build(deps): bump github.com/go-openapi/errors in /src/runtime

Bumps [github.com/go-openapi/errors](https://github.com/go-openapi/errors) from 0.22.1 to 0.22.6.
- [Release notes](https://github.com/go-openapi/errors/releases)
- [Commits](https://github.com/go-openapi/errors/compare/v0.22.1...v0.22.6)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/errors
  dependency-version: 0.22.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -15,6 +15,8 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/build-checks.yaml

@@ -94,11 +94,19 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
         if: contains(matrix.component.needs, 'golang')
         run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        if: contains(matrix.component.needs, 'golang')
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
         id: deployment

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,8 +35,6 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
         with:
           sarif_file: results.sarif

Cargo.lock

@@ -44,9 +44,7 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
- "futures 0.1.31",
  "kata-types",
- "log",
  "logging",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -141,23 +139,12 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "event-listener-strategy",
  "futures-core",
  "pin-project-lite",
 ]
 
-[[package]]
-name = "async-channel"
-version = "1.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
-dependencies = [
- "concurrent-queue",
- "event-listener 2.5.3",
- "futures-core",
-]
-
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -184,21 +171,6 @@ dependencies = [
  "slab",
 ]
 
-[[package]]
-name = "async-global-executor"
-version = "2.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
-dependencies = [
- "async-channel 2.5.0",
- "async-executor",
- "async-io",
- "async-lock",
- "blocking",
- "futures-lite",
- "once_cell",
-]
-
 [[package]]
 name = "async-io"
 version = "2.6.0"
@@ -223,7 +195,7 @@ version = "3.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "event-listener-strategy",
  "pin-project-lite",
 ]
@@ -234,14 +206,14 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
  "async-io",
  "async-lock",
  "async-signal",
  "async-task",
  "blocking",
  "cfg-if 1.0.0",
- "event-listener 5.4.1",
+ "event-listener",
  "futures-lite",
  "rustix 1.1.2",
 ]
@@ -275,32 +247,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "async-std"
-version = "1.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b"
-dependencies = [
- "async-channel 1.9.0",
- "async-global-executor",
- "async-io",
- "async-lock",
- "crossbeam-utils",
- "futures-channel",
- "futures-core",
- "futures-io",
- "futures-lite",
- "gloo-timers",
- "kv-log-macro",
- "log",
- "memchr",
- "once_cell",
- "pin-project-lite",
- "pin-utils",
- "slab",
- "wasm-bindgen-futures",
-]
-
 [[package]]
 name = "async-task"
 version = "4.7.1"
@@ -447,7 +393,7 @@ version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
  "async-task",
  "futures-io",
  "futures-lite",
@@ -644,29 +590,17 @@ dependencies = [
  "containerd-shim-protos",
  "kata-sys-util",
  "kata-types",
- "lazy_static",
  "nix 0.26.4",
  "oci-spec 0.8.3",
- "persist",
  "protobuf",
  "protocols",
  "resource",
  "runtime-spec",
- "serde_json",
- "slog",
- "slog-scope",
  "strum 0.24.1",
  "thiserror 1.0.48",
  "tokio",
- "ttrpc",
 ]
 
-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -711,7 +645,7 @@ dependencies = [
  "async-trait",
  "cgroups-rs 0.3.4",
  "containerd-shim-protos",
- "futures 0.3.28",
+ "futures",
  "go-flag",
  "lazy_static",
  "libc",
@@ -1044,7 +978,6 @@ dependencies = [
  "dbs-interrupt",
  "dbs-utils",
  "dbs-virtio-devices",
- "downcast-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "libc",
@@ -1057,7 +990,6 @@ dependencies = [
  "vfio-ioctls",
  "virtio-queue",
  "vm-memory",
- "vmm-sys-util 0.11.1",
 ]
 
 [[package]]
@@ -1074,7 +1006,6 @@ dependencies = [
 name = "dbs-upcall"
 version = "0.3.0"
 dependencies = [
- "anyhow",
  "dbs-utils",
  "dbs-virtio-devices",
  "log",
@@ -1269,12 +1200,6 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
 
-[[package]]
-name = "downcast-rs"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ea835d29036a4087793836fa931b08837ad5e957da9e23886b29586fb9b6650"
-
 [[package]]
 name = "dragonball"
 version = "0.1.0"
@@ -1295,7 +1220,6 @@ dependencies = [
  "dbs-utils",
  "dbs-virtio-devices",
  "derivative",
- "fuse-backend-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "lazy_static",
@@ -1350,6 +1274,18 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66b7e2430c6dff6a955451e2cfc438f09cea1965a9d6f87f7e3b90decc014099"
 
+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.12"
@@ -1403,12 +1339,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "event-listener"
-version = "2.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
-
 [[package]]
 name = "event-listener"
 version = "5.4.1"
@@ -1426,7 +1356,7 @@ version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "pin-project-lite",
 ]
 
@@ -1554,12 +1484,6 @@ dependencies = [
  "vmm-sys-util 0.11.1",
 ]
 
-[[package]]
-name = "futures"
-version = "0.1.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678"
-
 [[package]]
 name = "futures"
 version = "0.3.28"
@@ -1719,18 +1643,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
-[[package]]
-name = "gloo-timers"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
-dependencies = [
- "futures-channel",
- "futures-core",
- "js-sys",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "go-flag"
 version = "0.1.0"
@@ -1966,7 +1878,7 @@ dependencies = [
  "crossbeam-channel",
  "dbs-utils",
  "dragonball",
- "futures 0.3.28",
+ "futures",
  "go-flag",
  "hyper",
  "hyperlocal",
@@ -1977,10 +1889,8 @@ dependencies = [
  "libc",
  "logging",
  "nix 0.26.4",
- "oci-spec 0.8.3",
  "path-clean",
  "persist",
- "protobuf",
  "protocols",
  "qapi",
  "qapi-qmp",
@@ -1992,7 +1902,6 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test 2.0.0",
- "shim-interface",
  "slog",
  "slog-scope",
  "tempfile",
@@ -2269,8 +2178,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
- "chrono",
- "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2279,11 +2186,9 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec 0.8.3",
- "once_cell",
  "pci-ids",
  "rand 0.8.5",
  "runtime-spec",
- "safe-path 0.1.0",
  "serde",
  "serde_json",
  "slog",
@@ -2302,8 +2207,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
- "hex",
  "lazy_static",
+ "nix 0.26.4",
  "num_cpus",
  "oci-spec 0.8.3",
  "regex",
@@ -2314,18 +2219,10 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
+ "sysctl",
  "sysinfo",
  "thiserror 1.0.48",
- "toml 0.5.11",
-]
-
-[[package]]
-name = "kv-log-macro"
-version = "1.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
-dependencies = [
- "log",
+ "toml",
 ]
 
 [[package]]
@@ -2646,7 +2543,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b65d130ee111430e47eed7896ea43ca693c387f097dd97376bffafbf25812128"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "log",
  "netlink-packet-core",
  "netlink-sys",
@@ -2660,7 +2557,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416060d346fbaf1f23f9512963e3e878f1a78e707cb699ba9215761754244307"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "libc",
  "log",
  "tokio",
@@ -2817,7 +2714,7 @@ dependencies = [
  "log",
  "serde",
  "serde_json",
- "toml 0.5.11",
+ "toml",
 ]
 
 [[package]]
@@ -3044,7 +2941,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e785d273968748578931e4dc3b4f5ec86b26e09d9e0d66b55adda7fce742f7a"
 dependencies = [
  "async-trait",
- "futures 0.3.28",
+ "futures",
  "futures-executor",
  "headers",
  "http",
@@ -3212,11 +3109,9 @@ dependencies = [
  "async-trait",
  "kata-sys-util",
  "kata-types",
- "libc",
  "safe-path 0.1.0",
  "serde",
  "serde_json",
- "shim-interface",
 ]
 
 [[package]]
@@ -3626,7 +3521,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b047adab56acc4948d4b9b58693c1f33fd13efef2d6bb5f0f66a47436ceada8"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "log",
  "memchr",
  "qapi-qmp",
@@ -3908,11 +3803,10 @@ dependencies = [
  "agent",
  "anyhow",
  "async-trait",
- "bitflags 2.10.0",
  "byte-unit",
  "cgroups-rs 0.5.0",
  "flate2",
- "futures 0.3.28",
+ "futures",
  "hex",
  "hypervisor",
  "inotify",
@@ -3922,7 +3816,6 @@ dependencies = [
  "libc",
  "logging",
  "netlink-packet-route",
- "netlink-sys",
  "netns-rs",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -4007,7 +3900,6 @@ dependencies = [
  "common",
  "containerd-shim-protos",
  "go-flag",
- "logging",
  "nix 0.26.4",
  "runtimes",
  "shim",
@@ -4018,7 +3910,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4032,7 +3923,6 @@ dependencies = [
  "anyhow",
  "common",
  "hyper",
- "hyperlocal",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
@@ -4351,7 +4241,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
 dependencies = [
  "dashmap",
- "futures 0.3.28",
+ "futures",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4365,7 +4255,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e56dd856803e253c8f298af3f4d7eb0ae5e23a737252cd90bb4f3b435033b2d"
 dependencies = [
  "dashmap",
- "futures 0.3.28",
+ "futures",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4405,12 +4295,10 @@ dependencies = [
  "containerd-shim-protos",
  "kata-types",
  "logging",
- "persist",
  "runtimes",
  "slog",
  "slog-scope",
  "tokio",
- "tracing",
  "ttrpc",
 ]
 
@@ -4474,9 +4362,7 @@ dependencies = [
  "nix 0.26.4",
  "oci-spec 0.8.3",
  "protobuf",
- "rand 0.8.5",
  "runtime-spec",
- "runtimes",
  "serial_test 0.10.0",
  "service",
  "sha2 0.10.9",
@@ -4485,11 +4371,8 @@ dependencies = [
  "slog-scope",
  "slog-stdlog",
  "tempfile",
- "tests_utils",
  "thiserror 1.0.48",
  "tokio",
- "tracing",
- "tracing-opentelemetry",
  "unix_socket2",
 ]
 
@@ -4499,7 +4382,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "common",
- "logging",
  "runtimes",
  "tokio",
 ]
@@ -4793,6 +4675,20 @@ dependencies = [
  "syn 2.0.104",
 ]
 
+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.10.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
@@ -5083,21 +4979,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "52a15c15b1bc91f90902347eff163b5b682643aff0c8e972912cca79bd9208dd"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "libc",
  "tokio",
  "vsock",
 ]
 
-[[package]]
-name = "toml"
-version = "0.4.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "toml"
 version = "0.5.11"
@@ -5240,7 +5127,7 @@ dependencies = [
  "async-trait",
  "byteorder",
  "crossbeam",
- "futures 0.3.28",
+ "futures",
  "home",
  "libc",
  "log",
@@ -5442,16 +5329,13 @@ version = "0.1.0"
 dependencies = [
  "agent",
  "anyhow",
- "async-std",
  "async-trait",
  "awaitgroup",
  "common",
  "containerd-shim-protos",
- "futures 0.3.28",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
- "lazy_static",
  "libc",
  "logging",
  "nix 0.26.4",
@@ -5467,7 +5351,6 @@ dependencies = [
  "slog-scope",
  "strum 0.24.1",
  "tokio",
- "toml 0.4.10",
  "tracing",
  "url",
  "uuid 1.18.1",
@@ -6100,7 +5983,7 @@ dependencies = [
  "async-trait",
  "blocking",
  "enumflags2",
- "event-listener 5.4.1",
+ "event-listener",
  "futures-core",
  "futures-lite",
  "hex",

src/agent/Cargo.lock

@@ -743,12 +743,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
 
-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -1098,6 +1092,18 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -2102,8 +2108,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
- "chrono",
- "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2112,11 +2116,9 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec",
- "once_cell",
  "pci-ids",
  "rand",
  "runtime-spec",
- "safe-path",
  "serde",
  "serde_json",
  "slog",
@@ -2135,8 +2137,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
- "hex",
  "lazy_static",
+ "nix 0.26.4",
  "num_cpus",
  "oci-spec",
  "regex",
@@ -2147,6 +2149,7 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
+ "sysctl",
  "sysinfo",
  "thiserror 1.0.69",
  "toml",
@@ -2306,7 +2309,6 @@ name = "mem-agent"
 version = "0.2.0"
 dependencies = [
  "anyhow",
- "async-trait",
  "chrono",
  "maplit",
  "nix 0.30.1",
@@ -3575,7 +3577,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4215,6 +4216,20 @@ dependencies = [
  "syn 2.0.101",
 ]
 
+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.9.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"

src/dragonball/Cargo.toml

@@ -48,7 +48,6 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
-fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }
 
@@ -86,3 +85,6 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(feature, values("test-mock"))',
 ] }
+
+[package.metadata.cargo-machete]
+ignored = ["vfio-bindings"]

src/dragonball/dbs_pci/Cargo.toml

@@ -23,24 +23,22 @@ dbs-interrupt = { workspace = true, features = [
     "kvm-legacy-irq",
     "kvm-msi-irq",
 ] }
-downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"
 
-vm-memory = {workspace = true}
-kvm-ioctls = {workspace = true}
-kvm-bindings = {workspace = true}
-vfio-ioctls = {workspace = true}
-vfio-bindings = {workspace = true}
+vm-memory = { workspace = true }
+kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true }
+vfio-ioctls = { workspace = true }
+vfio-bindings = { workspace = true }
 libc = "0.2.39"
-vmm-sys-util = {workspace = true}
-virtio-queue = {workspace = true}
-dbs-utils = {workspace = true}
+virtio-queue = { workspace = true }
+dbs-utils = { workspace = true }
 
 
 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = {workspace = true}
+kvm-ioctls = { workspace = true }
 test-utils = { workspace = true }
 nix = { workspace = true }
 

src/dragonball/dbs_upcall/Cargo.toml

@@ -11,7 +11,6 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"
 
 [dependencies]
-anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true}
-kvm-ioctls = {workspace = true}
+kvm-bindings = { workspace = true }
+kvm-ioctls = { workspace = true }
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,19 +37,16 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = {workspace = true}
-virtio-queue = {workspace = true}
-vmm-sys-util = {workspace = true}
+virtio-bindings = { workspace = true }
+virtio-queue = { workspace = true }
+vmm-sys-util = { workspace = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"
 
 [dev-dependencies]
-vm-memory = { workspace = true, features = [
-    "backend-mmap",
-    "backend-atomic",
-] }
+vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
 test-utils = { workspace = true }
 
 [features]

src/dragonball/dbs_virtio_devices/src/lib.rs

@@ -439,19 +439,19 @@ pub mod tests {
             VirtqDesc { desc }
         }
 
-        pub fn addr(&self) -> VolatileRef<u64> {
+        pub fn addr(&self) -> VolatileRef<'_, u64> {
             self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
         }
 
-        pub fn len(&self) -> VolatileRef<u32> {
+        pub fn len(&self) -> VolatileRef<'_, u32> {
             self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
         }
 
-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
         }
 
-        pub fn next(&self) -> VolatileRef<u16> {
+        pub fn next(&self) -> VolatileRef<'_, u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
         }
 
@@ -513,11 +513,11 @@ pub mod tests {
             self.start.unchecked_add(self.ring.len() as GuestUsize)
         }
 
-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(0).unwrap()
         }
 
-        pub fn idx(&self) -> VolatileRef<u16> {
+        pub fn idx(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(2).unwrap()
         }
 
@@ -525,12 +525,12 @@ pub mod tests {
             4 + mem::size_of::<T>() * (i as usize)
         }
 
-        pub fn ring(&self, i: u16) -> VolatileRef<T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
             assert!(i < self.qsize);
             self.ring.get_ref(Self::ring_offset(i)).unwrap()
         }
 
-        pub fn event(&self) -> VolatileRef<u16> {
+        pub fn event(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
         }
 
@@ -602,7 +602,7 @@ pub mod tests {
             (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
         }
 
-        pub fn dtable(&self, i: u16) -> VirtqDesc {
+        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
             VirtqDesc::new(&self.dtable, i)
         }
 

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -865,11 +865,11 @@ mod tests {
             0
         );
         let config: [u8; 8] = [0; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
             &mut dev, 0, &config,
         );
         let mut data: [u8; 8] = [1; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
             &mut dev, 0, &mut data,
         );
         assert_eq!(config, data);

src/dragonball/dbs_virtio_devices/src/vsock/mod.rs

@@ -339,7 +339,7 @@ mod tests {
             }
         }
 
-        pub fn create_event_handler_context(&self) -> EventHandlerContext {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
             const QSIZE: u16 = 256;
 
             let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);

src/libs/kata-sys-util/Cargo.toml

@@ -13,13 +13,10 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
-chrono = "0.4.0"
-common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
-once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -34,10 +31,7 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
-safe-path = { path = "../safe-path" }
 
 [dev-dependencies]
-num_cpus = "1.13.1"
-serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/Cargo.toml

@@ -29,12 +29,14 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-hex = "0.4"
-
+nix = "0.26.4"
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 
 safe-path = { path = "../safe-path", optional = true }
 
+[target.'cfg(target_os = "macos")'.dependencies]
+sysctl = "0.7.1"
+
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -26,7 +26,6 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
-use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -34,7 +33,6 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
-use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 
 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1007,6 +1005,57 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
     60
 }
 
+/// Get host memory size in MiB.
+/// Retrieves the total physical memory of the host across different platforms.
+fn host_memory_mib() -> io::Result<u64> {
+    // Select a platform-specific implementation via a function pointer.
+    let get_memory: fn() -> io::Result<u64> = {
+        #[cfg(target_os = "linux")]
+        {
+            || {
+                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
+                Ok(info.ram_total() / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            || {
+                use sysctl::{Ctl, CtlValue, Sysctl};
+
+                let v = Ctl::new("hw.memsize")
+                    .map_err(io::Error::other)?
+                    .value()
+                    .map_err(io::Error::other)?;
+
+                let bytes = match v {
+                    CtlValue::S64(x) if x >= 0 => x as u64,
+                    other => {
+                        return Err(io::Error::new(
+                            io::ErrorKind::InvalidData,
+                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
+                        ));
+                    }
+                };
+
+                Ok(bytes / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
+        {
+            || {
+                Err(io::Error::new(
+                    io::ErrorKind::Unsupported,
+                    "host memory query not implemented on this platform",
+                ))
+            }
+        }
+    };
+
+    get_memory()
+}
+
 impl MemoryInfo {
     /// Adjusts the configuration information after loading from a configuration file.
     ///
@@ -1018,13 +1067,15 @@ impl MemoryInfo {
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-        if self.default_maxmemory == 0 {
-            let s = System::new_with_specifics(
-                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
-            );
-            self.default_maxmemory = Byte::from_u64(s.total_memory())
-                .get_adjusted_unit(Unit::MiB)
-                .get_value() as u32;
+
+        let host_memory = host_memory_mib()?;
+
+        if u64::from(self.default_memory) > host_memory {
+            self.default_memory = host_memory as u32;
+        }
+
+        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
+            self.default_maxmemory = host_memory as u32;
         }
         Ok(())
     }
@@ -1167,6 +1218,29 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub sev_snp_guest: bool,
 
+    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
+    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
+    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
+    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
+    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
+    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
+    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_block: String,
+
+    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
+    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_auth: String,
+
+    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
+    /// If unset, the QEMU default policy (0x30000) will be used.
+    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
+    /// won't start at all if the policy denys it. This will be indicated by a
+    /// 'SNP_LAUNCH_START' error.
+    #[serde(default = "default_snp_guest_policy")]
+    pub snp_guest_policy: u32,
+
     /// Path to OCI hook binaries in the *guest rootfs*.
     ///
     /// This setting does not affect host-side hooks, which must instead be
@@ -1228,6 +1302,10 @@ fn default_qgs_port() -> u32 {
     4050
 }
 
