do-not-merge: tests/cri-containerd: temporarily use containerd fork with getRuncOptions fix

The cri-containerd integration tests fail with the shim sandboxer when
running non-runc runtimes (e.g. Kata). The root cause is a bug in
containerd's client/task.go: getRuncOptions() unconditionally tries to
unmarshal the container's stored runtimeOptions into containerd.runc.v1.Options,
but Kata containers store runtimeoptions.v1.Options. This causes:

  failed to create containerd task: failed to get runtime v2 options:
  can't unmarshal type "runtimeoptions.v1.Options" to output
  "containerd.runc.v1.Options"

A fix has been submitted upstream. Until it is merged and released,
clone containerd from the fork that carries the fix so that
`make cri-integration` (which builds and runs its own containerd daemon)
picks up the corrected binary.

TODO: revert once the fix is in an upstream containerd release and
versions.yaml is updated accordingly.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

.github/actionlint.yaml

@@ -28,3 +28,9 @@ self-hosted-runner:
     - s390x-large
     - tdx
     - ubuntu-24.04-arm
+
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      # We use if: false to "temporarily" skip jobs with issues
+      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -15,6 +15,8 @@ updates:
       - "/src/tools/trace-forwarder"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     ignore:
     # rust-vmm repos might cause incompatibilities on patch versions, so
     # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
       - "src/tools/csi-kata-directvolume"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/actionlint.yaml

@@ -13,18 +13,13 @@ concurrency:
 jobs:
   run-actionlint:
     name: run-actionlint
-    env:
-      GH_TOKEN: ${{ github.token }}
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Install actionlint gh extension
-        run: gh extension install https://github.com/cschleiden/gh-actionlint
-
       - name: Run actionlint
-        run:  gh actionlint
+        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1

.github/workflows/basic-ci-amd64.yaml

@@ -25,10 +25,9 @@ jobs:
       fail-fast: false
       matrix:
         containerd_version: ['active']
-        vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
-    # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
-    if: false
-    runs-on: ubuntu-22.04
+        # vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
+        vmm: ['dragonball', 'qemu-runtime-rs']
+    runs-on: ubuntu-24.04
     env:
       CONTAINERD_VERSION: ${{ matrix.containerd_version }}
       GOPATH: ${{ github.workspace }}
@@ -47,6 +46,23 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Install dependencies
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
         env:

.github/workflows/basic-ci-s390x.yaml

@@ -47,8 +47,25 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh
+        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
         env:
           GH_TOKEN: ${{ github.token }}
 

.github/workflows/build-checks-preview-riscv64.yaml

@@ -82,11 +82,17 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
         if: contains(matrix.component.needs, 'golang')
         run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        if: contains(matrix.component.needs, 'golang')
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-checks.yaml

@@ -94,11 +94,19 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
         if: contains(matrix.component.needs, 'golang')
         run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        if: contains(matrix.component.needs, 'golang')
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
       - name: Setup rust
         if: contains(matrix.component.needs, 'rust')
         run: |

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -143,7 +143,7 @@ jobs:
           if-no-files-found: error
 
       - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ matrix.asset == 'kernel' || startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
+        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: kata-artifacts-amd64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
@@ -235,7 +235,6 @@ jobs:
         asset:
           - busybox
           - coco-guest-components
-          - kernel-modules
           - kernel-nvidia-gpu-modules
           - pause-image
     steps:

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -120,15 +120,6 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
-      - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ matrix.asset == 'kernel' }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
   build-asset-rootfs:
     name: build-asset-rootfs
     runs-on: s390x

.github/workflows/ci-devel.yaml

@@ -17,6 +17,7 @@ jobs:
       pr-number: "dev"
       tag: ${{ github.sha }}-dev
       target-branch: ${{ github.ref_name }}
+      extensive-matrix-autogenerated-policy: "yes"
 
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

.github/workflows/ci-nightly.yaml

@@ -22,6 +22,7 @@ jobs:
       pr-number: "nightly"
       tag: ${{ github.sha }}-nightly
       target-branch: ${{ github.ref_name }}
+      extensive-matrix-autogenerated-policy: "yes"
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/ci.yaml

@@ -19,6 +19,10 @@ on:
         required: false
         type: string
         default: no
+      extensive-matrix-autogenerated-policy:
+        required: false
+        type: string
+        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -358,6 +362,7 @@ jobs:
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
+      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
       AZ_APPID: ${{ secrets.AZ_APPID }}

.github/workflows/codeql.yml

@@ -72,7 +72,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
         make -C src/runtime
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/darwin-tests.yaml

@@ -31,10 +31,22 @@ jobs:
       with:
         persist-credentials: false
 
-    - name: Install golang
+    - name: Install yq
       run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+        ./ci/install_yq.sh
+      env:
+        INSTALL_IN_GOPATH: false
+
+    - name: Read properties from versions.yaml
+      run: |
+        go_version="$(yq '.languages.golang.version' versions.yaml)"
+        [ -n "$go_version" ]
+        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+    - name: Setup Golang version ${{ env.GO_VERSION }}
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}
 
     - name: Install Rust
       run: ./tests/install_rust.sh

.github/workflows/docs-url-alive-check.yaml

@@ -24,10 +24,22 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Install golang
+    - name: Install yq
       run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+        ./ci/install_yq.sh
+      env:
+        INSTALL_IN_GOPATH: false
+
+    - name: Read properties from versions.yaml
+      run: |
+        go_version="$(yq '.languages.golang.version' versions.yaml)"
+        [ -n "$go_version" ]
+        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+    - name: Setup Golang version ${{ env.GO_VERSION }}
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}
 
     - name: Docs URL Alive Check
       run: |

.github/workflows/docs.yaml

@@ -16,17 +16,17 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.x
       - run: pip install zensical
       - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
         id: deployment

.github/workflows/govulncheck.yaml

@@ -27,10 +27,22 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Install golang
+      - name: Install yq
         run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
 
       - name: Install govulncheck
         run: |

.github/workflows/run-cri-containerd-tests.yaml

@@ -35,8 +35,6 @@ on:
 jobs:
   run-cri-containerd:
     name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
     runs-on: ${{ inputs.runner }}
     env:
       CONTAINERD_VERSION: ${{ inputs.containerd_version }}
@@ -55,6 +53,25 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: ${{ inputs.arch == 'ppc64le' && 'ppc64le' || '' }}
+
       - name: Install dependencies
         timeout-minutes: 15
         run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

.github/workflows/run-k8s-tests-on-ppc64le.yaml

@@ -57,10 +57,24 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
-      - name: Install golang
+      - name: Install yq
         run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: 'ppc64le'
 
       - name: Prepare the runner for k8s test suite
         run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

.github/workflows/run-kata-coco-tests.yaml

@@ -24,6 +24,10 @@ on:
         required: false
         type: string
         default: ""
+      extensive-matrix-autogenerated-policy:
+        required: false
+        type: string
+        default: no
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
@@ -258,6 +262,136 @@ jobs:
         timeout-minutes: 5
         run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
 
+  # Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
+  run-k8s-tests-coco-nontee-extensive-matrix:
+    if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
+    name: run-k8s-tests-coco-nontee-extensive-matrix
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [
+          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: k0s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+        ]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KBS: "true"
+      KBS_INGRESS: "nodeport"
+      KUBERNETES: ${{ matrix.environment.k8s }}
+      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
+      PULL_TYPE: ${{ matrix.environment.pull_type }}
+      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTO_GENERATE_POLICY: "yes"
+      K8S_TEST_HOST_TYPE: "all"
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy ${{ matrix.environment.k8s }}
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
+      - name: Delete CoCo KBS
+        if: always()
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
+      - name: Delete CSI driver
+        if: always()
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+
   # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
   run-k8s-tests-coco-nontee-with-erofs-snapshotter:
     name: run-k8s-tests-coco-nontee-with-erofs-snapshotter

.github/workflows/scorecard.yaml

@@ -55,6 +55,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
         with:
           sarif_file: results.sarif

.github/workflows/static-checks.yaml

@@ -126,11 +126,16 @@ jobs:
           ./ci/install_yq.sh
         env:
           INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
         run: |
           cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
       - name: Install system dependencies
         run: |
           sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc

Cargo.lock

@@ -44,9 +44,7 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "async-trait",
- "futures 0.1.31",
  "kata-types",
- "log",
  "logging",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -141,23 +139,12 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "event-listener-strategy",
  "futures-core",
  "pin-project-lite",
 ]
 
-[[package]]
-name = "async-channel"
-version = "1.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
-dependencies = [
- "concurrent-queue",
- "event-listener 2.5.3",
- "futures-core",
-]
-
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -184,21 +171,6 @@ dependencies = [
  "slab",
 ]
 
-[[package]]
-name = "async-global-executor"
-version = "2.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
-dependencies = [
- "async-channel 2.5.0",
- "async-executor",
- "async-io",
- "async-lock",
- "blocking",
- "futures-lite",
- "once_cell",
-]
-
 [[package]]
 name = "async-io"
 version = "2.6.0"
@@ -223,7 +195,7 @@ version = "3.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "event-listener-strategy",
  "pin-project-lite",
 ]
@@ -234,14 +206,14 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
  "async-io",
  "async-lock",
  "async-signal",
  "async-task",
  "blocking",
  "cfg-if 1.0.0",
- "event-listener 5.4.1",
+ "event-listener",
  "futures-lite",
  "rustix 1.1.2",
 ]
@@ -275,32 +247,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "async-std"
-version = "1.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b"
-dependencies = [
- "async-channel 1.9.0",
- "async-global-executor",
- "async-io",
- "async-lock",
- "crossbeam-utils",
- "futures-channel",
- "futures-core",
- "futures-io",
- "futures-lite",
- "gloo-timers",
- "kv-log-macro",
- "log",
- "memchr",
- "once_cell",
- "pin-project-lite",
- "pin-utils",
- "slab",
- "wasm-bindgen-futures",
-]
-
 [[package]]
 name = "async-task"
 version = "4.7.1"
@@ -447,7 +393,7 @@ version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
  "async-task",
  "futures-io",
  "futures-lite",
@@ -644,29 +590,17 @@ dependencies = [
  "containerd-shim-protos",
  "kata-sys-util",
  "kata-types",
- "lazy_static",
  "nix 0.26.4",
  "oci-spec 0.8.3",
- "persist",
  "protobuf",
  "protocols",
  "resource",
  "runtime-spec",
- "serde_json",
- "slog",
- "slog-scope",
  "strum 0.24.1",
  "thiserror 1.0.48",
  "tokio",
- "ttrpc",
 ]
 
