DO NOT MERGE: CI test

Test of the ci-devel pipeline

.github/actionlint.yaml

@@ -10,11 +10,6 @@ self-hosted-runner:
     - amd64-nvidia-a100
     - amd64-nvidia-h100-snp
     - arm64-k8s
-    - containerd-v1.7-overlayfs
-    - containerd-v2.0-overlayfs
-    - containerd-v2.1-overlayfs
-    - containerd-v2.2
-    - containerd-v2.2-overlayfs
     - garm-ubuntu-2004
     - garm-ubuntu-2004-smaller
     - garm-ubuntu-2204
@@ -25,6 +20,7 @@ self-hosted-runner:
     - ppc64le-k8s
     - ppc64le-small
     - ubuntu-24.04-ppc64le
+    - ubuntu-24.04-s390x
     - metrics
     - riscv-builder
     - sev-snp

.github/workflows/basic-ci-amd64.yaml

@@ -147,9 +147,18 @@ jobs:
           name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
           path: kata-artifacts
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
       - name: Install kata
         run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts
 
+      - name: Install kata-tools
+        run: bash tests/integration/nydus/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Run nydus tests
         timeout-minutes: 10
         run: bash tests/integration/nydus/gha-run.sh run
@@ -367,8 +376,16 @@ jobs:
           name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
           path: kata-artifacts
 
-      - name: Install kata
-        run: bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata & kata-tools
+        run: | 
+          bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
+          bash tests/functional/kata-agent-apis/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Run kata agent api tests with agent-ctl
         run: bash tests/functional/kata-agent-apis/gha-run.sh run

.github/workflows/build-checks.yaml

@@ -12,7 +12,12 @@ name: Build checks
 jobs:
   check:
     name: check
-    runs-on: ${{ matrix.runner || inputs.instance }}
+    runs-on: >-
+      ${{
+        ( contains(inputs.instance, 's390x') && matrix.component.name == 'runtime' ) && 's390x' ||
+        ( contains(inputs.instance, 'ppc64le') && (matrix.component.name == 'runtime' || matrix.component.name == 'agent') ) && 'ppc64le' ||
+        inputs.instance
+      }}
     strategy:
       fail-fast: false
       matrix:
@@ -70,36 +75,6 @@ jobs:
               - protobuf-compiler
         instance:
           - ${{ inputs.instance }} 
-        include:
-          - component:
-              name: runtime
-              path: src/runtime
-              needs:
-                - golang
-                - XDG_RUNTIME_DIR
-            instance: ubuntu-24.04-s390x
-            runner: s390x
-          - component:
-              name: runtime
-              path: src/runtime
-              needs:
-                - golang
-                - XDG_RUNTIME_DIR
-            instance: ubuntu-24.04-ppc64le
-            runner: ppc64le
-          - component:
-              name: agent
-              path: src/agent
-              needs:
-                - rust
-                - libdevmapper
-                - libseccomp
-                - protobuf-compiler
-                - clang
-            instance: ubuntu-24.04-ppc64le
-            runner: ppc64le
-
-             
 
     steps:
       - name: Adjust a permission for repo

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -41,16 +41,11 @@ jobs:
       matrix:
         asset:
           - agent
-          - agent-ctl
           - busybox
           - cloud-hypervisor
           - cloud-hypervisor-glibc
           - coco-guest-components
-          - csi-kata-directvolume
           - firecracker
-          - genpolicy
-          - kata-ctl
-          - kata-manager
           - kernel
           - kernel-confidential
           - kernel-dragonball-experimental
@@ -63,7 +58,6 @@ jobs:
           - qemu
           - qemu-snp-experimental
           - qemu-tdx-experimental
-          - trace-forwarder
           - virtiofsd
         stage:
           - ${{ inputs.stage }}
@@ -171,6 +165,8 @@ jobs:
           - rootfs-image
           - rootfs-image-confidential
           - rootfs-image-mariner
+          - rootfs-image-nvidia-gpu
+          - rootfs-image-nvidia-gpu-confidential
           - rootfs-initrd
           - rootfs-initrd-confidential
           - rootfs-initrd-nvidia-gpu
@@ -362,3 +358,104 @@ jobs:
           path: kata-static.tar.zst
           retention-days: 15
           if-no-files-found: error
+
+  build-tools-asset:
+    name: build-tools-asset
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        asset:
+          - agent-ctl
+          - csi-kata-directvolume
+          - genpolicy
+          - kata-ctl
+          - kata-manager
+          - trace-forwarder
+        stage:
+          - ${{ inputs.stage }}
+    steps:
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.push-to-registry == 'yes' }}
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0 # This is needed in order to keep the commit ids history
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Build ${{ matrix.asset }}
+        id: build
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
+          ARTEFACT_REGISTRY: ghcr.io
+          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
+          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
+          path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
+  create-kata-tools-tarball:
+    name: create-kata-tools-tarball
+    runs-on: ubuntu-22.04
+    needs: [build-tools-asset]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+      - name: get-artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: kata-tools-artifacts-amd64-*${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+          merge-multiple: true
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
+        env:
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: store-artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-static.tar.zst
+          retention-days: 15
+          if-no-files-found: error

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -150,6 +150,7 @@ jobs:
       matrix:
         asset:
           - rootfs-image
+          - rootfs-image-nvidia-gpu
           - rootfs-initrd
           - rootfs-initrd-nvidia-gpu
     steps:

.github/workflows/build-kata-static-tarball-ppc64le.yaml

@@ -32,7 +32,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     strategy:
       matrix:
         asset:
@@ -89,7 +89,7 @@ jobs:
 
   build-asset-rootfs:
     name: build-asset-rootfs
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: build-asset
     permissions:
       contents: read
@@ -170,7 +170,7 @@ jobs:
 
   build-asset-shim-v2:
     name: build-asset-shim-v2
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
       contents: read
@@ -230,7 +230,7 @@ jobs:
 
   create-kata-tarball:
     name: create-kata-tarball
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
     permissions:
       contents: read

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -32,7 +32,7 @@ permissions: {}
 jobs:
   build-asset:
     name: build-asset
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     permissions:
       contents: read
       packages: write
@@ -257,7 +257,7 @@ jobs:
 
   build-asset-shim-v2:
     name: build-asset-shim-v2
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
     permissions:
       contents: read
@@ -319,7 +319,7 @@ jobs:
 
   create-kata-tarball:
     name: create-kata-tarball
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     needs:
       - build-asset
       - build-asset-rootfs

.github/workflows/ci-nightly-rust.yaml

@@ -0,0 +1,36 @@
+name: Kata Containers Nightly CI (Rust)
+on:
+  schedule:
+    - cron: '0 1 * * *' # Run at 1 AM UTC (1 hour after script-based nightly)
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  kata-containers-ci-on-push-rust:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    uses: ./.github/workflows/ci.yaml
+    with:
+      commit-hash: ${{ github.sha }}
+      pr-number: "nightly-rust"
+      tag: ${{ github.sha }}-nightly-rust
+      target-branch: ${{ github.ref_name }}
+      build-type: "rust" # Use Rust-based build
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AZ_APPID: ${{ secrets.AZ_APPID }}
+      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
+      ITA_KEY: ${{ secrets.ITA_KEY }}
+      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+

.github/workflows/ci.yaml

@@ -19,6 +19,11 @@ on:
         required: false
         type: string
         default: no
+      build-type:
+        description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
+        required: false
+        type: string
+        default: ""
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -72,6 +77,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
       runner: ubuntu-22.04
       arch: amd64
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -104,6 +110,7 @@ jobs:
       target-branch: ${{ inputs.target-branch }}
       runner: ubuntu-24.04-arm
       arch: arm64
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -147,8 +154,9 @@ jobs:
       tag: ${{ inputs.tag }}-s390x
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: s390x
+      runner: ubuntu-24.04-s390x
       arch: s390x
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -165,8 +173,9 @@ jobs:
       tag: ${{ inputs.tag }}-ppc64le
       commit-hash: ${{ inputs.commit-hash }}
       target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le-small
+      runner: ubuntu-24.04-ppc64le
       arch: ppc64le
+      build-type: ${{ inputs.build-type }}
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -233,14 +242,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64-${{ inputs.tag }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64-${{ inputs.tag }}
+          path: kata-tools-artifacts
 
-      - name: Install tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Copy binary into Docker context
         run: |
@@ -288,7 +297,7 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -304,7 +313,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
+      tag: ${{ inputs.tag }}-arm64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -314,9 +323,10 @@ jobs:
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
     with:
+      tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -338,7 +348,7 @@ jobs:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -356,7 +366,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
+      tag: ${{ inputs.tag }}-s390x${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -370,7 +380,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
+      tag: ${{ inputs.tag }}-ppc64le${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -382,7 +392,7 @@ jobs:
     with:
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
+      tag: ${{ inputs.tag }}-amd64${{ inputs.build-type == 'rust' && '-rust' || '' }}
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
@@ -473,7 +483,7 @@ jobs:
       vmm: ${{ matrix.params.vmm }}
 
   run-cri-containerd-tests-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
+    if: false
     needs: build-kata-static-tarball-arm64
     strategy:
       fail-fast: false

.github/workflows/gatekeeper.yaml

@@ -10,7 +10,9 @@ on:
       - opened
       - synchronize
       - reopened
+      - edited
       - labeled
+      - unlabeled
 
 permissions: {}
 

.github/workflows/kata-runtime-classes-sync.yaml

@@ -1,43 +0,0 @@
-name: kata-runtime-classes-sync
-
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  kata-deploy-runtime-classes-check:
-    name: kata-deploy-runtime-classes-check
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Ensure the split out runtime classes match the all-in-one file
-      run: |
-        pushd tools/packaging/kata-deploy/runtimeclasses/
-        echo "::group::Combine runtime classes"
-        for runtimeClass in $(find . -type f \( -name "*.yaml" -and -not -name "kata-runtimeClasses.yaml" \) | sort); do
-            echo "Adding ${runtimeClass} to the resultingRuntimeClasses.yaml"
-            cat "${runtimeClass}" >> resultingRuntimeClasses.yaml;
-        done
-        echo "::endgroup::"
-        echo "::group::Displaying the content of resultingRuntimeClasses.yaml"
-        cat resultingRuntimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        echo "::group::Displaying the content of kata-runtimeClasses.yaml"
-        cat kata-runtimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        diff resultingRuntimeClasses.yaml kata-runtimeClasses.yaml

.github/workflows/payload-after-push.yaml

@@ -82,6 +82,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ubuntu-22.04
       arch: amd64
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -99,6 +100,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ubuntu-24.04-arm
       arch: arm64
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -116,6 +118,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: s390x
       arch: s390x
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
@@ -133,6 +136,7 @@ jobs:
       target-branch: ${{ github.ref_name }}
       runner: ppc64le-small
       arch: ppc64le
+      build-type: "" # Use script-based build (default)
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 

.github/workflows/publish-kata-deploy-payload.yaml

@@ -30,6 +30,11 @@ on:
         description: The arch of the tarball.
         required: true
         type: string
+      build-type:
+        description: The build type for kata-deploy. Use 'rust' for Rust-based build, empty or omit for script-based (default).
+        required: false
+        type: string
+        default: ""
     secrets:
       QUAY_DEPLOYER_PASSWORD:
         required: true
@@ -50,6 +55,25 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
       - name: Rebase atop of the latest target branch
         run: |
           ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
@@ -83,8 +107,10 @@ jobs:
           REGISTRY: ${{ inputs.registry }}
           REPO: ${{ inputs.repo }}
           TAG: ${{ inputs.tag }}
+          BUILD_TYPE: ${{ inputs.build-type }}
         run: |
           ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
           "$(pwd)/kata-static.tar.zst" \
           "${REGISTRY}/${REPO}" \
-          "${TAG}"
+          "${TAG}" \
+          "${BUILD_TYPE}"

.github/workflows/release-ppc64le.yaml

@@ -31,7 +31,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: ppc64le-small
+    runs-on: ubuntu-24.04-ppc64le
     steps:
       - name: Login to Kata Containers ghcr.io
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

.github/workflows/release-s390x.yaml

@@ -35,7 +35,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: s390x
+    runs-on: ubuntu-24.04-s390x
     steps:
       - name: Login to Kata Containers ghcr.io
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0

.github/workflows/release.yaml

@@ -181,6 +181,23 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           ARCHITECTURE: ppc64le
 
+      - name: Set KATA_TOOLS_STATIC_TARBALL env var
+        run: |
+          tarball=$(pwd)/kata-tools-static.tar.zst
+          echo "KATA_TOOLS_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
+
+      - name: Download amd64 tools artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64
+
+      - name: Upload amd64 static tarball tools to GitHub
+        run: |
+          ./tools/packaging/release/release.sh upload-kata-tools-static-tarball
+        env:
+          GH_TOKEN: ${{ github.token }}
+          ARCHITECTURE: amd64
+
   upload-versions-yaml:
     name: upload-versions-yaml
     needs: release

.github/workflows/run-containerd-guest-pull-stability-tests.yaml

@@ -1,167 +0,0 @@
-name: CI | Run containerd guest pull stability tests
-on:
-  schedule:
-    - cron: "0 */1 * * *" #run every hour
-
-permissions: {}
-
-# This job relies on k8s pre-installed using kubeadm
-jobs:
-  run-containerd-guest-pull-stability-tests:
-    name: run-containerd-guest-pull-stability-tests-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
-    strategy:
-      fail-fast: false
-      matrix:
-        environment: [
-          { test-type: multi-snapshotter, containerd: v2.2 },
-          { test-type: force-guest-pull, containerd: v1.7 },
-          { test-type: force-guest-pull, containerd: v2.0 },
-          { test-type: force-guest-pull, containerd: v2.1 },
-          { test-type: force-guest-pull, containerd: v2.2 },
-        ]
-    env:
-      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
-      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
-    runs-on: containerd-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Rotate the journal
-        run: sudo journalctl --rotate --vacuum-time 1s
-
-      - name: Pull the kata-deploy image to be used
-        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
-
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' && 'nydus' || '' }}
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' }}
-          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.test-type == 'force-guest-pull' && 'qemu-coco-dev' || '' }}
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image=${img} \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
-        if: always()
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -93,14 +93,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Download Azure CLI
         uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
@@ -142,6 +142,10 @@ jobs:
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-k8s-tests-on-arm64.yaml