+fn default_snp_guest_policy() -> u32 {
+    0x30000
+}
+
 impl SecurityInfo {
     /// Adjusts the security configuration information after loading from a configuration file.
     ///

src/libs/mem-agent/Cargo.toml

@@ -10,7 +10,6 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
-async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }
 

src/libs/runtime-spec/Cargo.toml

@@ -9,4 +9,3 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
-libc = "0.2.112"

src/runtime-rs/Cargo.toml

@@ -28,5 +28,4 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/agent/Cargo.toml

@@ -5,13 +5,9 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }
 
-[dev-dependencies]
-futures = "0.1.27"
-
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -31,3 +27,6 @@ protocols = { workspace = true, features = ["async"] }
 
 [features]
 default = []
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -28,8 +28,6 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
-protobuf = { workspace = true }
-oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -44,7 +42,6 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
-shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }

src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs

@@ -110,6 +110,16 @@ pub struct DeviceConfig {
     pub pci_segment: u16,
 }
 
+#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
+pub enum ImageType {
+    FixedVhd,
+    Qcow2,
+    Raw,
+    Vhdx,
+    #[default]
+    Unknown,
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
     pub path: Option<PathBuf>,
@@ -135,6 +145,8 @@ pub struct DiskConfig {
     pub disable_io_uring: bool,
     #[serde(default)]
     pub pci_segment: u16,
+    #[serde(default)]
+    pub image_type: ImageType,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]

src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs

@@ -27,6 +27,7 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
+use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -550,6 +551,7 @@ impl TryFrom<BlockConfig> for DiskConfig {
             readonly: blkcfg.is_readonly,
             num_queues: blkcfg.num_queues,
             queue_size: blkcfg.queue_size as u16,
+            image_type: ImageType::Raw,
             ..Default::default()
         };
 

src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs

@@ -256,29 +256,8 @@ struct Memory {
 
 impl Memory {
     fn new(config: &HypervisorConfig) -> Memory {
-        // Move this to QemuConfig::adjust_config()?
-
-        let mut mem_size = config.memory_info.default_memory as u64;
-        let mut max_mem_size = config.memory_info.default_maxmemory as u64;
-
-        if let Ok(sysinfo) = nix::sys::sysinfo::sysinfo() {
-            let host_memory = sysinfo.ram_total() >> 20;
-
-            if mem_size > host_memory {
-                info!(sl!(), "'default_memory' given in configuration.toml is greater than host memory, adjusting to host memory");
-                mem_size = host_memory
-            }
-
-            if max_mem_size == 0 || max_mem_size > host_memory {
-                max_mem_size = host_memory
-            }
-        } else {
-            warn!(sl!(), "Failed to get host memory size, cannot verify or adjust configuration.toml's 'default_maxmemory'");
-
-            if max_mem_size == 0 {
-                max_mem_size = mem_size;
-            };
-        }
+        let mem_size = config.memory_info.default_memory as u64;
+        let max_mem_size = config.memory_info.default_maxmemory as u64;
 
         // Memory sizes are given in megabytes in configuration.toml so we
         // need to convert them to bytes for storage.
@@ -300,6 +279,18 @@ impl Memory {
         self.memory_backend_file = Some(mem_file.clone());
         self
     }
+
+    #[allow(dead_code)]
+    fn set_maxmem_size(&mut self, max_size: u64) -> &mut Self {
+        self.max_size = max_size;
+        self
+    }
+
+    #[allow(dead_code)]
+    fn set_num_slots(&mut self, num_slots: u32) -> &mut Self {
+        self.num_slots = num_slots;
+        self
+    }
 }
 
 #[async_trait]
@@ -1888,6 +1879,7 @@ struct ObjectSevSnpGuest {
     reduced_phys_bits: u32,
     kernel_hashes: bool,
     host_data: Option<String>,
+    policy: u32,
     is_snp: bool,
 }
 
@@ -1899,9 +1891,15 @@ impl ObjectSevSnpGuest {
             reduced_phys_bits,
             kernel_hashes: true,
             host_data,
+            policy: 0x30000,
             is_snp,
         }
     }
+
+    fn set_policy(&mut self, policy: u32) -> &mut Self {
+        self.policy = policy;
+        self
+    }
 }
 
 #[async_trait]
@@ -1924,6 +1922,7 @@ impl ToQemuParams for ObjectSevSnpGuest {
                 "kernel-hashes={}",
                 if self.kernel_hashes { "on" } else { "off" }
             ));
+            params.push(format!("policy=0x{:x}", self.policy));
             if let Some(host_data) = &self.host_data {
                 params.push(format!("host-data={host_data}"))
             }
@@ -2579,13 +2578,19 @@ impl<'a> QemuCmdLine<'a> {
         firmware: &str,
         host_data: &Option<String>,
     ) {
-        let sev_snp_object =
+        // For SEV-SNP, memory overcommit is not supported. we only set the memory size.
+        self.memory.set_maxmem_size(0).set_num_slots(0);
+
+        let mut sev_snp_object =
             ObjectSevSnpGuest::new(true, cbitpos, phys_addr_reduction, host_data.clone());
+        sev_snp_object.set_policy(self.config.security_info.snp_guest_policy);
+
         self.devices.push(Box::new(sev_snp_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
 
         self.machine
+            .set_kernel_irqchip("split")
             .set_confidential_guest_support("snp")
             .set_nvdimm(false);
 

src/runtime-rs/crates/persist/Cargo.toml

@@ -8,12 +8,10 @@ license = { workspace = true }
 [dependencies]
 async-trait = { workspace = true }
 anyhow = { workspace = true }
-libc = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
 # Local dependencies
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
-shim-interface = { workspace = true }
 safe-path = { workspace = true }

src/runtime-rs/crates/resource/Cargo.toml

@@ -15,7 +15,6 @@ test-utils = { workspace = true }
 actix-rt = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-bitflags = "2.9.0"
 byte-unit = "5.1.6"
 cgroups-rs = { version = "0.5.0", features = ["oci"] }
 futures = "0.3.11"
@@ -41,7 +40,6 @@ hex = "0.4"
 
 ## Dependencies from `rust-netlink`
 netlink-packet-route = "0.26"
-netlink-sys = "0.8"
 rtnetlink = "0.19"
 
 # Local dependencies
@@ -54,3 +52,7 @@ persist = { workspace = true }
 tests_utils = { workspace = true }
 
 [features]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -26,7 +26,6 @@ opentelemetry-jaeger = { version = "0.17.0", features = [
 ] }
 tracing-subscriber = { version = "0.3", features = ["registry", "std"] }
 hyper = { workspace = true, features = ["stream", "server", "http1"] }
-hyperlocal = { workspace = true }
 serde_json = { workspace = true }
 nix = "0.25.0"
 url = { workspace = true }

src/runtime-rs/crates/runtimes/common/Cargo.toml

@@ -11,20 +11,14 @@ license = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["sandbox"] }
-lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
-serde_json = { workspace = true }
-slog = { workspace = true }
-slog-scope = { workspace = true }
 strum = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
-ttrpc = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
-persist = { workspace = true }
 agent = { workspace = true }
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }

src/runtime-rs/crates/runtimes/virt_container/Cargo.toml

@@ -10,8 +10,6 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 awaitgroup = "0.6.0"
 containerd-shim-protos = { workspace = true }
-futures = "0.3.19"
-lazy_static = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
@@ -21,9 +19,7 @@ serde_json = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true }
-toml = "0.4.2"
 url = { workspace = true }
-async-std = "1.12.0"
 tracing = { workspace = true }
 oci-spec = { workspace = true }
 strum = { workspace = true }
@@ -48,3 +44,7 @@ cloud-hypervisor = ["hypervisor/cloud-hypervisor"]
 
 # Enable the build-in VMM Dragtonball
 dragonball = ["hypervisor/dragonball"]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/service/Cargo.toml

@@ -11,7 +11,6 @@ async-trait = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
-tracing = { workspace = true }
 ttrpc = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["async", "sandbox"] }
 containerd-shim = { workspace = true }
@@ -21,4 +20,7 @@ common = { workspace = true }
 logging = { workspace = true }
 kata-types = { workspace = true }
 runtimes = { workspace = true }
-persist = { workspace = true }
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/shim-ctl/Cargo.toml

@@ -9,9 +9,8 @@ license = { workspace = true }
 
 [dependencies]
 anyhow = { workspace = true }
-tokio = { workspace = true, features = [ "rt", "rt-multi-thread" ] }
+tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 
 # Local dependencies
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/shim/Cargo.toml

@@ -36,8 +36,6 @@ slog-stdlog = "4.1.0"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 unix_socket2 = "0.5.4"
-tracing = { workspace = true }
-tracing-opentelemetry = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
@@ -46,12 +44,7 @@ kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
 service = { workspace = true }
-runtimes = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }
-rand = { workspace = true }
 serial_test = "0.10.0"
-
-# Local dev-dependencies
-tests_utils = { workspace = true }

src/runtime/Makefile

@@ -272,6 +272,7 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
+DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -764,6 +765,7 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
+USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH

src/runtime/arch/s390x-options.mk

@@ -18,3 +18,6 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
+
+# Enable virtio-mem for s390x
+DEFENABLEVIRTIOMEM = true

src/runtime/cmd/kata-monitor/main.go

@@ -196,7 +196,7 @@ func indexPageText(w http.ResponseWriter, r *http.Request) {
 	formatter := fmt.Sprintf("%%-%ds: %%s\n", spacing)
 
 	for _, endpoint := range endpoints {
-		w.Write([]byte(fmt.Sprintf(formatter, endpoint.path, endpoint.desc)))
+		fmt.Fprintf(w, formatter, endpoint.path, endpoint.desc)
 	}
 }
 

src/runtime/cmd/kata-runtime/kata-check_amd64.go

@@ -63,7 +63,7 @@ func setCPUtype(hypervisorType vc.HypervisorType) error {
 	cpuType = getCPUtype()
 
 	if cpuType == cpuTypeUnknown {
-		return fmt.Errorf("Unknow CPU Type")
+		return fmt.Errorf("Unknown CPU Type")
 	} else if cpuType == cpuTypeIntel {
 		var kvmIntelParams map[string]string
 		onVMM, err := vc.RunningOnVMM(procCPUInfo)

src/runtime/cmd/kata-runtime/kata-check_amd64_test.go

@@ -55,18 +55,17 @@ func TestCCCheckCLIFunction(t *testing.T) {
 	var moduleData []testModuleData
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	moduleData = []testModuleData{}
+
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{archGenuineIntel, "lm vmx sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{archAuthenticAMD, "lm svm sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
 	}
 
 	genericCheckCLIFunction(t, cpuData, moduleData)
@@ -276,7 +275,8 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 	var moduleData []testModuleData
 	cpuType = getCPUtype()
 
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"Intel", "", true},
@@ -292,7 +292,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/nested"), "Y", false},
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/unrestricted_guest"), "Y", false},
 		}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"AMD", "", true},
@@ -340,7 +340,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 		// Write the following into the denylist file
 		// blacklist <mod>
 		// install <mod> /bin/false
-		_, err = denylistFile.WriteString(fmt.Sprintf("blacklist %s\ninstall %s /bin/false\n", mod, mod))
+		_, err = fmt.Fprintf(denylistFile, "blacklist %s\ninstall %s /bin/false\n", mod, mod)
 		assert.Nil(err)
 	}
 	denylistFile.Close()
@@ -505,9 +505,10 @@ func TestSetCPUtype(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-check_test.go

@@ -17,7 +17,6 @@ import (
 	"testing"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
-	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/sirupsen/logrus"
@@ -509,7 +508,7 @@ func TestCheckCheckCPUAttribs(t *testing.T) {
 }
 
 func TestCheckHaveKernelModule(t *testing.T) {
-	if tc.NotValid(ktu.NeedRoot()) {
+	if tc.NotValid(katatestutils.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
 
@@ -638,8 +637,8 @@ func TestCheckCheckKernelModules(t *testing.T) {
 func TestCheckCheckKernelModulesUnreadableFile(t *testing.T) {
 	assert := assert.New(t)
 
-	if tc.NotValid(ktu.NeedNonRoot()) {
-		t.Skip(ktu.TestDisabledNeedNonRoot)
+	if tc.NotValid(katatestutils.NeedNonRoot()) {
+		t.Skip(katatestutils.TestDisabledNeedNonRoot)
 	}
 
 	dir := t.TempDir()

src/runtime/cmd/kata-runtime/kata-env_amd64_test.go

@@ -56,9 +56,10 @@ func TestEnvGetEnvInfoSetsCPUType(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-env_test.go

@@ -14,7 +14,6 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
-	goruntime "runtime"
 	"strings"
 	"testing"
 
@@ -184,7 +183,7 @@ func genericGetExpectedHostDetails(tmpdir string, expectedVendor string, expecte
 	}
 
 	const expectedKernelVersion = "99.1"
-	const expectedArch = goruntime.GOARCH
+	const expectedArch = runtime.GOARCH
 
 	expectedDistro := DistroInfo{
 		Name:    "Foo",
@@ -254,7 +253,7 @@ VERSION_ID="%s"
 		}
 	}
 
-	if goruntime.GOARCH == "arm64" {
+	if runtime.GOARCH == "arm64" {
 		expectedHostDetails.CPU.Vendor = "ARM Limited"
 		expectedHostDetails.CPU.Model = "v8"
 	}

src/runtime/cmd/kata-runtime/kata-iptables.go

@@ -55,9 +55,9 @@ var getIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}
 		body, err := shimclient.DoGet(sandboxID, defaultTimeout, url)
 		if err != nil {
@@ -108,9 +108,9 @@ var setIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {

src/runtime/cmd/kata-runtime/kata-policy.go

@@ -62,7 +62,7 @@ var setPolicyCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.PolicyUrl
+		url := containerdshim.PolicyURL
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
 			return fmt.Errorf("Error observed when making policy-set request(%s): %s", policyFile, err)

src/runtime/cmd/kata-runtime/kata-volume.go

@@ -126,7 +126,7 @@ var resizeCommand = cli.Command{
 
 // Stats retrieves the filesystem stats of the direct volume inside the guest.
 func Stats(volumePath string) ([]byte, error) {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +136,8 @@ func Stats(volumePath string) ([]byte, error) {
 	}
 
 	urlSafeDevicePath := url.PathEscape(volumeMountInfo.Device)
-	body, err := shimclient.DoGet(sandboxId, defaultTimeout,
-		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatUrl, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout,
+		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatURL, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +146,7 @@ func Stats(volumePath string) ([]byte, error) {
 
 // Resize resizes a direct volume inside the guest.
 func Resize(volumePath string, size uint64) error {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return err
 	}
@@ -163,5 +163,5 @@ func Resize(volumePath string, size uint64) error {
 	if err != nil {
 		return err
 	}
-	return shimclient.DoPost(sandboxId, defaultTimeout, containerdshim.DirectVolumeResizeUrl, "application/json", encoded)
+	return shimclient.DoPost(sandboxID, defaultTimeout, containerdshim.DirectVolumeResizeURL, "application/json", encoded)
 }

src/runtime/cmd/kata-runtime/release.go

@@ -94,11 +94,12 @@ func releaseURLIsValid(url string) error {
 func getReleaseURL(currentVersion semver.Version) (url string, err error) {
 	major := currentVersion.Major
 
-	if major == 0 {
+	switch major {
+	case 0:
 		return "", fmt.Errorf("invalid current version: %v", currentVersion)
-	} else if major == 1 {
+	case 1:
 		url = kataLegacyReleaseURL
-	} else {
+	default:
 		url = kataReleaseURL
 	}
 

src/runtime/config/configuration-qemu.toml.in

@@ -142,7 +142,7 @@ memory_offset = 0
 # Please note that this option should be used with the command
 # "echo 1 > /proc/sys/vm/overcommit_memory".
 # Default false
-enable_virtio_mem = false
+enable_virtio_mem = @DEFENABLEVIRTIOMEM@
 
 # Disable hotplugging host block devices to guest VMs for container rootfs.
 # In case of a storage driver like devicemapper where a container's

src/runtime/go.mod

@@ -8,7 +8,7 @@ go 1.24.13
 
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5
-	github.com/BurntSushi/toml v1.5.0
+	github.com/BurntSushi/toml v1.6.0
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/blang/semver/v4 v4.0.0
 	github.com/container-orchestrated-devices/container-device-interface v0.6.0
@@ -26,7 +26,7 @@ require (
 	github.com/docker/go-units v0.5.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-ini/ini v1.67.0
-	github.com/go-openapi/errors v0.22.1
+	github.com/go-openapi/errors v0.22.6
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.1

src/runtime/go.sum

@@ -8,8 +8,9 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
+github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -106,8 +107,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
 github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
-github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU=
-github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0=
+github.com/go-openapi/errors v0.22.6 h1:eDxcf89O8odEnohIXwEjY1IB4ph5vmbUsBMsFNwXWPo=
+github.com/go-openapi/errors v0.22.6/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
@@ -122,6 +123,8 @@ github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMg
 github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
 github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
 github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=

src/runtime/pkg/containerd-shim-v2/create.go

@@ -40,7 +40,6 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
-	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
@@ -52,7 +51,7 @@ var defaultStartManagementServerFunc startManagementServerFunc = func(s *service
 	shimLog.Info("management server started")
 }
 
-func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
+func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
 	for _, o := range rootFs.Options {
 		if !strings.HasPrefix(o, annotations.FileSystemLayer) {
 			continue
@@ -75,7 +74,7 @@ func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
 }
 
 func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) {
-	rootFs := vc.RootFs{}
+	rootFs := virtcontainers.RootFs{}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
 		rootFs.Source = m.Source
@@ -108,7 +107,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 	}
 
 	switch containerType {
-	case vc.PodSandbox, vc.SingleContainer:
+	case virtcontainers.PodSandbox, virtcontainers.SingleContainer:
 		if s.sandbox != nil {
 			return nil, fmt.Errorf("cannot create another sandbox in sandbox: %s", s.sandbox.ID())
 		}
@@ -151,7 +150,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 		//   2. If this is not a sandbox infrastructure container, but instead a standalone single container (analogous to "docker run..."),
 		//	then the container spec itself will contain appropriate sizing information for the entire sandbox (since it is
 		//	a single container.
-		if containerType == vc.PodSandbox {
+		if containerType == virtcontainers.PodSandbox {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateSandboxSizing(ociSpec)
 		} else {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateContainerSizing(ociSpec)
@@ -203,7 +202,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 			defaultStartManagementServerFunc(s, ctx, ociSpec)
 		}
 
-	case vc.PodContainer:
+	case virtcontainers.PodContainer:
 		span, ctx := katatrace.Trace(s.ctx, shimLog, "create", shimTracingTags)
 		defer span.End()
 
@@ -325,7 +324,7 @@ func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
 			return false, nil
 		}
 
-		if vc.IsNydusRootFSType(m.Type) {
+		if virtcontainers.IsNydusRootFSType(m.Type) {
 			// if kata + nydus, do not mount
 			return false, nil
 		}
@@ -361,7 +360,7 @@ func doMount(mounts []*containerd_types.Mount, rootfs string) error {
 	return nil
 }
 
-func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId string) error {
+func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID string) error {
 	userName, err := utils.CreateVmmUser()
 	if err != nil {
 		return err
@@ -370,7 +369,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		if err != nil {
 			shimLog.WithFields(logrus.Fields{
 				"user_name":  userName,
-				"sandbox_id": sandboxId,
+				"sandbox_id": sandboxID,
 			}).WithError(err).Warn("configure non root hypervisor failed, delete the user")
 			if err2 := utils.RemoveVmmUser(userName); err2 != nil {
 				shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user")
@@ -398,7 +397,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		"user_name":  userName,
 		"uid":        uid,
 		"gid":        gid,
-		"sandbox_id": sandboxId,
+		"sandbox_id": sandboxID,
 	}).Debug("successfully created a non root user for the hypervisor")
 
 	userTmpDir := path.Join("/run/user/", fmt.Sprint(uid))
@@ -410,7 +409,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		}
 	}
 