-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -711,7 +645,7 @@ dependencies = [
  "async-trait",
  "cgroups-rs 0.3.4",
  "containerd-shim-protos",
- "futures 0.3.28",
+ "futures",
  "go-flag",
  "lazy_static",
  "libc",
@@ -1044,7 +978,6 @@ dependencies = [
  "dbs-interrupt",
  "dbs-utils",
  "dbs-virtio-devices",
- "downcast-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "libc",
@@ -1057,7 +990,6 @@ dependencies = [
  "vfio-ioctls",
  "virtio-queue",
  "vm-memory",
- "vmm-sys-util 0.11.1",
 ]
 
 [[package]]
@@ -1074,7 +1006,6 @@ dependencies = [
 name = "dbs-upcall"
 version = "0.3.0"
 dependencies = [
- "anyhow",
  "dbs-utils",
  "dbs-virtio-devices",
  "log",
@@ -1269,12 +1200,6 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
 
-[[package]]
-name = "downcast-rs"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ea835d29036a4087793836fa931b08837ad5e957da9e23886b29586fb9b6650"
-
 [[package]]
 name = "dragonball"
 version = "0.1.0"
@@ -1295,7 +1220,6 @@ dependencies = [
  "dbs-utils",
  "dbs-virtio-devices",
  "derivative",
- "fuse-backend-rs",
  "kvm-bindings",
  "kvm-ioctls",
  "lazy_static",
@@ -1350,6 +1274,18 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66b7e2430c6dff6a955451e2cfc438f09cea1965a9d6f87f7e3b90decc014099"
 
+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.12"
@@ -1403,12 +1339,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "event-listener"
-version = "2.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
-
 [[package]]
 name = "event-listener"
 version = "5.4.1"
@@ -1426,7 +1356,7 @@ version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
  "pin-project-lite",
 ]
 
@@ -1554,12 +1484,6 @@ dependencies = [
  "vmm-sys-util 0.11.1",
 ]
 
-[[package]]
-name = "futures"
-version = "0.1.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678"
-
 [[package]]
 name = "futures"
 version = "0.3.28"
@@ -1719,18 +1643,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 
-[[package]]
-name = "gloo-timers"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
-dependencies = [
- "futures-channel",
- "futures-core",
- "js-sys",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "go-flag"
 version = "0.1.0"
@@ -1966,7 +1878,7 @@ dependencies = [
  "crossbeam-channel",
  "dbs-utils",
  "dragonball",
- "futures 0.3.28",
+ "futures",
  "go-flag",
  "hyper",
  "hyperlocal",
@@ -1977,10 +1889,8 @@ dependencies = [
  "libc",
  "logging",
  "nix 0.26.4",
- "oci-spec 0.8.3",
  "path-clean",
  "persist",
- "protobuf",
  "protocols",
  "qapi",
  "qapi-qmp",
@@ -1992,7 +1902,6 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test 2.0.0",
- "shim-interface",
  "slog",
  "slog-scope",
  "tempfile",
@@ -2269,8 +2178,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
- "chrono",
- "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2279,11 +2186,9 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec 0.8.3",
- "once_cell",
  "pci-ids",
  "rand 0.8.5",
  "runtime-spec",
- "safe-path 0.1.0",
  "serde",
  "serde_json",
  "slog",
@@ -2302,8 +2207,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
- "hex",
  "lazy_static",
+ "nix 0.26.4",
  "num_cpus",
  "oci-spec 0.8.3",
  "regex",
@@ -2314,18 +2219,10 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
+ "sysctl",
  "sysinfo",
  "thiserror 1.0.48",
- "toml 0.5.11",
-]
-
-[[package]]
-name = "kv-log-macro"
-version = "1.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
-dependencies = [
- "log",
+ "toml",
 ]
 
 [[package]]
@@ -2646,7 +2543,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b65d130ee111430e47eed7896ea43ca693c387f097dd97376bffafbf25812128"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "log",
  "netlink-packet-core",
  "netlink-sys",
@@ -2660,7 +2557,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416060d346fbaf1f23f9512963e3e878f1a78e707cb699ba9215761754244307"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "libc",
  "log",
  "tokio",
@@ -2817,7 +2714,7 @@ dependencies = [
  "log",
  "serde",
  "serde_json",
- "toml 0.5.11",
+ "toml",
 ]
 
 [[package]]
@@ -3044,7 +2941,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e785d273968748578931e4dc3b4f5ec86b26e09d9e0d66b55adda7fce742f7a"
 dependencies = [
  "async-trait",
- "futures 0.3.28",
+ "futures",
  "futures-executor",
  "headers",
  "http",
@@ -3212,11 +3109,9 @@ dependencies = [
  "async-trait",
  "kata-sys-util",
  "kata-types",
- "libc",
  "safe-path 0.1.0",
  "serde",
  "serde_json",
- "shim-interface",
 ]
 
 [[package]]
@@ -3626,7 +3521,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b047adab56acc4948d4b9b58693c1f33fd13efef2d6bb5f0f66a47436ceada8"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "log",
  "memchr",
  "qapi-qmp",
@@ -3908,11 +3803,10 @@ dependencies = [
  "agent",
  "anyhow",
  "async-trait",
- "bitflags 2.10.0",
  "byte-unit",
  "cgroups-rs 0.5.0",
  "flate2",
- "futures 0.3.28",
+ "futures",
  "hex",
  "hypervisor",
  "inotify",
@@ -3922,7 +3816,6 @@ dependencies = [
  "libc",
  "logging",
  "netlink-packet-route",
- "netlink-sys",
  "netns-rs",
  "nix 0.26.4",
  "oci-spec 0.8.3",
@@ -4007,7 +3900,6 @@ dependencies = [
  "common",
  "containerd-shim-protos",
  "go-flag",
- "logging",
  "nix 0.26.4",
  "runtimes",
  "shim",
@@ -4018,7 +3910,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4031,8 +3922,8 @@ dependencies = [
  "agent",
  "anyhow",
  "common",
+ "containerd-shim-protos",
  "hyper",
- "hyperlocal",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
@@ -4351,7 +4242,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
 dependencies = [
  "dashmap",
- "futures 0.3.28",
+ "futures",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4365,7 +4256,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e56dd856803e253c8f298af3f4d7eb0ae5e23a737252cd90bb4f3b435033b2d"
 dependencies = [
  "dashmap",
- "futures 0.3.28",
+ "futures",
  "lazy_static",
  "log",
  "parking_lot",
@@ -4405,12 +4296,10 @@ dependencies = [
  "containerd-shim-protos",
  "kata-types",
  "logging",
- "persist",
  "runtimes",
  "slog",
  "slog-scope",
  "tokio",
- "tracing",
  "ttrpc",
 ]
 
@@ -4474,9 +4363,7 @@ dependencies = [
  "nix 0.26.4",
  "oci-spec 0.8.3",
  "protobuf",
- "rand 0.8.5",
  "runtime-spec",
- "runtimes",
  "serial_test 0.10.0",
  "service",
  "sha2 0.10.9",
@@ -4485,11 +4372,8 @@ dependencies = [
  "slog-scope",
  "slog-stdlog",
  "tempfile",
- "tests_utils",
  "thiserror 1.0.48",
  "tokio",
- "tracing",
- "tracing-opentelemetry",
  "unix_socket2",
 ]
 
@@ -4499,7 +4383,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "common",
- "logging",
  "runtimes",
  "tokio",
 ]
@@ -4793,6 +4676,20 @@ dependencies = [
  "syn 2.0.104",
 ]
 
+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.10.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
@@ -5083,21 +4980,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "52a15c15b1bc91f90902347eff163b5b682643aff0c8e972912cca79bd9208dd"
 dependencies = [
  "bytes",
- "futures 0.3.28",
+ "futures",
  "libc",
  "tokio",
  "vsock",
 ]
 
-[[package]]
-name = "toml"
-version = "0.4.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "toml"
 version = "0.5.11"
@@ -5240,7 +5128,7 @@ dependencies = [
  "async-trait",
  "byteorder",
  "crossbeam",
- "futures 0.3.28",
+ "futures",
  "home",
  "libc",
  "log",
@@ -5442,16 +5330,13 @@ version = "0.1.0"
 dependencies = [
  "agent",
  "anyhow",
- "async-std",
  "async-trait",
  "awaitgroup",
  "common",
  "containerd-shim-protos",
- "futures 0.3.28",
  "hypervisor",
  "kata-sys-util",
  "kata-types",
- "lazy_static",
  "libc",
  "logging",
  "nix 0.26.4",
@@ -5467,7 +5352,6 @@ dependencies = [
  "slog-scope",
  "strum 0.24.1",
  "tokio",
- "toml 0.4.10",
  "tracing",
  "url",
  "uuid 1.18.1",
@@ -6100,7 +5984,7 @@ dependencies = [
  "async-trait",
  "blocking",
  "enumflags2",
- "event-listener 5.4.1",
+ "event-listener",
  "futures-core",
  "futures-lite",
  "hex",

docs/Limitations.md

@@ -187,9 +187,10 @@ different compared to `runc` containers:
 into the guest and exposes it directly to the container.
 