@@ -68,6 +68,10 @@ jobs:
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Collect artifacts ${{ matrix.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml

@@ -2,6 +2,9 @@ name: CI | Run NVIDIA GPU kubernetes tests on amd64
 on:
   workflow_call:
     inputs:
+      tarball-suffix:
+        required: true
+        type: string
       registry:
         required: true
         type: string
@@ -45,6 +48,7 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
       KUBERNETES: kubeadm
+      KBS: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
       K8S_TEST_HOST_TYPE: baremetal
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -59,6 +63,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Uninstall previous `kbs-client`
         if: matrix.environment.name != 'nvidia-gpu'
         timeout-minutes: 10
@@ -89,6 +102,11 @@ jobs:
         run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
         env:
           NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Collect artifacts ${{ matrix.environment.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -75,3 +75,7 @@ jobs:
       - name: Run tests
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -131,6 +131,10 @@ jobs:
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Delete kata-deploy
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -84,14 +84,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Log into the Azure account
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -140,6 +140,10 @@ jobs:
         timeout-minutes: 300
         run: bash tests/stability/gha-stability-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-kata-coco-tests.yaml

@@ -79,6 +79,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Deploy Kata
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
@@ -178,14 +187,14 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: get-kata-tarball
+      - name: get-kata-tools-tarball
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
 
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
 
       - name: Log into the Azure account
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -301,6 +310,15 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Remove unnecessary directories to free up space
         run: |
           sudo rm -rf /usr/local/.ghcup

.github/workflows/run-kata-deploy-tests-on-aks.yaml

@@ -102,6 +102,10 @@ jobs:
       - name: Run tests
         run: bash tests/functional/kata-deploy/gha-run.sh run-tests
 
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
       - name: Refresh OIDC token in case access token expired
         if: always()
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0

.github/workflows/run-kata-deploy-tests.yaml

@@ -85,3 +85,7 @@ jobs:
 
       - name: Run tests
         run: bash tests/functional/kata-deploy/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests

.github/workflows/static-checks-self-hosted.yaml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         instance:
           - "ubuntu-24.04-arm"
-          - "s390x"
+          - "ubuntu-24.04-s390x"
           - "ubuntu-24.04-ppc64le"
     uses: ./.github/workflows/build-checks.yaml
     with:

.gitignore

@@ -18,3 +18,4 @@ src/tools/log-parser/kata-log-parser
 tools/packaging/static-build/agent/install_libseccomp.sh
 .envrc
 .direnv
+**/.DS_Store

Cargo.toml

@@ -6,35 +6,49 @@ rust-version = "1.85.1"
 
 [workspace]
 members = [
-    # Dragonball
-    "src/dragonball",
-    "src/dragonball/dbs_acpi",
-    "src/dragonball/dbs_address_space",
-    "src/dragonball/dbs_allocator",
-    "src/dragonball/dbs_arch",
-    "src/dragonball/dbs_boot",
-    "src/dragonball/dbs_device",
-    "src/dragonball/dbs_interrupt",
-    "src/dragonball/dbs_legacy_devices",
-    "src/dragonball/dbs_pci",
-    "src/dragonball/dbs_tdx",
-    "src/dragonball/dbs_upcall",
-    "src/dragonball/dbs_utils",
-    "src/dragonball/dbs_virtio_devices",
+  # Dragonball
+  "src/dragonball",
+  "src/dragonball/dbs_acpi",
+  "src/dragonball/dbs_address_space",
+  "src/dragonball/dbs_allocator",
+  "src/dragonball/dbs_arch",
+  "src/dragonball/dbs_boot",
+  "src/dragonball/dbs_device",
+  "src/dragonball/dbs_interrupt",
+  "src/dragonball/dbs_legacy_devices",
+  "src/dragonball/dbs_pci",
+  "src/dragonball/dbs_tdx",
+  "src/dragonball/dbs_upcall",
+  "src/dragonball/dbs_utils",
+  "src/dragonball/dbs_virtio_devices",
+
+  # runtime-rs
+  "src/runtime-rs",
+  "src/runtime-rs/crates/agent",
+  "src/runtime-rs/crates/hypervisor",
+  "src/runtime-rs/crates/persist",
+  "src/runtime-rs/crates/resource",
+  "src/runtime-rs/crates/runtimes",
+  "src/runtime-rs/crates/service",
+  "src/runtime-rs/crates/shim",
+  "src/runtime-rs/crates/shim-ctl",
+  "src/runtime-rs/tests/utils",
 ]
 resolver = "2"
 
 # TODO: Add all excluded crates to root workspace
 exclude = [
-    "src/agent",
-    "src/tools",
-    "src/libs",
-    "src/runtime-rs",
+  "src/agent",
+  "src/tools",
+  "src/libs",
 
-    # We are cloning and building rust packages under
-    # "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
-    # those packages to think they are part of the kata root workspace
-    "tools/packaging/kata-deploy/local-build/build",
+  # kata-deploy binary is standalone and has its own Cargo.toml for now
+  "tools/packaging/kata-deploy/binary",
+
+  # We are cloning and building rust packages under
+  # "tools/packaging/kata-deploy/local-build/build" folder, which may mislead
+  # those packages to think they are part of the kata root workspace
+  "tools/packaging/kata-deploy/local-build/build",
 ]
 
 [workspace.dependencies]
@@ -54,6 +68,7 @@ vm-superio = "0.5.0"
 vmm-sys-util = "0.11.0"
 
 # Local dependencies from Dragonball Sandbox crates
+dragonball = { path = "src/dragonball" }
 dbs-acpi = { path = "src/dragonball/dbs_acpi" }
 dbs-address-space = { path = "src/dragonball/dbs_address_space" }
 dbs-allocator = { path = "src/dragonball/dbs_allocator" }
@@ -68,5 +83,57 @@ dbs-upcall = { path = "src/dragonball/dbs_upcall" }
 dbs-utils = { path = "src/dragonball/dbs_utils" }
 dbs-virtio-devices = { path = "src/dragonball/dbs_virtio_devices" }
 
+# Local dependencies from runtime-rs
+agent = { path = "src/runtime-rs/crates/agent" }
+hypervisor = { path = "src/runtime-rs/crates/hypervisor" }
+persist = { path = "src/runtime-rs/crates/persist" }
+resource = { path = "src/runtime-rs/crates/resource" }
+runtimes = { path = "src/runtime-rs/crates/runtimes" }
+service = { path = "src/runtime-rs/crates/service" }
+tests_utils = { path = "src/runtime-rs/tests/utils" }
+ch-config = { path = "src/runtime-rs/crates/hypervisor/ch-config" }
+common = { path = "src/runtime-rs/crates/runtimes/common" }
+linux_container = { path = "src/runtime-rs/crates/runtimes/linux_container" }
+virt_container = { path = "src/runtime-rs/crates/runtimes/virt_container" }
+wasm_container = { path = "src/runtime-rs/crates/runtimes/wasm_container" }
+
 # Local dependencies from `src/lib`
+kata-sys-util = { path = "src/libs/kata-sys-util" }
+kata-types = { path = "src/libs/kata-types", features = ["safe-path"] }
+logging = { path = "src/libs/logging" }
+protocols = { path = "src/libs/protocols", features = ["async"] }
+runtime-spec = { path = "src/libs/runtime-spec" }
+safe-path = { path = "src/libs/safe-path" }
+shim-interface = { path = "src/libs/shim-interface" }
 test-utils = { path = "src/libs/test-utils" }
+
+# Outside dependencies
+actix-rt = "2.7.0"
+anyhow = "1.0"
+async-trait = "0.1.48"
+containerd-shim = { version = "0.10.0", features = ["async"] }
+containerd-shim-protos = { version = "0.10.0", features = ["async"] }
+go-flag = "0.1.0"
+hyper = "0.14.20"
+hyperlocal = "0.8.0"
+lazy_static = "1.4"
+libc = "0.2"
+log = "0.4.14"
+netns-rs = "0.1.0"
+# Note: nix needs to stay sync'd with libs versions
+nix = "0.26.4"
+oci-spec = { version = "0.8.1", features = ["runtime"] }
+protobuf = "3.7.2"
+rand = "0.8.4"
+serde = { version = "1.0.145", features = ["derive"] }
+serde_json = "1.0.91"
+slog = "2.5.2"
+slog-scope = "4.4.0"
+strum = { version = "0.24.0", features = ["derive"] }
+tempfile = "3.19.1"
+thiserror = "1.0"
+tokio = "1.46.1"
+tracing = "0.1.41"
+tracing-opentelemetry = "0.18.0"
+ttrpc = "0.8.4"
+url = "2.5.4"

VERSION

@@ -1 +1 @@
-3.23.0
+3.24.0

ci/install_libseccomp.sh

@@ -11,6 +11,10 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "${script_dir}/../tests/common.bash"
 
+# Path to the ORAS cache helper for downloading tarballs (sourced when needed)
+# Use ORAS_CACHE_HELPER env var (set by build.sh in Docker) or fallback to repo path
+oras_cache_helper="${ORAS_CACHE_HELPER:-${script_dir}/../tools/packaging/scripts/download-with-oras-cache.sh}"
+
 # The following variables if set on the environment will change the behavior
 # of gperf and libseccomp configure scripts, that may lead this script to
 # fail. So let's ensure they are unset here.
@@ -44,6 +48,9 @@ fi
 gperf_tarball="gperf-${gperf_version}.tar.gz"
 gperf_tarball_url="${gperf_url}/${gperf_tarball}"
 
+# Use ORAS cache for gperf downloads (gperf upstream can be unreliable)
+USE_ORAS_CACHE="${USE_ORAS_CACHE:-yes}"
+
 # We need to build the libseccomp library from sources to create a static
 # library for the musl libc.
 # However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do
@@ -68,7 +75,23 @@ trap finish EXIT
 build_and_install_gperf() {
 	echo "Build and install gperf version ${gperf_version}"
 	mkdir -p "${gperf_install_dir}"
-	curl -sLO "${gperf_tarball_url}"
+
+	# Use ORAS cache if available and enabled
+	if [[ "${USE_ORAS_CACHE}" == "yes" ]] && [[ -f "${oras_cache_helper}" ]]; then
+		echo "Using ORAS cache for gperf download"
+		source "${oras_cache_helper}"
+		local cached_tarball
+		cached_tarball=$(download_component gperf "$(pwd)")
+		if [[ -f "${cached_tarball}" ]]; then
+			gperf_tarball="${cached_tarball}"
+		else
+			echo "ORAS cache download failed, falling back to direct download"
+			curl -sLO "${gperf_tarball_url}"
+		fi
+	else
+		curl -sLO "${gperf_tarball_url}"
+	fi
+
 	tar -xf "${gperf_tarball}"
 	pushd "gperf-${gperf_version}"
 	# Unset $CC for configure, we will always use native for gperf

docs/README.md

@@ -83,3 +83,7 @@ Documents that help to understand and contribute to Kata Containers.
 If you have a suggestion for how we can improve the
 [website](https://katacontainers.io), please raise an issue (or a PR) on
 [the repository that holds the source for the website](https://github.com/OpenStackweb/kata-netlify-refresh).
+
+### Toolchain Guidance
+
+* [Toolchain Guidance](./Toochain-Guidance.md)

docs/Toochain-Guidance.md

@@ -0,0 +1,39 @@
+# Toolchains
+
+As a community we want to strike a balance between having up-to-date toolchains, to receive the
+latest security fixes and to be able to benefit from new features and packages, whilst not being
+too bleeding edge and disrupting downstream and other consumers. As a result we have the following
+guidelines (note, not hard rules) for our go and rust toolchains that we are attempting to try out:
+
+## Go toolchain
+
+Go is released [every six months](https://go.dev/wiki/Go-Release-Cycle) with support for the
+[last two major release versions](https://go.dev/doc/devel/release#policy). We always want to
+ensure that we are on a supported version so we receive security fixes. To try and make
+things easier for some of our users, we aim to be using the older of the two supported major
+versions, unless there is a compelling reason to adopt the newer version.
+
+In practice this means that we bump our major version of the go toolchain every six months to
+version (1.x-1) in response to a new version (1.x) coming out, which makes our current version
+(1.x-2) no longer supported. We will bump the minor version whenever required to satisfy
+dependency updates, or security fixes.
+
+Our go toolchain version is recorded in [`versions.yaml`](../versions.yaml) under
+`.languages.golang.version` and should match with the version in our `go.mod` files.
+
+## Rust toolchain
+
+Rust has a [six week](https://doc.rust-lang.org/book/appendix-05-editions.html#:~:text=The%20Rust%20language%20and%20compiler,these%20tiny%20changes%20add%20up.)
+release cycle and they only support the latest stable release, so if we wanted to remain on a
+supported release we would only ever build with the latest stable and bump every 6 weeks.
+However feedback from our community has indicated that this is a challenge as downstream consumers
+often want to get rust from their distro, or downstream fork and these struggle to keep up with
+the six week release schedule. As a result the community has agreed to try out a policy of
+"stable-2", where we aim to build with a rust version that is two versions behind the latest stable
+version.
+
+In practice this should mean that we bump our rust toolchain every six weeks, to version
+1.x-2 when 1.x is released as stable and we should be picking up the latest point release
+of that version, if there were any.
+
+The rust-toolchain that we are using is recorded in [`rust-toolchain.toml`](../rust-toolchain.toml).