-	if err = os.Mkdir(userTmpDir, vc.DirMode); err != nil {
+	if err = os.Mkdir(userTmpDir, virtcontainers.DirMode); err != nil {
 		return err
 	}
 	defer func() {

src/runtime/pkg/containerd-shim-v2/shim_management.go

@@ -34,13 +34,13 @@ import (
 
 const (
 	DirectVolumePathKey   = "path"
-	AgentUrl              = "/agent-url"
-	DirectVolumeStatUrl   = "/direct-volume/stats"
-	DirectVolumeResizeUrl = "/direct-volume/resize"
-	IPTablesUrl           = "/iptables"
-	PolicyUrl             = "/policy"
-	IP6TablesUrl          = "/ip6tables"
-	MetricsUrl            = "/metrics"
+	AgentURL              = "/agent-url"
+	DirectVolumeStatURL   = "/direct-volume/stats"
+	DirectVolumeResizeURL = "/direct-volume/resize"
+	IPTablesURL           = "/iptables"
+	PolicyURL             = "/policy"
+	IP6TablesURL          = "/ip6tables"
+	MetricsURL            = "/metrics"
 )
 
 var (
@@ -288,13 +288,13 @@ func (s *service) startManagementServer(ctx context.Context, ociSpec *specs.Spec
 
 	// bind handler
 	m := http.NewServeMux()
-	m.Handle(MetricsUrl, http.HandlerFunc(s.serveMetrics))
-	m.Handle(AgentUrl, http.HandlerFunc(s.agentURL))
-	m.Handle(DirectVolumeStatUrl, http.HandlerFunc(s.serveVolumeStats))
-	m.Handle(DirectVolumeResizeUrl, http.HandlerFunc(s.serveVolumeResize))
-	m.Handle(IPTablesUrl, http.HandlerFunc(s.ipTablesHandler))
-	m.Handle(PolicyUrl, http.HandlerFunc(s.policyHandler))
-	m.Handle(IP6TablesUrl, http.HandlerFunc(s.ip6TablesHandler))
+	m.Handle(MetricsURL, http.HandlerFunc(s.serveMetrics))
+	m.Handle(AgentURL, http.HandlerFunc(s.agentURL))
+	m.Handle(DirectVolumeStatURL, http.HandlerFunc(s.serveVolumeStats))
+	m.Handle(DirectVolumeResizeURL, http.HandlerFunc(s.serveVolumeResize))
+	m.Handle(IPTablesURL, http.HandlerFunc(s.ipTablesHandler))
+	m.Handle(PolicyURL, http.HandlerFunc(s.policyHandler))
+	m.Handle(IP6TablesURL, http.HandlerFunc(s.ip6TablesHandler))
 	s.mountPprofHandle(m, ociSpec)
 
 	// register shim metrics
@@ -373,7 +373,7 @@ func ClientSocketAddress(id string) (string, error) {
 	if _, err := os.Stat(socketPath); err != nil {
 		socketPath = SocketPathRust(id)
 		if _, err := os.Stat(socketPath); err != nil {
-			return "", fmt.Errorf("It fails to stat both %s and %s with error %v.", SocketPathGo(id), SocketPathRust(id), err)
+			return "", fmt.Errorf("it fails to stat both %s and %s with error %v", SocketPathGo(id), SocketPathRust(id), err)
 		}
 	}
 

src/runtime/pkg/device/drivers/vfio.go

@@ -139,7 +139,7 @@ func (device *VFIODevice) Detach(ctx context.Context, devReceiver api.DeviceRece
 		}
 	}()
 
-	if device.GenericDevice.DeviceInfo.ColdPlug {
+	if device.DeviceInfo.ColdPlug {
 		// nothing to detach, device was cold plugged
 		deviceLogger().WithFields(logrus.Fields{
 			"device-group": device.DeviceInfo.HostPath,
@@ -264,7 +264,7 @@ func GetVFIODetails(deviceFileName, iommuDevicesPath string) (deviceBDF, deviceS
 // getMediatedBDF returns the BDF of a VF
 // Expected input string format is /sys/devices/pci0000:d7/BDF0/BDF1/.../MDEVBDF/UUID
 func getMediatedBDF(deviceSysfsDev string) string {
-	tokens := strings.SplitN(deviceSysfsDev, "/", -1)
+	tokens := strings.Split(deviceSysfsDev, "/")
 	if len(tokens) < 4 {
 		return ""
 	}

src/runtime/pkg/device/manager/manager.go

@@ -59,15 +59,11 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserReconnectTimeout: vhostUserReconnect,
 		devices:                   make(map[string]api.Device),
 	}
-	if blockDriver == config.VirtioMmio {
-		dm.blockDriver = config.VirtioMmio
-	} else if blockDriver == config.VirtioBlock {
-		dm.blockDriver = config.VirtioBlock
-	} else if blockDriver == config.Nvdimm {
-		dm.blockDriver = config.Nvdimm
-	} else if blockDriver == config.VirtioBlockCCW {
-		dm.blockDriver = config.VirtioBlockCCW
-	} else {
+
+	switch blockDriver {
+	case config.VirtioMmio, config.VirtioBlock, config.Nvdimm, config.VirtioBlockCCW:
+		dm.blockDriver = blockDriver
+	default:
 		dm.blockDriver = config.VirtioSCSI
 	}
 

src/runtime/pkg/direct-volume/utils.go

@@ -99,18 +99,18 @@ func VolumeMountInfo(volumePath string) (*MountInfo, error) {
 	return &mountInfo, nil
 }
 
-// RecordSandboxId associates a sandbox id with a direct volume.
-func RecordSandboxId(sandboxId string, volumePath string) error {
+// RecordSandboxID associates a sandbox id with a direct volume.
+func RecordSandboxID(sandboxID string, volumePath string) error {
 	encodedPath := b64.URLEncoding.EncodeToString([]byte(volumePath))
 	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, encodedPath, mountInfoFileName)
 	if _, err := os.Stat(mountInfoFilePath); err != nil {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxId), []byte(""), 0600)
+	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxID), []byte(""), 0600)
 }
 
-func GetSandboxIdForVolume(volumePath string) (string, error) {
+func GetSandboxIDForVolume(volumePath string) (string, error) {
 	files, err := os.ReadDir(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
 	if err != nil {
 		return "", err

src/runtime/pkg/direct-volume/utils_test.go

@@ -56,7 +56,7 @@ func TestAdd(t *testing.T) {
 	assert.Nil(t, err)
 }
 
-func TestRecordSandboxId(t *testing.T) {
+func TestRecordSandboxID(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
@@ -73,22 +73,22 @@ func TestRecordSandboxId(t *testing.T) {
 	// Add the mount info
 	assert.Nil(t, Add(volumePath, string(buf)))
 
-	sandboxId := uuid.Generate().String()
-	err = RecordSandboxId(sandboxId, volumePath)
+	sandboxID := uuid.Generate().String()
+	err = RecordSandboxID(sandboxID, volumePath)
 	assert.Nil(t, err)
 
-	id, err := GetSandboxIdForVolume(volumePath)
+	id, err := GetSandboxIDForVolume(volumePath)
 	assert.Nil(t, err)
-	assert.Equal(t, sandboxId, id)
+	assert.Equal(t, sandboxID, id)
 }
 
-func TestRecordSandboxIdNoMountInfoFile(t *testing.T) {
+func TestRecordSandboxIDNoMountInfoFile(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
 	var volumePath = "/a/b/c"
-	sandboxId := uuid.Generate().String()
-	err = RecordSandboxId(sandboxId, volumePath)
+	sandboxID := uuid.Generate().String()
+	err = RecordSandboxID(sandboxID, volumePath)
 	assert.Error(t, err)
 	assert.True(t, errors.Is(err, os.ErrNotExist))
 }

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: golangci-lint

src/runtime/pkg/govmm/qemu/qemu.go

@@ -496,8 +496,8 @@ type TdxQomObject struct {
 	Debug                 *bool         `json:"debug,omitempty"`
 }
 
-func (this *SocketAddress) String() string {
-	b, err := json.Marshal(*this)
+func (s *SocketAddress) String() string {
+	b, err := json.Marshal(*s)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal SocketAddress object: %s", err.Error())
@@ -507,8 +507,8 @@ func (this *SocketAddress) String() string {
 	return string(b)
 }
 
-func (this *TdxQomObject) String() string {
-	b, err := json.Marshal(*this)
+func (t *TdxQomObject) String() string {
+	b, err := json.Marshal(*t)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal TDX QOM object: %s", err.Error())

src/runtime/pkg/govmm/qemu/qmp.go

@@ -1446,11 +1446,18 @@ func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, si
 		"memdev": id,
 	}
 
-	if bus != "" {
-		args["bus"] = bus
-	}
-	if addr != "" {
-		args["addr"] = addr
+	var transport VirtioTransport
+	if transport.isVirtioCCW(nil) {
+		if addr != "" {
+			args["devno"] = addr
+		}
+	} else {
+		if bus != "" {
+			args["bus"] = bus
+		}
+		if addr != "" {
+			args["addr"] = addr
+		}
 	}
 
 	err = q.executeCommand(ctx, "device_add", args, nil)

src/runtime/pkg/kata-monitor/metrics.go

@@ -259,7 +259,7 @@ func (km *KataMonitor) aggregateSandboxMetrics(encoder expfmt.Encoder, filterFam
 }
 
 func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*dto.MetricFamily, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +269,7 @@ func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*
 
 // GetSandboxMetrics will get sandbox's metrics from shim
 func GetSandboxMetrics(sandboxID string) (string, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
 	if err != nil {
 		return "", err
 	}

src/runtime/pkg/kata-monitor/metrics_test.go

@@ -138,9 +138,11 @@ func TestEncodeMetricFamily(t *testing.T) {
 			continue
 		}
 		// only check kata_monitor_running_shim_count and kata_monitor_scrape_count
-		if fields[0] == "kata_monitor_running_shim_count" {
+		switch fields[0] {
+		case "kata_monitor_running_shim_count":
 			assert.Equal("11", fields[1], "kata_monitor_running_shim_count should be 11")
-		} else if fields[0] == "kata_monitor_scrape_count" {
+
+		case "kata_monitor_scrape_count":
 			assert.Equal("2", fields[1], "kata_monitor_scrape_count should be 2")
 		}
 	}

src/runtime/pkg/kata-monitor/monitor.go

@@ -184,7 +184,7 @@ func (km *KataMonitor) GetAgentURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentUrl)
+	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentURL)
 	if err != nil {
 		commonServeError(w, http.StatusBadRequest, err)
 		return
@@ -206,14 +206,14 @@ func (km *KataMonitor) ListSandboxes(w http.ResponseWriter, r *http.Request) {
 
 func listSandboxesText(sandboxes []string, w http.ResponseWriter) {
 	for _, s := range sandboxes {
-		w.Write([]byte(fmt.Sprintf("%s\n", s)))
+		fmt.Fprintf(w, "%s\n", s)
 	}
 }
 func listSandboxesHtml(sandboxes []string, w http.ResponseWriter) {
 	w.Write([]byte("<h1>Sandbox list</h1>\n"))
 	w.Write([]byte("<ul>\n"))
 	for _, s := range sandboxes {
-		w.Write([]byte(fmt.Sprintf("<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)))
+		fmt.Fprintf(w, "<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)
 	}
 	w.Write([]byte("</ul>\n"))
 }

src/runtime/pkg/kata-monitor/pprof.go

@@ -98,7 +98,7 @@ func (km *KataMonitor) ExpvarHandler(w http.ResponseWriter, r *http.Request) {
 // PprofIndex handles other `/debug/pprof/` requests
 func (km *KataMonitor) PprofIndex(w http.ResponseWriter, r *http.Request) {
 	if len(strings.TrimPrefix(r.URL.Path, "/debug/pprof/")) == 0 {
-		km.proxyRequest(w, r, copyResponseAddingSandboxIdToHref)
+		km.proxyRequest(w, r, copyResponseAddingSandboxIDToHref)
 	} else {
 		km.proxyRequest(w, r, nil)
 	}
@@ -132,7 +132,7 @@ func copyResponse(req *http.Request, w io.Writer, r io.Reader) error {
 	return err
 }
 
-func copyResponseAddingSandboxIdToHref(req *http.Request, w io.Writer, r io.Reader) error {
+func copyResponseAddingSandboxIDToHref(req *http.Request, w io.Writer, r io.Reader) error {
 	sb, err := getSandboxIDFromReq(req)
 	if err != nil {
 		monitorLog.WithError(err).Warning("missing sandbox query in pprof url")

src/runtime/pkg/kata-monitor/pprof_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestCopyResponseAddingSandboxIdToHref(t *testing.T) {
+func TestCopyResponseAddingSandboxIDToHref(t *testing.T) {
 	assert := assert.New(t)
 
 	htmlIn := strings.NewReader(`
@@ -112,6 +112,6 @@ Profile Descriptions:
 
 	req := &http.Request{URL: &url.URL{RawQuery: "sandbox=1234567890"}}
 	buf := bytes.NewBuffer(nil)
-	copyResponseAddingSandboxIdToHref(req, buf, htmlIn)
+	copyResponseAddingSandboxIDToHref(req, buf, htmlIn)
 	assert.Equal(htmlExpected, buf)
 }

src/runtime/pkg/katatestutils/constraints.go

@@ -98,8 +98,8 @@ func getKernelVersion() (string, error) {
 // These kernel version can't be parsed by the current lib and lead to panic
 // therefore the '+' should be removed.
 func fixKernelVersion(version string) string {
-	version = strings.Replace(version, "_", "-", -1)
-	return strings.Replace(version, "+", "", -1)
+	version = strings.ReplaceAll(version, "_", "-")
+	return strings.ReplaceAll(version, "+", "")
 }
 
 // handleKernelVersion checks that the current kernel version is compatible with

src/runtime/pkg/katatestutils/utils.go

@@ -23,7 +23,7 @@ const (
 	testDirMode  = os.FileMode(0750)
 	testFileMode = os.FileMode(0640)
 
-	busyboxConfigJson = `
+	busyboxConfigJSON = `
 {
 	"ociVersion": "1.0.1-dev",
 	"process": {
@@ -359,7 +359,7 @@ func SetupOCIConfigFile(t *testing.T) (rootPath string, bundlePath, ociConfigFil
 	assert.NoError(err)
 
 	ociConfigFile = filepath.Join(bundlePath, "config.json")
-	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJson), testFileMode)
+	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJSON), testFileMode)
 	assert.NoError(err)
 
 	return tmpdir, bundlePath, ociConfigFile

src/runtime/pkg/katautils/config.go

@@ -22,7 +22,6 @@ import (
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
-	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	exp "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/experimental"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -1900,8 +1899,8 @@ func checkConfig(config oci.RuntimeConfig) error {
 // checkPCIeConfig ensures the PCIe configuration is valid.
 // Only allow one of the following settings for cold-plug:
 // no-port, root-port, switch-port
-func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType virtcontainers.HypervisorType) error {
-	if hypervisorType != virtcontainers.QemuHypervisor && hypervisorType != virtcontainers.ClhHypervisor {
+func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType vc.HypervisorType) error {
+	if hypervisorType != vc.QemuHypervisor && hypervisorType != vc.ClhHypervisor {
 		kataUtilsLogger.Warn("Advanced PCIe Topology only available for QEMU/CLH hypervisor, ignoring hot(cold)_vfio_port setting")
 		return nil
 	}
@@ -1917,7 +1916,7 @@ func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineT
 	if machineType != "q35" && machineType != "virt" {
 		return nil
 	}
-	if hypervisorType == virtcontainers.ClhHypervisor {
+	if hypervisorType == vc.ClhHypervisor {
 		if coldPlug != config.NoPort {
 			return fmt.Errorf("cold-plug not supported on CLH")
 		}

src/runtime/pkg/katautils/create_test.go

@@ -21,7 +21,6 @@ import (
 	config "github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
-	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/vcmock"
@@ -427,7 +426,7 @@ func TestVfioChecksClh(t *testing.T) {
 
 	// Check valid CLH vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.ClhHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.ClhHypervisor)
 	}
 	assert.NoError(f(config.NoPort, config.NoPort))
 	assert.NoError(f(config.NoPort, config.RootPort))
@@ -441,7 +440,7 @@ func TestVfioCheckQemu(t *testing.T) {
 
 	// Check valid Qemu vfio configs
 	f := func(coldPlug, hotPlug config.PCIePort) error {
-		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, virtcontainers.QemuHypervisor)
+		return checkPCIeConfig(coldPlug, hotPlug, defaultMachineType, vc.QemuHypervisor)
 	}
 
 	assert.NoError(f(config.NoPort, config.NoPort))

src/runtime/pkg/katautils/logger_test.go

@@ -90,7 +90,7 @@ func TestNewSystemLogHook(t *testing.T) {
 
 	output := string(bytes)
 	output = strings.TrimSpace(output)
-	output = strings.Replace(output, `"`, "", -1)
+	output = strings.ReplaceAll(output, `"`, "")
 
 	fields := strings.Fields(output)
 

src/runtime/pkg/oci/utils_test.go

@@ -1143,7 +1143,7 @@ func TestParseAnnotationBoolConfiguration(t *testing.T) {
 			ocispec := specs.Spec{
 				Annotations: map[string]string{tc.annotationKey: annotaionValue},
 			}
-			var val bool = false
+			val := false
 
 			err := newAnnotationConfiguration(ocispec, tc.annotationKey).setBool(func(v bool) {
 				val = v

src/runtime/pkg/utils/shimclient/shim_management_client.go

@@ -47,8 +47,8 @@ func buildUnixSocketClient(socketAddr string, timeout time.Duration) (*http.Clie
 	return client, nil
 }
 
-func DoGet(sandboxID string, timeoutInSeconds time.Duration, urlPath string) ([]byte, error) {
-	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
+func DoGet(sandboxID string, timeout time.Duration, urlPath string) ([]byte, error) {
+	client, err := BuildShimClient(sandboxID, timeout)
 	if err != nil {
 		return nil, err
 	}
@@ -71,8 +71,8 @@ func DoGet(sandboxID string, timeoutInSeconds time.Duration, urlPath string) ([]
 }
 
 // DoPut will make a PUT request to the shim endpoint that handles the given sandbox ID
-func DoPut(sandboxID string, timeoutInSeconds time.Duration, urlPath, contentType string, payload []byte) error {
-	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
+func DoPut(sandboxID string, timeout time.Duration, urlPath, contentType string, payload []byte) error {
+	client, err := BuildShimClient(sandboxID, timeout)
 	if err != nil {
 		return err
 	}
@@ -103,8 +103,8 @@ func DoPut(sandboxID string, timeoutInSeconds time.Duration, urlPath, contentTyp
 }
 
 // DoPost will make a POST request to the shim endpoint that handles the given sandbox ID
-func DoPost(sandboxID string, timeoutInSeconds time.Duration, urlPath, contentType string, payload []byte) error {
-	client, err := BuildShimClient(sandboxID, timeoutInSeconds)
+func DoPost(sandboxID string, timeout time.Duration, urlPath, contentType string, payload []byte) error {
+	client, err := BuildShimClient(sandboxID, timeout)
 	if err != nil {
 		return err
 	}

src/runtime/vendor/github.com/BurntSushi/toml/README.md

@@ -1,7 +1,7 @@
 TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
 reflection interface similar to Go's standard library `json` and `xml` packages.
 
-Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).
+Compatible with TOML version [v1.1.0](https://toml.io/en/v1.1.0).
 