 **Mounting guest devices**: When the source path of a hostPath volume is
-under `/dev`, and the path either corresponds to a host device or is not
-accessible by the Kata shim, the Kata agent bind mounts the source path
-directly from the *guest* filesystem into the container.
+under `/dev` (or `/dev` itself), and the path corresponds to a
+non-regular file (i.e., a device, directory, or any other special file)
+or is not accessible by the Kata shim, the Kata agent bind mounts the
+source path directly from the *guest* filesystem into the container.
 
 [runtime-config]: /src/runtime/README.md#configuration
 [k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
@@ -226,6 +227,35 @@ Importantly, the default behavior to pass the host devices to a
 privileged container is not supported in Kata Containers and needs to be
 disabled, see [Privileged Kata Containers](how-to/privileged.md).
 
+## Guest pulled container images
+
+When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec.
+If the ID values are omitted:
+
+- Your workload might be executed with unexpected user/group ID values, because image layers
+  may be unavailable to containerd, so image config (including user/group) is not applied.
+- If using policy or genpolicy, the generated policy may detect these unexpected values and
+  reject the creation of workload containers.
+
+Set `securityContext` explicitly. Use **pod-level** `spec.securityContext` (for Pods) or
+`spec.template.spec.securityContext` (for controllers like Deployments) and/or **container-level**
+`spec.containers[].securityContext`. Include at least:
+- `runAsUser` — primary user ID
+- `runAsGroup` — primary group ID
+- `fsGroup` — volume group ownership (often reflected as a supplemental group)
+- `supplementalGroups` — list of additional group IDs (if needed)
+
+Example:
+
+ ```yaml
+ # Explicit user/group/supplementary groups to support nydus guest-pull
+ securityContext:
+   runAsUser: 0
+   runAsGroup: 0
+   fsGroup: 0
+   supplementalGroups: [1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
+ ```
+
 # Appendices
 
 ## The constraints challenge

docs/how-to/how-to-use-the-kata-agent-policy.md

@@ -99,6 +99,9 @@ The [`genpolicy`](../../src/tools/genpolicy/) application can be used to generat
 
 **Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.
 
+**Important — User / Group / Supplemental groups for Policy and genpolicy**
+When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec, as described in [Limitations](../Limitations.md#guest-pulled-container-images).
+
 See the [`genpolicy` documentation](../../src/tools/genpolicy/README.md) and the [Policy contents examples](#policy-contents) for additional information.
 
 ## Policy contents

src/agent/Cargo.lock

@@ -743,12 +743,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
 
-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -1098,6 +1092,18 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -2102,8 +2108,6 @@ version = "0.1.0"
 dependencies = [
  "anyhow",
  "byteorder",
- "chrono",
- "common-path",
  "fail",
  "hex",
  "kata-types",
@@ -2112,11 +2116,9 @@ dependencies = [
  "mockall",
  "nix 0.26.4",
  "oci-spec",
- "once_cell",
  "pci-ids",
  "rand",
  "runtime-spec",
- "safe-path",
  "serde",
  "serde_json",
  "slog",
@@ -2135,8 +2137,8 @@ dependencies = [
  "byte-unit",
  "flate2",
  "glob",
- "hex",
  "lazy_static",
+ "nix 0.26.4",
  "num_cpus",
  "oci-spec",
  "regex",
@@ -2147,6 +2149,7 @@ dependencies = [
  "sha2 0.10.9",
  "slog",
  "slog-scope",
+ "sysctl",
  "sysinfo",
  "thiserror 1.0.69",
  "toml",
@@ -2306,7 +2309,6 @@ name = "mem-agent"
 version = "0.2.0"
 dependencies = [
  "anyhow",
- "async-trait",
  "chrono",
  "maplit",
  "nix 0.30.1",
@@ -3575,7 +3577,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
  "serde",
  "serde_derive",
  "serde_json",
@@ -4215,6 +4216,20 @@ dependencies = [
  "syn 2.0.101",
 ]
 
+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.9.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"

src/dragonball/Cargo.toml

@@ -48,7 +48,6 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
-fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }
 
@@ -86,3 +85,6 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
   'cfg(feature, values("test-mock"))',
 ] }
+
+[package.metadata.cargo-machete]
+ignored = ["vfio-bindings"]

src/dragonball/dbs_pci/Cargo.toml

@@ -23,24 +23,22 @@ dbs-interrupt = { workspace = true, features = [
     "kvm-legacy-irq",
     "kvm-msi-irq",
 ] }
-downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"
 
-vm-memory = {workspace = true}
-kvm-ioctls = {workspace = true}
-kvm-bindings = {workspace = true}
-vfio-ioctls = {workspace = true}
-vfio-bindings = {workspace = true}
+vm-memory = { workspace = true }
+kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true }
+vfio-ioctls = { workspace = true }
+vfio-bindings = { workspace = true }
 libc = "0.2.39"
-vmm-sys-util = {workspace = true}
-virtio-queue = {workspace = true}
-dbs-utils = {workspace = true}
+virtio-queue = { workspace = true }
+dbs-utils = { workspace = true }
 
 
 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = {workspace = true}
+kvm-ioctls = { workspace = true }
 test-utils = { workspace = true }
 nix = { workspace = true }
 

src/dragonball/dbs_upcall/Cargo.toml

@@ -11,7 +11,6 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"
 
 [dependencies]
-anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"

src/dragonball/dbs_virtio_devices/Cargo.toml

@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true}
-kvm-ioctls = {workspace = true}
+kvm-bindings = { workspace = true }
+kvm-ioctls = { workspace = true }
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,19 +37,16 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = {workspace = true}
-virtio-queue = {workspace = true}
-vmm-sys-util = {workspace = true}
+virtio-bindings = { workspace = true }
+virtio-queue = { workspace = true }
+vmm-sys-util = { workspace = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"
 
 [dev-dependencies]
-vm-memory = { workspace = true, features = [
-    "backend-mmap",
-    "backend-atomic",
-] }
+vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
 test-utils = { workspace = true }
 
 [features]

src/dragonball/dbs_virtio_devices/src/lib.rs

@@ -439,19 +439,19 @@ pub mod tests {
             VirtqDesc { desc }
         }
 
-        pub fn addr(&self) -> VolatileRef<u64> {
+        pub fn addr(&self) -> VolatileRef<'_, u64> {
             self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
         }
 
-        pub fn len(&self) -> VolatileRef<u32> {
+        pub fn len(&self) -> VolatileRef<'_, u32> {
             self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
         }
 
-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
         }
 
-        pub fn next(&self) -> VolatileRef<u16> {
+        pub fn next(&self) -> VolatileRef<'_, u16> {
             self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
         }
 
@@ -513,11 +513,11 @@ pub mod tests {
             self.start.unchecked_add(self.ring.len() as GuestUsize)
         }
 
-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(0).unwrap()
         }
 
-        pub fn idx(&self) -> VolatileRef<u16> {
+        pub fn idx(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(2).unwrap()
         }
 
@@ -525,12 +525,12 @@ pub mod tests {
             4 + mem::size_of::<T>() * (i as usize)
         }
 
-        pub fn ring(&self, i: u16) -> VolatileRef<T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
             assert!(i < self.qsize);
             self.ring.get_ref(Self::ring_offset(i)).unwrap()
         }
 
-        pub fn event(&self) -> VolatileRef<u16> {
+        pub fn event(&self) -> VolatileRef<'_, u16> {
             self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
         }
 
@@ -602,7 +602,7 @@ pub mod tests {
             (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
         }
 
-        pub fn dtable(&self, i: u16) -> VirtqDesc {
+        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
             VirtqDesc::new(&self.dtable, i)
         }
 

src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs

@@ -865,11 +865,11 @@ mod tests {
             0
         );
         let config: [u8; 8] = [0; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
             &mut dev, 0, &config,
         );
         let mut data: [u8; 8] = [1; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
             &mut dev, 0, &mut data,
         );
         assert_eq!(config, data);

src/dragonball/dbs_virtio_devices/src/vsock/mod.rs

@@ -339,7 +339,7 @@ mod tests {
             }
         }
 
-        pub fn create_event_handler_context(&self) -> EventHandlerContext {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
             const QSIZE: u16 = 256;
 
             let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);

src/libs/kata-sys-util/Cargo.toml

@@ -13,13 +13,10 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
-chrono = "0.4.0"
-common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
-once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -34,10 +31,7 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
-safe-path = { path = "../safe-path" }
 
 [dev-dependencies]
-num_cpus = "1.13.1"
-serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/Cargo.toml

@@ -29,12 +29,14 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-hex = "0.4"
-
+nix = "0.26.4"
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 
 safe-path = { path = "../safe-path", optional = true }
 
+[target.'cfg(target_os = "macos")'.dependencies]
+sysctl = "0.7.1"
+
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }

src/libs/kata-types/src/config/hypervisor/ch.rs

@@ -13,6 +13,7 @@ use super::{default, register_hypervisor_plugin};
 use crate::config::default::MAX_CH_VCPUS;
 use crate::config::default::MIN_CH_MEMORY_SIZE_MB;
 
+use crate::config::hypervisor::VIRTIO_BLK_MMIO;
 use crate::config::{ConfigPlugin, TomlConfig};
 use crate::{resolve_path, validate_path};
 
@@ -104,6 +105,16 @@ impl ConfigPlugin for CloudHypervisorConfig {
                 ));
             }
 