docs/how-to/how-to-set-sandbox-config-kata.md

@@ -97,6 +97,8 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.use_legacy_serial` | `boolean` | uses legacy serial device for guest's console (QEMU) |
 | `io.katacontainers.config.hypervisor.default_gpus` | uint32 | the minimum number of GPUs required for the VM. Only used by remote hypervisor to help with instance selection |
 | `io.katacontainers.config.hypervisor.default_gpu_model` | string | the GPU model required for the VM. Only used by remote hypervisor to help with instance selection |
+| `io.katacontainers.config.hypervisor.block_device_num_queues` | `usize` | The number of queues to use for block devices (runtime-rs only) |
+| `io.katacontainers.config.hypervisor.block_device_queue_size` | uint32 | The size of the of the queue to use for block devices (runtime-rs only) |
 
 ## Container Options
 | Key | Value Type | Comments |

src/agent/Cargo.toml

@@ -186,7 +186,7 @@ base64 = "0.22"
 sha2 = "0.10.8"
 async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }
 
-container-device-interface = "0.1.0"
+container-device-interface = "0.1.1"
 
 [target.'cfg(target_arch = "s390x")'.dependencies]
 pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }

src/agent/src/mount.rs

@@ -88,7 +88,7 @@ pub fn baremount(
 
     let destination_str = destination.to_string_lossy();
     if let Ok(m) = get_linux_mount_info(destination_str.deref()) {
-        if m.fs_type == fs_type {
+        if m.fs_type == fs_type && !flags.contains(MsFlags::MS_REMOUNT) {
             slog_info!(logger, "{source:?} is already mounted at {destination:?}");
             return Ok(());
         }

src/agent/src/netlink.rs

@@ -401,11 +401,10 @@ impl Handle {
                 }
 
                 if let RouteAttribute::Oif(index) = attribute {
-                    route.device = self
-                        .find_link(LinkFilter::Index(*index))
-                        .await
-                        .context(format!("error looking up device {index}"))?
-                        .name();
+                    route.device = match self.find_link(LinkFilter::Index(*index)).await {
+                        Ok(link) => link.name(),
+                        Err(_) => String::new(),
+                    };
                 }
             }
 
@@ -1005,10 +1004,6 @@ mod tests {
             .expect("Failed to list routes");
 
         assert_ne!(all.len(), 0);
-
-        for r in &all {
-            assert_ne!(r.device.len(), 0);
-        }
     }
 
     #[tokio::test]

src/agent/src/rpc.rs

@@ -72,7 +72,7 @@ use crate::network::setup_guest_dns;
 use crate::passfd_io;
 use crate::pci;
 use crate::random;
-use crate::sandbox::Sandbox;
+use crate::sandbox::{Sandbox, SandboxError};
 use crate::storage::{add_storages, update_ephemeral_mounts, STORAGE_HANDLERS};
 use crate::util;
 use crate::version::{AGENT_VERSION, API_VERSION};
@@ -141,6 +141,16 @@ pub fn ttrpc_error(code: ttrpc::Code, err: impl Debug) -> ttrpc::Error {
     get_rpc_status(code, format!("{:?}", err))
 }
 
+/// Convert SandboxError to ttrpc error with appropriate code.
+/// Process not found errors map to NOT_FOUND, others to INVALID_ARGUMENT.
+fn sandbox_err_to_ttrpc(err: SandboxError) -> ttrpc::Error {
+    let code = match &err {
+        SandboxError::InitProcessNotFound | SandboxError::InvalidExecId => ttrpc::Code::NOT_FOUND,
+        SandboxError::InvalidContainerId => ttrpc::Code::INVALID_ARGUMENT,
+    };
+    ttrpc_error(code, err)
+}
+
 #[cfg(not(feature = "agent-policy"))]
 async fn is_allowed(_req: &impl serde::Serialize) -> ttrpc::Result<()> {
     Ok(())
@@ -460,7 +470,9 @@ impl AgentService {
         let mut sig: libc::c_int = req.signal as libc::c_int;
         {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
             // For container initProcess, if it hasn't installed handler for "SIGTERM" signal,
             // it will ignore the "SIGTERM" signal sent to it, thus send it "SIGKILL" signal
             // instead of "SIGTERM" to terminate it.
@@ -568,7 +580,9 @@ impl AgentService {
         let (exit_send, mut exit_recv) = tokio::sync::mpsc::channel(100);
         let exit_rx = {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
 
             p.exit_watchers.push(exit_send);
             pid = p.pid;
@@ -665,7 +679,9 @@ impl AgentService {
         let term_exit_notifier;
         let reader = {
             let mut sandbox = self.sandbox.lock().await;
-            let p = sandbox.find_container_process(cid.as_str(), eid.as_str())?;
+            let p = sandbox
+                .find_container_process(cid.as_str(), eid.as_str())
+                .map_err(sandbox_err_to_ttrpc)?;
 
             term_exit_notifier = p.term_exit_notifier.clone();
 
@@ -947,12 +963,7 @@ impl agent_ttrpc::AgentService for AgentService {
 
         let p = sandbox
             .find_container_process(cid.as_str(), eid.as_str())
-            .map_err(|e| {
-                ttrpc_error(
-                    ttrpc::Code::INVALID_ARGUMENT,
-                    format!("invalid argument: {:?}", e),
-                )
-            })?;
+            .map_err(sandbox_err_to_ttrpc)?;
 
         p.close_stdin().await;
 
@@ -970,12 +981,7 @@ impl agent_ttrpc::AgentService for AgentService {
         let mut sandbox = self.sandbox.lock().await;
         let p = sandbox
             .find_container_process(req.container_id(), req.exec_id())
-            .map_err(|e| {
-                ttrpc_error(
-                    ttrpc::Code::UNAVAILABLE,
-                    format!("invalid argument: {:?}", e),
-                )
-            })?;
+            .map_err(sandbox_err_to_ttrpc)?;
 
         let fd = p
             .term_master
@@ -2629,12 +2635,12 @@ mod tests {
             },
             TestData {
                 create_container: false,
-                result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
+                result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
                 ..Default::default()
             },
             TestData {
                 container_id: "8181",
-                result: Err(anyhow!(crate::sandbox::ERR_INVALID_CONTAINER_ID)),
+                result: Err(anyhow!(crate::sandbox::SandboxError::InvalidContainerId)),
                 ..Default::default()
             },
             TestData {

src/agent/src/sandbox.rs

@@ -32,6 +32,7 @@ use rustjail::container::BaseContainer;
 use rustjail::container::LinuxContainer;
 use rustjail::process::Process;
 use slog::Logger;
+use thiserror::Error;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 use tokio::sync::oneshot;
 use tokio::sync::Mutex;
@@ -47,7 +48,16 @@ use crate::storage::StorageDeviceGeneric;
 use crate::uevent::{Uevent, UeventMatcher};
 use crate::watcher::BindWatcher;
 
-pub const ERR_INVALID_CONTAINER_ID: &str = "Invalid container id";
+/// Errors that can occur when looking up processes in the sandbox.
+#[derive(Debug, Error)]
+pub enum SandboxError {
+    #[error("Invalid container id")]
+    InvalidContainerId,
+    #[error("Process not found: init process missing")]
+    InitProcessNotFound,
+    #[error("Process not found: invalid exec id")]
+    InvalidExecId,
+}
 
 type UeventWatcher = (Box<dyn UeventMatcher>, oneshot::Sender<Uevent>);
 
@@ -282,10 +292,14 @@ impl Sandbox {
         None
     }
 
-    pub fn find_container_process(&mut self, cid: &str, eid: &str) -> Result<&mut Process> {
+    pub fn find_container_process(
+        &mut self,
+        cid: &str,
+        eid: &str,
+    ) -> Result<&mut Process, SandboxError> {
         let ctr = self
             .get_container(cid)
-            .ok_or_else(|| anyhow!(ERR_INVALID_CONTAINER_ID))?;
+            .ok_or(SandboxError::InvalidContainerId)?;
 
         if eid.is_empty() {
             let init_pid = ctr.init_process_pid;
@@ -293,10 +307,11 @@ impl Sandbox {
                 .processes
                 .values_mut()
                 .find(|p| p.pid == init_pid)
-                .ok_or_else(|| anyhow!("cannot find init process!"));
+                .ok_or(SandboxError::InitProcessNotFound);
         }
 
-        ctr.get_process(eid).map_err(|_| anyhow!("Invalid exec id"))
+        ctr.get_process(eid)
+            .map_err(|_| SandboxError::InvalidExecId)
     }
 
     #[instrument]

src/dragonball/dbs_arch/Cargo.toml

@@ -21,6 +21,8 @@ libc = ">=0.2.39"
 
 [dev-dependencies]
 vm-memory = { workspace = true, features = ["backend-mmap"] }
+test-utils = { workspace = true }
+nix = { workspace = true }
 
 [package.metadata.docs.rs]
 all-features = true

src/dragonball/dbs_arch/src/aarch64/gic/mod.rs

@@ -205,12 +205,12 @@ pub fn create_gic(vm: &VmFd, vcpu_count: u64) -> Result<Box<dyn GICDevice>> {
 
 #[cfg(test)]
 mod tests {
-
     use super::*;
     use kvm_ioctls::Kvm;
 
     #[test]
     fn test_create_gic() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         assert!(create_gic(&vm, 1).is_ok());

src/dragonball/dbs_arch/src/aarch64/pmu.rs

@@ -150,6 +150,7 @@ mod tests {
 
     #[test]
     fn test_create_pmu() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/aarch64/regs.rs

@@ -166,9 +166,11 @@ pub fn read_mpidr(vcpu: &VcpuFd) -> Result<u64> {
 mod tests {
     use super::*;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_setup_regs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -185,6 +187,7 @@ mod tests {
 
     #[test]
     fn test_read_mpidr() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/x86_64/interrupts.rs

@@ -78,6 +78,7 @@ pub fn set_lint(vcpu: &VcpuFd) -> Result<()> {
 mod tests {
     use super::*;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
 
     const KVM_APIC_REG_SIZE: usize = 0x400;
 
@@ -100,6 +101,7 @@ mod tests {
 
     #[test]
     fn test_setlint() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         assert!(kvm.check_extension(kvm_ioctls::Cap::Irqchip));
         let vm = kvm.create_vm().unwrap();
@@ -126,6 +128,7 @@ mod tests {
 
     #[test]
     fn test_setlint_fails() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_arch/src/x86_64/regs.rs

@@ -271,6 +271,7 @@ mod tests {
     use super::*;
     use crate::x86_64::gdt::gdt_entry;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
 
     const BOOT_GDT_OFFSET: u64 = 0x500;
@@ -334,6 +335,7 @@ mod tests {
 
     #[test]
     fn test_setup_fpu() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -356,6 +358,7 @@ mod tests {
     #[test]
     #[allow(clippy::cast_ptr_alignment)]
     fn test_setup_msrs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();
@@ -384,6 +387,7 @@ mod tests {
 
     #[test]
     fn test_setup_regs() {
+        skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_boot/Cargo.toml

@@ -24,3 +24,5 @@ vm-fdt = {workspace= true}
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 device_tree = ">=1.1.0"
 dbs-device = { workspace = true }
+test-utils = { workspace = true }
+nix = { workspace = true }

src/dragonball/dbs_boot/src/aarch64/fdt.rs

@@ -399,6 +399,7 @@ mod tests {
     use device_tree::DeviceTree;
     use kvm_bindings::{kvm_vcpu_init, KVM_ARM_VCPU_PMU_V3, KVM_ARM_VCPU_PSCI_0_2};
     use kvm_ioctls::{Kvm, VcpuFd, VmFd};
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryMmap;
 
     use super::super::tests::MMIODeviceInfo;
@@ -460,6 +461,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_devices() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let dev_info: HashMap<(DeviceType, String), MMIODeviceInfo> = [
@@ -498,6 +500,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();
@@ -532,6 +535,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_initrd() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();
@@ -570,6 +574,7 @@ mod tests {
 
     #[test]
     fn test_create_fdt_with_pmu() {
+        skip_if_not_root!();
         let regions = arch_memory_regions(FDT_MAX_SIZE + 0x1000);
         let mem = GuestMemoryMmap::<()>::from_ranges(&regions).expect("Cannot initialize memory");
         let kvm = Kvm::new().unwrap();

src/dragonball/dbs_boot/src/aarch64/fdt_utils.rs

@@ -304,6 +304,7 @@ mod tests {
 
     #[test]
     fn test_fdtutils_fdt_device_info() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let gic = create_gic(&vm, 0).unwrap();

src/dragonball/dbs_boot/src/aarch64/mod.rs

@@ -68,6 +68,7 @@ pub fn initrd_load_addr<M: GuestMemory>(guest_mem: &M, initrd_size: u64) -> supe
     }
 }
 
+#[allow(missing_docs)]
 #[cfg(test)]
 pub mod tests {
     use dbs_arch::{DeviceInfoForFDT, Error as ArchError};

src/dragonball/dbs_boot/src/x86_64/mod.rs

@@ -258,6 +258,7 @@ mod tests {
 
     #[test]
     fn test_setup_page_tables() {
+        test_utils::skip_if_not_root!();
         let kvm = Kvm::new().unwrap();
         let vm = kvm.create_vm().unwrap();
         let vcpu = vm.create_vcpu(0).unwrap();

src/dragonball/dbs_interrupt/Cargo.toml

@@ -18,6 +18,10 @@ kvm-ioctls = { workspace = true, optional = true }
 libc = "0.2"
 vmm-sys-util = {workspace = true}
 
+[dev-dependencies]
+test-utils = { workspace = true }
+nix = { workspace = true }
+
 [features]
 default = ["legacy-irq", "msi-irq"]
 

src/dragonball/dbs_interrupt/src/kvm/legacy_irq.rs

@@ -220,6 +220,7 @@ impl InterruptSourceGroup for LegacyIrq {
 mod test {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     const MASTER_PIC: usize = 7;
     const SLAVE_PIC: usize = 8;
@@ -228,6 +229,7 @@ mod test {
     #[test]
     #[allow(unreachable_patterns)]
     fn test_legacy_interrupt_group() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let rounting = Arc::new(KvmIrqRouting::new(vmfd.clone()));
         let base = 0;
@@ -263,6 +265,7 @@ mod test {
 