 Documentation: https://pkg.go.dev/github.com/BurntSushi/toml
 

src/runtime/vendor/github.com/BurntSushi/toml/decode.go

@@ -206,6 +206,13 @@ func markDecodedRecursive(md *MetaData, tmap map[string]any) {
 			markDecodedRecursive(md, tmap)
 			md.context = md.context[0 : len(md.context)-1]
 		}
+		if tarr, ok := tmap[key].([]map[string]any); ok {
+			for _, elm := range tarr {
+				md.context = append(md.context, key)
+				markDecodedRecursive(md, elm)
+				md.context = md.context[0 : len(md.context)-1]
+			}
+		}
 	}
 }
 
@@ -423,7 +430,7 @@ func (md *MetaData) unifyString(data any, rv reflect.Value) error {
 		if i, ok := data.(int64); ok {
 			rv.SetString(strconv.FormatInt(i, 10))
 		} else if f, ok := data.(float64); ok {
-			rv.SetString(strconv.FormatFloat(f, 'f', -1, 64))
+			rv.SetString(strconv.FormatFloat(f, 'g', -1, 64))
 		} else {
 			return md.badtype("string", data)
 		}

src/runtime/vendor/github.com/BurntSushi/toml/encode.go

@@ -228,9 +228,9 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 		}
 		switch v.Location() {
 		default:
-			enc.wf(v.Format(format))
+			enc.write(v.Format(format))
 		case internal.LocalDatetime, internal.LocalDate, internal.LocalTime:
-			enc.wf(v.In(time.UTC).Format(format))
+			enc.write(v.In(time.UTC).Format(format))
 		}
 		return
 	case Marshaler:
@@ -279,40 +279,40 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 	case reflect.String:
 		enc.writeQuoted(rv.String())
 	case reflect.Bool:
-		enc.wf(strconv.FormatBool(rv.Bool()))
+		enc.write(strconv.FormatBool(rv.Bool()))
 	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		enc.wf(strconv.FormatInt(rv.Int(), 10))
+		enc.write(strconv.FormatInt(rv.Int(), 10))
 	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
-		enc.wf(strconv.FormatUint(rv.Uint(), 10))
+		enc.write(strconv.FormatUint(rv.Uint(), 10))
 	case reflect.Float32:
 		f := rv.Float()
 		if math.IsNaN(f) {
 			if math.Signbit(f) {
-				enc.wf("-")
+				enc.write("-")
 			}
-			enc.wf("nan")
+			enc.write("nan")
 		} else if math.IsInf(f, 0) {
 			if math.Signbit(f) {
-				enc.wf("-")
+				enc.write("-")
 			}
-			enc.wf("inf")
+			enc.write("inf")
 		} else {
-			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32)))
+			enc.write(floatAddDecimal(strconv.FormatFloat(f, 'g', -1, 32)))
 		}
 	case reflect.Float64:
 		f := rv.Float()
 		if math.IsNaN(f) {
 			if math.Signbit(f) {
-				enc.wf("-")
+				enc.write("-")
 			}
-			enc.wf("nan")
+			enc.write("nan")
 		} else if math.IsInf(f, 0) {
 			if math.Signbit(f) {
-				enc.wf("-")
+				enc.write("-")
 			}
-			enc.wf("inf")
+			enc.write("inf")
 		} else {
-			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64)))
+			enc.write(floatAddDecimal(strconv.FormatFloat(f, 'g', -1, 64)))
 		}
 	case reflect.Array, reflect.Slice:
 		enc.eArrayOrSliceElement(rv)
@@ -330,27 +330,32 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 // By the TOML spec, all floats must have a decimal with at least one number on
 // either side.
 func floatAddDecimal(fstr string) string {
-	if !strings.Contains(fstr, ".") {
-		return fstr + ".0"
+	for _, c := range fstr {
+		if c == 'e' { // Exponent syntax
+			return fstr
+		}
+		if c == '.' {
+			return fstr
+		}
 	}
-	return fstr
+	return fstr + ".0"
 }
 
 func (enc *Encoder) writeQuoted(s string) {
-	enc.wf("\"%s\"", dblQuotedReplacer.Replace(s))
+	enc.write(`"` + dblQuotedReplacer.Replace(s) + `"`)
 }
 
 func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
 	length := rv.Len()
-	enc.wf("[")
+	enc.write("[")
 	for i := 0; i < length; i++ {
 		elem := eindirect(rv.Index(i))
 		enc.eElement(elem)
 		if i != length-1 {
-			enc.wf(", ")
+			enc.write(", ")
 		}
 	}
-	enc.wf("]")
+	enc.write("]")
 }
 
 func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
@@ -363,7 +368,7 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
 			continue
 		}
 		enc.newline()
-		enc.wf("%s[[%s]]", enc.indentStr(key), key)
+		enc.writef("%s[[%s]]", enc.indentStr(key), key)
 		enc.newline()
 		enc.eMapOrStruct(key, trv, false)
 	}
@@ -376,7 +381,7 @@ func (enc *Encoder) eTable(key Key, rv reflect.Value) {
 		enc.newline()
 	}
 	if len(key) > 0 {
-		enc.wf("%s[%s]", enc.indentStr(key), key)
+		enc.writef("%s[%s]", enc.indentStr(key), key)
 		enc.newline()
 	}
 	enc.eMapOrStruct(key, rv, false)
@@ -422,7 +427,7 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 			if inline {
 				enc.writeKeyValue(Key{mapKey.String()}, val, true)
 				if trailC || i != len(mapKeys)-1 {
-					enc.wf(", ")
+					enc.write(", ")
 				}
 			} else {
 				enc.encode(key.add(mapKey.String()), val)
@@ -431,12 +436,12 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	}
 
 	if inline {
-		enc.wf("{")
+		enc.write("{")
 	}
 	writeMapKeys(mapKeysDirect, len(mapKeysSub) > 0)
 	writeMapKeys(mapKeysSub, false)
 	if inline {
-		enc.wf("}")
+		enc.write("}")
 	}
 }
 
@@ -534,7 +539,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 			if inline {
 				enc.writeKeyValue(Key{keyName}, fieldVal, true)
 				if fieldIndex[0] != totalFields-1 {
-					enc.wf(", ")
+					enc.write(", ")
 				}
 			} else {
 				enc.encode(key.add(keyName), fieldVal)
@@ -543,14 +548,14 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	}
 
 	if inline {
-		enc.wf("{")
+		enc.write("{")
 	}
 
 	l := len(fieldsDirect) + len(fieldsSub)
 	writeFields(fieldsDirect, l)
 	writeFields(fieldsSub, l)
 	if inline {
-		enc.wf("}")
+		enc.write("}")
 	}
 }
 
@@ -700,7 +705,7 @@ func isEmpty(rv reflect.Value) bool {
 
 func (enc *Encoder) newline() {
 	if enc.hasWritten {
-		enc.wf("\n")
+		enc.write("\n")
 	}
 }
 
@@ -722,14 +727,22 @@ func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
 		enc.eElement(val)
 		return
 	}
-	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
+	enc.writef("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
 	enc.eElement(val)
 	if !inline {
 		enc.newline()
 	}
 }
 
-func (enc *Encoder) wf(format string, v ...any) {
+func (enc *Encoder) write(s string) {
+	_, err := enc.w.WriteString(s)
+	if err != nil {
+		encPanic(err)
+	}
+	enc.hasWritten = true
+}
+
+func (enc *Encoder) writef(format string, v ...any) {
 	_, err := fmt.Fprintf(enc.w, format, v...)
 	if err != nil {
 		encPanic(err)

src/runtime/vendor/github.com/BurntSushi/toml/lex.go

@@ -13,7 +13,6 @@ type itemType int
 
 const (
 	itemError itemType = iota
-	itemNIL            // used in the parser to indicate no type
 	itemEOF
 	itemText
 	itemString
@@ -47,14 +46,13 @@ func (p Position) String() string {
 }
 
 type lexer struct {
-	input    string
-	start    int
-	pos      int
-	line     int
-	state    stateFn
-	items    chan item
-	tomlNext bool
-	esc      bool
+	input string
+	start int
+	pos   int
+	line  int
+	state stateFn
+	items chan item
+	esc   bool
 
 	// Allow for backing up up to 4 runes. This is necessary because TOML
 	// contains 3-rune tokens (""" and ''').
@@ -90,14 +88,13 @@ func (lx *lexer) nextItem() item {
 	}
 }
 
-func lex(input string, tomlNext bool) *lexer {
+func lex(input string) *lexer {
 	lx := &lexer{
-		input:    input,
-		state:    lexTop,
-		items:    make(chan item, 10),
-		stack:    make([]stateFn, 0, 10),
-		line:     1,
-		tomlNext: tomlNext,
+		input: input,
+		state: lexTop,
+		items: make(chan item, 10),
+		stack: make([]stateFn, 0, 10),
+		line:  1,
 	}
 	return lx
 }
@@ -108,7 +105,7 @@ func (lx *lexer) push(state stateFn) {
 
 func (lx *lexer) pop() stateFn {
 	if len(lx.stack) == 0 {
-		return lx.errorf("BUG in lexer: no states to pop")
+		panic("BUG in lexer: no states to pop")
 	}
 	last := lx.stack[len(lx.stack)-1]
 	lx.stack = lx.stack[0 : len(lx.stack)-1]
@@ -305,6 +302,8 @@ func lexTop(lx *lexer) stateFn {
 		return lexTableStart
 	case eof:
 		if lx.pos > lx.start {
+			// TODO: never reached? I think this can only occur on a bug in the
+			// lexer(?)
 			return lx.errorf("unexpected EOF")
 		}
 		lx.emit(itemEOF)
@@ -392,8 +391,6 @@ func lexTableNameStart(lx *lexer) stateFn {
 func lexTableNameEnd(lx *lexer) stateFn {
 	lx.skip(isWhitespace)
 	switch r := lx.next(); {
-	case isWhitespace(r):
-		return lexTableNameEnd
 	case r == '.':
 		lx.ignore()
 		return lexTableNameStart
@@ -412,7 +409,7 @@ func lexTableNameEnd(lx *lexer) stateFn {
 // Lexes only one part, e.g. only 'a' inside 'a.b'.
 func lexBareName(lx *lexer) stateFn {
 	r := lx.next()
-	if isBareKeyChar(r, lx.tomlNext) {
+	if isBareKeyChar(r) {
 		return lexBareName
 	}
 	lx.backup()
@@ -420,23 +417,23 @@ func lexBareName(lx *lexer) stateFn {
 	return lx.pop()
 }
 
-// lexBareName lexes one part of a key or table.
-//
-// It assumes that at least one valid character for the table has already been
-// read.
+// lexQuotedName lexes one part of a quoted key or table name. It assumes that
+// it starts lexing at the quote itself (" or ').
 //
 // Lexes only one part, e.g. only '"a"' inside '"a".b'.
 func lexQuotedName(lx *lexer) stateFn {
 	r := lx.next()
 	switch {
-	case isWhitespace(r):
-		return lexSkip(lx, lexValue)
 	case r == '"':
 		lx.ignore() // ignore the '"'
 		return lexString
 	case r == '\'':
 		lx.ignore() // ignore the "'"
 		return lexRawString
+
+	// TODO: I don't think any of the below conditions can ever be reached?
+	case isWhitespace(r):
+		return lexSkip(lx, lexValue)
 	case r == eof:
 		return lx.errorf("unexpected EOF; expected value")
 	default:
@@ -464,17 +461,19 @@ func lexKeyStart(lx *lexer) stateFn {
 func lexKeyNameStart(lx *lexer) stateFn {
 	lx.skip(isWhitespace)
 	switch r := lx.peek(); {
-	case r == '=' || r == eof:
-		return lx.errorf("unexpected '='")
-	case r == '.':
-		return lx.errorf("unexpected '.'")
+	default:
+		lx.push(lexKeyEnd)
+		return lexBareName
 	case r == '"' || r == '\'':
 		lx.ignore()
 		lx.push(lexKeyEnd)
 		return lexQuotedName
-	default:
-		lx.push(lexKeyEnd)
-		return lexBareName
+
+	// TODO: I think these can never be reached?
+	case r == '=' || r == eof:
+		return lx.errorf("unexpected '='")
+	case r == '.':
+		return lx.errorf("unexpected '.'")
 	}
 }
 
@@ -485,7 +484,7 @@ func lexKeyEnd(lx *lexer) stateFn {
 	switch r := lx.next(); {
 	case isWhitespace(r):
 		return lexSkip(lx, lexKeyEnd)
-	case r == eof:
+	case r == eof: // TODO: never reached
 		return lx.errorf("unexpected EOF; expected key separator '='")
 	case r == '.':
 		lx.ignore()
@@ -628,10 +627,7 @@ func lexInlineTableValue(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValue)
 	case isNL(r):
-		if lx.tomlNext {
-			return lexSkip(lx, lexInlineTableValue)
-		}
-		return lx.errorPrevLine(errLexInlineTableNL{})
+		return lexSkip(lx, lexInlineTableValue)
 	case r == '#':
 		lx.push(lexInlineTableValue)
 		return lexCommentStart
@@ -653,10 +649,7 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 	case isWhitespace(r):
 		return lexSkip(lx, lexInlineTableValueEnd)
 	case isNL(r):
-		if lx.tomlNext {
-			return lexSkip(lx, lexInlineTableValueEnd)
-		}
-		return lx.errorPrevLine(errLexInlineTableNL{})
+		return lexSkip(lx, lexInlineTableValueEnd)
 	case r == '#':
 		lx.push(lexInlineTableValueEnd)
 		return lexCommentStart
@@ -664,10 +657,7 @@ func lexInlineTableValueEnd(lx *lexer) stateFn {
 		lx.ignore()
 		lx.skip(isWhitespace)
 		if lx.peek() == '}' {
-			if lx.tomlNext {
-				return lexInlineTableValueEnd
-			}
-			return lx.errorf("trailing comma not allowed in inline tables")
+			return lexInlineTableValueEnd
 		}
 		return lexInlineTableValue
 	case r == '}':
@@ -855,9 +845,6 @@ func lexStringEscape(lx *lexer) stateFn {
 	r := lx.next()
 	switch r {
 	case 'e':
-		if !lx.tomlNext {
-			return lx.error(errLexEscape{r})
-		}
 		fallthrough
 	case 'b':
 		fallthrough
@@ -878,9 +865,6 @@ func lexStringEscape(lx *lexer) stateFn {
 	case '\\':
 		return lx.pop()
 	case 'x':
-		if !lx.tomlNext {
-			return lx.error(errLexEscape{r})
-		}
 		return lexHexEscape
 	case 'u':
 		return lexShortUnicodeEscape
@@ -928,19 +912,9 @@ func lexLongUnicodeEscape(lx *lexer) stateFn {
 // lexBaseNumberOrDate can differentiate base prefixed integers from other
 // types.
 func lexNumberOrDateStart(lx *lexer) stateFn {
-	r := lx.next()
-	switch r {
-	case '0':
+	if lx.next() == '0' {
 		return lexBaseNumberOrDate
 	}
-
-	if !isDigit(r) {
-		// The only way to reach this state is if the value starts
-		// with a digit, so specifically treat anything else as an
-		// error.
-		return lx.errorf("expected a digit but got %q", r)
-	}
-
 	return lexNumberOrDate
 }
 
@@ -1196,13 +1170,13 @@ func lexSkip(lx *lexer, nextState stateFn) stateFn {
 }
 
 func (s stateFn) String() string {
+	if s == nil {
+		return "<nil>"
+	}
 	name := runtime.FuncForPC(reflect.ValueOf(s).Pointer()).Name()
 	if i := strings.LastIndexByte(name, '.'); i > -1 {
 		name = name[i+1:]
 	}
-	if s == nil {
-		name = "<nil>"
-	}
 	return name + "()"
 }
 
@@ -1210,8 +1184,6 @@ func (itype itemType) String() string {
 	switch itype {
 	case itemError:
 		return "Error"
-	case itemNIL:
-		return "NIL"
 	case itemEOF:
 		return "EOF"
 	case itemText:
@@ -1226,18 +1198,22 @@ func (itype itemType) String() string {
 		return "Float"
 	case itemDatetime:
 		return "DateTime"
-	case itemTableStart:
-		return "TableStart"
-	case itemTableEnd:
-		return "TableEnd"
-	case itemKeyStart:
-		return "KeyStart"
-	case itemKeyEnd:
-		return "KeyEnd"
 	case itemArray:
 		return "Array"
 	case itemArrayEnd:
 		return "ArrayEnd"
+	case itemTableStart:
+		return "TableStart"
+	case itemTableEnd:
+		return "TableEnd"
+	case itemArrayTableStart:
+		return "ArrayTableStart"
+	case itemArrayTableEnd:
+		return "ArrayTableEnd"
+	case itemKeyStart:
+		return "KeyStart"
+	case itemKeyEnd:
+		return "KeyEnd"
 	case itemCommentStart:
 		return "CommentStart"
 	case itemInlineTableStart:
@@ -1266,7 +1242,7 @@ func isDigit(r rune) bool  { return r >= '0' && r <= '9' }
 func isBinary(r rune) bool { return r == '0' || r == '1' }
 func isOctal(r rune) bool  { return r >= '0' && r <= '7' }
 func isHex(r rune) bool    { return (r >= '0' && r <= '9') || (r|0x20 >= 'a' && r|0x20 <= 'f') }
-func isBareKeyChar(r rune, tomlNext bool) bool {
+func isBareKeyChar(r rune) bool {
 	return (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') ||
 		(r >= '0' && r <= '9') || r == '_' || r == '-'
 }

src/runtime/vendor/github.com/BurntSushi/toml/parse.go

@@ -3,7 +3,6 @@ package toml
 import (
 	"fmt"
 	"math"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -17,7 +16,6 @@ type parser struct {
 	context    Key      // Full key for the current hash in scope.
 	currentKey string   // Base key name for everything except hashes.
 	pos        Position // Current position in the TOML file.
-	tomlNext   bool
 
 	ordered []Key // List of keys in the order that they appear in the TOML data.
 