+            // CoCo guest hardening: virtio-mmio is not hardened for confidential computing.
+            if ch.security_info.confidential_guest
+                && ch.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
+            {
+                return Err(std::io::Error::other(
+                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
+                     virtio-mmio is not hardened for CoCo",
+                ));
+            }
+
             if ch.boot_info.kernel.is_empty() {
                 return Err(std::io::Error::other("Guest kernel image for CH is empty"));
             }

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -26,7 +26,6 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
-use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -34,7 +33,6 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
-use sysinfo::{MemoryRefreshKind, RefreshKind, System};
 
 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1007,6 +1005,57 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
     60
 }
 
+/// Get host memory size in MiB.
+/// Retrieves the total physical memory of the host across different platforms.
+fn host_memory_mib() -> io::Result<u64> {
+    // Select a platform-specific implementation via a function pointer.
+    let get_memory: fn() -> io::Result<u64> = {
+        #[cfg(target_os = "linux")]
+        {
+            || {
+                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
+                Ok(info.ram_total() / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            || {
+                use sysctl::{Ctl, CtlValue, Sysctl};
+
+                let v = Ctl::new("hw.memsize")
+                    .map_err(io::Error::other)?
+                    .value()
+                    .map_err(io::Error::other)?;
+
+                let bytes = match v {
+                    CtlValue::S64(x) if x >= 0 => x as u64,
+                    other => {
+                        return Err(io::Error::new(
+                            io::ErrorKind::InvalidData,
+                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
+                        ));
+                    }
+                };
+
+                Ok(bytes / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
+        {
+            || {
+                Err(io::Error::new(
+                    io::ErrorKind::Unsupported,
+                    "host memory query not implemented on this platform",
+                ))
+            }
+        }
+    };
+
+    get_memory()
+}
+
 impl MemoryInfo {
     /// Adjusts the configuration information after loading from a configuration file.
     ///
@@ -1018,13 +1067,15 @@ impl MemoryInfo {
             self.file_mem_backend,
             "Memory backend file {} is invalid: {}"
         )?;
-        if self.default_maxmemory == 0 {
-            let s = System::new_with_specifics(
-                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
-            );
-            self.default_maxmemory = Byte::from_u64(s.total_memory())
-                .get_adjusted_unit(Unit::MiB)
-                .get_value() as u32;
+
+        let host_memory = host_memory_mib()?;
+
+        if u64::from(self.default_memory) > host_memory {
+            self.default_memory = host_memory as u32;
+        }
+
+        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
+            self.default_maxmemory = host_memory as u32;
         }
         Ok(())
     }
@@ -1167,6 +1218,29 @@ pub struct SecurityInfo {
     #[serde(default)]
     pub sev_snp_guest: bool,
 
+    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
+    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
+    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
+    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
+    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
+    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
+    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_block: String,
+
+    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
+    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_auth: String,
+
+    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
+    /// If unset, the QEMU default policy (0x30000) will be used.
+    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
+    /// won't start at all if the policy denys it. This will be indicated by a
+    /// 'SNP_LAUNCH_START' error.
+    #[serde(default = "default_snp_guest_policy")]
+    pub snp_guest_policy: u32,
+
     /// Path to OCI hook binaries in the *guest rootfs*.
     ///
     /// This setting does not affect host-side hooks, which must instead be
@@ -1228,6 +1302,10 @@ fn default_qgs_port() -> u32 {
     4050
 }
 
+fn default_snp_guest_policy() -> u32 {
+    0x30000
+}
+
 impl SecurityInfo {
     /// Adjusts the security configuration information after loading from a configuration file.
     ///

src/libs/kata-types/src/config/hypervisor/qemu.rs

@@ -124,6 +124,17 @@ impl ConfigPlugin for QemuConfig {
                 ));
             }
 
+            // CoCo guest hardening: virtio-mmio transport is not hardened for confidential
+            // computing; only virtio-pci is. Ensure we never use virtio-blk-mmio for rootfs.
+            if qemu.security_info.confidential_guest
+                && qemu.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
+            {
+                return Err(std::io::Error::other(
+                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
+                     virtio-mmio is not hardened for CoCo",
+                ));
+            }
+
             if qemu.boot_info.kernel.is_empty() {
                 return Err(std::io::Error::other(
                     "Guest kernel image for qemu is empty",

src/libs/mem-agent/Cargo.toml

@@ -10,7 +10,6 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
-async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }
 

src/libs/runtime-spec/Cargo.toml

@@ -9,4 +9,3 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
-libc = "0.2.112"

src/runtime-rs/Cargo.toml

@@ -28,5 +28,4 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/agent/Cargo.toml

@@ -5,13 +5,9 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }
 
-[dev-dependencies]
-futures = "0.1.27"
-
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -31,3 +27,6 @@ protocols = { workspace = true, features = ["async"] }
 
 [features]
 default = []
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/hypervisor/Cargo.toml

@@ -28,8 +28,6 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
-protobuf = { workspace = true }
-oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -44,7 +42,6 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
-shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }

src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs

@@ -110,6 +110,16 @@ pub struct DeviceConfig {
     pub pci_segment: u16,
 }
 
+#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
+pub enum ImageType {
+    FixedVhd,
+    Qcow2,
+    Raw,
+    Vhdx,
+    #[default]
+    Unknown,
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
     pub path: Option<PathBuf>,
@@ -135,6 +145,8 @@ pub struct DiskConfig {
     pub disable_io_uring: bool,
     #[serde(default)]
     pub pci_segment: u16,
+    #[serde(default)]
+    pub image_type: ImageType,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]

src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs

@@ -27,6 +27,7 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
+use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -550,6 +551,7 @@ impl TryFrom<BlockConfig> for DiskConfig {
             readonly: blkcfg.is_readonly,
             num_queues: blkcfg.num_queues,
             queue_size: blkcfg.queue_size as u16,
+            image_type: ImageType::Raw,
             ..Default::default()
         };
 

src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs

@@ -256,29 +256,8 @@ struct Memory {
 
 impl Memory {
     fn new(config: &HypervisorConfig) -> Memory {
-        // Move this to QemuConfig::adjust_config()?
-
-        let mut mem_size = config.memory_info.default_memory as u64;
-        let mut max_mem_size = config.memory_info.default_maxmemory as u64;
-
-        if let Ok(sysinfo) = nix::sys::sysinfo::sysinfo() {
-            let host_memory = sysinfo.ram_total() >> 20;
-
-            if mem_size > host_memory {
-                info!(sl!(), "'default_memory' given in configuration.toml is greater than host memory, adjusting to host memory");
-                mem_size = host_memory
-            }
-
-            if max_mem_size == 0 || max_mem_size > host_memory {
-                max_mem_size = host_memory
-            }
-        } else {
-            warn!(sl!(), "Failed to get host memory size, cannot verify or adjust configuration.toml's 'default_maxmemory'");
-
-            if max_mem_size == 0 {
-                max_mem_size = mem_size;
-            };
-        }
+        let mem_size = config.memory_info.default_memory as u64;
+        let max_mem_size = config.memory_info.default_maxmemory as u64;
 
         // Memory sizes are given in megabytes in configuration.toml so we
         // need to convert them to bytes for storage.
@@ -300,6 +279,18 @@ impl Memory {
         self.memory_backend_file = Some(mem_file.clone());
         self
     }
+
+    #[allow(dead_code)]
+    fn set_maxmem_size(&mut self, max_size: u64) -> &mut Self {
+        self.max_size = max_size;
+        self
+    }
+
+    #[allow(dead_code)]
+    fn set_num_slots(&mut self, num_slots: u32) -> &mut Self {
+        self.num_slots = num_slots;
+        self
+    }
 }
 
 #[async_trait]
@@ -1888,6 +1879,7 @@ struct ObjectSevSnpGuest {
     reduced_phys_bits: u32,
     kernel_hashes: bool,
     host_data: Option<String>,
+    policy: u32,
     is_snp: bool,
 }
 
@@ -1899,9 +1891,15 @@ impl ObjectSevSnpGuest {
             reduced_phys_bits,
             kernel_hashes: true,
             host_data,
+            policy: 0x30000,
             is_snp,
         }
     }
+
+    fn set_policy(&mut self, policy: u32) -> &mut Self {
+        self.policy = policy;
+        self
+    }
 }
 
 #[async_trait]
@@ -1924,6 +1922,7 @@ impl ToQemuParams for ObjectSevSnpGuest {
                 "kernel-hashes={}",
                 if self.kernel_hashes { "on" } else { "off" }
             ));
+            params.push(format!("policy=0x{:x}", self.policy));
             if let Some(host_data) = &self.host_data {
                 params.push(format!("host-data={host_data}"))
             }
@@ -2579,13 +2578,19 @@ impl<'a> QemuCmdLine<'a> {
         firmware: &str,
         host_data: &Option<String>,
     ) {
-        let sev_snp_object =
+        // For SEV-SNP, memory overcommit is not supported. we only set the memory size.
+        self.memory.set_maxmem_size(0).set_num_slots(0);
+
+        let mut sev_snp_object =
             ObjectSevSnpGuest::new(true, cbitpos, phys_addr_reduction, host_data.clone());
+        sev_snp_object.set_policy(self.config.security_info.snp_guest_policy);
+
         self.devices.push(Box::new(sev_snp_object));
 
         self.devices.push(Box::new(Bios::new(firmware.to_owned())));
 
         self.machine
+            .set_kernel_irqchip("split")
             .set_confidential_guest_support("snp")
             .set_nvdimm(false);
 

src/runtime-rs/crates/persist/Cargo.toml

@@ -8,12 +8,10 @@ license = { workspace = true }
 [dependencies]
 async-trait = { workspace = true }
 anyhow = { workspace = true }
-libc = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 
 # Local dependencies
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
-shim-interface = { workspace = true }
 safe-path = { workspace = true }

src/runtime-rs/crates/resource/Cargo.toml

@@ -15,7 +15,6 @@ test-utils = { workspace = true }
 actix-rt = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-bitflags = "2.9.0"
 byte-unit = "5.1.6"
 cgroups-rs = { version = "0.5.0", features = ["oci"] }
 futures = "0.3.11"
@@ -41,7 +40,6 @@ hex = "0.4"
 