     #[test]
     fn test_irq_routing_initialize_legacy() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 
@@ -278,6 +281,7 @@ mod test {
 
     #[test]
     fn test_routing_opt() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 
@@ -309,6 +313,7 @@ mod test {
 
     #[test]
     fn test_routing_set_routing() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         let routing = KvmIrqRouting::new(vmfd.clone());
 

src/dragonball/dbs_interrupt/src/kvm/mod.rs

@@ -271,6 +271,7 @@ pub fn from_sys_util_errno(e: vmm_sys_util::errno::Error) -> std::io::Error {
 pub(crate) mod tests {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     fn create_irq_group(
         manager: Arc<KvmIrqManager>,
@@ -306,11 +307,13 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_kvm_irq_manager() {
+        skip_if_not_root!();
         let _ = create_kvm_irq_manager();
     }
 
     #[test]
     fn test_kvm_irq_manager_opt() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         vmfd.create_irq_chip().unwrap();
         let manager = Arc::new(KvmIrqManager::new(vmfd.clone()));

src/dragonball/dbs_interrupt/src/kvm/msi_irq.rs

@@ -202,10 +202,12 @@ impl InterruptSourceGroup for MsiIrq {
 mod test {
     use super::*;
     use crate::manager::tests::create_vm_fd;
+    use test_utils::skip_if_not_root;
 
     #[test]
     #[allow(unreachable_patterns)]
     fn test_msi_interrupt_group() {
+        skip_if_not_root!();
         let vmfd = Arc::new(create_vm_fd());
         vmfd.create_irq_chip().unwrap();
 

src/dragonball/dbs_interrupt/src/manager.rs

@@ -451,6 +451,7 @@ pub(crate) mod tests {
 
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
     use crate::KvmIrqManager;
@@ -502,6 +503,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_device_interrupt_manager() {
+        skip_if_not_root!();
         let mut mgr = create_interrupt_manager();
 
         assert_eq!(mgr.mode, DeviceInterruptMode::Disabled);
@@ -537,6 +539,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_device_interrupt_manager_switch_mode() {
+        skip_if_not_root!();
         let mut mgr = create_interrupt_manager();
 
         // Can't switch working mode in enabled state.
@@ -621,6 +624,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_msi_config() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
 
         assert!(interrupt_manager.set_msi_data(512, 0).is_err());
@@ -638,6 +642,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_set_working_mode_after_activated() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = true;
         assert!(interrupt_manager
@@ -659,6 +664,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_disable2legacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -669,6 +675,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_disable2nonlegacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -679,6 +686,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_legacy2nonlegacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -692,6 +700,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_nonlegacy2legacy() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager.activated = false;
         interrupt_manager.mode = DeviceInterruptMode::Disabled;
@@ -705,6 +714,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_update() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
         interrupt_manager
             .set_working_mode(DeviceInterruptMode::GenericMsiIrq)
@@ -721,6 +731,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_get_configs() {
+        skip_if_not_root!();
         // legacy irq config
         {
             let interrupt_manager = create_interrupt_manager();
@@ -762,6 +773,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_reset_configs() {
+        skip_if_not_root!();
         let mut interrupt_manager = create_interrupt_manager();
 
         interrupt_manager.reset_configs(DeviceInterruptMode::LegacyIrq);

src/dragonball/dbs_interrupt/src/notifier.rs

@@ -235,6 +235,7 @@ mod tests {
     use super::*;
 
     use crate::{InterruptManager, InterruptSourceType};
+    use test_utils::skip_if_not_root;
 
     const VIRTIO_INTR_VRING: u32 = 0x01;
     const VIRTIO_INTR_CONFIG: u32 = 0x02;
@@ -250,6 +251,7 @@ mod tests {
     #[cfg(feature = "kvm-legacy-irq")]
     #[test]
     fn test_create_legacy_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -280,6 +282,7 @@ mod tests {
     #[cfg(feature = "kvm-msi-irq")]
     #[test]
     fn test_virtio_msi_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::kvm::tests::create_kvm_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::MsiIrq, 0, 3)

src/dragonball/dbs_pci/Cargo.toml

@@ -41,6 +41,8 @@ dbs-utils = {workspace = true}
 [dev-dependencies]
 dbs-arch = { workspace = true }
 kvm-ioctls = {workspace = true}
+test-utils = { workspace = true }
+nix = { workspace = true }
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = [

src/dragonball/dbs_pci/src/msi.rs

@@ -654,6 +654,7 @@ mod tests {
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use dbs_interrupt::KvmIrqManager;
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -735,6 +736,7 @@ mod tests {
 
     #[test]
     fn test_msi_state_struct() {
+        skip_if_not_root!();
         let flags = MSI_CTL_ENABLE | MSI_CTL_64_BITS | MSI_CTL_PER_VECTOR | 0x6 | 0x20;
         let mut cap = MsiCap::new(0xa5, flags);
 

src/dragonball/dbs_pci/src/msix.rs

@@ -361,6 +361,7 @@ mod tests {
     use dbs_device::resources::{DeviceResources, MsiIrqType, Resource};
     use dbs_interrupt::KvmIrqManager;
     use kvm_ioctls::{Kvm, VmFd};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -422,6 +423,7 @@ mod tests {
 
     #[test]
     fn test_set_msg_ctl() {
+        skip_if_not_root!();
         let mut config = MsixState::new(0x10);
         let mut intr_mgr = create_interrupt_manager();
 
@@ -452,6 +454,7 @@ mod tests {
 
     #[test]
     fn test_read_write_table() {
+        skip_if_not_root!();
         let mut intr_mgr = create_interrupt_manager();
         let mut config = MsixState::new(0x10);
 

src/dragonball/dbs_pci/src/virtio_pci.rs

@@ -1159,11 +1159,12 @@ impl<
 #[cfg(test)]
 pub(crate) mod tests {
     #[cfg(target_arch = "aarch64")]
-    use arch::aarch64::gic::create_gic;
+    use dbs_arch::gic::create_gic;
     use dbs_device::resources::MsiIrqType;
     use dbs_interrupt::kvm::KvmIrqManager;
     use dbs_utils::epoll_manager::EpollManager;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestMemoryMmap, GuestRegionMmap, GuestUsize, MmapRegion};
 
@@ -1496,6 +1497,7 @@ pub(crate) mod tests {
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
     #[test]
     fn test_virtio_pci_device_activate() {
+        skip_if_not_root!();
         let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
         assert_eq!(d.state().queues.len(), 2);
         assert!(!d.state().check_queues_valid());
@@ -1554,6 +1556,7 @@ pub(crate) mod tests {
     #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
     #[test]
     fn test_bus_device_reset() {
+        skip_if_not_root!();
         let mut d: VirtioPciDevice<_, _, _> = get_pci_device();
 
         assert_eq!(d.state().queues.len(), 2);
@@ -1578,6 +1581,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_pci_device_resources() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
 
         let resources = d.get_assigned_resources();
@@ -1595,6 +1599,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_pci_register_ioevent() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
         d.register_ioevent().unwrap();
         assert!(d.ioevent_registered.load(Ordering::SeqCst));
@@ -1616,6 +1621,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_read_bar() {
+        skip_if_not_root!();
         let d: VirtioPciDevice<_, _, _> = get_pci_device();
         let origin_data = vec![1u8];
         // driver status

src/dragonball/dbs_utils/Cargo.toml

@@ -22,3 +22,5 @@ vmm-sys-util = {workspace = true}
 
 [dev-dependencies]
 serde_json = "1.0.9"
+test-utils = { workspace = true }
+nix = { workspace = true }

src/dragonball/dbs_utils/src/net/tap.rs

@@ -278,6 +278,7 @@ impl AsRawFd for Tap {
     }
 }
 
+#[cfg(test)]
 mod tests {
     #![allow(dead_code)]
 
@@ -285,6 +286,7 @@ mod tests {
     use std::net::Ipv4Addr;
     use std::str;
     use std::sync::atomic::{AtomicUsize, Ordering};
+    use test_utils::skip_if_not_root;
 
     use super::*;
 
@@ -388,6 +390,7 @@ mod tests {
 
     #[test]
     fn test_tap_name() {
+        skip_if_not_root!();
         // Sanity check that the assumed max iface name length is correct.
         assert_eq!(
             IFACE_NAME_MAX_LEN,
@@ -414,11 +417,13 @@ mod tests {
 
     #[test]
     fn test_tap_partial_eq() {
+        skip_if_not_root!();
         assert_ne!(Tap::new().unwrap(), Tap::new().unwrap());
     }
 
     #[test]
     fn test_tap_configure() {
+        skip_if_not_root!();
         // `fetch_add` adds to the current value, returning the previous value.
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
 
@@ -451,6 +456,7 @@ mod tests {
 
     #[test]
     fn test_tap_enable() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         let ret = tap.enable();
         assert!(ret.is_ok());
@@ -458,6 +464,7 @@ mod tests {
 
     #[test]
     fn test_tap_get_ifreq() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         let ret = tap.get_ifreq();
         assert_eq!(
@@ -468,6 +475,7 @@ mod tests {
 
     #[test]
     fn test_raw_fd() {
+        skip_if_not_root!();
         let tap = Tap::new().unwrap();
         assert_eq!(tap.as_raw_fd(), tap.tap_file.as_raw_fd());
     }

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -50,6 +50,7 @@ vm-memory = { workspace = true, features = [
     "backend-mmap",
     "backend-atomic",
 ] }
+test-utils = { workspace = true }
 
 [features]
 virtio-mmio = []

src/dragonball/dbs_virtio_devices/src/balloon.rs

@@ -748,6 +748,7 @@ pub(crate) mod tests {
     use dbs_device::resources::DeviceResources;
     use dbs_utils::epoll_manager::SubscriberOps;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryMmap;
     use vmm_sys_util::eventfd::EventFd;
 
@@ -803,6 +804,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_virtio_device_normal() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let config = BalloonConfig {
             f_deflate_on_oom: true,
@@ -857,6 +859,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_virtio_device_active() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
 
         // check queue sizes error
@@ -923,6 +926,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_set_size() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let config = BalloonConfig {
             f_deflate_on_oom: true,
@@ -936,6 +940,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_balloon_epoll_handler();
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -968,6 +973,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_process_report_queue() {
+        skip_if_not_root!();
         let mut handler = create_balloon_epoll_handler();
         let m = &handler.config.vm_as.clone();
 
@@ -997,6 +1003,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_balloon_epoll_handler_process_queue() {
+        skip_if_not_root!();
         let mut handler = create_balloon_epoll_handler();
         let m = &handler.config.vm_as.clone();
         // invalid idx

src/dragonball/dbs_virtio_devices/src/block/device.rs

@@ -376,6 +376,7 @@ mod tests {
     use dbs_interrupt::NoopNotifier;
     use dbs_utils::rate_limiter::{TokenBucket, TokenType};
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap, GuestRegionMmap};
     use vmm_sys_util::eventfd::EventFd;
@@ -909,6 +910,7 @@ mod tests {
 
     #[test]
     fn test_block_virtio_device_active() {
+        skip_if_not_root!();
         let device_id = "dummy_device_id";
         let epoll_mgr = EpollManager::default();
 

src/dragonball/dbs_virtio_devices/src/device.rs

@@ -579,6 +579,7 @@ pub(crate) mod tests {
     };
     use dbs_utils::epoll_manager::{EventOps, Events, MutEventSubscriber};
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestMemoryAtomic, GuestMemoryMmap, GuestMemoryRegion, MmapRegion};
 
@@ -629,6 +630,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_virtio_queue_config() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -660,6 +662,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_clone_virtio_queue_config() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -698,6 +701,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_create_virtio_device_config() {
+        skip_if_not_root!();
         let mut device_config = create_virtio_device_config();
 
         device_config.notify_device_changes().unwrap();
@@ -783,6 +787,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_device() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
 
         let avail_features = 0x1234 << 32 | 0x4567;

src/dragonball/dbs_virtio_devices/src/fs/device.rs

@@ -962,6 +962,7 @@ pub mod tests {
     use std::io::Write;
     use std::path::PathBuf;
     use std::sync::Arc;
+    use test_utils::skip_if_not_root;
 
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
@@ -1187,6 +1188,7 @@ pub mod tests {
 
     #[test]
     fn test_virtio_fs_device_active() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         {
             // config queue size is not 2
@@ -1675,6 +1677,7 @@ pub mod tests {
 
     #[test]
     fn test_register_mmap_region() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(
@@ -1717,6 +1720,7 @@ pub mod tests {
 
     #[test]
     fn test_get_resource_requirements() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let dax_on = 0x4000;
@@ -1761,6 +1765,7 @@ pub mod tests {
 
     #[test]
     fn test_set_resource() {
+        skip_if_not_root!();
         let epoll_manager = EpollManager::default();
         let rate_limiter = RateLimiter::new(100, 0, 300, 10, 0, 300).unwrap();
         let mut fs: VirtioFs<Arc<GuestMemoryMmap>> = VirtioFs::new(

src/dragonball/dbs_virtio_devices/src/fs/handler.rs

@@ -503,6 +503,7 @@ pub mod tests {
     use dbs_utils::epoll_manager::EpollManager;
     use dbs_utils::epoll_manager::SubscriberOps;
     use dbs_utils::rate_limiter::TokenBucket;
+    use test_utils::skip_if_not_root;
     use vm_memory::{GuestAddress, GuestMemoryMmap};
     use vmm_sys_util::tempfile::TempFile;
 
@@ -636,6 +637,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_get_patch_rate_limiters() {
+        skip_if_not_root!();
         let mut handler = create_fs_epoll_handler(String::from("1"));
         let tokenbucket = TokenBucket::new(1, 1, 4);
 
@@ -705,6 +707,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_fs_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -740,6 +743,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_handle_unknown_event() {
+        skip_if_not_root!();
         let handler = create_fs_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -756,6 +760,7 @@ pub mod tests {
 