@@ -32,8 +30,6 @@ type keyInfo struct {
 }
 
 func parse(data string) (p *parser, err error) {
-	_, tomlNext := os.LookupEnv("BURNTSUSHI_TOML_110")
-
 	defer func() {
 		if r := recover(); r != nil {
 			if pErr, ok := r.(ParseError); ok {
@@ -73,10 +69,9 @@ func parse(data string) (p *parser, err error) {
 	p = &parser{
 		keyInfo:   make(map[string]keyInfo),
 		mapping:   make(map[string]any),
-		lx:        lex(data, tomlNext),
+		lx:        lex(data),
 		ordered:   make([]Key, 0),
 		implicits: make(map[string]struct{}),
-		tomlNext:  tomlNext,
 	}
 	for {
 		item := p.next()
@@ -350,17 +345,14 @@ func (p *parser) valueFloat(it item) (any, tomlType) {
 var dtTypes = []struct {
 	fmt  string
 	zone *time.Location
-	next bool
 }{
-	{time.RFC3339Nano, time.Local, false},
-	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime, false},
-	{"2006-01-02", internal.LocalDate, false},
-	{"15:04:05.999999999", internal.LocalTime, false},
-
-	// tomlNext
-	{"2006-01-02T15:04Z07:00", time.Local, true},
-	{"2006-01-02T15:04", internal.LocalDatetime, true},
-	{"15:04", internal.LocalTime, true},
+	{time.RFC3339Nano, time.Local},
+	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime},
+	{"2006-01-02", internal.LocalDate},
+	{"15:04:05.999999999", internal.LocalTime},
+	{"2006-01-02T15:04Z07:00", time.Local},
+	{"2006-01-02T15:04", internal.LocalDatetime},
+	{"15:04", internal.LocalTime},
 }
 
 func (p *parser) valueDatetime(it item) (any, tomlType) {
@@ -371,9 +363,6 @@ func (p *parser) valueDatetime(it item) (any, tomlType) {
 		err error
 	)
 	for _, dt := range dtTypes {
-		if dt.next && !p.tomlNext {
-			continue
-		}
 		t, err = time.ParseInLocation(dt.fmt, it.val, dt.zone)
 		if err == nil {
 			if missingLeadingZero(it.val, dt.fmt) {
@@ -644,6 +633,11 @@ func (p *parser) setValue(key string, value any) {
 		// Note that since it has already been defined (as a hash), we don't
 		// want to overwrite it. So our business is done.
 		if p.isArray(keyContext) {
+			if !p.isImplicit(keyContext) {
+				if _, ok := hash[key]; ok {
+					p.panicf("Key '%s' has already been defined.", keyContext)
+				}
+			}
 			p.removeImplicit(keyContext)
 			hash[key] = value
 			return
@@ -802,10 +796,8 @@ func (p *parser) replaceEscapes(it item, str string) string {
 			b.WriteByte(0x0d)
 			skip = 1
 		case 'e':
-			if p.tomlNext {
-				b.WriteByte(0x1b)
-				skip = 1
-			}
+			b.WriteByte(0x1b)
+			skip = 1
 		case '"':
 			b.WriteByte(0x22)
 			skip = 1
@@ -815,11 +807,9 @@ func (p *parser) replaceEscapes(it item, str string) string {
 		// The lexer guarantees the correct number of characters are present;
 		// don't need to check here.
 		case 'x':
-			if p.tomlNext {
-				escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4])
-				b.WriteRune(escaped)
-				skip = 3
-			}
+			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4])
+			b.WriteRune(escaped)
+			skip = 3
 		case 'u':
 			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+6])
 			b.WriteRune(escaped)

src/runtime/vendor/github.com/go-openapi/errors/.cliff.toml

@@ -0,0 +1,181 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = """
+"""
+
+footer = """
+
+-----
+
+**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms**
+
+[![License][license-badge]][license-url]
+
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+
+body = """
+{%- if version %}
+## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+{%- else %}
+## [unreleased]
+{%- endif %}
+{%- if message %}
+  {%- raw %}\n{% endraw %}
+{{ message }}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+{%- if version %}
+  {%- if previous.version %}
+
+**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}>
+  {%- endif %}
+{%- else %}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+
+{%- if statistics %}{% if statistics.commit_count %}
+  {%- raw %}\n{% endraw %}
+{{ statistics.commit_count }} commits in this release.
+  {%- raw %}\n{% endraw %}
+{%- endif %}{% endif %}
+-----
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+  {%- raw %}\n{% endraw %}
+### {{ group | upper_first }}
+    {%- raw %}\n{% endraw %}
+    {%- for commit in commits %}
+      {%- if commit.remote.pr_title %}
+        {%- set commit_message = commit.remote.pr_title %}
+      {%- else %}
+        {%- set commit_message = commit.message %}
+      {%- endif %}
+* {{ commit_message | split(pat="\n") | first | trim }}
+      {%- if commit.remote.username %}
+{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }})
+      {%- endif %}
+      {%- if commit.remote.pr_number %}
+{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }})
+      {%- endif %}
+{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }})
+  {%- endfor %}
+{%- endfor %}
+
+{%- if github %}
+{%- raw %}\n{% endraw -%}
+  {%- set all_contributors = github.contributors | length %}
+  {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %}
+-----
+
+### People who contributed to this release
+  {% endif %}
+  {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
+    {%- endif %}
+  {%- endfor %}
+
+  {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+-----
+    {%- raw %}\n{% endraw %}
+
+### New Contributors
+  {%- endif %}
+
+  {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* @{{ contributor.username }} made their first contribution
+      {%- if contributor.pr_number %}
+  in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
+      {%- endif %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- raw %}\n{% endraw %}
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = false
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = false
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' }
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
+    { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
+    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^test", group = "<!-- 06 -->Testing" },
+    { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
+    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
+    { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
+    { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
+    { message = ".*", group = "<!-- 0B -->Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "newest"
+# Process submodules commits
+recurse_submodules = false
+
+#[remote.github]
+#owner = "go-openapi"

src/runtime/vendor/github.com/go-openapi/errors/.editorconfig

@@ -0,0 +1,26 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+# Set default charset
+[*.{js,py,go,scala,rb,java,html,css,less,sass,md}]
+charset = utf-8
+
+# Tab indentation (no size specified)
+[*.go]
+indent_style = tab
+
+[*.md]
+trim_trailing_whitespace = false
+
+# Matches the exact files either package.json or .travis.yml
+[{package.json,.travis.yml}]
+indent_style = space
+indent_size = 2

src/runtime/vendor/github.com/go-openapi/errors/.gitignore

@@ -1,2 +1,3 @@
 secrets.yml
-coverage.out
+*.out
+settings.local.json

src/runtime/vendor/github.com/go-openapi/errors/.golangci.yml

@@ -1,55 +1,66 @@
-linters-settings:
-  gocyclo:
-    min-complexity: 45
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-
+version: "2"
 linters:
-  enable-all: true
+  default: all
   disable:
-    - unparam
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
+    - depguard
     - funlen
     - godox
-    - gocognit
-    - whitespace
-    - wsl
-    - wrapcheck
-    - testpackage
-    - nlreturn
-    - errorlint
-    - nestif
-    - godot
-    - gofumpt
-    - paralleltest
-    - tparallel
-    - thelper
     - exhaustruct
-    - varnamelen
-    - gci
-    - depguard
-    - errchkjson
-    - inamedparam
+    - nlreturn
     - nonamedreturns
-    - musttag
-    - ireturn
-    - forcetypeassert
-    - cyclop
-    # deprecated linters
-    #- deadcode
-    #- interfacer
-    #- scopelint
-    #- varcheck
-    #- structcheck
-    #- golint
-    #- nosnakecase
-    #- maligned
-    #- goerr113
-    #- ifshort
-    #- gomnd
-    #- exhaustivestruct
+    - noinlineerr
+    - paralleltest
+    - recvcheck
+    - testpackage
+    - tparallel
+    - varnamelen
+    - whitespace
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    dupl:
+      threshold: 200
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    cyclop:
+      max-complexity: 20
+    gocyclo:
+      min-complexity: 20
+    exhaustive:
+      default-signifies-exhaustive: true
+      default-case-required: true
+    lll:
+      line-length: 180
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0

src/runtime/vendor/github.com/go-openapi/errors/CONTRIBUTORS.md

@@ -0,0 +1,24 @@
+# Contributors
+
+- Repository: ['go-openapi/errors']
+
+| Total Contributors | Total Contributions |
+| --- | --- |
+| 12  | 105  |
+
+| Username | All Time Contribution Count | All Commits |
+| --- | --- | --- |
+| @casualjim | 58 | https://github.com/go-openapi/errors/commits?author=casualjim |
+| @fredbi | 32 | https://github.com/go-openapi/errors/commits?author=fredbi |
+| @youyuanwu | 5 | https://github.com/go-openapi/errors/commits?author=youyuanwu |
+| @alexandear | 2 | https://github.com/go-openapi/errors/commits?author=alexandear |
+| @fiorix | 1 | https://github.com/go-openapi/errors/commits?author=fiorix |
+| @ligustah | 1 | https://github.com/go-openapi/errors/commits?author=ligustah |
+| @artemseleznev | 1 | https://github.com/go-openapi/errors/commits?author=artemseleznev |
+| @gautierdelorme | 1 | https://github.com/go-openapi/errors/commits?author=gautierdelorme |
+| @guillemj | 1 | https://github.com/go-openapi/errors/commits?author=guillemj |
+| @maxatome | 1 | https://github.com/go-openapi/errors/commits?author=maxatome |
+| @Simon-Li | 1 | https://github.com/go-openapi/errors/commits?author=Simon-Li |
+| @ujjwalsh | 1 | https://github.com/go-openapi/errors/commits?author=ujjwalsh |
+
+ _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_

src/runtime/vendor/github.com/go-openapi/errors/README.md

@@ -1,8 +1,123 @@
-# OpenAPI errors [![Build Status](https://github.com/go-openapi/errors/actions/workflows/go-test.yml/badge.svg)](https://github.com/go-openapi/errors/actions?query=workflow%3A"go+test") [![codecov](https://codecov.io/gh/go-openapi/errors/branch/master/graph/badge.svg)](https://codecov.io/gh/go-openapi/errors)
+# errors
 
-[![Slack Status](https://slackin.goswagger.io/badge.svg)](https://slackin.goswagger.io)
-[![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/errors/master/LICENSE)
-[![Go Reference](https://pkg.go.dev/badge/github.com/go-openapi/errors.svg)](https://pkg.go.dev/github.com/go-openapi/errors)
-[![Go Report Card](https://goreportcard.com/badge/github.com/go-openapi/errors)](https://goreportcard.com/report/github.com/go-openapi/errors)
+<!-- Badges: status  -->
+[![Tests][test-badge]][test-url] [![Coverage][cov-badge]][cov-url] [![CI vuln scan][vuln-scan-badge]][vuln-scan-url] [![CodeQL][codeql-badge]][codeql-url]
+<!-- Badges: release & docker images  -->
+<!-- Badges: code quality  -->
+<!-- Badges: license & compliance -->
+[![Release][release-badge]][release-url] [![Go Report Card][gocard-badge]][gocard-url] [![CodeFactor Grade][codefactor-badge]][codefactor-url] [![License][license-badge]][license-url]
+<!-- Badges: documentation & support -->
+<!-- Badges: others & stats -->
+[![GoDoc][godoc-badge]][godoc-url] [![Discord Channel][discord-badge]][discord-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge]
+
+---
 
 Shared errors and error interface used throughout the various libraries found in the go-openapi toolkit.
+
+## Announcements
+
+* **2025-12-19** : new community chat on discord
+  * a new discord community channel is available to be notified of changes and support users
+  * our venerable Slack channel remains open, and will be eventually discontinued on **2026-03-31**
+
+You may join the discord community by clicking the invite link on the discord badge (also above). [![Discord Channel][discord-badge]][discord-url]
+
+Or join our Slack channel: [![Slack Channel][slack-logo]![slack-badge]][slack-url]
+
+## Status
+
+API is stable.
+
+## Import this library in your project
+
+```cmd
+go get github.com/go-openapi/errors
+```
+
+## Basic usage
+
+```go
+const url = "https://www.example.com/#"
+
+errGeneric := New(401,"onvalid argument: %s", url)
+
+errNotFound := NotFound("resource not found: %s", url)
+
+errNotImplemented := NotImplemented("method: %s", url)
+```
+
+## Change log
+
+See <https://github.com/go-openapi/errors/releases>
+
+<!--
+## References
+-->
+
+## Licensing
+
+This library ships under the [SPDX-License-Identifier: Apache-2.0](./LICENSE).
+
+<!--
+See the license [NOTICE](./NOTICE), which recalls the licensing terms of all the pieces of software
+on top of which it has been built.
+-->
+
+<!--
+## Limitations
+-->
+
+## Other documentation
+
+* [All-time contributors](./CONTRIBUTORS.md)
+* [Contributing guidelines](.github/CONTRIBUTING.md)
+* [Maintainers documentation](docs/MAINTAINERS.md)
+* [Code style](docs/STYLE.md)
+
+## Cutting a new release
+
+Maintainers can cut a new release by either:
+
+* running [this workflow](https://github.com/go-openapi/errors/actions/workflows/bump-release.yml)
+* or pushing a semver tag
+  * signed tags are preferred
+  * The tag message is prepended to release notes
+
+<!-- Badges: status  -->
+[test-badge]: https://github.com/go-openapi/errors/actions/workflows/go-test.yml/badge.svg
+[test-url]: https://github.com/go-openapi/errors/actions/workflows/go-test.yml
+[cov-badge]: https://codecov.io/gh/go-openapi/errors/branch/master/graph/badge.svg
+[cov-url]: https://codecov.io/gh/go-openapi/errors
+[vuln-scan-badge]: https://github.com/go-openapi/errors/actions/workflows/scanner.yml/badge.svg
+[vuln-scan-url]: https://github.com/go-openapi/errors/actions/workflows/scanner.yml
+[codeql-badge]: https://github.com/go-openapi/errors/actions/workflows/codeql.yml/badge.svg
+[codeql-url]: https://github.com/go-openapi/errors/actions/workflows/codeql.yml
+<!-- Badges: release & docker images  -->
+[release-badge]: https://badge.fury.io/gh/go-openapi%2Ferrors.svg
+[release-url]: https://badge.fury.io/gh/go-openapi%2Ferrors
+[gomod-badge]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Ferrors.svg
+[gomod-url]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Ferrors
+<!-- Badges: code quality  -->
+[gocard-badge]: https://goreportcard.com/badge/github.com/go-openapi/errors
+[gocard-url]: https://goreportcard.com/report/github.com/go-openapi/errors
+[codefactor-badge]: https://img.shields.io/codefactor/grade/github/go-openapi/errors
+[codefactor-url]: https://www.codefactor.io/repository/github/go-openapi/errors
+<!-- Badges: documentation & support -->
+[doc-badge]: https://img.shields.io/badge/doc-site-blue?link=https%3A%2F%2Fgoswagger.io%2Fgo-openapi%2F
+[doc-url]: https://goswagger.io/go-openapi
+[godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/errors
+[godoc-url]: http://pkg.go.dev/github.com/go-openapi/errors
+[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png
+[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM
+[slack-url]: https://goswagger.slack.com/archives/C04R30YMU
+[discord-badge]: https://img.shields.io/discord/1446918742398341256?logo=discord&label=discord&color=blue
+[discord-url]: https://discord.gg/DrafRmZx
+
+<!-- Badges: license & compliance -->
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: https://github.com/go-openapi/errors/?tab=Apache-2.0-1-ov-file#readme
+<!-- Badges: others & stats -->
+[goversion-badge]: https://img.shields.io/github/go-mod/go-version/go-openapi/errors
+[goversion-url]: https://github.com/go-openapi/errors/blob/master/go.mod
+[top-badge]: https://img.shields.io/github/languages/top/go-openapi/errors
+[commits-badge]: https://img.shields.io/github/commits-since/go-openapi/errors/latest

src/runtime/vendor/github.com/go-openapi/errors/SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+This policy outlines the commitment and practices of the go-openapi maintainers regarding security.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.22.x  | :white_check_mark: |
+
+## Reporting a vulnerability
+
+If you become aware of a security vulnerability that affects the current repository,
+please report it privately to the maintainers.
+
+Please follow the instructions provided by github to
+[Privately report a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+TL;DR: on Github, navigate to the project's "Security" tab then click on "Report a vulnerability".

src/runtime/vendor/github.com/go-openapi/errors/api.go

@@ -1,21 +1,11 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -23,9 +13,11 @@ import (
 )
 
 // DefaultHTTPCode is used when the error Code cannot be used as an HTTP code.
+//
+//nolint:gochecknoglobals // it should have been a constant in the first place, but now it is mutable so we have to leave it here or introduce a breaking change.
 var DefaultHTTPCode = http.StatusUnprocessableEntity
 
-// Error represents a error interface all swagger framework errors implement
+// Error represents a error interface all swagger framework errors implement.
 type Error interface {
 	error
 	Code() int32
@@ -36,24 +28,26 @@ type apiError struct {
 	message string
 }
 
+// Error implements the standard error interface.
 func (a *apiError) Error() string {
 	return a.message
 }
 
+// Code returns the HTTP status code associated with this error.
 func (a *apiError) Code() int32 {
 	return a.code
 }
 
-// MarshalJSON implements the JSON encoding interface
+// MarshalJSON implements the JSON encoding interface.
 func (a apiError) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]interface{}{
+	return json.Marshal(map[string]any{
 		"code":    a.code,
 		"message": a.message,
 	})
 }
 
-// New creates a new API error with a code and a message
-func New(code int32, message string, args ...interface{}) Error {
+// New creates a new API error with a code and a message.
+func New(code int32, message string, args ...any) Error {
 	if len(args) > 0 {
 		return &apiError{
 			code:    code,
@@ -66,38 +60,39 @@ func New(code int32, message string, args ...interface{}) Error {
 	}
 }
 
-// NotFound creates a new not found error
-func NotFound(message string, args ...interface{}) Error {
+// NotFound creates a new not found error.
+func NotFound(message string, args ...any) Error {
 	if message == "" {
 		message = "Not found"
 	}
-	return New(http.StatusNotFound, fmt.Sprintf(message, args...))
+	return New(http.StatusNotFound, message, args...)
 }
 
-// NotImplemented creates a new not implemented error
+// NotImplemented creates a new not implemented error.
 func NotImplemented(message string) Error {
-	return New(http.StatusNotImplemented, message)
+	return New(http.StatusNotImplemented, "%s", message)
 }
 
-// MethodNotAllowedError represents an error for when the path matches but the method doesn't
+// MethodNotAllowedError represents an error for when the path matches but the method doesn't.
 type MethodNotAllowedError struct {
 	code    int32
 	Allowed []string
 	message string
 }
 
+// Error implements the standard error interface.
 func (m *MethodNotAllowedError) Error() string {
 	return m.message
 }
 
-// Code the error code
+// Code returns 405 (Method Not Allowed) as the HTTP status code.
 func (m *MethodNotAllowedError) Code() int32 {
 	return m.code
 }
 
-// MarshalJSON implements the JSON encoding interface
+// MarshalJSON implements the JSON encoding interface.
 func (m MethodNotAllowedError) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]interface{}{
+	return json.Marshal(map[string]any{
 		"code":    m.code,
 		"message": m.message,
 		"allowed": m.Allowed,
@@ -115,25 +110,33 @@ func errorAsJSON(err Error) []byte {
 
 func flattenComposite(errs *CompositeError) *CompositeError {
 	var res []error
-	for _, er := range errs.Errors {
-		switch e := er.(type) {
-		case *CompositeError:
-			if e != nil && len(e.Errors) > 0 {
-				flat := flattenComposite(e)
-				if len(flat.Errors) > 0 {
-					res = append(res, flat.Errors...)
-				}
-			}
-		default:
-			if e != nil {
-				res = append(res, e)
-			}
+
+	for _, err := range errs.Errors {
+		if err == nil {
+			continue
 		}
+
+		e := &CompositeError{}
+		if !errors.As(err, &e) {
+			res = append(res, err)
+
+			continue
+		}
+
+		if len(e.Errors) == 0 {
+			res = append(res, e)
+
+			continue
+		}
+
+		flat := flattenComposite(e)
+		res = append(res, flat.Errors...)
 	}
+
 	return CompositeValidationError(res...)
 }
 
-// MethodNotAllowed creates a new method not allowed error
+// MethodNotAllowed creates a new method not allowed error.
 func MethodNotAllowed(requested string, allow []string) Error {
 	msg := fmt.Sprintf("method %s is not allowed, but [%s] are", requested, strings.Join(allow, ","))
 	return &MethodNotAllowedError{
@@ -143,43 +146,59 @@ func MethodNotAllowed(requested string, allow []string) Error {
 	}
 }
 