 ## Dependencies from `rust-netlink`
 netlink-packet-route = "0.26"
-netlink-sys = "0.8"
 rtnetlink = "0.19"
 
 # Local dependencies
@@ -54,3 +52,7 @@ persist = { workspace = true }
 tests_utils = { workspace = true }
 
 [features]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/runtimes/Cargo.toml

@@ -11,6 +11,7 @@ lazy_static = { workspace = true }
 netns-rs = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
+containerd-shim-protos = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }
@@ -26,7 +27,6 @@ opentelemetry-jaeger = { version = "0.17.0", features = [
 ] }
 tracing-subscriber = { version = "0.3", features = ["registry", "std"] }
 hyper = { workspace = true, features = ["stream", "server", "http1"] }
-hyperlocal = { workspace = true }
 serde_json = { workspace = true }
 nix = "0.25.0"
 url = { workspace = true }

src/runtime-rs/crates/runtimes/common/Cargo.toml

@@ -11,20 +11,14 @@ license = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["sandbox"] }
-lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
-serde_json = { workspace = true }
-slog = { workspace = true }
-slog-scope = { workspace = true }
 strum = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
-ttrpc = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
-persist = { workspace = true }
 agent = { workspace = true }
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }

src/runtime-rs/crates/runtimes/common/src/message.rs

@@ -6,7 +6,7 @@
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
-use containerd_shim_protos::events::task::{TaskExit, TaskOOM};
+use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskExit, TaskOOM, TaskStart};
 use containerd_shim_protos::protobuf::Message as ProtobufMessage;
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 
@@ -49,9 +49,15 @@ impl Message {
 
 const TASK_OOM_EVENT_TOPIC: &str = "/tasks/oom";
 const TASK_EXIT_EVENT_TOPIC: &str = "/tasks/exit";
+const TASK_START_EVENT_TOPIC: &str = "/tasks/start";
+const TASK_CREATE_EVENT_TOPIC: &str = "/tasks/create";
+const TASK_DELETE_EVENT_TOPIC: &str = "/tasks/delete";
 
 const TASK_OOM_EVENT_URL: &str = "containerd.events.TaskOOM";
 const TASK_EXIT_EVENT_URL: &str = "containerd.events.TaskExit";
+const TASK_START_EVENT_URL: &str = "containerd.events.TaskStart";
+const TASK_CREATE_EVENT_URL: &str = "containerd.events.TaskCreate";
+const TASK_DELETE_EVENT_URL: &str = "containerd.events.TaskDelete";
 
 pub trait Event: std::fmt::Debug + Send {
     fn r#type(&self) -> String;
@@ -86,3 +92,45 @@ impl Event for TaskExit {
         self.write_to_bytes().context("get exit value")
     }
 }
+
+impl Event for TaskStart {
+    fn r#type(&self) -> String {
+        TASK_START_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_START_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get start value")
+    }
+}
+
+impl Event for TaskCreate {
+    fn r#type(&self) -> String {
+        TASK_CREATE_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_CREATE_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get create value")
+    }
+}
+
+impl Event for TaskDelete {
+    fn r#type(&self) -> String {
+        TASK_DELETE_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_DELETE_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get delete value")
+    }
+}

src/runtime-rs/crates/runtimes/src/manager.rs

@@ -6,14 +6,16 @@
 
 use anyhow::{anyhow, Context, Result};
 use common::{
-    message::Message,
+    message::{Action, Message},
     types::{
-        ContainerProcess, PlatformInfo, SandboxConfig, SandboxRequest, SandboxResponse,
-        SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse, DEFAULT_SHM_SIZE,
+        ContainerProcess, PlatformInfo, ProcessType, SandboxConfig, SandboxRequest,
+        SandboxResponse, SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse,
+        DEFAULT_SHM_SIZE,
     },
     RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };
 
+use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskStart};
 use hypervisor::{
     utils::{create_dir_all_with_inherit_owner, create_vmm_user, remove_vmm_user},
     Param,
@@ -33,13 +35,13 @@ use netns_rs::{Env, NetNs};
 use nix::{sys::statfs, unistd::User};
 use oci_spec::runtime as oci;
 use persist::sandbox_persist::Persist;
+use protobuf::Message as ProtobufMessage;
 use resource::{
     cpu_mem::initial_size::InitialSizeManager,
     network::{dan_config_path, generate_netns_name},
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
-use protobuf::Message as ProtobufMessage;
 use std::{
     collections::HashMap,
     env,
@@ -480,6 +482,7 @@ impl RuntimeHandlerManager {
                 .await
                 .context("start sandbox in task handler")?;
 
+            let bundle = container_config.bundle.clone();
             let container_id = container_config.container_id.clone();
             let shim_pid = instance
                 .container_manager
@@ -501,6 +504,19 @@ impl RuntimeHandlerManager {
                 }
             });
 
+            let msg_sender = self.inner.read().await.msg_sender.clone();
+            let event = TaskCreate {
+                container_id,
+                bundle,
+                pid,
+                ..Default::default()
+            };
+            let msg = Message::new(Action::Event(Arc::new(event)));
+            msg_sender
+                .send(msg)
+                .await
+                .context("send task create event")?;
+
             Ok(TaskResponse::CreateContainer(shim_pid))
         } else {
             self.handler_task_request(req)
@@ -570,6 +586,7 @@ impl RuntimeHandlerManager {
             .context("get runtime instance")?;
         let sandbox = instance.sandbox.clone();
         let cm = instance.container_manager.clone();
+        let msg_sender = self.inner.read().await.msg_sender.clone();
 
         match req {
             TaskRequest::CreateContainer(req) => Err(anyhow!("Unreachable TaskRequest {:?}", req)),
@@ -579,6 +596,20 @@ impl RuntimeHandlerManager {
             }
             TaskRequest::DeleteProcess(process_id) => {
                 let resp = cm.delete_process(&process_id).await.context("do delete")?;
+                if process_id.process_type == ProcessType::Container {
+                    let event = TaskDelete {
+                        id: process_id.container_id().to_string(),
+                        pid: resp.pid.pid,
+                        exit_status: resp.exit_status as u32,
+                        ..Default::default()
+                    };
+                    let msg = Message::new(Action::Event(Arc::new(event)));
+                    msg_sender
+                        .send(msg)
+                        .await
+                        .context("send task delete event")?;
+                }
+
                 Ok(TaskResponse::DeleteProcess(resp))
             }
             TaskRequest::ExecProcess(req) => {
@@ -614,12 +645,28 @@ impl RuntimeHandlerManager {
                     .context("start process")?;
 
                 let pid = shim_pid.pid;
+                let process_type = process_id.process_type;
+                let container_id = process_id.container_id().to_string();
                 tokio::spawn(async move {
                     let result = sandbox.wait_process(cm, process_id, pid).await;
                     if let Err(e) = result {
                         error!(sl!(), "sandbox wait process error: {:?}", e);
                     }
                 });
+
+                if process_type == ProcessType::Container {
+                    let event = TaskStart {
+                        container_id,
+                        pid,
+                        ..Default::default()
+                    };
+                    let msg = Message::new(Action::Event(Arc::new(event)));
+                    msg_sender
+                        .send(msg)
+                        .await
+                        .context("send task start event")?;
+                }
+
                 Ok(TaskResponse::StartProcess(shim_pid))
             }
 

src/runtime-rs/crates/runtimes/virt_container/Cargo.toml

@@ -10,8 +10,6 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 awaitgroup = "0.6.0"
 containerd-shim-protos = { workspace = true }
-futures = "0.3.19"
-lazy_static = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
@@ -21,9 +19,7 @@ serde_json = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true }
-toml = "0.4.2"
 url = { workspace = true }
-async-std = "1.12.0"
 tracing = { workspace = true }
 oci-spec = { workspace = true }
 strum = { workspace = true }
@@ -48,3 +44,7 @@ cloud-hypervisor = ["hypervisor/cloud-hypervisor"]
 
 # Enable the build-in VMM Dragtonball
 dragonball = ["hypervisor/dragonball"]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/service/Cargo.toml

@@ -11,7 +11,6 @@ async-trait = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
-tracing = { workspace = true }
 ttrpc = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["async", "sandbox"] }
 containerd-shim = { workspace = true }
@@ -21,4 +20,7 @@ common = { workspace = true }
 logging = { workspace = true }
 kata-types = { workspace = true }
 runtimes = { workspace = true }
-persist = { workspace = true }
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]

src/runtime-rs/crates/shim-ctl/Cargo.toml

@@ -9,9 +9,8 @@ license = { workspace = true }
 
 [dependencies]
 anyhow = { workspace = true }
-tokio = { workspace = true, features = [ "rt", "rt-multi-thread" ] }
+tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 
 # Local dependencies
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }

src/runtime-rs/crates/shim/Cargo.toml

@@ -36,8 +36,6 @@ slog-stdlog = "4.1.0"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 unix_socket2 = "0.5.4"
-tracing = { workspace = true }
-tracing-opentelemetry = { workspace = true }
 oci-spec = { workspace = true }
 