     #[test]
     fn test_fs_epoll_handler_process_queue() {
+        skip_if_not_root!();
         {
             let mut handler = create_fs_epoll_handler("test_1".to_string());
 

src/dragonball/dbs_virtio_devices/src/mem.rs

@@ -1345,6 +1345,7 @@ pub(crate) mod tests {
     use std::ffi::CString;
     use std::fs::File;
     use std::os::unix::io::FromRawFd;
+    use test_utils::skip_if_not_root;
 
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
@@ -1797,6 +1798,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_set_resource() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1874,6 +1876,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_activate() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -1976,6 +1979,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_virtio_device_remove() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         let id = "mem0".to_string();
         let factory = Arc::new(Mutex::new(DummyMemRegionFactory {}));
@@ -2011,6 +2015,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_mem_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -2032,6 +2037,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mem_epoll_handler_process_queue() {
+        skip_if_not_root!();
         let mut handler = create_mem_epoll_handler("test_1".to_string());
         let m = &handler.config.vm_as.clone();
         // fail to parse available descriptor chain

src/dragonball/dbs_virtio_devices/src/mmio/mmio_state.rs

@@ -609,6 +609,7 @@ where
 #[cfg(test)]
 pub(crate) mod tests {
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
 
@@ -652,6 +653,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_mmio_state_new() {
+        skip_if_not_root!();
         let mut state = get_mmio_state(false, false, 1);
 
         assert_eq!(state.queues.len(), 3);

src/dragonball/dbs_virtio_devices/src/mmio/mmio_v2.rs

@@ -494,6 +494,7 @@ where
 pub(crate) mod tests {
     use std::any::Any;
     use std::sync::Mutex;
+    use test_utils::skip_if_not_root;
 
     use byteorder::{ByteOrder, LittleEndian};
     use dbs_device::resources::{MsiIrqType, Resource, ResourceConstraint};
@@ -708,6 +709,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_virtio_mmio_v2_device_new() {
+        skip_if_not_root!();
         // test create error.
         let resources = DeviceResources::new();
         let mem = Arc::new(GuestMemoryMmap::from_ranges(&[(GuestAddress(0), 0x1000)]).unwrap());
@@ -769,6 +771,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_read() {
+        skip_if_not_root!();
         let mut d = get_mmio_device();
 
         let mut buf = vec![0xff, 0, 0xfe, 0];
@@ -894,6 +897,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_write() {
+        skip_if_not_root!();
         let mut d = get_mmio_device();
 
         let mut buf = vec![0; 5];
@@ -1023,6 +1027,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_activate() {
+        skip_if_not_root!();
         // invalid state transition should failed
         let mut d = get_mmio_device();
 
@@ -1140,6 +1145,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_bus_device_reset() {
+        skip_if_not_root!();
         let resources = get_device_resource(false, false);
         let mut d = get_mmio_device_inner(true, 0, resources);
         let mut buf = vec![0; 4];
@@ -1169,6 +1175,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmiov2_device_resources() {
+        skip_if_not_root!();
         let d = get_mmio_device();
 
         let resources = d.get_assigned_resources();
@@ -1185,6 +1192,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmio_v2_device_msi() {
+        skip_if_not_root!();
         let resources = get_device_resource(true, false);
         let mut d = get_mmio_device_inner(true, 0, resources);
 
@@ -1227,6 +1235,7 @@ pub(crate) mod tests {
 
     #[test]
     fn test_mmio_shared_memory() {
+        skip_if_not_root!();
         let resources = get_device_resource(true, true);
         let d = get_mmio_device_inner(true, 0, resources);
 

src/dragonball/dbs_virtio_devices/src/net.rs

@@ -848,6 +848,7 @@ mod tests {
     use dbs_utils::epoll_manager::SubscriberOps;
     use dbs_utils::rate_limiter::TokenBucket;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vm_memory::{GuestAddress, GuestMemoryMmap};
 
     use super::*;
@@ -900,6 +901,7 @@ mod tests {
 
     #[test]
     fn test_net_virtio_device_normal() {
+        skip_if_not_root!();
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
         let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
         let epoll_mgr = EpollManager::default();
@@ -963,6 +965,7 @@ mod tests {
 
     #[test]
     fn test_net_virtio_device_active() {
+        skip_if_not_root!();
         let epoll_mgr = EpollManager::default();
         {
             // config queue size is not 2
@@ -1112,6 +1115,7 @@ mod tests {
 
     #[test]
     fn test_net_set_patch_rate_limiters() {
+        skip_if_not_root!();
         let next_ip = NEXT_IP.fetch_add(1, Ordering::SeqCst);
         let tap = Tap::open_named(&format!("tap{next_ip}"), false).unwrap();
         let epoll_mgr = EpollManager::default();
@@ -1150,6 +1154,7 @@ mod tests {
 
     #[test]
     fn test_net_get_patch_rate_limiters() {
+        skip_if_not_root!();
         let mut handler = create_net_epoll_handler("test_1".to_string());
         let tokenbucket = TokenBucket::new(1, 1, 4);
 
@@ -1174,6 +1179,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -1212,6 +1218,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_handle_unknown_event() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();
@@ -1228,6 +1235,7 @@ mod tests {
 
     #[test]
     fn test_net_epoll_handler_process_queue() {
+        skip_if_not_root!();
         {
             let mut handler = create_net_epoll_handler("test_1".to_string());
 
@@ -1253,6 +1261,7 @@ mod tests {
 
     #[test]
     fn test_net_bandwidth_rate_limiter() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
 
         let event_fd = EventFd::new(0).unwrap();
@@ -1330,6 +1339,7 @@ mod tests {
 
     #[test]
     fn test_net_ops_rate_limiter() {
+        skip_if_not_root!();
         let handler = create_net_epoll_handler("test_1".to_string());
 
         let event_fd = EventFd::new(0).unwrap();

src/dragonball/dbs_virtio_devices/src/notifier.rs

@@ -44,9 +44,11 @@ pub fn create_queue_notifier(
 mod tests {
     use super::*;
     use dbs_interrupt::InterruptManager;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_create_virtio_legacy_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::LegacyIrq, 0, 1)
@@ -68,6 +70,7 @@ mod tests {
 
     #[test]
     fn test_create_virtio_msi_notifier() {
+        skip_if_not_root!();
         let (_vmfd, irq_manager) = crate::tests::create_vm_and_irq_manager();
         let group = irq_manager
             .create_group(InterruptSourceType::MsiIrq, 0, 3)

src/dragonball/dbs_virtio_devices/src/vhost/vhost_kern/net.rs

@@ -682,6 +682,7 @@ mod tests {
     };
     use dbs_utils::epoll_manager::SubscriberOps;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::{Queue, QueueSync};
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
     use vmm_sys_util::eventfd::EventFd;
@@ -718,6 +719,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_virtio_normal() {
+        skip_if_not_root!();
         let guest_mac_str = "11:22:33:44:55:66";
         let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
         let queue_sizes = Arc::new(vec![128]);
@@ -757,6 +759,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_virtio_activate() {
+        skip_if_not_root!();
         let guest_mac_str = "11:22:33:44:55:66";
         let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
         // Invalid queue sizes
@@ -841,6 +844,7 @@ mod tests {
 
     #[test]
     fn test_vhost_kern_net_epoll_handler_handle_event() {
+        skip_if_not_root!();
         let handler = create_vhost_kern_net_epoll_handler("test_1".to_string());
         let event_fd = EventFd::new(0).unwrap();
         let mgr = EpollManager::default();

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/block.rs

@@ -631,7 +631,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_block_virtio_device_spdk() {
-        let socket_path = "/tmp/vhost.1";
+        let socket_path = concat!("vhost.", line!());
 
         let handler = thread::spawn(move || {
             let listener = Listener::new(socket_path, true).unwrap();
@@ -692,7 +692,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_block_virtio_device_activate_spdk() {
-        let socket_path = "/tmp/vhost.2";
+        let socket_path = concat!("vhost.", line!());
 
         let handler = thread::spawn(move || {
             // create vhost user block device

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -810,7 +810,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_fs_virtio_device_normal() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let tag = "test_fs";
 
         let handler = thread::spawn(move || {
@@ -879,7 +879,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_fs_virtio_device_activate() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let tag = "test_fs";
 
         let handler = thread::spawn(move || {

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/net.rs

@@ -604,6 +604,7 @@ mod tests {
     use dbs_interrupt::{InterruptManager, InterruptSourceType, MsiNotifier, NoopNotifier};
     use dbs_utils::epoll_manager::EpollManager;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use vhost_rs::vhost_user::message::VhostUserU64;
     use vhost_rs::vhost_user::{VhostUserProtocolFeatures, VhostUserVirtioFeatures};
     use virtio_queue::QueueSync;
@@ -647,7 +648,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_virtio_device_normal() {
-        let device_socket = "/tmp/vhost.1";
+        let device_socket = concat!("vhost.", line!());
         let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
         let handler = thread::spawn(move || {
@@ -697,7 +698,8 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_virtio_device_activate() {
-        let device_socket = "/tmp/vhost.1";
+        skip_if_not_root!();
+        let device_socket = concat!("vhost.", line!());
         let queue_sizes = Arc::new(vec![128]);
         let epoll_mgr = EpollManager::default();
         let handler = thread::spawn(move || {

src/dragonball/dbs_virtio_devices/src/vsock/device.rs

@@ -208,6 +208,7 @@ mod tests {
     use dbs_device::resources::DeviceResources;
     use dbs_interrupt::NoopNotifier;
     use kvm_ioctls::Kvm;
+    use test_utils::skip_if_not_root;
     use virtio_queue::QueueSync;
     use vm_memory::{GuestAddress, GuestMemoryMmap, GuestRegionMmap};
 
@@ -243,6 +244,7 @@ mod tests {
 
     #[test]
     fn test_virtio_device() {
+        skip_if_not_root!();
         let mut ctx = TestContext::new();
         let device_features = VSOCK_AVAIL_FEATURES;
         let driver_features: u64 = VSOCK_AVAIL_FEATURES | 1 | (1 << 32);

src/dragonball/dbs_virtio_devices/src/vsock/epoll_handler.rs

@@ -310,6 +310,7 @@ where
 
 #[cfg(test)]
 mod tests {
+    use test_utils::skip_if_not_root;
     use vm_memory::{Bytes, GuestAddress, GuestMemoryMmap};
     use vmm_sys_util::epoll::EventSet;
 
@@ -320,6 +321,7 @@ mod tests {
 
     #[test]
     fn test_irq() {
+        skip_if_not_root!();
         let test_ctx = TestContext::new();
         let mut ctx = test_ctx.create_event_handler_context();
         ctx.arti_activate(&test_ctx.mem);
@@ -329,6 +331,7 @@ mod tests {
 
     #[test]
     fn test_txq_event() {
+        skip_if_not_root!();
         // Test case:
         // - the driver has something to send (there's data in the TX queue);
         //   and
@@ -411,6 +414,7 @@ mod tests {
 
     #[test]
     fn test_rxq_event() {
+        skip_if_not_root!();
         // Test case:
         // - there is pending RX data in the backend; and
         // - the driver makes RX buffers available; and
@@ -468,6 +472,7 @@ mod tests {
 
     #[test]
     fn test_backend_event() {
+        skip_if_not_root!();
         // Test case:
         // - a backend event is received; and
         // - the backend has pending RX data.
@@ -567,6 +572,7 @@ mod tests {
 
     #[test]
     fn test_vsock_bof() {
+        skip_if_not_root!();
         const GAP_SIZE: usize = 768 << 20;
         const FIRST_AFTER_GAP: usize = 1 << 32;
         const GAP_START_ADDR: usize = FIRST_AFTER_GAP - GAP_SIZE;

src/dragonball/src/device_manager/balloon_dev_mgr.rs

@@ -298,6 +298,7 @@ mod tests {
     use super::*;
     use crate::device_manager::tests::create_address_space;
     use crate::test_utils::tests::create_vm_for_test;
+    use test_utils::skip_if_not_root;
 
     impl Default for BalloonDeviceConfigInfo {
         fn default() -> Self {
@@ -330,6 +331,7 @@ mod tests {
 
     #[test]
     fn test_balloon_insert_or_update_device() {
+        skip_if_not_root!();
         //Init vm for test.
         let mut vm = create_vm_for_test();
 
@@ -354,6 +356,7 @@ mod tests {
 
     #[test]
     fn test_balloon_attach_device() {
+        skip_if_not_root!();
         //Init vm and insert balloon config for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(
@@ -393,6 +396,7 @@ mod tests {
 
     #[test]
     fn test_balloon_update_device() {
+        skip_if_not_root!();
         //Init vm for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(

src/dragonball/src/device_manager/mem_dev_mgr.rs

@@ -618,6 +618,7 @@ impl MemRegionFactory for MemoryRegionFactory {
 
 #[cfg(test)]
 mod tests {
+    use test_utils::skip_if_not_root;
     use vm_memory::GuestMemoryRegion;
 
     use super::*;
@@ -656,6 +657,7 @@ mod tests {
 
     #[test]
     fn test_mem_insert_or_update_device() {
+        skip_if_not_root!();
         // Init vm for test.
         let mut vm = create_vm_for_test();
 
@@ -681,6 +683,7 @@ mod tests {
 
     #[test]
     fn test_mem_attach_device() {
+        skip_if_not_root!();
         // Init vm and insert mem config for test.
         let mut vm = create_vm_for_test();
         let dummy_mem_device = MemDeviceConfigInfo::default();
@@ -710,6 +713,7 @@ mod tests {
 
     #[test]
     fn test_mem_create_region() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let ctx = DeviceOpContext::new(
             Some(vm.epoll_manager().clone()),

src/dragonball/src/device_manager/vhost_net_dev_mgr.rs

@@ -277,6 +277,7 @@ impl Default for VhostNetDeviceMgr {
 mod tests {
     use dbs_utils::net::MacAddr;
     use dbs_virtio_devices::Error as VirtioError;
+    use test_utils::skip_if_not_root;
 
     use crate::{
         device_manager::{
@@ -289,6 +290,7 @@ mod tests {
 
     #[test]
     fn test_create_vhost_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mgr = DeviceManager::new_test_mgr();
         let id_1 = String::from("id_1");
@@ -321,6 +323,7 @@ mod tests {
 