-// ServeError implements the http error handler interface
+// ServeError implements the http error handler interface.
 func ServeError(rw http.ResponseWriter, r *http.Request, err error) {
 	rw.Header().Set("Content-Type", "application/json")
-	switch e := err.(type) {
-	case *CompositeError:
-		er := flattenComposite(e)
+
+	if err == nil {
+		rw.WriteHeader(http.StatusInternalServerError)
+		_, _ = rw.Write(errorAsJSON(New(http.StatusInternalServerError, "Unknown error")))
+
+		return
+	}
+
+	errComposite := &CompositeError{}
+	errMethodNotAllowed := &MethodNotAllowedError{}
+	var errError Error
+
+	switch {
+	case errors.As(err, &errComposite):
+		er := flattenComposite(errComposite)
 		// strips composite errors to first element only
 		if len(er.Errors) > 0 {
 			ServeError(rw, r, er.Errors[0])
-		} else {
-			// guard against empty CompositeError (invalid construct)
-			ServeError(rw, r, nil)
+
+			return
 		}
-	case *MethodNotAllowedError:
-		rw.Header().Add("Allow", strings.Join(e.Allowed, ","))
-		rw.WriteHeader(asHTTPCode(int(e.Code())))
+
+		// guard against empty CompositeError (invalid construct)
+		ServeError(rw, r, nil)
+
+	case errors.As(err, &errMethodNotAllowed):
+		rw.Header().Add("Allow", strings.Join(errMethodNotAllowed.Allowed, ","))
+		rw.WriteHeader(asHTTPCode(int(errMethodNotAllowed.Code())))
 		if r == nil || r.Method != http.MethodHead {
-			_, _ = rw.Write(errorAsJSON(e))
+			_, _ = rw.Write(errorAsJSON(errMethodNotAllowed))
 		}
-	case Error:
-		value := reflect.ValueOf(e)
+
+	case errors.As(err, &errError):
+		value := reflect.ValueOf(errError)
 		if value.Kind() == reflect.Ptr && value.IsNil() {
 			rw.WriteHeader(http.StatusInternalServerError)
 			_, _ = rw.Write(errorAsJSON(New(http.StatusInternalServerError, "Unknown error")))
+
 			return
 		}
-		rw.WriteHeader(asHTTPCode(int(e.Code())))
+
+		rw.WriteHeader(asHTTPCode(int(errError.Code())))
 		if r == nil || r.Method != http.MethodHead {
-			_, _ = rw.Write(errorAsJSON(e))
+			_, _ = rw.Write(errorAsJSON(errError))
 		}
-	case nil:
-		rw.WriteHeader(http.StatusInternalServerError)
-		_, _ = rw.Write(errorAsJSON(New(http.StatusInternalServerError, "Unknown error")))
+
 	default:
 		rw.WriteHeader(http.StatusInternalServerError)
 		if r == nil || r.Method != http.MethodHead {
-			_, _ = rw.Write(errorAsJSON(New(http.StatusInternalServerError, err.Error())))
+			_, _ = rw.Write(errorAsJSON(New(http.StatusInternalServerError, "%v", err)))
 		}
 	}
 }

src/runtime/vendor/github.com/go-openapi/errors/auth.go

@@ -1,22 +1,11 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
 import "net/http"
 
-// Unauthenticated returns an unauthenticated error
+// Unauthenticated returns an unauthenticated error.
 func Unauthenticated(scheme string) Error {
 	return New(http.StatusUnauthorized, "unauthenticated for %s", scheme)
 }

src/runtime/vendor/github.com/go-openapi/errors/doc.go

@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 /*
 Package errors provides an Error interface and several concrete types

src/runtime/vendor/github.com/go-openapi/errors/headers.go

@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
@@ -20,28 +9,30 @@ import (
 	"net/http"
 )
 
-// Validation represents a failure of a precondition
-type Validation struct { //nolint: errname
+// Validation represents a failure of a precondition.
+type Validation struct { //nolint: errname // changing the name to abide by the naming rule would bring a breaking change.
 	code    int32
 	Name    string
 	In      string
-	Value   interface{}
+	Value   any
 	message string
-	Values  []interface{}
+	Values  []any
 }
 
+// Error implements the standard error interface.
 func (e *Validation) Error() string {
 	return e.message
 }
 
-// Code the error code
+// Code returns the HTTP status code for this validation error.
+// Returns 422 (Unprocessable Entity) by default.
 func (e *Validation) Code() int32 {
 	return e.code
 }
 
-// MarshalJSON implements the JSON encoding interface
+// MarshalJSON implements the JSON encoding interface.
 func (e Validation) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]interface{}{
+	return json.Marshal(map[string]any{
 		"code":    e.code,
 		"message": e.message,
 		"in":      e.In,
@@ -51,7 +42,7 @@ func (e Validation) MarshalJSON() ([]byte, error) {
 	})
 }
 
-// ValidateName sets the name for a validation or updates it for a nested property
+// ValidateName sets the name for a validation or updates it for a nested property.
 func (e *Validation) ValidateName(name string) *Validation {
 	if name != "" {
 		if e.Name == "" {
@@ -70,9 +61,9 @@ const (
 	responseFormatFail = `unsupported media type requested, only %v are available`
 )
 
-// InvalidContentType error for an invalid content type
+// InvalidContentType error for an invalid content type.
 func InvalidContentType(value string, allowed []string) *Validation {
-	values := make([]interface{}, 0, len(allowed))
+	values := make([]any, 0, len(allowed))
 	for _, v := range allowed {
 		values = append(values, v)
 	}
@@ -86,9 +77,9 @@ func InvalidContentType(value string, allowed []string) *Validation {
 	}
 }
 
-// InvalidResponseFormat error for an unacceptable response format request
+// InvalidResponseFormat error for an unacceptable response format request.
 func InvalidResponseFormat(value string, allowed []string) *Validation {
-	values := make([]interface{}, 0, len(allowed))
+	values := make([]any, 0, len(allowed))
 	for _, v := range allowed {
 		values = append(values, v)
 	}

src/runtime/vendor/github.com/go-openapi/errors/middleware.go

@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
@@ -21,13 +10,14 @@ import (
 )
 
 // APIVerificationFailed is an error that contains all the missing info for a mismatched section
-// between the api registrations and the api spec
+// between the api registrations and the api spec.
 type APIVerificationFailed struct { //nolint: errname
 	Section              string   `json:"section,omitempty"`
 	MissingSpecification []string `json:"missingSpecification,omitempty"`
 	MissingRegistration  []string `json:"missingRegistration,omitempty"`
 }
 
+// Error implements the standard error interface.
 func (v *APIVerificationFailed) Error() string {
 	buf := bytes.NewBuffer(nil)
 
@@ -35,7 +25,7 @@ func (v *APIVerificationFailed) Error() string {
 	hasSpecMissing := len(v.MissingSpecification) > 0
 
 	if hasRegMissing {
-		buf.WriteString(fmt.Sprintf("missing [%s] %s registrations", strings.Join(v.MissingRegistration, ", "), v.Section))
+		fmt.Fprintf(buf, "missing [%s] %s registrations", strings.Join(v.MissingRegistration, ", "), v.Section)
 	}
 
 	if hasRegMissing && hasSpecMissing {
@@ -43,7 +33,7 @@ func (v *APIVerificationFailed) Error() string {
 	}
 
 	if hasSpecMissing {
-		buf.WriteString(fmt.Sprintf("missing from spec file [%s] %s", strings.Join(v.MissingSpecification, ", "), v.Section))
+		fmt.Fprintf(buf, "missing from spec file [%s] %s", strings.Join(v.MissingSpecification, ", "), v.Section)
 	}
 
 	return buf.String()

src/runtime/vendor/github.com/go-openapi/errors/parsing.go

@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
@@ -20,7 +9,7 @@ import (
 	"net/http"
 )
 
-// ParseError represents a parsing error
+// ParseError represents a parsing error.
 type ParseError struct {
 	code    int32
 	Name    string
@@ -30,37 +19,7 @@ type ParseError struct {
 	message string
 }
 
-func (e *ParseError) Error() string {
-	return e.message
-}
-
-// Code returns the http status code for this error
-func (e *ParseError) Code() int32 {
-	return e.code
-}
-
-// MarshalJSON implements the JSON encoding interface
-func (e ParseError) MarshalJSON() ([]byte, error) {
-	var reason string
-	if e.Reason != nil {
-		reason = e.Reason.Error()
-	}
-	return json.Marshal(map[string]interface{}{
-		"code":    e.code,
-		"message": e.message,
-		"in":      e.In,
-		"name":    e.Name,
-		"value":   e.Value,
-		"reason":  reason,
-	})
-}
-
-const (
-	parseErrorTemplContent     = `parsing %s %s from %q failed, because %s`
-	parseErrorTemplContentNoIn = `parsing %s from %q failed, because %s`
-)
-
-// NewParseError creates a new parse error
+// NewParseError creates a new parse error.
 func NewParseError(name, in, value string, reason error) *ParseError {
 	var msg string
 	if in == "" {
@@ -77,3 +36,34 @@ func NewParseError(name, in, value string, reason error) *ParseError {
 		message: msg,
 	}
 }
+
+// Error implements the standard error interface.
+func (e *ParseError) Error() string {
+	return e.message
+}
+
+// Code returns 400 (Bad Request) as the HTTP status code for parsing errors.
+func (e *ParseError) Code() int32 {
+	return e.code
+}
+
+// MarshalJSON implements the JSON encoding interface.
+func (e ParseError) MarshalJSON() ([]byte, error) {
+	var reason string
+	if e.Reason != nil {
+		reason = e.Reason.Error()
+	}
+	return json.Marshal(map[string]any{
+		"code":    e.code,
+		"message": e.message,
+		"in":      e.In,
+		"name":    e.Name,
+		"value":   e.Value,
+		"reason":  reason,
+	})
+}
+
+const (
+	parseErrorTemplContent     = `parsing %s %s from %q failed, because %s`
+	parseErrorTemplContentNoIn = `parsing %s from %q failed, because %s`
+)

src/runtime/vendor/github.com/go-openapi/errors/schema.go

@@ -1,21 +1,11 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package errors
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -73,14 +63,15 @@ const (
 const maximumValidHTTPCode = 600
 
 // All code responses can be used to differentiate errors for different handling
-// by the consuming program
+// by the consuming program.
 const (
 	// CompositeErrorCode remains 422 for backwards-compatibility
-	// and to separate it from validation errors with cause
+	// and to separate it from validation errors with cause.
 	CompositeErrorCode = http.StatusUnprocessableEntity
 
-	// InvalidTypeCode is used for any subclass of invalid types
+	// InvalidTypeCode is used for any subclass of invalid types.
 	InvalidTypeCode = maximumValidHTTPCode + iota
+	// RequiredFailCode indicates a required field is missing.
 	RequiredFailCode
 	TooLongFailCode
 	TooShortFailCode
@@ -101,22 +92,26 @@ const (
 	ReadOnlyFailCode
 )
 
-// CompositeError is an error that groups several errors together
+// CompositeError is an error that groups several errors together.
 type CompositeError struct {
 	Errors  []error
 	code    int32
 	message string
 }
 
-// Code for this error
+// Code returns the HTTP status code for this composite error.
 func (c *CompositeError) Code() int32 {
 	return c.code
 }
 
+// Error implements the standard error interface.
 func (c *CompositeError) Error() string {
 	if len(c.Errors) > 0 {
 		msgs := []string{c.message + ":"}
 		for _, e := range c.Errors {
+			if e == nil {
+				continue
+			}
 			msgs = append(msgs, e.Error())
 		}
 		return strings.Join(msgs, "\n")
@@ -124,20 +119,21 @@ func (c *CompositeError) Error() string {
 	return c.message
 }
 
+// Unwrap implements the [errors.Unwrap] interface.
 func (c *CompositeError) Unwrap() []error {
 	return c.Errors
 }
 
-// MarshalJSON implements the JSON encoding interface
+// MarshalJSON implements the JSON encoding interface.
 func (c CompositeError) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]interface{}{
+	return json.Marshal(map[string]any{
 		"code":    c.code,
 		"message": c.message,
 		"errors":  c.Errors,
 	})
 }
 
-// CompositeValidationError an error to wrap a bunch of other errors
+// CompositeValidationError an error to wrap a bunch of other errors.
 func CompositeValidationError(errors ...error) *CompositeError {
 	return &CompositeError{
 		code:    CompositeErrorCode,
@@ -146,20 +142,33 @@ func CompositeValidationError(errors ...error) *CompositeError {
 	}
 }
 
-// ValidateName recursively sets the name for all validations or updates them for nested properties
+// ValidateName recursively sets the name for all validations or updates them for nested properties.
 func (c *CompositeError) ValidateName(name string) *CompositeError {
 	for i, e := range c.Errors {
-		if ve, ok := e.(*Validation); ok {
-			c.Errors[i] = ve.ValidateName(name)
-		} else if ce, ok := e.(*CompositeError); ok {
-			c.Errors[i] = ce.ValidateName(name)
+		if e == nil {
+			continue
 		}
+
+		ce := &CompositeError{}
+		if errors.As(e, &ce) {
+			c.Errors[i] = ce.ValidateName(name)
+
+			continue
+		}
+
+		ve := &Validation{}
+		if errors.As(e, &ve) {
+			c.Errors[i] = ve.ValidateName(name)
+
+			continue
+		}
+
 	}
 
 	return c
 }
 
-// FailedAllPatternProperties an error for when the property doesn't match a pattern
+// FailedAllPatternProperties an error for when the property doesn't match a pattern.
 func FailedAllPatternProperties(name, in, key string) *Validation {
 	msg := fmt.Sprintf(failedAllPatternProps, name, key, in)
 	if in == "" {
@@ -174,7 +183,7 @@ func FailedAllPatternProperties(name, in, key string) *Validation {
 	}
 }
 
-// PropertyNotAllowed an error for when the property doesn't match a pattern
+// PropertyNotAllowed an error for when the property doesn't match a pattern.
 func PropertyNotAllowed(name, in, key string) *Validation {
 	msg := fmt.Sprintf(unallowedProperty, name, key, in)
 	if in == "" {
@@ -189,7 +198,7 @@ func PropertyNotAllowed(name, in, key string) *Validation {
 	}
 }
 
-// TooFewProperties an error for an object with too few properties
+// TooFewProperties an error for an object with too few properties.
 func TooFewProperties(name, in string, n int64) *Validation {
 	msg := fmt.Sprintf(tooFewProperties, name, in, n)
 	if in == "" {
@@ -204,7 +213,7 @@ func TooFewProperties(name, in string, n int64) *Validation {
 	}
 }
 
-// TooManyProperties an error for an object with too many properties
+// TooManyProperties an error for an object with too many properties.
 func TooManyProperties(name, in string, n int64) *Validation {
 	msg := fmt.Sprintf(tooManyProperties, name, in, n)
 	if in == "" {
@@ -219,7 +228,7 @@ func TooManyProperties(name, in string, n int64) *Validation {
 	}
 }
 
-// AdditionalItemsNotAllowed an error for invalid additional items
+// AdditionalItemsNotAllowed an error for invalid additional items.
 func AdditionalItemsNotAllowed(name, in string) *Validation {
 	msg := fmt.Sprintf(noAdditionalItems, name, in)
 	if in == "" {
@@ -233,7 +242,7 @@ func AdditionalItemsNotAllowed(name, in string) *Validation {
 	}
 }
 
-// InvalidCollectionFormat another flavor of invalid type error
+// InvalidCollectionFormat another flavor of invalid type error.
 func InvalidCollectionFormat(name, in, format string) *Validation {
 	return &Validation{
 		code:    InvalidTypeCode,
@@ -244,7 +253,7 @@ func InvalidCollectionFormat(name, in, format string) *Validation {
 	}
 }
 
-// InvalidTypeName an error for when the type is invalid
+// InvalidTypeName an error for when the type is invalid.
 func InvalidTypeName(typeName string) *Validation {
 	return &Validation{
 		code:    InvalidTypeCode,
@@ -253,8 +262,8 @@ func InvalidTypeName(typeName string) *Validation {
 	}
 }
 
-// InvalidType creates an error for when the type is invalid
-func InvalidType(name, in, typeName string, value interface{}) *Validation {
+// InvalidType creates an error for when the type is invalid.
+func InvalidType(name, in, typeName string, value any) *Validation {
 	var message string
 
 	if in != "" {
@@ -284,10 +293,9 @@ func InvalidType(name, in, typeName string, value interface{}) *Validation {
 		Value:   value,
 		message: message,
 	}
-
 }
 
-// DuplicateItems error for when an array contains duplicates
+// DuplicateItems error for when an array contains duplicates.
 func DuplicateItems(name, in string) *Validation {
 	msg := fmt.Sprintf(uniqueFail, name, in)
 	if in == "" {
@@ -301,8 +309,8 @@ func DuplicateItems(name, in string) *Validation {
 	}
 }
 
-// TooManyItems error for when an array contains too many items
-func TooManyItems(name, in string, maximum int64, value interface{}) *Validation {
+// TooManyItems error for when an array contains too many items.
+func TooManyItems(name, in string, maximum int64, value any) *Validation {
 	msg := fmt.Sprintf(maximumItemsFail, name, in, maximum)
 	if in == "" {
 		msg = fmt.Sprintf(maximumItemsFailNoIn, name, maximum)
@@ -317,8 +325,8 @@ func TooManyItems(name, in string, maximum int64, value interface{}) *Validation
 	}
 }
 
-// TooFewItems error for when an array contains too few items
-func TooFewItems(name, in string, minimum int64, value interface{}) *Validation {
+// TooFewItems error for when an array contains too few items.
+func TooFewItems(name, in string, minimum int64, value any) *Validation {
 	msg := fmt.Sprintf(minItemsFail, name, in, minimum)
 	if in == "" {
 		msg = fmt.Sprintf(minItemsFailNoIn, name, minimum)
@@ -332,8 +340,8 @@ func TooFewItems(name, in string, minimum int64, value interface{}) *Validation
 	}
 }
 
-// ExceedsMaximumInt error for when maximumimum validation fails
-func ExceedsMaximumInt(name, in string, maximum int64, exclusive bool, value interface{}) *Validation {
+// ExceedsMaximumInt error for when maximum validation fails.
+func ExceedsMaximumInt(name, in string, maximum int64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := maximumIncFailNoIn
@@ -357,8 +365,8 @@ func ExceedsMaximumInt(name, in string, maximum int64, exclusive bool, value int
 	}
 }
 
-// ExceedsMaximumUint error for when maximumimum validation fails
-func ExceedsMaximumUint(name, in string, maximum uint64, exclusive bool, value interface{}) *Validation {
+// ExceedsMaximumUint error for when maximum validation fails.
+func ExceedsMaximumUint(name, in string, maximum uint64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := maximumIncFailNoIn
@@ -382,8 +390,8 @@ func ExceedsMaximumUint(name, in string, maximum uint64, exclusive bool, value i
 	}
 }
 
-// ExceedsMaximum error for when maximumimum validation fails
-func ExceedsMaximum(name, in string, maximum float64, exclusive bool, value interface{}) *Validation {
+// ExceedsMaximum error for when maximum validation fails.
+func ExceedsMaximum(name, in string, maximum float64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := maximumIncFailNoIn
@@ -407,8 +415,8 @@ func ExceedsMaximum(name, in string, maximum float64, exclusive bool, value inte
 	}
 }
 
-// ExceedsMinimumInt error for when minimum validation fails
-func ExceedsMinimumInt(name, in string, minimum int64, exclusive bool, value interface{}) *Validation {
+// ExceedsMinimumInt error for when minimum validation fails.
+func ExceedsMinimumInt(name, in string, minimum int64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := minIncFailNoIn
@@ -432,8 +440,8 @@ func ExceedsMinimumInt(name, in string, minimum int64, exclusive bool, value int
 	}
 }
 
-// ExceedsMinimumUint error for when minimum validation fails
-func ExceedsMinimumUint(name, in string, minimum uint64, exclusive bool, value interface{}) *Validation {
+// ExceedsMinimumUint error for when minimum validation fails.
+func ExceedsMinimumUint(name, in string, minimum uint64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := minIncFailNoIn
@@ -457,8 +465,8 @@ func ExceedsMinimumUint(name, in string, minimum uint64, exclusive bool, value i
 	}
 }
 
-// ExceedsMinimum error for when minimum validation fails
-func ExceedsMinimum(name, in string, minimum float64, exclusive bool, value interface{}) *Validation {
+// ExceedsMinimum error for when minimum validation fails.
+func ExceedsMinimum(name, in string, minimum float64, exclusive bool, value any) *Validation {
 	var message string
 	if in == "" {
 		m := minIncFailNoIn
@@ -482,8 +490,8 @@ func ExceedsMinimum(name, in string, minimum float64, exclusive bool, value inte
 	}
 }
 