 # Local dependencies
@@ -46,12 +44,7 @@ kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
 service = { workspace = true }
-runtimes = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }
-rand = { workspace = true }
 serial_test = "0.10.0"
-
-# Local dev-dependencies
-tests_utils = { workspace = true }

src/runtime/Makefile

@@ -147,10 +147,14 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=
 
+FIRMWAREPATH_NV = $(FIRMWAREPATH)
+
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
+FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
 FIRMWARETDVFVOLUMEPATH :=
 
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
+FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)
 
 KERNELVERITYPARAMS ?= ""
 KERNELVERITYPARAMS_NV ?= ""
@@ -272,6 +276,7 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
+DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -300,9 +305,11 @@ DEFDANCONF := /run/kata-containers/dans
 
 DEFFORCEGUESTPULL := false
 
+DEFKUBELETROOTDIR := /var/lib/kubelet
+
 # Device cold plug
 DEFPODRESOURCEAPISOCK := ""
-DEFPODRESOURCEAPISOCK_NV := "/var/lib/kubelet/pod-resources/kubelet.sock"
+DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock"
 
 SED = sed
 
@@ -467,8 +474,8 @@ ifneq (,$(QEMUCMD))
     KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
 
     # NVIDIA GPU specific options (all should be suffixed by _NV)
-    # Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
-    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE))
+    KERNELTYPE_NV = compressed
+    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
     KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
     KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
     KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
@@ -484,6 +491,9 @@ ifneq (,$(QEMUCMD))
     # using an image and /dev is already mounted.
     KERNELPARAMS_NV = "cgroup_no_v1=all"
     KERNELPARAMS_NV += "devtmpfs.mount=0"
+    KERNELPARAMS_NV += "pci=realloc"
+    KERNELPARAMS_NV += "pci=nocrs"
+    KERNELPARAMS_NV += "pci=assign-busses"
 
     # Setting this to false can lead to cgroup leakages in the host
     # Best practice for production is to set this to true
@@ -680,10 +690,13 @@ USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELPATH_STRATOVIRT
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
+USER_VARS += FIRMWAREPATH_NV
 USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
+USER_VARS += FIRMWARETDVFPATH_NV
+USER_VARS += FIRMWARESNPPATH_NV
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
@@ -764,6 +777,7 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
+USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH
@@ -783,6 +797,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_NV
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
+USER_VARS += DEFKUBELETROOTDIR
 USER_VARS += DEFFORCEGUESTPULL
 USER_VARS += DEFVFIOMODE
 USER_VARS += DEFVFIOMODE_SE

src/runtime/arch/s390x-options.mk

@@ -18,3 +18,6 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
+
+# Enable virtio-mem for s390x
+DEFENABLEVIRTIOMEM = true

src/runtime/cmd/kata-monitor/main.go

@@ -196,7 +196,7 @@ func indexPageText(w http.ResponseWriter, r *http.Request) {
 	formatter := fmt.Sprintf("%%-%ds: %%s\n", spacing)
 
 	for _, endpoint := range endpoints {
-		w.Write([]byte(fmt.Sprintf(formatter, endpoint.path, endpoint.desc)))
+		fmt.Fprintf(w, formatter, endpoint.path, endpoint.desc)
 	}
 }
 

src/runtime/cmd/kata-runtime/kata-check_amd64.go

@@ -63,7 +63,7 @@ func setCPUtype(hypervisorType vc.HypervisorType) error {
 	cpuType = getCPUtype()
 
 	if cpuType == cpuTypeUnknown {
-		return fmt.Errorf("Unknow CPU Type")
+		return fmt.Errorf("Unknown CPU Type")
 	} else if cpuType == cpuTypeIntel {
 		var kvmIntelParams map[string]string
 		onVMM, err := vc.RunningOnVMM(procCPUInfo)

src/runtime/cmd/kata-runtime/kata-check_amd64_test.go

@@ -55,18 +55,17 @@ func TestCCCheckCLIFunction(t *testing.T) {
 	var moduleData []testModuleData
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	moduleData = []testModuleData{}
+
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{archGenuineIntel, "lm vmx sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{archAuthenticAMD, "lm svm sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
 	}
 
 	genericCheckCLIFunction(t, cpuData, moduleData)
@@ -276,7 +275,8 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 	var moduleData []testModuleData
 	cpuType = getCPUtype()
 
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"Intel", "", true},
@@ -292,7 +292,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/nested"), "Y", false},
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/unrestricted_guest"), "Y", false},
 		}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"AMD", "", true},
@@ -340,7 +340,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 		// Write the following into the denylist file
 		// blacklist <mod>
 		// install <mod> /bin/false
-		_, err = denylistFile.WriteString(fmt.Sprintf("blacklist %s\ninstall %s /bin/false\n", mod, mod))
+		_, err = fmt.Fprintf(denylistFile, "blacklist %s\ninstall %s /bin/false\n", mod, mod)
 		assert.Nil(err)
 	}
 	denylistFile.Close()
@@ -505,9 +505,10 @@ func TestSetCPUtype(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-check_test.go

@@ -17,7 +17,6 @@ import (
 	"testing"
 
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
-	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/sirupsen/logrus"
@@ -509,7 +508,7 @@ func TestCheckCheckCPUAttribs(t *testing.T) {
 }
 
 func TestCheckHaveKernelModule(t *testing.T) {
-	if tc.NotValid(ktu.NeedRoot()) {
+	if tc.NotValid(katatestutils.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}
 
@@ -638,8 +637,8 @@ func TestCheckCheckKernelModules(t *testing.T) {
 func TestCheckCheckKernelModulesUnreadableFile(t *testing.T) {
 	assert := assert.New(t)
 
-	if tc.NotValid(ktu.NeedNonRoot()) {
-		t.Skip(ktu.TestDisabledNeedNonRoot)
+	if tc.NotValid(katatestutils.NeedNonRoot()) {
+		t.Skip(katatestutils.TestDisabledNeedNonRoot)
 	}
 
 	dir := t.TempDir()

src/runtime/cmd/kata-runtime/kata-env_amd64_test.go

@@ -56,9 +56,10 @@ func TestEnvGetEnvInfoSetsCPUType(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)
 
 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}
 

src/runtime/cmd/kata-runtime/kata-env_test.go

@@ -14,7 +14,6 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
-	goruntime "runtime"
 	"strings"
 	"testing"
 
@@ -184,7 +183,7 @@ func genericGetExpectedHostDetails(tmpdir string, expectedVendor string, expecte
 	}
 
 	const expectedKernelVersion = "99.1"
-	const expectedArch = goruntime.GOARCH
+	const expectedArch = runtime.GOARCH
 
 	expectedDistro := DistroInfo{
 		Name:    "Foo",
@@ -254,7 +253,7 @@ VERSION_ID="%s"
 		}
 	}
 
-	if goruntime.GOARCH == "arm64" {
+	if runtime.GOARCH == "arm64" {
 		expectedHostDetails.CPU.Vendor = "ARM Limited"
 		expectedHostDetails.CPU.Model = "v8"
 	}

src/runtime/cmd/kata-runtime/kata-iptables.go

@@ -55,9 +55,9 @@ var getIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}
 		body, err := shimclient.DoGet(sandboxID, defaultTimeout, url)
 		if err != nil {
@@ -108,9 +108,9 @@ var setIPTablesCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {

src/runtime/cmd/kata-runtime/kata-policy.go

@@ -62,7 +62,7 @@ var setPolicyCommand = cli.Command{
 			return err
 		}
 
-		url := containerdshim.PolicyUrl
+		url := containerdshim.PolicyURL
 
 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
 			return fmt.Errorf("Error observed when making policy-set request(%s): %s", policyFile, err)

src/runtime/cmd/kata-runtime/kata-volume.go

@@ -126,7 +126,7 @@ var resizeCommand = cli.Command{
 
 // Stats retrieves the filesystem stats of the direct volume inside the guest.
 func Stats(volumePath string) ([]byte, error) {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +136,8 @@ func Stats(volumePath string) ([]byte, error) {
 	}
 
 	urlSafeDevicePath := url.PathEscape(volumeMountInfo.Device)
-	body, err := shimclient.DoGet(sandboxId, defaultTimeout,
-		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatUrl, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout,
+		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatURL, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +146,7 @@ func Stats(volumePath string) ([]byte, error) {
 
 // Resize resizes a direct volume inside the guest.
 func Resize(volumePath string, size uint64) error {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return err
 	}
@@ -163,5 +163,5 @@ func Resize(volumePath string, size uint64) error {
 	if err != nil {
 		return err
 	}
-	return shimclient.DoPost(sandboxId, defaultTimeout, containerdshim.DirectVolumeResizeUrl, "application/json", encoded)
+	return shimclient.DoPost(sandboxID, defaultTimeout, containerdshim.DirectVolumeResizeURL, "application/json", encoded)
 }

src/runtime/cmd/kata-runtime/release.go

@@ -94,11 +94,12 @@ func releaseURLIsValid(url string) error {
 func getReleaseURL(currentVersion semver.Version) (url string, err error) {
 	major := currentVersion.Major
 
-	if major == 0 {
+	switch major {
+	case 0:
 		return "", fmt.Errorf("invalid current version: %v", currentVersion)
-	} else if major == 1 {
+	case 1:
 		url = kataLegacyReleaseURL
-	} else {
+	default:
 		url = kataReleaseURL
 	}
 

src/runtime/config/configuration-clh.toml.in

@@ -491,6 +491,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-fc.toml.in

@@ -382,6 +382,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-cca.toml.in

@@ -670,6 +670,12 @@ dan_conf = "@DEFDANCONF@"
 # the container image should be pulled in the guest, without using an external snapshotter.
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
+
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-coco-dev.toml.in