     #[test]
     fn test_attach_vhost_net_device() {
+        skip_if_not_root!();
         // Init vm for test.
         let mut vm = create_vm_for_test();
         let device_op_ctx = DeviceOpContext::new(
@@ -373,6 +376,7 @@ mod tests {
 
     #[test]
     fn test_insert_vhost_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
 
@@ -437,6 +441,7 @@ mod tests {
 
     #[test]
     fn test_vhost_net_insert_error_cases() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
 

src/dragonball/src/device_manager/vhost_user_net_dev_mgr.rs

@@ -219,9 +219,11 @@ impl Default for VhostUserNetDeviceMgr {
 mod tests {
     use super::*;
     use crate::test_utils::tests::create_vm_for_test;
+    use test_utils::skip_if_not_root;
 
     #[test]
     fn test_create_vhost_user_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");
@@ -249,6 +251,7 @@ mod tests {
 
     #[test]
     fn test_insert_vhost_user_net_device() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");
@@ -277,6 +280,7 @@ mod tests {
 
     #[test]
     fn test_vhost_user_net_insert_error_cases() {
+        skip_if_not_root!();
         let vm = create_vm_for_test();
         let mut mgr = DeviceManager::new_test_mgr();
         let sock_1 = String::from("id_1");

src/libs/kata-types/src/annotations/mod.rs

@@ -283,6 +283,13 @@ pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS: &str =
 pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL: &str =
     "io.katacontainers.config.hypervisor.default_gpu_model";
 
+/// Block device specific annotation for num_queues
+pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES: &str =
+    "io.katacontainers.config.hypervisor.block_device_num_queues";
+/// Block device specific annotation for queue_size
+pub const KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE: &str =
+    "io.katacontainers.config.hypervisor.block_device_queue_size";
+
 // Runtime related annotations
 /// Prefix for Runtime configurations.
 pub const KATA_ANNO_CFG_RUNTIME_PREFIX: &str = "io.katacontainers.config.runtime.";
@@ -503,6 +510,7 @@ impl Annotation {
         let u32_err = io::Error::new(io::ErrorKind::InvalidData, "parse u32 error".to_string());
         let u64_err = io::Error::new(io::ErrorKind::InvalidData, "parse u64 error".to_string());
         let i32_err = io::Error::new(io::ErrorKind::InvalidData, "parse i32 error".to_string());
+        let usize_err = io::Error::new(io::ErrorKind::InvalidData, "parse usize error".to_string());
         let hv = config.hypervisor.get_mut(hypervisor_name).ok_or_else(|| {
             io::Error::new(
                 io::ErrorKind::InvalidData,
@@ -960,7 +968,26 @@ impl Annotation {
                             return Err(u32_err);
                         }
                     },
-
+                    KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_NUM_QUEUES => {
+                        match self.get_value::<usize>(key) {
+                            Ok(v) => {
+                                hv.blockdev_info.num_queues = v.unwrap_or_default();
+                            }
+                            Err(_e) => {
+                                return Err(usize_err);
+                            }
+                        }
+                    }
+                    KATA_ANNO_CFG_HYPERVISOR_BLOCK_DEV_QUEUE_SIZE => {
+                        match self.get_value::<u32>(key) {
+                            Ok(v) => {
+                                hv.blockdev_info.queue_size = v.unwrap_or_default();
+                            }
+                            Err(_e) => {
+                                return Err(u32_err);
+                            }
+                        }
+                    }
                     _ => {
                         return Err(io::Error::new(
                             io::ErrorKind::InvalidInput,

src/libs/kata-types/src/config/hypervisor/ch.rs

@@ -85,11 +85,6 @@ impl ConfigPlugin for CloudHypervisorConfig {
             if ch.memory_info.memory_slots == 0 {
                 ch.memory_info.memory_slots = default::DEFAULT_CH_MEMORY_SLOTS;
             }
-
-            // Apply factory defaults
-            if ch.factory.template_path.is_empty() {
-                ch.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
-            }
         }
 
         Ok(())

src/libs/kata-types/src/config/hypervisor/dragonball.rs

@@ -79,11 +79,6 @@ impl ConfigPlugin for DragonballConfig {
             if db.memory_info.memory_slots == 0 {
                 db.memory_info.memory_slots = default::DEFAULT_DRAGONBALL_MEMORY_SLOTS;
             }
-
-            // Apply factory defaults
-            if db.factory.template_path.is_empty() {
-                db.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
-            }
         }
         Ok(())
     }

src/libs/kata-types/src/config/hypervisor/firecracker.rs

@@ -69,11 +69,6 @@ impl ConfigPlugin for FirecrackerConfig {
                 firecracker.memory_info.default_memory =
                     default::DEFAULT_FIRECRACKER_MEMORY_SIZE_MB;
             }
-
-            // Apply factory defaults
-            if firecracker.factory.template_path.is_empty() {
-                firecracker.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
-            }
         }
 
         Ok(())

src/libs/kata-types/src/config/hypervisor/qemu.rs

@@ -92,7 +92,6 @@ impl ConfigPlugin for QemuConfig {
                 qemu.memory_info.memory_slots = default::DEFAULT_QEMU_MEMORY_SLOTS;
             }
 
-            // Apply factory defaults
             if qemu.factory.template_path.is_empty() {
                 qemu.factory.template_path = default::DEFAULT_TEMPLATE_PATH.to_string();
             }

src/libs/kata-types/src/cpu.rs

@@ -25,6 +25,7 @@ pub enum Error {
 }
 
 /// Assigned CPU resources for a Linux container.
+/// Stores fractional vCPU allocation for more precise resource tracking.
 #[derive(Clone, Default, Debug)]
 pub struct LinuxContainerCpuResources {
     shares: u64,
@@ -32,7 +33,8 @@ pub struct LinuxContainerCpuResources {
     quota: i64,
     cpuset: CpuSet,
     nodeset: NumaNodeSet,
-    calculated_vcpu_time_ms: Option<u64>,
+    /// Calculated fractional vCPU allocation, e.g., 0.25 means 1/4 of a CPU.
+    calculated_vcpu: Option<f64>,
 }
 
 impl LinuxContainerCpuResources {
@@ -61,10 +63,10 @@ impl LinuxContainerCpuResources {
         &self.nodeset
     }
 
-    /// Get number of vCPUs to fulfill the CPU resource request, `None` means unconstrained.
-    pub fn get_vcpus(&self) -> Option<u64> {
-        self.calculated_vcpu_time_ms
-            .map(|v| v.saturating_add(999) / 1000)
+    /// Get the number of vCPUs assigned to the container as a fractional value.
+    /// Returns `None` if unconstrained (no limit).
+    pub fn get_vcpus(&self) -> Option<f64> {
+        self.calculated_vcpu
     }
 }
 
@@ -75,15 +77,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
     fn try_from(value: &oci::LinuxCpu) -> Result<Self, Self::Error> {
         let period = value.period().unwrap_or(0);
         let quota = value.quota().unwrap_or(-1);
-        let value_cpus = value.cpus().as_ref().map_or("", |cpus| cpus);
+        let value_cpus = value.cpus().as_deref().unwrap_or("");
         let cpuset = CpuSet::from_str(value_cpus).map_err(Error::InvalidCpuSet)?;
-        let value_mems = value.mems().as_ref().map_or("", |mems| mems);
+        let value_mems = value.mems().as_deref().unwrap_or("");
         let nodeset = NumaNodeSet::from_str(value_mems).map_err(Error::InvalidNodeSet)?;
 
-        // If quota is -1, it means the CPU resource request is unconstrained. In that case,
-        // we don't currently assign additional CPUs.
-        let milli_sec = if quota >= 0 && period != 0 {
-            Some((quota as u64).saturating_mul(1000) / period)
+        // Calculate fractional vCPUs:
+        // If quota >= 0 and period > 0, vCPUs = quota / period.
+        // Otherwise, if cpuset is non-empty, derive from cpuset length.
+        let vcpu_fraction = if quota >= 0 && period > 0 {
+            Some(quota as f64 / period as f64)
+        } else if !cpuset.is_empty() {
+            Some(cpuset.len() as f64)
         } else {
             None
         };
@@ -94,16 +99,18 @@ impl TryFrom<&oci::LinuxCpu> for LinuxContainerCpuResources {
             quota,
             cpuset,
             nodeset,
-            calculated_vcpu_time_ms: milli_sec,
+            calculated_vcpu: vcpu_fraction,
         })
     }
 }
 
-/// Assigned CPU resources for a Linux sandbox/pod.
+/// Aggregated CPU resources for a Linux sandbox/pod.
+/// Tracks cumulative fractional vCPU allocation across all containers in the pod.
 #[derive(Default, Debug)]
 pub struct LinuxSandboxCpuResources {
     shares: u64,
-    calculated_vcpu_time_ms: u64,
+    /// Total fractional vCPU allocation for the sandbox.
+    calculated_vcpu: f64,
     cpuset: CpuSet,
     nodeset: NumaNodeSet,
 }
@@ -122,9 +129,9 @@ impl LinuxSandboxCpuResources {
         self.shares
     }
 
-    /// Get assigned vCPU time in ms.
-    pub fn calculated_vcpu_time_ms(&self) -> u64 {
-        self.calculated_vcpu_time_ms
+    /// Return the cumulative fractional vCPU allocation for the sandbox.
+    pub fn calculated_vcpu(&self) -> f64 {
+        self.calculated_vcpu
     }
 
     /// Get the CPU set.
@@ -137,19 +144,23 @@ impl LinuxSandboxCpuResources {
         &self.nodeset
     }
 
-    /// Get number of vCPUs to fulfill the CPU resource request.
-    pub fn get_vcpus(&self) -> u64 {
-        if self.calculated_vcpu_time_ms == 0 && !self.cpuset.is_empty() {
-            self.cpuset.len() as u64
-        } else {
-            self.calculated_vcpu_time_ms.saturating_add(999) / 1000
+    /// Get the number of vCPUs for the sandbox as a fractional value.
+    /// If no quota and cpuset is defined, return cpuset length as float.
+    pub fn get_vcpus(&self) -> f64 {
+        if self.calculated_vcpu == 0.0 {
+            if !self.cpuset.is_empty() {
+                return self.cpuset.len() as f64;
+            }
+            return 0.0;
         }
+        self.calculated_vcpu
     }
 
-    /// Merge resources assigned to a container into the sandbox/pod resources.
+    /// Merge container CPU resources into this sandbox CPU resource object.
+    /// Aggregates fractional vCPU allocation and extends cpuset/nodeset.
     pub fn merge(&mut self, container_resource: &LinuxContainerCpuResources) -> &mut Self {
-        if let Some(v) = container_resource.calculated_vcpu_time_ms.as_ref() {
-            self.calculated_vcpu_time_ms += v;
+        if let Some(v) = container_resource.calculated_vcpu {
+            self.calculated_vcpu += v;
         }
         self.cpuset.extend(&container_resource.cpuset);
         self.nodeset.extend(&container_resource.nodeset);
@@ -160,16 +171,16 @@ impl LinuxSandboxCpuResources {
 #[cfg(test)]
 mod tests {
     use super::*;
+    const EPSILON: f64 = 0.0001;
 
     #[test]
     fn test_linux_container_cpu_resources() {
         let resources = LinuxContainerCpuResources::default();
 
         assert_eq!(resources.shares(), 0);
-        assert_eq!(resources.calculated_vcpu_time_ms, None);
         assert!(resources.cpuset.is_empty());
         assert!(resources.nodeset.is_empty());
-        assert!(resources.calculated_vcpu_time_ms.is_none());
+        assert!(resources.get_vcpus().is_none());
 
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
@@ -182,11 +193,20 @@ mod tests {
         assert_eq!(resources.shares(), 2048);
         assert_eq!(resources.period(), 100);
         assert_eq!(resources.quota(), 1001);
-        assert_eq!(resources.calculated_vcpu_time_ms, Some(10010));
-        assert_eq!(resources.get_vcpus().unwrap(), 11);
+
+        // Expected fractional vCPUs = quota / period
+        let expected_vcpus = 1001.0 / 100.0;
+        assert!(
+            (resources.get_vcpus().unwrap() - expected_vcpus).abs() < EPSILON,
+            "got {}, expect {}",
+            resources.get_vcpus().unwrap(),
+            expected_vcpus
+        );
+
         assert_eq!(resources.cpuset().len(), 3);
         assert_eq!(resources.nodeset().len(), 1);
 
+        // Test cpuset-only path (no quota)
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
         linux_cpu.set_cpus(Some("1".to_string()));
@@ -196,8 +216,10 @@ mod tests {
         assert_eq!(resources.shares(), 2048);
         assert_eq!(resources.period(), 0);
         assert_eq!(resources.quota(), -1);
-        assert_eq!(resources.calculated_vcpu_time_ms, None);
-        assert!(resources.get_vcpus().is_none());
+        assert!(
+            (resources.get_vcpus().unwrap() - 1.0).abs() < EPSILON,
+            "cpuset size vCPU mismatch"
+        );
         assert_eq!(resources.cpuset().len(), 1);
         assert_eq!(resources.nodeset().len(), 2);
     }
@@ -207,8 +229,7 @@ mod tests {
         let mut sandbox = LinuxSandboxCpuResources::new(1024);
 
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 0);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 0);
+        assert_eq!(sandbox.get_vcpus(), 0.0);
         assert!(sandbox.cpuset().is_empty());
         assert!(sandbox.nodeset().is_empty());
 