-// NotMultipleOf error for when multiple of validation fails
-func NotMultipleOf(name, in string, multiple, value interface{}) *Validation {
+// NotMultipleOf error for when multiple of validation fails.
+func NotMultipleOf(name, in string, multiple, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(multipleOfFailNoIn, name, multiple)
@@ -499,8 +507,8 @@ func NotMultipleOf(name, in string, multiple, value interface{}) *Validation {
 	}
 }
 
-// EnumFail error for when an enum validation fails
-func EnumFail(name, in string, value interface{}, values []interface{}) *Validation {
+// EnumFail error for when an enum validation fails.
+func EnumFail(name, in string, value any, values []any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(enumFailNoIn, name, values)
@@ -518,8 +526,8 @@ func EnumFail(name, in string, value interface{}, values []interface{}) *Validat
 	}
 }
 
-// Required error for when a value is missing
-func Required(name, in string, value interface{}) *Validation {
+// Required error for when a value is missing.
+func Required(name, in string, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(requiredFailNoIn, name)
@@ -535,8 +543,8 @@ func Required(name, in string, value interface{}) *Validation {
 	}
 }
 
-// ReadOnly error for when a value is present in request
-func ReadOnly(name, in string, value interface{}) *Validation {
+// ReadOnly error for when a value is present in request.
+func ReadOnly(name, in string, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(readOnlyFailNoIn, name)
@@ -552,8 +560,8 @@ func ReadOnly(name, in string, value interface{}) *Validation {
 	}
 }
 
-// TooLong error for when a string is too long
-func TooLong(name, in string, maximum int64, value interface{}) *Validation {
+// TooLong error for when a string is too long.
+func TooLong(name, in string, maximum int64, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(tooLongMessageNoIn, name, maximum)
@@ -569,8 +577,8 @@ func TooLong(name, in string, maximum int64, value interface{}) *Validation {
 	}
 }
 
-// TooShort error for when a string is too short
-func TooShort(name, in string, minimum int64, value interface{}) *Validation {
+// TooShort error for when a string is too short.
+func TooShort(name, in string, minimum int64, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(tooShortMessageNoIn, name, minimum)
@@ -589,7 +597,7 @@ func TooShort(name, in string, minimum int64, value interface{}) *Validation {
 
 // FailedPattern error for when a string fails a regex pattern match
 // the pattern that is returned is the ECMA syntax version of the pattern not the golang version.
-func FailedPattern(name, in, pattern string, value interface{}) *Validation {
+func FailedPattern(name, in, pattern string, value any) *Validation {
 	var msg string
 	if in == "" {
 		msg = fmt.Sprintf(patternFailNoIn, name, pattern)
@@ -607,8 +615,8 @@ func FailedPattern(name, in, pattern string, value interface{}) *Validation {
 }
 
 // MultipleOfMustBePositive error for when a
-// multipleOf factor is negative
-func MultipleOfMustBePositive(name, in string, factor interface{}) *Validation {
+// multipleOf factor is negative.
+func MultipleOfMustBePositive(name, in string, factor any) *Validation {
 	return &Validation{
 		code:    MultipleOfMustBePositiveCode,
 		Name:    name,

src/runtime/vendor/modules.txt

@@ -13,7 +13,7 @@ github.com/AdaLogics/go-fuzz-headers
 # github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0
 ## explicit; go 1.18
 github.com/AdamKorcz/go-118-fuzz-build/testing
-# github.com/BurntSushi/toml v1.5.0
+# github.com/BurntSushi/toml v1.6.0
 ## explicit; go 1.18
 github.com/BurntSushi/toml
 github.com/BurntSushi/toml/internal
@@ -318,8 +318,8 @@ github.com/go-openapi/analysis/internal/flatten/operations
 github.com/go-openapi/analysis/internal/flatten/replace
 github.com/go-openapi/analysis/internal/flatten/schutils
 github.com/go-openapi/analysis/internal/flatten/sortref
-# github.com/go-openapi/errors v0.22.1
-## explicit; go 1.20
+# github.com/go-openapi/errors v0.22.6
+## explicit; go 1.24.0
 github.com/go-openapi/errors
 # github.com/go-openapi/jsonpointer v0.21.0
 ## explicit; go 1.20

src/runtime/virtcontainers/clh.go

@@ -587,6 +587,11 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 	// Set initial amount of cpu's for the virtual machine
 	clh.vmconfig.Cpus = chclient.NewCpusConfig(int32(clh.config.NumVCPUs()), int32(clh.config.DefaultMaxVCPUs))
 
+	if pathExists("/dev/mshv") {
+		// The nested property is true by default, but is not supported yet on MSHV.
+		clh.vmconfig.Cpus.SetNested(false)
+	}
+
 	disableNvdimm := true
 	enableDax := false
 
@@ -613,6 +618,7 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 		disk := chclient.NewDiskConfig()
 		disk.Path = &assetPath
 		disk.SetReadonly(true)
+		disk.SetImageType("Raw")
 
 		diskRateLimiterConfig := clh.getDiskRateLimiterConfig()
 		if diskRateLimiterConfig != nil {
@@ -902,6 +908,7 @@ func (clh *cloudHypervisor) addInitdataDisk(initdataImage string) {
 		disk.Direct = &clh.config.BlockDeviceCacheDirect
 	}
 	disk.SetIommu(clh.config.IOMMU)
+	disk.SetImageType("Raw")
 
 	if rl := clh.getDiskRateLimiterConfig(); rl != nil {
 		disk.SetRateLimiterConfig(*rl)
@@ -940,6 +947,7 @@ func (clh *cloudHypervisor) hotplugAddBlockDevice(drive *config.BlockDrive) erro
 	clhDisk := *chclient.NewDiskConfig()
 	clhDisk.Path = &drive.File
 	clhDisk.Readonly = &drive.ReadOnly
+	clhDisk.SetImageType("Raw")
 	clhDisk.VhostUser = func(b bool) *bool { return &b }(false)
 	if clh.config.BlockDeviceCacheSet {
 		clhDisk.Direct = &clh.config.BlockDeviceCacheDirect
@@ -1372,10 +1380,7 @@ func (clh *cloudHypervisor) terminate(ctx context.Context, waitOnly bool) (err e
 	defer span.End()
 
 	pid := clh.state.PID
-	pidRunning := true
-	if pid == 0 {
-		pidRunning = false
-	}
+	pidRunning := pid != 0
 
 	defer func() {
 		clh.Logger().Debug("Cleanup VM")
@@ -1761,10 +1766,10 @@ func (clh *cloudHypervisor) addNet(e Endpoint) error {
 		return errors.New("net Pair to be added is nil, needed to get TAP file descriptors")
 	}
 
-	if len(netPair.TapInterface.VMFds) == 0 {
+	if len(netPair.VMFds) == 0 {
 		return errors.New("The file descriptors for the network pair are not present")
 	}
-	clh.netDevicesFiles[mac] = netPair.TapInterface.VMFds
+	clh.netDevicesFiles[mac] = netPair.VMFds
 
 	netRateLimiterConfig := clh.getNetRateLimiterConfig()
 
@@ -1932,3 +1937,10 @@ func (clh *cloudHypervisor) vmInfo() (chclient.VmInfo, error) {
 func (clh *cloudHypervisor) IsRateLimiterBuiltin() bool {
 	return true
 }
+
+func pathExists(path string) bool {
+	if _, err := os.Stat(path); err != nil {
+		return false
+	}
+	return true
+}

src/runtime/virtcontainers/clh_test.go

@@ -148,7 +148,7 @@ func TestCloudHypervisorAddNetCheckNetConfigListValues(t *testing.T) {
 
 	e := &VethEndpoint{}
 	e.NetPair.TAPIface.HardAddr = macTest
-	e.NetPair.TapInterface.VMFds = vmFds
+	e.NetPair.VMFds = vmFds
 
 	err = clh.addNet(e)
 	assert.Nil(err)
@@ -183,7 +183,7 @@ func TestCloudHypervisorAddNetCheckEnpointTypes(t *testing.T) {
 
 	validVeth := &VethEndpoint{}
 	validVeth.NetPair.TAPIface.HardAddr = macTest
-	validVeth.NetPair.TapInterface.VMFds = vmFds
+	validVeth.NetPair.VMFds = vmFds
 
 	type args struct {
 		e Endpoint
@@ -224,7 +224,7 @@ func TestCloudHypervisorNetRateLimiter(t *testing.T) {
 	vmFds = append(vmFds, file)
 
 	validVeth := &VethEndpoint{}
-	validVeth.NetPair.TapInterface.VMFds = vmFds
+	validVeth.NetPair.VMFds = vmFds
 
 	type args struct {
 		bwMaxRate       int64

src/runtime/virtcontainers/container.go

@@ -20,7 +20,6 @@ import (
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
 	deviceUtils "github.com/kata-containers/kata-containers/src/runtime/pkg/device/drivers"
-	"github.com/kata-containers/kata-containers/src/runtime/pkg/device/manager"
 	deviceManager "github.com/kata-containers/kata-containers/src/runtime/pkg/device/manager"
 	volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
@@ -635,7 +634,7 @@ func (c *Container) createBlockDevices(ctx context.Context) error {
 
 		if mntInfo != nil {
 			// Write out sandbox info file on the mount source to allow CSI to communicate with the runtime
-			if err := volume.RecordSandboxId(c.sandboxID, c.mounts[i].Source); err != nil {
+			if err := volume.RecordSandboxID(c.sandboxID, c.mounts[i].Source); err != nil {
 				c.Logger().WithError(err).Error("error writing sandbox info")
 			}
 
@@ -1505,8 +1504,8 @@ func (c *Container) update(ctx context.Context, resources specs.LinuxResources)
 		return err
 	}
 
-	if state := c.state.State; !(state == types.StateRunning || state == types.StateReady) {
-		return fmt.Errorf("Container(%s) not running or ready, impossible to update", state)
+	if state := c.state.State; state != types.StateRunning && state != types.StateReady {
+		return fmt.Errorf("container(%s) not running or ready, impossible to update", state)
 	}
 
 	if c.config.Resources.CPU == nil {
@@ -1683,7 +1682,7 @@ func (c *Container) plugDevice(ctx context.Context, devicePath string) error {
 
 // isDriveUsed checks if a drive has been used for container rootfs
 func (c *Container) isDriveUsed() bool {
-	return !(c.state.Fstype == "")
+	return c.state.Fstype != ""
 }
 
 func (c *Container) removeDrive(ctx context.Context) (err error) {
@@ -1692,7 +1691,7 @@ func (c *Container) removeDrive(ctx context.Context) (err error) {
 
 		devID := c.state.BlockDeviceID
 		err := c.sandbox.devManager.DetachDevice(ctx, devID, c.sandbox)
-		if err != nil && err != manager.ErrDeviceNotAttached {
+		if err != nil && err != deviceManager.ErrDeviceNotAttached {
 			return err
 		}
 
@@ -1703,7 +1702,7 @@ func (c *Container) removeDrive(ctx context.Context) (err error) {
 			}).WithError(err).Error("remove device failed")
 
 			// ignore the device not exist error
-			if err != manager.ErrDeviceNotExist {
+			if err != deviceManager.ErrDeviceNotExist {
 				return err
 			}
 		}
@@ -1731,7 +1730,7 @@ func (c *Container) attachDevices(ctx context.Context) error {
 func (c *Container) detachDevices(ctx context.Context) error {
 	for _, dev := range c.devices {
 		err := c.sandbox.devManager.DetachDevice(ctx, dev.ID, c.sandbox)
-		if err != nil && err != manager.ErrDeviceNotAttached {
+		if err != nil && err != deviceManager.ErrDeviceNotAttached {
 			return err
 		}
 
@@ -1742,7 +1741,7 @@ func (c *Container) detachDevices(ctx context.Context) error {
 			}).WithError(err).Error("remove device failed")
 
 			// ignore the device not exist error
-			if err != manager.ErrDeviceNotExist {
+			if err != deviceManager.ErrDeviceNotExist {
 				return err
 			}
 		}

src/runtime/virtcontainers/endpoint_test.go

@@ -119,8 +119,8 @@ func TestSaveLoadIfPair(t *testing.T) {
 	// Since VMFds and VhostFds are't saved, netPair and loadedIfPair are not equal.
 	assert.False(t, reflect.DeepEqual(netPair, loadedIfPair))
 
-	netPair.TapInterface.VMFds = nil
-	netPair.TapInterface.VhostFds = nil
+	netPair.VMFds = nil
+	netPair.VhostFds = nil
 	// They are equal now.
 	assert.True(t, reflect.DeepEqual(netPair, loadedIfPair))
 }

src/runtime/virtcontainers/fc.go

@@ -937,7 +937,7 @@ func (fc *firecracker) fcAddNetDevice(ctx context.Context, endpoint Endpoint) {
 
 	// VMFds are not used by Firecracker, as it opens the tuntap
 	// device by its name.  Let's just close those.
-	for _, f := range endpoint.NetworkPair().TapInterface.VMFds {
+	for _, f := range endpoint.NetworkPair().VMFds {
 		f.Close()
 	}
 
@@ -987,7 +987,7 @@ func (fc *firecracker) fcAddNetDevice(ctx context.Context, endpoint Endpoint) {
 	ifaceCfg := &models.NetworkInterface{
 		GuestMac:      endpoint.HardwareAddr(),
 		IfaceID:       &ifaceID,
-		HostDevName:   &endpoint.NetworkPair().TapInterface.TAPIface.Name,
+		HostDevName:   &endpoint.NetworkPair().TAPIface.Name,
 		RxRateLimiter: &rxRateLimiter,
 		TxRateLimiter: &txRateLimiter,
 	}

src/runtime/virtcontainers/fs_share_linux.go

@@ -325,7 +325,8 @@ func (f *FilesystemShare) ShareFile(ctx context.Context, c *Container, m *Mount)
 				return err
 			}
 
-			if !(info.Mode().IsRegular() || info.Mode().IsDir() || (info.Mode()&os.ModeSymlink) == os.ModeSymlink) {
+			mode := info.Mode()
+			if !mode.IsRegular() && !mode.IsDir() && mode&os.ModeSymlink != os.ModeSymlink {
 				f.Logger().WithField("ignored-file", srcPath).Debug("Ignoring file as FS sharing not supported")
 				if srcPath == srcRoot {
 					// Ignore the mount if this is not a regular file (excludes socket, device, ...) as it cannot be handled by
@@ -693,17 +694,17 @@ func (f *FilesystemShare) ShareRootFilesystem(ctx context.Context, c *Container)
 			f.Logger().Error("malformed block drive")
 			return nil, fmt.Errorf("malformed block drive")
 		}
-		switch {
-		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioMmio:
+		switch f.sandbox.config.HypervisorConfig.BlockDeviceDriver {
+		case config.VirtioMmio:
 			rootfsStorage.Driver = kataMmioBlkDevType
 			rootfsStorage.Source = blockDrive.VirtPath
-		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioBlockCCW:
+		case config.VirtioBlockCCW:
 			rootfsStorage.Driver = kataBlkCCWDevType
 			rootfsStorage.Source = blockDrive.DevNo
-		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioBlock:
+		case config.VirtioBlock:
 			rootfsStorage.Driver = kataBlkDevType
 			rootfsStorage.Source = blockDrive.PCIPath.String()
-		case f.sandbox.config.HypervisorConfig.BlockDeviceDriver == config.VirtioSCSI:
+		case config.VirtioSCSI:
 			rootfsStorage.Driver = kataSCSIDevType
 			rootfsStorage.Source = blockDrive.SCSIAddr
 		default:

src/runtime/virtcontainers/hypervisor.go

@@ -92,9 +92,10 @@ const (
 )
 
 var (
-	hvLogger                   = logrus.WithField("source", "virtcontainers/hypervisor")
-	noGuestMemHotplugErr error = errors.New("guest memory hotplug not supported")
-	conflictingAssets    error = errors.New("cannot set both image and initrd at the same time")
+	hvLogger                        = logrus.WithField("source", "virtcontainers/hypervisor")
+	noGuestMemHotplugErr      error = errors.New("guest memory hotplug not supported")
+	s390xVirtioMemRequiredErr error = errors.New("memory hotplug on s390x requires virtio-mem to be enabled")
+	conflictingAssets         error = errors.New("cannot set both image and initrd at the same time")
 )
 
 // In some architectures the maximum number of vCPUs depends on the number of physical cores.

src/runtime/virtcontainers/kata_agent.go

@@ -46,7 +46,6 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 	grpcStatus "google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
@@ -361,15 +360,11 @@ func KataAgentKernelParams(config KataAgentConfig) []Param {
 }
 
 func (k *kataAgent) handleTraceSettings(config KataAgentConfig) bool {
-	disableVMShutdown := false
-
-	if config.Trace {
-		// Agent tracing requires that the agent be able to shutdown
-		// cleanly. This is the only scenario where the agent is
-		// responsible for stopping the VM: normally this is handled
-		// by the runtime.
-		disableVMShutdown = true
-	}
+	// Agent tracing requires that the agent be able to shutdown
+	// cleanly. This is the only scenario where the agent is
+	// responsible for stopping the VM: normally this is handled
+	// by the runtime.
+	disableVMShutdown := config.Trace
 
 	return disableVMShutdown
 }
@@ -586,7 +581,7 @@ func (k *kataAgent) exec(ctx context.Context, sandbox *Sandbox, c Container, cmd
 
 	if _, err := k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "ExecProcessRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ExecProcessRequest timed out")
 		}
 		return nil, err
 	}
@@ -630,7 +625,7 @@ func (k *kataAgent) updateInterface(ctx context.Context, ifc *pbTypes.Interface)
 			"resulting-interface": fmt.Sprintf("%+v", resultingInterface),
 		}).WithError(err).Error("update interface request failed")
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "UpdateInterfaceRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateInterfaceRequest timed out")
 		}
 	}
 	if resultInterface, ok := resultingInterface.(*pbTypes.Interface); ok {
@@ -662,7 +657,7 @@ func (k *kataAgent) updateRoutes(ctx context.Context, routes []*pbTypes.Route) (
 				"resulting-routes": fmt.Sprintf("%+v", resultingRoutes),
 			}).WithError(err).Error("update routes request failed")
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return nil, status.Errorf(codes.DeadlineExceeded, "UpdateRoutesRequest timed out")
+				return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateRoutesRequest timed out")
 			}
 		}
 		resultRoutes, ok := resultingRoutes.(*grpc.Routes)
@@ -683,7 +678,7 @@ func (k *kataAgent) updateEphemeralMounts(ctx context.Context, storages []*grpc.
 		if _, err := k.sendReq(ctx, storagesReq); err != nil {
 			k.Logger().WithError(err).Error("update mounts request failed")
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return status.Errorf(codes.DeadlineExceeded, "UpdateEphemeralMountsRequest timed out")
+				return grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateEphemeralMountsRequest timed out")
 			}
 			return err
 		}
@@ -708,7 +703,7 @@ func (k *kataAgent) addARPNeighbors(ctx context.Context, neighs []*pbTypes.ARPNe
 				return nil
 			}
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return status.Errorf(codes.DeadlineExceeded, "AddARPNeighborsRequest timed out")
+				return grpcStatus.Errorf(codes.DeadlineExceeded, "AddARPNeighborsRequest timed out")
 			}
 			k.Logger().WithFields(logrus.Fields{
 				"arpneighbors-requested": fmt.Sprintf("%+v", neighs),
@@ -724,7 +719,7 @@ func (k *kataAgent) listInterfaces(ctx context.Context) ([]*pbTypes.Interface, e
 	resultingInterfaces, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "ListInterfacesRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ListInterfacesRequest timed out")
 		}
 		return nil, err
 	}
@@ -740,7 +735,7 @@ func (k *kataAgent) listRoutes(ctx context.Context) ([]*pbTypes.Route, error) {
 	resultingRoutes, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "ListRoutesRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "ListRoutesRequest timed out")
 		}
 		return nil, err
 	}
@@ -859,7 +854,7 @@ func (k *kataAgent) startSandbox(ctx context.Context, sandbox *Sandbox) error {
 	_, err = k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return status.Errorf(codes.DeadlineExceeded, "CreateSandboxRequest timed out")
+			return grpcStatus.Errorf(codes.DeadlineExceeded, "CreateSandboxRequest timed out")
 		}
 		return err
 	}
@@ -966,7 +961,7 @@ func (k *kataAgent) stopSandbox(ctx context.Context, sandbox *Sandbox) error {
 
 	if _, err := k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return status.Errorf(codes.DeadlineExceeded, "DestroySandboxRequest timed out")
+			return grpcStatus.Errorf(codes.DeadlineExceeded, "DestroySandboxRequest timed out")
 		}
 		return err
 	}
@@ -1499,7 +1494,7 @@ func (k *kataAgent) createContainer(ctx context.Context, sandbox *Sandbox, c *Co
 
 	if _, err = k.sendReq(ctx, req); err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "CreateContainerRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "CreateContainerRequest timed out")
 		}
 		return nil, err
 	}
@@ -1590,21 +1585,21 @@ func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) ([]*grpc.Storag
 	var epheStorages []*grpc.Storage
 	for idx, mnt := range mounts {
 		if mnt.Type == KataEphemeralDevType {
-			origin_src := mounts[idx].Source
+			originSrc := mounts[idx].Source
 			stat := syscall.Stat_t{}
-			err := syscall.Stat(origin_src, &stat)
+			err := syscall.Stat(originSrc, &stat)
 			if err != nil {
-				k.Logger().WithError(err).Errorf("failed to stat %s", origin_src)
+				k.Logger().WithError(err).Errorf("failed to stat %s", originSrc)
 				return nil, err
 			}
 