@@ -734,6 +734,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -99,7 +99,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARESNPPATH@"
+firmware = "@FIRMWARESNPPATH_NV@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -750,6 +750,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -76,7 +76,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH@"
+firmware = "@FIRMWARETDVFPATH_NV@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -727,6 +727,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -58,7 +58,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH@"
+firmware = "@FIRMWAREPATH_NV@"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -724,6 +724,11 @@ create_container_timeout = @DEFAULTTIMEOUT_NV@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-se.toml.in

@@ -712,6 +712,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-snp.toml.in

@@ -737,6 +737,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -719,6 +719,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-qemu.toml.in

@@ -142,7 +142,7 @@ memory_offset = 0
 # Please note that this option should be used with the command
 # "echo 1 > /proc/sys/vm/overcommit_memory".
 # Default false
-enable_virtio_mem = false
+enable_virtio_mem = @DEFENABLEVIRTIOMEM@
 
 # Disable hotplugging host block devices to guest VMs for container rootfs.
 # In case of a storage driver like devicemapper where a container's
@@ -723,6 +723,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-remote.toml.in

@@ -290,6 +290,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/config/configuration-stratovirt.toml.in

@@ -425,6 +425,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"
 
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the

src/runtime/go.mod

@@ -1,14 +1,14 @@
 module github.com/kata-containers/kata-containers/src/runtime
 
 // Keep in sync with version in versions.yaml
-go 1.24.13
+go 1.25.7
 
 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
 
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5
-	github.com/BurntSushi/toml v1.5.0
+	github.com/BurntSushi/toml v1.6.0
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/blang/semver/v4 v4.0.0
 	github.com/container-orchestrated-devices/container-device-interface v0.6.0
@@ -52,11 +52,10 @@ require (
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
-	gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.40.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.0.0
-	go.opentelemetry.io/otel/sdk v1.35.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/trace v1.40.0
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sys v0.40.0
 	google.golang.org/grpc v1.72.0
@@ -127,9 +126,9 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/mod v0.31.0 // indirect
 	golang.org/x/net v0.49.0 // indirect

src/runtime/go.sum

@@ -8,8 +8,9 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
+github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -265,8 +266,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.6.2 h1:O3ZPFAKEUEfbtE6J/feEe2Ft7dIJ2Sy8t4SdMRiIMHY=
@@ -308,31 +309,29 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965 h1:EXE1ZsUqiUWGV5Dw2oTYpXx24ffxj0//yhTB0Ppv+4s=
-gitlab.com/nvidia/cloud-native/go-nvlib v0.0.0-20220601114329-47893b162965/go.mod h1:TBB3sR7/jg4RCThC/cgT4fB8mAbbMO307TycfgeR59w=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
 go.opentelemetry.io/otel v1.0.0/go.mod h1:AjRVh9A5/5DE7S+mZtTR6t8vpKKryam+0lREnfmS4cg=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0 h1:cLhx8llHw02h5JTqGqaRbYn+QVKHmrzD9vEbKnSPk5U=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0/go.mod h1:q10N1AolE1JjqKrFJK2tYw0iZpmX+HBaXBtuCzRnBGQ=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
 go.opentelemetry.io/otel/sdk v1.0.0/go.mod h1:PCrDHlSy5x1kjezSdL37PhbFUMjrsLRshJ2zCzeXwbM=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
 go.opentelemetry.io/otel/trace v1.0.0/go.mod h1:PXTWqayeFUlJV1YDNhsJYB184+IvAH814St6o6ajzIs=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=

src/runtime/pkg/containerd-shim-v2/create.go

@@ -40,7 +40,6 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
-	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/compatoci"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 )
@@ -52,7 +51,7 @@ var defaultStartManagementServerFunc startManagementServerFunc = func(s *service
 	shimLog.Info("management server started")
 }
 
-func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
+func copyLayersToMounts(rootFs *virtcontainers.RootFs, spec *specs.Spec) error {
 	for _, o := range rootFs.Options {
 		if !strings.HasPrefix(o, annotations.FileSystemLayer) {
 			continue
@@ -75,7 +74,7 @@ func copyLayersToMounts(rootFs *vc.RootFs, spec *specs.Spec) error {
 }
 
 func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*container, error) {
-	rootFs := vc.RootFs{}
+	rootFs := virtcontainers.RootFs{}
 	if len(r.Rootfs) == 1 {
 		m := r.Rootfs[0]
 		rootFs.Source = m.Source
@@ -108,7 +107,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 	}
 
 	switch containerType {
-	case vc.PodSandbox, vc.SingleContainer:
+	case virtcontainers.PodSandbox, virtcontainers.SingleContainer:
 		if s.sandbox != nil {
 			return nil, fmt.Errorf("cannot create another sandbox in sandbox: %s", s.sandbox.ID())
 		}
@@ -151,7 +150,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 		//   2. If this is not a sandbox infrastructure container, but instead a standalone single container (analogous to "docker run..."),
 		//	then the container spec itself will contain appropriate sizing information for the entire sandbox (since it is
 		//	a single container.
-		if containerType == vc.PodSandbox {
+		if containerType == virtcontainers.PodSandbox {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateSandboxSizing(ociSpec)
 		} else {
 			s.config.SandboxCPUs, s.config.SandboxMemMB = oci.CalculateContainerSizing(ociSpec)
@@ -203,7 +202,7 @@ func create(ctx context.Context, s *service, r *taskAPI.CreateTaskRequest) (*con
 			defaultStartManagementServerFunc(s, ctx, ociSpec)
 		}
 
-	case vc.PodContainer:
+	case virtcontainers.PodContainer:
 		span, ctx := katatrace.Trace(s.ctx, shimLog, "create", shimTracingTags)
 		defer span.End()
 
@@ -325,7 +324,7 @@ func checkAndMount(s *service, r *taskAPI.CreateTaskRequest) (bool, error) {
 			return false, nil
 		}
 
-		if vc.IsNydusRootFSType(m.Type) {
+		if virtcontainers.IsNydusRootFSType(m.Type) {
 			// if kata + nydus, do not mount
 			return false, nil
 		}
@@ -361,7 +360,7 @@ func doMount(mounts []*containerd_types.Mount, rootfs string) error {
 	return nil
 }
 
-func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId string) error {
+func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxID string) error {
 	userName, err := utils.CreateVmmUser()
 	if err != nil {
 		return err
@@ -370,7 +369,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		if err != nil {
 			shimLog.WithFields(logrus.Fields{
 				"user_name":  userName,
-				"sandbox_id": sandboxId,
+				"sandbox_id": sandboxID,
 			}).WithError(err).Warn("configure non root hypervisor failed, delete the user")
 			if err2 := utils.RemoveVmmUser(userName); err2 != nil {
 				shimLog.WithField("userName", userName).WithError(err).Warn("failed to remove user")
@@ -398,7 +397,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		"user_name":  userName,
 		"uid":        uid,
 		"gid":        gid,
-		"sandbox_id": sandboxId,
+		"sandbox_id": sandboxID,
 	}).Debug("successfully created a non root user for the hypervisor")
 
 	userTmpDir := path.Join("/run/user/", fmt.Sprint(uid))
@@ -410,7 +409,7 @@ func configureNonRootHypervisor(runtimeConfig *oci.RuntimeConfig, sandboxId stri
 		}
 	}
 
-	if err = os.Mkdir(userTmpDir, vc.DirMode); err != nil {
+	if err = os.Mkdir(userTmpDir, virtcontainers.DirMode); err != nil {
 		return err
 	}
 	defer func() {

src/runtime/pkg/containerd-shim-v2/shim_management.go

@@ -34,13 +34,13 @@ import (
 
 const (
 	DirectVolumePathKey   = "path"
-	AgentUrl              = "/agent-url"
-	DirectVolumeStatUrl   = "/direct-volume/stats"
-	DirectVolumeResizeUrl = "/direct-volume/resize"
-	IPTablesUrl           = "/iptables"
-	PolicyUrl             = "/policy"
-	IP6TablesUrl          = "/ip6tables"
-	MetricsUrl            = "/metrics"
+	AgentURL              = "/agent-url"
+	DirectVolumeStatURL   = "/direct-volume/stats"
+	DirectVolumeResizeURL = "/direct-volume/resize"
+	IPTablesURL           = "/iptables"
+	PolicyURL             = "/policy"
+	IP6TablesURL          = "/ip6tables"
+	MetricsURL            = "/metrics"
 )
 
 var (
@@ -288,13 +288,13 @@ func (s *service) startManagementServer(ctx context.Context, ociSpec *specs.Spec
 
 	// bind handler
 	m := http.NewServeMux()
-	m.Handle(MetricsUrl, http.HandlerFunc(s.serveMetrics))
-	m.Handle(AgentUrl, http.HandlerFunc(s.agentURL))
-	m.Handle(DirectVolumeStatUrl, http.HandlerFunc(s.serveVolumeStats))
-	m.Handle(DirectVolumeResizeUrl, http.HandlerFunc(s.serveVolumeResize))
-	m.Handle(IPTablesUrl, http.HandlerFunc(s.ipTablesHandler))
-	m.Handle(PolicyUrl, http.HandlerFunc(s.policyHandler))
-	m.Handle(IP6TablesUrl, http.HandlerFunc(s.ip6TablesHandler))
+	m.Handle(MetricsURL, http.HandlerFunc(s.serveMetrics))
+	m.Handle(AgentURL, http.HandlerFunc(s.agentURL))
+	m.Handle(DirectVolumeStatURL, http.HandlerFunc(s.serveVolumeStats))
+	m.Handle(DirectVolumeResizeURL, http.HandlerFunc(s.serveVolumeResize))
+	m.Handle(IPTablesURL, http.HandlerFunc(s.ipTablesHandler))
+	m.Handle(PolicyURL, http.HandlerFunc(s.policyHandler))
+	m.Handle(IP6TablesURL, http.HandlerFunc(s.ip6TablesHandler))
 	s.mountPprofHandle(m, ociSpec)
 