@@ -222,11 +243,20 @@ mod tests {
         let resources = LinuxContainerCpuResources::try_from(&linux_cpu).unwrap();
         sandbox.merge(&resources);
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 11);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
+
+        // vCPUs after merge = quota / period
+        let expected_vcpus = 1001.0 / 100.0;
+        assert!(
+            (sandbox.get_vcpus() - expected_vcpus).abs() < EPSILON,
+            "sandbox vCPU mismatch: got {}, expect {}",
+            sandbox.get_vcpus(),
+            expected_vcpus
+        );
+
         assert_eq!(sandbox.cpuset().len(), 3);
         assert_eq!(sandbox.nodeset().len(), 1);
 
+        // Merge cpuset-only container
         let mut linux_cpu = oci::LinuxCpu::default();
         linux_cpu.set_shares(Some(2048));
         linux_cpu.set_cpus(Some("1,4".to_string()));
@@ -236,8 +266,15 @@ mod tests {
         sandbox.merge(&resources);
 
         assert_eq!(sandbox.shares(), 1024);
-        assert_eq!(sandbox.get_vcpus(), 11);
-        assert_eq!(sandbox.calculated_vcpu_time_ms(), 10010);
+
+        // Expect quota-based + cpuset len (since cpuset is treated as allocation)
+        let expected_after_merge = expected_vcpus + resources.get_vcpus().unwrap();
+        assert!(
+            (sandbox.get_vcpus() - expected_after_merge).abs() < EPSILON,
+            "sandbox vCPU mismatch after cpuset merge: got {}, expect {}",
+            sandbox.get_vcpus(),
+            expected_after_merge
+        );
         assert_eq!(sandbox.cpuset().len(), 4);
         assert_eq!(sandbox.nodeset().len(), 2);
     }

src/runtime-rs/Cargo.toml

@@ -1,77 +1,31 @@
-[workspace]
-members = [
-    "crates/agent",
-    "crates/hypervisor",
-    "crates/persist",
-    "crates/resource",
-    "crates/runtimes",
-    "crates/service",
-    "crates/shim",
-    "crates/shim-ctl",
+[package]
+name = "runtime-rs"
+version = "0.1.0"
+authors = { workspace = true }
+description = "Containerd shim runtime for Kata Containers"
+keywords = ["kata-containers", "shim"]
+repository = "https://github.com/kata-containers/kata-containers.git"
+license = { workspace = true }
+edition = { workspace = true }
 
-    "tests/utils",
-]
+[[bin]]
+name = "containerd-shim-kata-v2"
+path = "crates/shim/src/bin/main.rs"
 
-[workspace.package]
-authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
-edition = "2018"
-license = "Apache-2.0"
+[[bin]]
+name = "shim-ctl"
+path = "crates/shim-ctl/src/main.rs"
 
-[workspace.dependencies]
-agent = { path = "crates/agent" }
-hypervisor = { path = "crates/hypervisor" }
-persist = { path = "crates/persist" }
-resource = { path = "crates/resource" }
-runtimes = { path = "crates/runtimes" }
-service = { path = "crates/service" }
-tests_utils = { path = "tests/utils" }
+[features]
+dragonball = ["runtimes/dragonball"]
+cloud-hypervisor = ["runtimes/cloud-hypervisor"]
 
-ch-config = { path = "crates/hypervisor/ch-config" }
-common = { path = "crates/runtimes/common" }
-linux_container = { path = "crates/runtimes/linux_container" }
-virt_container = { path = "crates/runtimes/virt_container" }
-wasm_container = { path = "crates/runtimes/wasm_container" }
-
-# Local dependencies from `src/libs`
-kata-sys-util = { path = "../libs/kata-sys-util" }
-kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
-logging = { path = "../libs/logging" }
-protocols = { path = "../libs/protocols", features = ["async"] }
-runtime-spec = { path = "../libs/runtime-spec" }
-safe-path = { path = "../libs/safe-path" }
-shim-interface = { path = "../libs/shim-interface" }
-test-utils = { path = "../libs/test-utils" }
-
-# Local dependencies from `src/dragonball`
-dragonball = { path = "../dragonball" }
-dbs-utils = { path = "../dragonball/dbs_utils" }
-
-actix-rt = "2.7.0"
-anyhow = "1.0"
-async-trait = "0.1.48"
-containerd-shim = { version = "0.10.0", features = ["async"] }
-containerd-shim-protos = { version = "0.10.0", features = ["async"] }
-go-flag = "0.1.0"
-hyper = "0.14.20"
-hyperlocal = "0.8.0"
-lazy_static = "1.4"
-libc = "0.2"
-log = "0.4.14"
-netns-rs = "0.1.0"
-# Note: nix needs to stay sync'd with libs versions
-nix = "0.26.4"
-oci-spec = { version = "0.8.1", features = ["runtime"] }
-protobuf = "3.7.2"
-rand = "0.8.4"
-serde = { version = "1.0.145", features = ["derive"] }
-serde_json = "1.0.91"
-slog = "2.5.2"
-slog-scope = "4.4.0"
-strum = { version = "0.24.0", features = ["derive"] }
-tempfile = "3.19.1"
-thiserror = "1.0"
-tokio = "1.46.1"
-tracing = "0.1.41"
-tracing-opentelemetry = "0.18.0"
-ttrpc = "0.8.4"
-url = "2.5.4"
+[dependencies]
+anyhow = { workspace = true }
+go-flag = { workspace = true }
+nix = { workspace = true }
+tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
+shim = { path = "crates/shim" }
+common = { workspace = true }
+logging = { workspace = true }
+runtimes = { workspace = true }

src/runtime-rs/Makefile

@@ -150,8 +150,8 @@ DEFMEMSLOTS := 10
 DEFMAXMEMSZ := 0
 ##VAR DEFBRIDGES=<number> Default number of bridges
 DEFBRIDGES := 0
-DEFENABLEANNOTATIONS := [\"kernel_params\"]
-DEFENABLEANNOTATIONS_COCO := [\"kernel_params\",\"cc_init_data\"]
+DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\"]
+DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
 DEFDISABLEGUESTEMPTYDIR := false
 ##VAR DEFAULTEXPFEATURES=[features] Default experimental features enabled
@@ -328,7 +328,7 @@ ifneq (,$(QEMUCMD))
     KERNELPATH_COCO = $(KERNELDIR)/$(KERNEL_NAME_COCO)
 
     # overriding options
-    DEFSTATICRESOURCEMGMT_QEMU := true
+    DEFSTATICRESOURCEMGMT_QEMU := false
 
     # qemu-specific options
     DEFSANDBOXCGROUPONLY_QEMU := false
@@ -583,7 +583,7 @@ ifneq ($(EXTRA_RUSTFEATURES),)
 endif
 
 
-TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
+TARGET_PATH = ../../target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)
 
 ##VAR DESTDIR=<path> is a directory prepended to each installed target file
 DESTDIR ?= /

src/runtime-rs/config/configuration-rs-fc.toml.in

@@ -263,20 +263,6 @@ tx_rate_limiter_max_rate = 0
 # disable applying SELinux on the VMM process (default false)
 disable_selinux = @DEFDISABLESELINUX@
 
-[factory]
-# VM templating support. Once enabled, new VMs are created from template
-# using vm cloning. They will share the same initial kernel, initramfs and
-# agent memory by mapping it readonly. It helps speeding up new container
-# creation and saves a lot of memory if there are many kata containers running
-# on the same host.
-#
-# When disabled, new VMs are created from scratch.
-#
-# Note: Requires "initrd=" to be set ("image=" is not supported).
-#
-# Default false
-enable_template = false
-
 [agent.@PROJECT_TYPE@]
 # If enabled, make the agent display debug-level messages.
 # (default: disabled)

src/runtime-rs/crates/hypervisor/src/device/driver/vfio.rs

@@ -33,6 +33,7 @@ pub const SYS_KERN_IOMMU_GROUPS: &str = "/sys/kernel/iommu_groups";
 pub const VFIO_PCI_DRIVER: &str = "vfio-pci";
 pub const DRIVER_MMIO_BLK_TYPE: &str = "mmioblk";
 pub const DRIVER_VFIO_PCI_TYPE: &str = "vfio-pci";
+pub const DRIVER_VFIO_AP_TYPE: &str = "vfio-ap";
 pub const MAX_DEV_ID_SIZE: usize = 31;
 
 const VFIO_PCI_DRIVER_NEW_ID: &str = "/sys/bus/pci/drivers/vfio-pci/new_id";
@@ -75,6 +76,7 @@ pub enum VfioBusMode {
     #[default]
     MMIO,
     PCI,
+    CCW,
 }
 
 impl VfioBusMode {
@@ -94,8 +96,12 @@ impl VfioBusMode {
 
     // driver_type used for kata-agent
     // (1) vfio-pci for add device handler,
-    // (2) mmioblk for add storage handler,
-    pub fn driver_type(mode: &str) -> &str {
+    // (2) vfio-ap for add ccw device handler,
+    // (3) mmioblk for add storage handler,
+    pub fn driver_type(bus_type: &str, mode: &str) -> &'static str {
+        if bus_type == "ccw" {
+            return DRIVER_VFIO_AP_TYPE;
+        }
         match mode {
             "b" => DRIVER_MMIO_BLK_TYPE,
             _ => DRIVER_VFIO_PCI_TYPE,
@@ -103,7 +109,7 @@ impl VfioBusMode {
     }
 }
 
-#[derive(Clone, Debug, Default)]
+#[derive(Clone, Debug, Default, PartialEq)]
 pub enum VfioDeviceType {
     /// error type of VFIO device
     Error,
@@ -112,8 +118,11 @@ pub enum VfioDeviceType {
     #[default]
     Normal,
 
-    /// mediated VFIO device type
-    Mediated,
+    /// mediated VFIO-PCI device type
+    MediatedPci,
+
+    /// mediated VFIO-AP device type
+    MediatedAp,
 }
 
 // DeviceVendorClass represents a PCI device's deviceID, vendorID and classID
@@ -195,6 +204,9 @@ pub struct VfioConfig {
     /// device as block or char
     pub dev_type: String,
 
+    /// bus type: pci or ccw
+    pub bus_type: String,
+
     /// hostdev_prefix for devices, such as:
     /// (1) phisycial endpoint: "physical_nic_"
     /// (2) vfio mdev: "vfio_mdev_"
@@ -247,12 +259,19 @@ impl VfioDevice {
 
         // get bus mode and driver type based on the device type
         let dev_type = dev_info.dev_type.as_str();
-        let driver_type = VfioBusMode::driver_type(dev_type).to_owned();
+        let bus_type = dev_info.bus_type.as_str();
+        let driver_type = VfioBusMode::driver_type(bus_type, dev_type).to_owned();
+
+        let bus_mode = if bus_type == "ccw" {
+            VfioBusMode::CCW
+        } else {
+            VfioBusMode::PCI
+        };
 
         let mut vfio_device = Self {
             device_id,
             attach_count: 0,
-            bus_mode: VfioBusMode::PCI,
+            bus_mode,
             driver_type,
             config: dev_info.clone(),
             devices,
@@ -278,14 +297,22 @@ impl VfioDevice {
 
     // nornaml VFIO BDF: 0000:04:00.0
     // mediated VFIO BDF: 83b8f4f2-509f-382f-3c1e-e6bfe0fa1001
-    fn get_vfio_device_type(&self, device_sys_path: String) -> Result<VfioDeviceType> {
+    fn get_vfio_device_type(
+        &self,
+        device_sys_path: String,
+        iommu_dev_path: PathBuf,
+    ) -> Result<VfioDeviceType> {
         let mut tokens: Vec<&str> = device_sys_path.as_str().split(':').collect();
         let vfio_type = match tokens.len() {
             3 => VfioDeviceType::Normal,
             _ => {
                 tokens = device_sys_path.split('-').collect();
                 if tokens.len() == 5 {
-                    VfioDeviceType::Mediated
+                    if iommu_dev_path.to_string_lossy().contains("vfio_ap") {
+                        VfioDeviceType::MediatedAp
+                    } else {
+                        VfioDeviceType::MediatedPci
+                    }
                 } else {
                     VfioDeviceType::Error
                 }
@@ -329,20 +356,24 @@ impl VfioDevice {
         dev_file_name: String,
         iommu_dev_path: PathBuf,
     ) -> Result<(Option<String>, String, VfioDeviceType)> {
-        let vfio_type = self.get_vfio_device_type(dev_file_name.clone())?;
+        let vfio_type = self.get_vfio_device_type(dev_file_name.clone(), iommu_dev_path.clone())?;
         match vfio_type {
             VfioDeviceType::Normal => {
                 let dev_bdf = get_device_bdf(dev_file_name.clone());
                 let dev_sys = [SYS_BUS_PCI_DEVICES, dev_file_name.as_str()].join("/");
                 Ok((dev_bdf, dev_sys, vfio_type))
             }
-            VfioDeviceType::Mediated => {
+            VfioDeviceType::MediatedPci | VfioDeviceType::MediatedAp => {
                 // sysfsdev eg. /sys/devices/pci0000:00/0000:00:02.0/f79944e4-5a3d-11e8-99ce-479cbab002e4
                 let sysfs_dev = Path::new(&iommu_dev_path).join(dev_file_name);
                 let dev_sys = self
                     .get_sysfs_device(sysfs_dev)
                     .context("get sysfs device failed")?;
 
+                if vfio_type == VfioDeviceType::MediatedAp {
+                    return Ok((None, dev_sys, vfio_type));
+                }
+
                 let dev_bdf = if let Some(dev_s) = get_mediated_device_bdf(dev_sys.clone()) {
                     get_device_bdf(dev_s)
                 } else {
@@ -376,25 +407,31 @@ impl VfioDevice {
             .get_vfio_device_details(device_name.to_owned(), iommu_devs_path)
             .context("get vfio device details failed")?;
 
-        // It's safe as BDF really exists.
-        let dev_bdf = vfio_dev_details.0.unwrap();
-        let dev_vendor_class = self
-            .get_vfio_device_vendor_class(device_name)
-            .context("get property device and vendor failed")?;
+        // BDF exists only for PCI devices
+        // For AP devices, the BDF is not available.
+        if let Some(bdf) = vfio_dev_details.0 {
+            let dev_vendor_class = self
+                .get_vfio_device_vendor_class(device_name)
+                .context("get property device and vendor failed")?;
 