-			var dir_options []string
+			var dirOptions []string
 
 			// if volume's gid isn't root group(default group), this means there's
 			// an specific fsGroup is set on this local volume, then it should pass
 			// to guest.
 			if stat.Gid != 0 {
-				dir_options = append(dir_options, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
+				dirOptions = append(dirOptions, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
 			}
 
 			// Set the mount source path to a path that resides inside the VM
@@ -1619,7 +1614,7 @@ func (k *kataAgent) handleEphemeralStorage(mounts []specs.Mount) ([]*grpc.Storag
 				Source:     "tmpfs",
 				Fstype:     "tmpfs",
 				MountPoint: mounts[idx].Source,
-				Options:    dir_options,
+				Options:    dirOptions,
 			}
 			epheStorages = append(epheStorages, epheStorage)
 		}
@@ -1633,21 +1628,21 @@ func (k *kataAgent) handleLocalStorage(mounts []specs.Mount, sandboxID string, r
 	var localStorages []*grpc.Storage
 	for idx, mnt := range mounts {
 		if mnt.Type == KataLocalDevType {
-			origin_src := mounts[idx].Source
+			originSrc := mounts[idx].Source
 			stat := syscall.Stat_t{}
-			err := syscall.Stat(origin_src, &stat)
+			err := syscall.Stat(originSrc, &stat)
 			if err != nil {
-				k.Logger().WithError(err).Errorf("failed to stat %s", origin_src)
+				k.Logger().WithError(err).Errorf("failed to stat %s", originSrc)
 				return nil, err
 			}
 
-			dir_options := localDirOptions
+			dirOptions := localDirOptions
 
 			// if volume's gid isn't root group(default group), this means there's
 			// an specific fsGroup is set on this local volume, then it should pass
 			// to guest.
 			if stat.Gid != 0 {
-				dir_options = append(dir_options, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
+				dirOptions = append(dirOptions, fmt.Sprintf("%s=%d", fsGid, stat.Gid))
 			}
 
 			// Set the mount source path to a the desired directory point in the VM.
@@ -1664,7 +1659,7 @@ func (k *kataAgent) handleLocalStorage(mounts []specs.Mount, sandboxID string, r
 				Source:     KataLocalDevType,
 				Fstype:     KataLocalDevType,
 				MountPoint: mounts[idx].Source,
-				Options:    dir_options,
+				Options:    dirOptions,
 			}
 			localStorages = append(localStorages, localStorage)
 		}
@@ -1721,21 +1716,21 @@ func getContainerTypeforCRI(c *Container) (string, string) {
 }
 
 func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.KataVirtualVolume, vol *grpc.Storage) (*grpc.Storage, error) {
-	container_annotations := c.GetAnnotations()
+	containerAnnotations := c.GetAnnotations()
 	containerType, criContainerType := getContainerTypeforCRI(c)
 
-	var image_ref string
+	var imageRef string
 	if containerType == string(PodSandbox) {
-		image_ref = "pause"
+		imageRef = "pause"
 	} else {
 		const kubernetesCRIImageName = "io.kubernetes.cri.image-name"
 		const kubernetesCRIOImageName = "io.kubernetes.cri-o.ImageName"
 
 		switch criContainerType {
 		case ctrAnnotations.ContainerType:
-			image_ref = container_annotations[kubernetesCRIImageName]
+			imageRef = containerAnnotations[kubernetesCRIImageName]
 		case crioAnnotations.ContainerType:
-			image_ref = container_annotations[kubernetesCRIOImageName]
+			imageRef = containerAnnotations[kubernetesCRIOImageName]
 		default:
 			// There are cases, like when using nerdctl, where the criContainerType
 			// will never be set, leading to this code path.
@@ -1746,17 +1741,17 @@ func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.Kata
 			//
 			// With this in mind, let's "fallback" to the default k8s cri image-name
 			// annotation, as documented on our image-pull documentation.
-			image_ref = container_annotations[kubernetesCRIImageName]
+			imageRef = containerAnnotations[kubernetesCRIImageName]
 		}
 
-		if image_ref == "" {
+		if imageRef == "" {
 			return nil, fmt.Errorf("Failed to get image name from annotations")
 		}
 	}
-	virtualVolumeInfo.Source = image_ref
+	virtualVolumeInfo.Source = imageRef
 
 	//merge virtualVolumeInfo.ImagePull.Metadata and container_annotations
-	for k, v := range container_annotations {
+	for k, v := range containerAnnotations {
 		virtualVolumeInfo.ImagePull.Metadata[k] = v
 	}
 
@@ -1975,7 +1970,7 @@ func (k *kataAgent) startContainer(ctx context.Context, sandbox *Sandbox, c *Con
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "StartContainerRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "StartContainerRequest timed out")
 	}
 	return err
 }
@@ -1986,7 +1981,7 @@ func (k *kataAgent) stopContainer(ctx context.Context, sandbox *Sandbox, c Conta
 
 	_, err := k.sendReq(ctx, &grpc.RemoveContainerRequest{ContainerId: c.id})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "RemoveContainerRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "RemoveContainerRequest timed out")
 	}
 	return err
 }
@@ -2005,7 +2000,7 @@ func (k *kataAgent) signalProcess(ctx context.Context, c *Container, processID s
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "SignalProcessRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "SignalProcessRequest timed out")
 	}
 	return err
 }
@@ -2020,7 +2015,7 @@ func (k *kataAgent) winsizeProcess(ctx context.Context, c *Container, processID
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "TtyWinResizeRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "TtyWinResizeRequest timed out")
 	}
 	return err
 }
@@ -2038,7 +2033,7 @@ func (k *kataAgent) updateContainer(ctx context.Context, sandbox *Sandbox, c Con
 
 	_, err = k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "UpdateContainerRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "UpdateContainerRequest timed out")
 	}
 	return err
 }
@@ -2050,7 +2045,7 @@ func (k *kataAgent) pauseContainer(ctx context.Context, sandbox *Sandbox, c Cont
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "PauseContainerRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "PauseContainerRequest timed out")
 	}
 	return err
 }
@@ -2062,7 +2057,7 @@ func (k *kataAgent) resumeContainer(ctx context.Context, sandbox *Sandbox, c Con
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "ResumeContainerRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "ResumeContainerRequest timed out")
 	}
 	return err
 }
@@ -2089,7 +2084,7 @@ func (k *kataAgent) memHotplugByProbe(ctx context.Context, addr uint64, sizeMB u
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "MemHotplugByProbeRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "MemHotplugByProbeRequest timed out")
 	}
 	return err
 }
@@ -2103,7 +2098,7 @@ func (k *kataAgent) onlineCPUMem(ctx context.Context, cpus uint32, cpuOnly bool)
 
 	_, err := k.sendReq(ctx, req)
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "OnlineCPUMemRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "OnlineCPUMemRequest timed out")
 	}
 	return err
 }
@@ -2117,7 +2112,7 @@ func (k *kataAgent) statsContainer(ctx context.Context, sandbox *Sandbox, c Cont
 
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "StatsContainerRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "StatsContainerRequest timed out")
 		}
 		return nil, err
 	}
@@ -2201,7 +2196,7 @@ func (k *kataAgent) check(ctx context.Context) error {
 	_, err := k.sendReq(ctx, &grpc.CheckRequest{})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return status.Errorf(codes.DeadlineExceeded, "CheckRequest timed out")
+			return grpcStatus.Errorf(codes.DeadlineExceeded, "CheckRequest timed out")
 		}
 		err = fmt.Errorf("Failed to Check if grpc server is working: %s", err)
 	}
@@ -2218,7 +2213,7 @@ func (k *kataAgent) waitProcess(ctx context.Context, c *Container, processID str
 	})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return 0, status.Errorf(codes.DeadlineExceeded, "WaitProcessRequest timed out")
+			return 0, grpcStatus.Errorf(codes.DeadlineExceeded, "WaitProcessRequest timed out")
 		}
 		return 0, err
 	}
@@ -2235,7 +2230,7 @@ func (k *kataAgent) writeProcessStdin(ctx context.Context, c *Container, Process
 
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return 0, status.Errorf(codes.DeadlineExceeded, "WriteStreamRequest timed out")
+			return 0, grpcStatus.Errorf(codes.DeadlineExceeded, "WriteStreamRequest timed out")
 		}
 		return 0, err
 	}
@@ -2249,7 +2244,7 @@ func (k *kataAgent) closeProcessStdin(ctx context.Context, c *Container, Process
 		ExecId:      ProcessID,
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "CloseStdinRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "CloseStdinRequest timed out")
 	}
 	return err
 }
@@ -2259,7 +2254,7 @@ func (k *kataAgent) reseedRNG(ctx context.Context, data []byte) error {
 		Data: data,
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "ReseedRandomDevRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "ReseedRandomDevRequest timed out")
 	}
 	return err
 }
@@ -2267,7 +2262,7 @@ func (k *kataAgent) reseedRNG(ctx context.Context, data []byte) error {
 func (k *kataAgent) removeStaleVirtiofsShareMounts(ctx context.Context) error {
 	_, err := k.sendReq(ctx, &grpc.RemoveStaleVirtiofsShareMountsRequest{})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "removeStaleVirtiofsShareMounts timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "removeStaleVirtiofsShareMounts timed out")
 	}
 	return err
 }
@@ -2502,7 +2497,7 @@ func (k *kataAgent) getGuestDetails(ctx context.Context, req *grpc.GuestDetailsR
 	resp, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "GuestDetailsRequest request timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GuestDetailsRequest request timed out")
 		}
 		return nil, err
 	}
@@ -2516,7 +2511,7 @@ func (k *kataAgent) setGuestDateTime(ctx context.Context, tv time.Time) error {
 		Usec: int64(tv.Nanosecond() / 1e3),
 	})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "SetGuestDateTimeRequest request timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "SetGuestDateTimeRequest request timed out")
 	}
 	return err
 }
@@ -2571,7 +2566,7 @@ func (k *kataAgent) copyFile(ctx context.Context, src, dst string) error {
 	if cpReq.FileSize == 0 {
 		_, err := k.sendReq(ctx, cpReq)
 		if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-			return status.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
+			return grpcStatus.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
 		}
 		return err
 	}
@@ -2590,7 +2585,7 @@ func (k *kataAgent) copyFile(ctx context.Context, src, dst string) error {
 
 		if _, err = k.sendReq(ctx, cpReq); err != nil {
 			if err.Error() == context.DeadlineExceeded.Error() {
-				return status.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
+				return grpcStatus.Errorf(codes.DeadlineExceeded, "CopyFileRequest timed out")
 			}
 			return fmt.Errorf("Could not send CopyFile request: %v", err)
 		}
@@ -2609,7 +2604,7 @@ func (k *kataAgent) addSwap(ctx context.Context, PCIPath types.PciPath) error {
 
 	_, err := k.sendReq(ctx, &grpc.AddSwapRequest{PCIPath: PCIPath.ToArray()})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "AddSwapRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "AddSwapRequest timed out")
 	}
 	return err
 }
@@ -2638,7 +2633,7 @@ func (k *kataAgent) getOOMEvent(ctx context.Context) (string, error) {
 	result, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return "", status.Errorf(codes.DeadlineExceeded, "GetOOMEventRequest timed out")
+			return "", grpcStatus.Errorf(codes.DeadlineExceeded, "GetOOMEventRequest timed out")
 		}
 		return "", err
 	}
@@ -2652,7 +2647,7 @@ func (k *kataAgent) getAgentMetrics(ctx context.Context, req *grpc.GetMetricsReq
 	resp, err := k.sendReq(ctx, req)
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "GetMetricsRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GetMetricsRequest timed out")
 		}
 		return nil, err
 	}
@@ -2664,7 +2659,7 @@ func (k *kataAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error
 	resp, err := k.sendReq(ctx, &grpc.GetIPTablesRequest{IsIpv6: isIPv6})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "GetIPTablesRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "GetIPTablesRequest timed out")
 		}
 		return nil, err
 	}
@@ -2679,7 +2674,7 @@ func (k *kataAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) e
 	if err != nil {
 		k.Logger().WithError(err).Errorf("setIPTables request to agent failed")
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return status.Errorf(codes.DeadlineExceeded, "SetIPTablesRequest timed out")
+			return grpcStatus.Errorf(codes.DeadlineExceeded, "SetIPTablesRequest timed out")
 		}
 	}
 
@@ -2690,7 +2685,7 @@ func (k *kataAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath str
 	result, err := k.sendReq(ctx, &grpc.VolumeStatsRequest{VolumeGuestPath: volumeGuestPath})
 	if err != nil {
 		if err.Error() == context.DeadlineExceeded.Error() {
-			return nil, status.Errorf(codes.DeadlineExceeded, "VolumeStatsRequest timed out")
+			return nil, grpcStatus.Errorf(codes.DeadlineExceeded, "VolumeStatsRequest timed out")
 		}
 		return nil, err
 	}
@@ -2706,7 +2701,7 @@ func (k *kataAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath str
 func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath string, size uint64) error {
 	_, err := k.sendReq(ctx, &grpc.ResizeVolumeRequest{VolumeGuestPath: volumeGuestPath, Size: size})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "ResizeVolumeRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "ResizeVolumeRequest timed out")
 	}
 	return err
 }
@@ -2714,7 +2709,7 @@ func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin
 func (k *kataAgent) setPolicy(ctx context.Context, policy string) error {
 	_, err := k.sendReq(ctx, &grpc.SetPolicyRequest{Policy: policy})
 	if err != nil && err.Error() == context.DeadlineExceeded.Error() {
-		return status.Errorf(codes.DeadlineExceeded, "SetPolicyRequest timed out")
+		return grpcStatus.Errorf(codes.DeadlineExceeded, "SetPolicyRequest timed out")
 	}
 	return err
 }

src/runtime/virtcontainers/mock_agent.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"context"
+
 	persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
 	pbTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/grpc"
@@ -260,14 +261,14 @@ func (n *mockAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin
 	return nil
 }
 
-func (k *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+func (n *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
 	return nil, nil
 }
 
-func (k *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+func (n *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
 	return nil
 }
 
-func (k *mockAgent) setPolicy(ctx context.Context, policy string) error {
+func (n *mockAgent) setPolicy(ctx context.Context, policy string) error {
 	return nil
 }

src/runtime/virtcontainers/network_linux.go

@@ -240,7 +240,7 @@ func (n *LinuxNetwork) addSingleEndpoint(ctx context.Context, s *Sandbox, netInf
 }
 
 func (n *LinuxNetwork) removeSingleEndpoint(ctx context.Context, s *Sandbox, endpoint Endpoint, hotplug bool) error {
-	var idx int = len(n.eps)
+	idx := len(n.eps)
 	for i, val := range n.eps {
 		if val.HardwareAddr() == endpoint.HardwareAddr() {
 			idx = i
@@ -293,7 +293,7 @@ func (n *LinuxNetwork) endpointAlreadyAdded(netInfo *NetworkInfo) bool {
 		}
 		pair := ep.NetworkPair()
 		// Existing virtual endpoints
-		if pair != nil && (pair.TapInterface.Name == netInfo.Iface.Name || pair.TapInterface.TAPIface.Name == netInfo.Iface.Name || pair.VirtIface.Name == netInfo.Iface.Name) {
+		if pair != nil && (pair.Name == netInfo.Iface.Name || pair.TAPIface.Name == netInfo.Iface.Name || pair.VirtIface.Name == netInfo.Iface.Name) {
 			return true
 		}
 	}
@@ -1299,7 +1299,7 @@ func addRxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 	switch ep := endpoint.(type) {
 	case *VethEndpoint, *IPVlanEndpoint, *TuntapEndpoint, *MacvlanEndpoint:
 		netPair := endpoint.NetworkPair()
-		linkName = netPair.TapInterface.TAPIface.Name
+		linkName = netPair.TAPIface.Name
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
 	default:
@@ -1467,7 +1467,7 @@ func addTxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 			}
 			return addHTBQdisc(link.Attrs().Index, maxRate)
 		case NetXConnectMacVtapModel, NetXConnectNoneModel:
-			linkName = netPair.TapInterface.TAPIface.Name
+			linkName = netPair.TAPIface.Name
 		default:
 			return fmt.Errorf("Unsupported inter-networking model %v for adding tx rate limiter", netPair.NetInterworkingModel)
 		}
@@ -1502,7 +1502,7 @@ func addTxRateLimiter(endpoint Endpoint, maxRate uint64) error {
 func removeHTBQdisc(linkName string) error {
 	link, err := netlink.LinkByName(linkName)
 	if err != nil {
-		return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
+		return fmt.Errorf("get link %s by name failed: %v", linkName, err)
 	}
 
 	qdiscs, err := netlink.QdiscList(link)
@@ -1529,7 +1529,7 @@ func removeRxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 	switch ep := endpoint.(type) {
 	case *VethEndpoint, *IPVlanEndpoint, *TuntapEndpoint, *MacvlanEndpoint:
 		netPair := endpoint.NetworkPair()
-		linkName = netPair.TapInterface.TAPIface.Name
+		linkName = netPair.TAPIface.Name
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
 	default:
@@ -1560,7 +1560,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 			}
 			return nil
 		case NetXConnectMacVtapModel, NetXConnectNoneModel:
-			linkName = netPair.TapInterface.TAPIface.Name
+			linkName = netPair.TAPIface.Name
 		}
 	case *MacvtapEndpoint, *TapEndpoint:
 		linkName = endpoint.Name()
@@ -1571,7 +1571,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 	if err := doNetNS(networkNSPath, func(_ ns.NetNS) error {
 		link, err := netlink.LinkByName(linkName)
 		if err != nil {
-			return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
+			return fmt.Errorf("get link %s by name failed: %v", linkName, err)
 		}
 
 		if err := removeRedirectTCFilter(link); err != nil {
@@ -1591,7 +1591,7 @@ func removeTxRateLimiter(endpoint Endpoint, networkNSPath string) error {
 		// remove ifb interface
 		ifbLink, err := netlink.LinkByName("ifb0")
 		if err != nil {
-			return fmt.Errorf("Get link %s by name failed: %v", linkName, err)
+			return fmt.Errorf("get link %s by name failed: %v", linkName, err)
 		}
 
 		if err := netHandle.LinkSetDown(ifbLink); err != nil {