-        // A PR on the containerd side is open so we can rely on the runtime plugin
-        // snapshotter alone: https://github.com/containerd/containerd/pull/12836
-        if is_containerd_v3_config(pluginid) {
-            toml_utils::set_toml_value(
-                config_file,
-                &format!(
-                    ".plugins.{}.runtime_platform.\"{}\".snapshotter",
-                    CONTAINERD_CRI_IMAGES_PLUGIN_ID,
-                    params.runtime_name
-                ),
-                snapshotter,
-            )?;
-        }
     }
 
     Ok(())
@@ -266,7 +232,6 @@ pub async fn configure_custom_containerd_runtime(
     };
 
     write_containerd_runtime_config(&configuration_file, pluginid, &params)?;
-
     Ok(())
 }
 

tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml

@@ -117,9 +117,8 @@ shims:
     runtimeClass:
       # This label is automatically added by gpu-operator. Override it
       # if you want to use a different label.
-      # Uncomment once GPU Operator v26.3 is out
-      # nodeSelector:
-        # nvidia.com/cc.ready.state: "false"
+      nodeSelector:
+        nvidia.com/cc.ready.state: "false"
 
   qemu-nvidia-gpu-snp:
     enabled: ~
@@ -140,8 +139,7 @@ shims:
       # If you don't have NFD, you need to add the snp label by other
       # means to your SNP nodes.
       nodeSelector:
-        # Uncomment once GPU Operator v26.3 is out
-        # nvidia.com/cc.ready.state: "true"
+        nvidia.com/cc.ready.state: "true"
         amd.feature.node.kubernetes.io/snp: "true"
 
   qemu-nvidia-gpu-tdx:
@@ -163,8 +161,7 @@ shims:
       # If you don't have NFD, you need to add the tdx label by other
       # means to your TDX nodes.
       nodeSelector:
-        # Uncomment once GPU Operator v26.3 is out
-        # nvidia.com/cc.ready.state: "true"
+        nvidia.com/cc.ready.state: "true"
         intel.feature.node.kubernetes.io/tdx: "true"
 
   qemu-snp:

tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh

@@ -103,6 +103,7 @@ MEASURED_ROOTFS="${MEASURED_ROOTFS:-no}"
 USE_CACHE="${USE_CACHE:-}"
 BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-}
 NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}"
+KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-}
 GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
 EXTRA_PKGS="${EXTRA_PKGS:-}"
 REPO_URL="${REPO_URL:-}"
@@ -143,6 +144,7 @@ docker run \
 	--env USE_CACHE="${USE_CACHE}" \
 	--env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \
 	--env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \
+	--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 	--env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \
 	--env EXTRA_PKGS="${EXTRA_PKGS}" \
 	--env REPO_URL="${REPO_URL}" \

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -57,6 +57,7 @@ AGENT_POLICY="${AGENT_POLICY:-yes}"
 TARGET_BRANCH="${TARGET_BRANCH:-main}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}"
 RELEASE="${RELEASE:-"no"}"
+KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN:-}"
 RUNTIME_CHOICE="${RUNTIME_CHOICE:-both}"
 KERNEL_DEBUG_ENABLED=${KERNEL_DEBUG_ENABLED:-"no"}
 INIT_DATA="${INIT_DATA:-yes}"

tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh

@@ -23,21 +23,23 @@ pushd ${KATA_DEPLOY_DIR}
 
 arch=$(uname -m)
 [ "$arch" = "x86_64" ] && arch="amd64"
-# Single platform so each job pushes one architecture; attestations (provenance/SBOM)
-# are kept by default, making the tag an image index (manifest list).
-PLATFORM="linux/${arch}"
 IMAGE_TAG="${REGISTRY}:kata-containers-$(git rev-parse HEAD)-${arch}"
 
-echo "Building the image (with provenance and SBOM attestations)"
-docker buildx build --platform "${PLATFORM}" \
-	--tag "${IMAGE_TAG}" --push .
+echo "Building the image"
+docker build --tag ${IMAGE_TAG} .
+
+echo "Pushing the image to the registry"
+docker push ${IMAGE_TAG}
 
 if [ -n "${TAG}" ]; then
 	ADDITIONAL_TAG="${REGISTRY}:${TAG}"
 
 	echo "Building the ${ADDITIONAL_TAG} image"
-	docker buildx build --platform "${PLATFORM}" \
-		--tag "${ADDITIONAL_TAG}" --push .
+
+	docker build --tag ${ADDITIONAL_TAG} .
+
+	echo "Pushing the image ${ADDITIONAL_TAG} to the registry"
+	docker push ${ADDITIONAL_TAG}
 fi
 
 popd

tools/packaging/kernel/build-kernel.sh

@@ -31,6 +31,7 @@ readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.con
 # xPU vendor
 readonly VENDOR_INTEL="intel"
 readonly VENDOR_NVIDIA="nvidia"
+readonly KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-""}
 readonly KERNEL_DEBUG_ENABLED=${KERNEL_DEBUG_ENABLED:-"no"}
 