-        let parts: Vec<&str> = device_name.splitn(2, ':').collect();
-        let domain_part = parts.first().context("missing domain segment")?;
-
-        let vfio_dev = HostDevice {
-            domain: domain_part.to_string(),
-            bus_slot_func: dev_bdf.clone(),
-            device_vendor_class: Some(dev_vendor_class),
-            sysfs_path: vfio_dev_details.1,
-            vfio_type: vfio_dev_details.2,
-            ..Default::default()
-        };
-
-        Ok(vfio_dev)
+            let parts: Vec<&str> = device_name.splitn(2, ':').collect();
+            let domain_part = parts.first().context("missing domain segment")?;
+            let vfio_dev = HostDevice {
+                domain: domain_part.to_string(),
+                bus_slot_func: bdf.clone(),
+                device_vendor_class: Some(dev_vendor_class),
+                sysfs_path: vfio_dev_details.1,
+                vfio_type: vfio_dev_details.2,
+                ..Default::default()
+            };
+            Ok(vfio_dev)
+        } else {
+            Ok(HostDevice {
+                sysfs_path: vfio_dev_details.1,
+                vfio_type: vfio_dev_details.2,
+                ..Default::default()
+            })
+        }
     }
 
     // filter Host or PCI Bridges that are in the same IOMMU group as the
@@ -507,6 +544,7 @@ impl Device for VfioDevice {
                 Ok(())
             }
             Err(e) => {
+                error!(sl!(), "failed to attach vfio device: {:?}", e);
                 self.decrease_attach_count().await?;
                 unregister_pcie_device!(self, pcie_topo)?;
                 return Err(e);

src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs

@@ -6,7 +6,8 @@
 use crate::device::topology::{PCIePortBusPrefix, TopologyPortDevice, DEFAULT_PCIE_ROOT_BUS};
 use crate::qemu::qmp::get_qmp_socket_path;
 use crate::utils::{
-    chown_to_parent, clear_cloexec, create_vhost_net_fds, open_named_tuntap, SocketAddress,
+    chown_to_parent, clear_cloexec, create_vhost_net_fds, open_named_tuntap, uses_native_ccw_bus,
+    SocketAddress,
 };
 
 use crate::{kernel_param::KernelParams, Address, HypervisorConfig};
@@ -79,8 +80,8 @@ impl Display for VirtioBusType {
     }
 }
 
-fn bus_type(config: &HypervisorConfig) -> VirtioBusType {
-    if config.machine_info.machine_type.contains("-ccw-") {
+fn bus_type() -> VirtioBusType {
+    if uses_native_ccw_bus() {
         VirtioBusType::Ccw
     } else {
         VirtioBusType::Pci
@@ -2210,7 +2211,7 @@ pub struct QemuCmdLine<'a> {
 
 impl<'a> QemuCmdLine<'a> {
     pub fn new(id: &str, config: &'a HypervisorConfig) -> Result<QemuCmdLine<'a>> {
-        let ccw_subchannel = match bus_type(config) {
+        let ccw_subchannel = match bus_type() {
             VirtioBusType::Ccw => Some(CcwSubChannel::new()),
             _ => None,
         };
@@ -2242,11 +2243,11 @@ impl<'a> QemuCmdLine<'a> {
             qemu_cmd_line.add_template();
         }
 
-        if bus_type(config) != VirtioBusType::Ccw {
+        if bus_type() != VirtioBusType::Ccw {
             qemu_cmd_line.add_rng();
         }
 
-        if bus_type(config) != VirtioBusType::Ccw && config.device_info.default_bridges > 0 {
+        if bus_type() != VirtioBusType::Ccw && config.device_info.default_bridges > 0 {
             qemu_cmd_line.add_bridges(config.device_info.default_bridges);
         }
 
@@ -2314,16 +2315,10 @@ impl<'a> QemuCmdLine<'a> {
 
     fn add_scsi_controller(&mut self) {
         let devno = get_devno_ccw(&mut self.ccw_subchannel, "scsi0");
-        let mut virtio_scsi = DeviceVirtioScsi::new(
-            "scsi0",
-            should_disable_modern(),
-            bus_type(self.config),
-            devno,
-        );
+        let mut virtio_scsi =
+            DeviceVirtioScsi::new("scsi0", should_disable_modern(), bus_type(), devno);
 
-        if self.config.device_info.enable_iommu_platform
-            && bus_type(self.config) == VirtioBusType::Ccw
-        {
+        if self.config.device_info.enable_iommu_platform && bus_type() == VirtioBusType::Ccw {
             virtio_scsi.set_iommu_platform(true);
         }
 
@@ -2352,7 +2347,7 @@ impl<'a> QemuCmdLine<'a> {
 
         self.devices.push(Box::new(virtiofsd_socket_chardev));
 
-        let bus_type = bus_type(self.config);
+        let bus_type = bus_type();
         let devno = get_devno_ccw(&mut self.ccw_subchannel, chardev_name);
         let mut virtiofs_device = DeviceVhostUserFs::new(chardev_name, mount_tag, bus_type, devno);
         virtiofs_device.set_queue_size(queue_size);
@@ -2389,15 +2384,13 @@ impl<'a> QemuCmdLine<'a> {
         clear_cloexec(vhostfd.as_raw_fd()).context("clearing O_CLOEXEC failed on vsock fd")?;
 
         let devno = get_devno_ccw(&mut self.ccw_subchannel, "vsock-0");
-        let mut vhost_vsock_pci = VhostVsock::new(vhostfd, guest_cid, bus_type(self.config), devno);
+        let mut vhost_vsock_pci = VhostVsock::new(vhostfd, guest_cid, bus_type(), devno);
 
         if !self.config.disable_nesting_checks && should_disable_modern() {
             vhost_vsock_pci.set_disable_modern(true);
         }
 
-        if self.config.device_info.enable_iommu_platform
-            && bus_type(self.config) == VirtioBusType::Ccw
-        {
+        if self.config.device_info.enable_iommu_platform && bus_type() == VirtioBusType::Ccw {
             vhost_vsock_pci.set_iommu_platform(true);
         }
 
@@ -2449,11 +2442,8 @@ impl<'a> QemuCmdLine<'a> {
             self.devices
                 .push(Box::new(DeviceScsiHd::new(device_id, "scsi0.0", devno)));
         } else {
-            self.devices.push(Box::new(DeviceVirtioBlk::new(
-                device_id,
-                bus_type(self.config),
-                devno,
-            )));
+            self.devices
+                .push(Box::new(DeviceVirtioBlk::new(device_id, bus_type(), devno)));
         }
 
         Ok(())
@@ -2484,10 +2474,8 @@ impl<'a> QemuCmdLine<'a> {
 
     pub fn add_console(&mut self, console_socket_path: &str) {
         let devno = get_devno_ccw(&mut self.ccw_subchannel, "serial0");
-        let mut serial_dev = DeviceVirtioSerial::new("serial0", bus_type(self.config), devno);
-        if self.config.device_info.enable_iommu_platform
-            && bus_type(self.config) == VirtioBusType::Ccw
-        {
+        let mut serial_dev = DeviceVirtioSerial::new("serial0", bus_type(), devno);
+        if self.config.device_info.enable_iommu_platform && bus_type() == VirtioBusType::Ccw {
             serial_dev.set_iommu_platform(true);
         }
         self.devices.push(Box::new(serial_dev));
@@ -2777,13 +2765,12 @@ pub fn get_network_device(
     }
 
     let devno = get_devno_ccw(ccw_subchannel, &netdev.id);
-    let mut virtio_net_device =
-        DeviceVirtioNet::new(&netdev.id, guest_mac, bus_type(config), devno);
+    let mut virtio_net_device = DeviceVirtioNet::new(&netdev.id, guest_mac, bus_type(), devno);
 
     if should_disable_modern() {
         virtio_net_device.set_disable_modern(true);
     }
-    if config.device_info.enable_iommu_platform && bus_type(config) == VirtioBusType::Ccw {
+    if config.device_info.enable_iommu_platform && bus_type() == VirtioBusType::Ccw {
         virtio_net_device.set_iommu_platform(true);
     }
     if config.network_info.network_queues > 1 {

src/runtime-rs/crates/hypervisor/src/qemu/inner.rs

@@ -822,6 +822,7 @@ impl QemuInner {
 
                 primary_device.guest_pci_path = qmp.hotplug_vfio_device(
                     &primary_device.hostdev_id,
+                    &primary_device.sysfs_path,
                     &primary_device.bus_slot_func,
                     &vfiodev.driver_type,
                     &vfiodev.bus,

src/runtime-rs/crates/hypervisor/src/qemu/qmp.rs

@@ -719,25 +719,41 @@ impl Qmp {
     pub fn hotplug_vfio_device(
         &mut self,
         hostdev_id: &str,
+        sysfs_path: &str,
         bus_slot_func: &str,
         driver: &str,
         bus: &str,
     ) -> Result<Option<PciPath>> {
         let mut vfio_args = Dictionary::new();
-        let bdf = if !bus_slot_func.starts_with("0000") {
-            format!("0000:{}", bus_slot_func)
-        } else {
-            bus_slot_func.to_owned()
-        };
-        vfio_args.insert("addr".to_owned(), "0x0".into());
-        vfio_args.insert("host".to_owned(), bdf.into());
-        vfio_args.insert("multifunction".to_owned(), "off".into());
 
-        let vfio_device_add = qmp::device_add {
-            driver: driver.to_string(),
-            bus: Some(bus.to_string()),
-            id: Some(hostdev_id.to_string()),
-            arguments: vfio_args,
+        let (vfio_device_add, early_return) = match driver {
+            "vfio-ap" => {
+                vfio_args.insert("sysfsdev".to_owned(), sysfs_path.to_string().into());
+                let device_add = qmp::device_add {
+                    driver: driver.to_string(),
+                    bus: None,
+                    id: Some(hostdev_id.to_string()),
+                    arguments: vfio_args,
+                };
+                (device_add, Some(Ok(None)))
+            }
+            _ => {
+                let bdf = if !bus_slot_func.starts_with("0000") {
+                    format!("0000:{}", bus_slot_func)
+                } else {
+                    bus_slot_func.to_owned()
+                };
+                vfio_args.insert("addr".to_owned(), "0x0".into());
+                vfio_args.insert("host".to_owned(), bdf.into());
+                vfio_args.insert("multifunction".to_owned(), "off".into());
+                let device_add = qmp::device_add {
+                    driver: driver.to_string(),
+                    bus: Some(bus.to_string()),
+                    id: Some(hostdev_id.to_string()),
+                    arguments: vfio_args,
+                };
+                (device_add, None)
+            }
         };
         info!(sl!(), "vfio_device_add: {:?}", vfio_device_add.clone());
 
@@ -769,6 +785,11 @@ impl Qmp {
                 .set_read_timeout(Some(Duration::from_millis(DEFAULT_QMP_READ_TIMEOUT)))?;
         }
 
+        // For AP devices, we don't need to get the PCI path as it's not available.
+        if let Some(result) = early_return {
+            return result;
+        }
+
         let pci_path = self
             .get_device_by_qdev_id(hostdev_id)
             .context("get device by qdev_id failed")?;

src/runtime-rs/crates/hypervisor/src/utils.rs

@@ -21,6 +21,7 @@ use kata_types::{
     build_path,
     config::{Hypervisor, KATA_PATH},
 };
+use lazy_static::lazy_static;
 use nix::{
     fcntl,
     sched::{setns, CloneFlags},
@@ -369,6 +370,51 @@ pub fn get_cmd_output(cmd: &str, args: &[&str]) -> Result<String> {
     Ok(String::from_utf8(result.stdout)?)
 }
 
+// The presence of this sysfs directory is the fundamental architectural proof.
+const CCW_BUS_PATH: &str = "/sys/bus/ccw/devices";
+
+// These drivers are specific to traditional mainframe I/O and prove
+// native CCW support, even in virtualized environments.
+const NATIVE_CCW_DRIVERS: [&str; 3] = [
+    "3270",      // IBM 3270 Terminal Driver
+    "dasd-eckd", // Mainframe DASD (Disk) Driver
+    "zfcp",      // Fibre Channel Protocol Driver (FICON)
+];
+
+lazy_static! {
+    static ref NATIVE_CCW_BUS_CACHE: bool = {
+        if !Path::new(CCW_BUS_PATH).exists() {
+            false
+        } else {
+            let drivers_path = PathBuf::from("/sys/bus/ccw/drivers");
+            let mut native_driver_found = false;
+
+            for driver_name in NATIVE_CCW_DRIVERS.iter() {
+                let driver_path = drivers_path.join(driver_name);
+
+                if driver_path.exists() {
+                    native_driver_found = true;
+                    break;
+                }
+            }
+
+            native_driver_found
+        }
+    };
+}
+
+/// Detects if the system uses native CCW (Channel Command Word) bus.
+/// This function checks for the presence of CCW bus infrastructure in sysfs
+/// and verifies that native mainframe drivers are available.
+///
+/// The result is cached after the first call to avoid repeated IO operations.
+///
+/// # Returns
+/// `true` if native CCW bus is detected, `false` otherwise.
+pub fn uses_native_ccw_bus() -> bool {
+    *NATIVE_CCW_BUS_CACHE
+}
+
 #[cfg(test)]
 mod tests {
     use std::fs;

src/runtime-rs/crates/resource/Cargo.toml

@@ -40,9 +40,9 @@ tempfile = "3.19.1"
 hex = "0.4"
 
 ## Dependencies from `rust-netlink`
-netlink-packet-route = "0.22"
+netlink-packet-route = "0.26"
 netlink-sys = "0.8"
-rtnetlink = "0.16"
+rtnetlink = "0.19"
 
 # Local dependencies
 agent = { workspace = true }