 #Path to kernel directory
@@ -312,6 +313,13 @@ get_kernel_frag_path() {
 		all_configs="${all_configs} ${tmpfs_configs}"
 	fi
 
+	if [[ "${KBUILD_SIGN_PIN}" != "" ]]; then
+		info "Enabling config for module signing"
+		local sign_configs
+		sign_configs="$(ls ${common_path}/signing/module_signing.conf)"
+		all_configs="${all_configs} ${sign_configs}"
+	fi
+
 	if [[ ${KERNEL_DEBUG_ENABLED} == "yes" ]]; then
 		info "Enable kernel debug"
 		local debug_configs="$(ls ${common_path}/common/debug.conf)"
@@ -534,6 +542,16 @@ build_kernel_headers() {
 	if [ "$linux_headers" == "rpm" ]; then
 		make -j $(nproc) rpm-pkg ARCH="${arch_target}"
 	fi
+	# If we encrypt the key earlier it will break the kernel_headers build.
+	# At this stage the kernel has created the certs/signing_key.pem
+	# encrypt it for later usage in another job or out-of-tree build
+	# only encrypt if we have KBUILD_SIGN_PIN set
+	local key="certs/signing_key.pem"
+	if [ -n "${KBUILD_SIGN_PIN}" ]; then
+		[ -e "${key}" ] || die "${key} missing but KBUILD_SIGN_PIN is set"
+		openssl rsa -aes256 -in ${key} -out ${key} -passout env:KBUILD_SIGN_PIN
+	fi
+
 	popd >>/dev/null
 }
 

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-181
+180

tools/packaging/release/release.sh

@@ -144,16 +144,15 @@ function _publish_multiarch_manifest()
 	_check_required_env_var "KATA_DEPLOY_IMAGE_TAGS"
 	_check_required_env_var "KATA_DEPLOY_REGISTRIES"
 
-	# Per-arch tags may be image indexes (image + attestations). Use buildx imagetools create
-	# so we can merge them; legacy "docker manifest create" rejects manifest list sources.
-	# imagetools create pushes the new manifest list to --tag by default (no separate push).
 	for registry in "${REGISTRIES[@]}"; do
 		for tag in "${IMAGE_TAGS[@]}"; do
-			docker buildx imagetools create --tag "${registry}:${tag}" \
-				"${registry}:${tag}-amd64" \
-				"${registry}:${tag}-arm64" \
-				"${registry}:${tag}-s390x" \
-				"${registry}:${tag}-ppc64le"
+			docker manifest create ${registry}:${tag} \
+				--amend ${registry}:${tag}-amd64 \
+				--amend ${registry}:${tag}-arm64 \
+				--amend ${registry}:${tag}-s390x \
+				--amend ${registry}:${tag}-ppc64le
+
+			docker manifest push ${registry}:${tag}
 		done
 	done
 }

tools/packaging/static-build/agent/Dockerfile

@@ -30,7 +30,6 @@ RUN apt-get update && \
 		curl \
 		g++ \
 		gcc \
-		gnupg \
 		libprotobuf-dev \
 		libssl-dev \
 		make \

tools/packaging/static-build/kernel/build.sh

@@ -26,6 +26,7 @@ DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
 container_image="${KERNEL_CONTAINER_BUILDER:-$(get_kernel_image_name)}"
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN:-}"
 kernel_builder_args="-a ${ARCH:-} $*"
 KERNEL_DEBUG_ENABLED=${KERNEL_DEBUG_ENABLED:-"no"}
 
@@ -68,6 +69,7 @@ container_build+=" --build-arg ARCH=${ARCH:-}"
 "${container_engine}" run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${PWD}" \
 	--env KERNEL_DEBUG_ENABLED="${KERNEL_DEBUG_ENABLED}" \
+	--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 	--user "$(id -u)":"$(id -g)" \
 	"${container_image}" \
 	bash -c "${kernel_builder} ${kernel_builder_args} setup"
@@ -89,6 +91,7 @@ container_build+=" --build-arg ARCH=${ARCH:-}"
 	-w "${PWD}" \
 	--env DESTDIR="${DESTDIR}" --env PREFIX="${PREFIX}" \
 	--env USER="${USER}" \
+	--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
 	--user "$(id -u)":"$(id -g)" \
 	"${container_image}" \
 	bash -c "${kernel_builder} ${kernel_builder_args} build-headers"