 	// register shim metrics
@@ -373,7 +373,7 @@ func ClientSocketAddress(id string) (string, error) {
 	if _, err := os.Stat(socketPath); err != nil {
 		socketPath = SocketPathRust(id)
 		if _, err := os.Stat(socketPath); err != nil {
-			return "", fmt.Errorf("It fails to stat both %s and %s with error %v.", SocketPathGo(id), SocketPathRust(id), err)
+			return "", fmt.Errorf("it fails to stat both %s and %s with error %v", SocketPathGo(id), SocketPathRust(id), err)
 		}
 	}
 

src/runtime/pkg/device/drivers/vfio.go

@@ -139,7 +139,7 @@ func (device *VFIODevice) Detach(ctx context.Context, devReceiver api.DeviceRece
 		}
 	}()
 
-	if device.GenericDevice.DeviceInfo.ColdPlug {
+	if device.DeviceInfo.ColdPlug {
 		// nothing to detach, device was cold plugged
 		deviceLogger().WithFields(logrus.Fields{
 			"device-group": device.DeviceInfo.HostPath,
@@ -264,7 +264,7 @@ func GetVFIODetails(deviceFileName, iommuDevicesPath string) (deviceBDF, deviceS
 // getMediatedBDF returns the BDF of a VF
 // Expected input string format is /sys/devices/pci0000:d7/BDF0/BDF1/.../MDEVBDF/UUID
 func getMediatedBDF(deviceSysfsDev string) string {
-	tokens := strings.SplitN(deviceSysfsDev, "/", -1)
+	tokens := strings.Split(deviceSysfsDev, "/")
 	if len(tokens) < 4 {
 		return ""
 	}

src/runtime/pkg/device/manager/manager.go

@@ -59,15 +59,11 @@ func NewDeviceManager(blockDriver string, vhostUserStoreEnabled bool, vhostUserS
 		vhostUserReconnectTimeout: vhostUserReconnect,
 		devices:                   make(map[string]api.Device),
 	}
-	if blockDriver == config.VirtioMmio {
-		dm.blockDriver = config.VirtioMmio
-	} else if blockDriver == config.VirtioBlock {
-		dm.blockDriver = config.VirtioBlock
-	} else if blockDriver == config.Nvdimm {
-		dm.blockDriver = config.Nvdimm
-	} else if blockDriver == config.VirtioBlockCCW {
-		dm.blockDriver = config.VirtioBlockCCW
-	} else {
+
+	switch blockDriver {
+	case config.VirtioMmio, config.VirtioBlock, config.Nvdimm, config.VirtioBlockCCW:
+		dm.blockDriver = blockDriver
+	default:
 		dm.blockDriver = config.VirtioSCSI
 	}
 

src/runtime/pkg/direct-volume/utils.go

@@ -99,18 +99,18 @@ func VolumeMountInfo(volumePath string) (*MountInfo, error) {
 	return &mountInfo, nil
 }
 
-// RecordSandboxId associates a sandbox id with a direct volume.
-func RecordSandboxId(sandboxId string, volumePath string) error {
+// RecordSandboxID associates a sandbox id with a direct volume.
+func RecordSandboxID(sandboxID string, volumePath string) error {
 	encodedPath := b64.URLEncoding.EncodeToString([]byte(volumePath))
 	mountInfoFilePath := filepath.Join(kataDirectVolumeRootPath, encodedPath, mountInfoFileName)
 	if _, err := os.Stat(mountInfoFilePath); err != nil {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxId), []byte(""), 0600)
+	return os.WriteFile(filepath.Join(kataDirectVolumeRootPath, encodedPath, sandboxID), []byte(""), 0600)
 }
 
-func GetSandboxIdForVolume(volumePath string) (string, error) {
+func GetSandboxIDForVolume(volumePath string) (string, error) {
 	files, err := os.ReadDir(filepath.Join(kataDirectVolumeRootPath, b64.URLEncoding.EncodeToString([]byte(volumePath))))
 	if err != nil {
 		return "", err

src/runtime/pkg/direct-volume/utils_test.go

@@ -56,7 +56,7 @@ func TestAdd(t *testing.T) {
 	assert.Nil(t, err)
 }
 
-func TestRecordSandboxId(t *testing.T) {
+func TestRecordSandboxID(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
@@ -73,22 +73,22 @@ func TestRecordSandboxId(t *testing.T) {
 	// Add the mount info
 	assert.Nil(t, Add(volumePath, string(buf)))
 
-	sandboxId := uuid.Generate().String()
-	err = RecordSandboxId(sandboxId, volumePath)
+	sandboxID := uuid.Generate().String()
+	err = RecordSandboxID(sandboxID, volumePath)
 	assert.Nil(t, err)
 
-	id, err := GetSandboxIdForVolume(volumePath)
+	id, err := GetSandboxIDForVolume(volumePath)
 	assert.Nil(t, err)
-	assert.Equal(t, sandboxId, id)
+	assert.Equal(t, sandboxID, id)
 }
 
-func TestRecordSandboxIdNoMountInfoFile(t *testing.T) {
+func TestRecordSandboxIDNoMountInfoFile(t *testing.T) {
 	var err error
 	kataDirectVolumeRootPath = t.TempDir()
 
 	var volumePath = "/a/b/c"
-	sandboxId := uuid.Generate().String()
-	err = RecordSandboxId(sandboxId, volumePath)
+	sandboxID := uuid.Generate().String()
+	err = RecordSandboxID(sandboxID, volumePath)
 	assert.Error(t, err)
 	assert.True(t, errors.Is(err, os.ErrNotExist))
 }

src/runtime/pkg/govmm/.github/workflows/main.yml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: golangci-lint

src/runtime/pkg/govmm/qemu/qemu.go

@@ -496,8 +496,8 @@ type TdxQomObject struct {
 	Debug                 *bool         `json:"debug,omitempty"`
 }
 
-func (this *SocketAddress) String() string {
-	b, err := json.Marshal(*this)
+func (s *SocketAddress) String() string {
+	b, err := json.Marshal(*s)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal SocketAddress object: %s", err.Error())
@@ -507,8 +507,8 @@ func (this *SocketAddress) String() string {
 	return string(b)
 }
 
-func (this *TdxQomObject) String() string {
-	b, err := json.Marshal(*this)
+func (t *TdxQomObject) String() string {
+	b, err := json.Marshal(*t)
 
 	if err != nil {
 		log.Fatalf("Unable to marshal TDX QOM object: %s", err.Error())

src/runtime/pkg/govmm/qemu/qmp.go

@@ -1446,11 +1446,18 @@ func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, si
 		"memdev": id,
 	}
 
-	if bus != "" {
-		args["bus"] = bus
-	}
-	if addr != "" {
-		args["addr"] = addr
+	var transport VirtioTransport
+	if transport.isVirtioCCW(nil) {
+		if addr != "" {
+			args["devno"] = addr
+		}
+	} else {
+		if bus != "" {
+			args["bus"] = bus
+		}
+		if addr != "" {
+			args["addr"] = addr
+		}
 	}
 
 	err = q.executeCommand(ctx, "device_add", args, nil)

src/runtime/pkg/kata-monitor/metrics.go

@@ -259,7 +259,7 @@ func (km *KataMonitor) aggregateSandboxMetrics(encoder expfmt.Encoder, filterFam
 }
 
 func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*dto.MetricFamily, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +269,7 @@ func getParsedMetrics(sandboxID string, sandboxMetadata sandboxCRIMetadata) ([]*
 
 // GetSandboxMetrics will get sandbox's metrics from shim
 func GetSandboxMetrics(sandboxID string) (string, error) {
-	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsUrl)
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.MetricsURL)
 	if err != nil {
 		return "", err
 	}

src/runtime/pkg/kata-monitor/metrics_test.go

@@ -138,9 +138,11 @@ func TestEncodeMetricFamily(t *testing.T) {
 			continue
 		}
 		// only check kata_monitor_running_shim_count and kata_monitor_scrape_count
-		if fields[0] == "kata_monitor_running_shim_count" {
+		switch fields[0] {
+		case "kata_monitor_running_shim_count":
 			assert.Equal("11", fields[1], "kata_monitor_running_shim_count should be 11")
-		} else if fields[0] == "kata_monitor_scrape_count" {
+
+		case "kata_monitor_scrape_count":
 			assert.Equal("2", fields[1], "kata_monitor_scrape_count should be 2")
 		}
 	}

src/runtime/pkg/kata-monitor/monitor.go

@@ -184,7 +184,7 @@ func (km *KataMonitor) GetAgentURL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentUrl)
+	data, err := shimclient.DoGet(sandboxID, defaultTimeout, containerdshim.AgentURL)
 	if err != nil {
 		commonServeError(w, http.StatusBadRequest, err)
 		return
@@ -206,14 +206,14 @@ func (km *KataMonitor) ListSandboxes(w http.ResponseWriter, r *http.Request) {
 
 func listSandboxesText(sandboxes []string, w http.ResponseWriter) {
 	for _, s := range sandboxes {
-		w.Write([]byte(fmt.Sprintf("%s\n", s)))
+		fmt.Fprintf(w, "%s\n", s)
 	}
 }
 func listSandboxesHtml(sandboxes []string, w http.ResponseWriter) {
 	w.Write([]byte("<h1>Sandbox list</h1>\n"))
 	w.Write([]byte("<ul>\n"))
 	for _, s := range sandboxes {
-		w.Write([]byte(fmt.Sprintf("<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)))
+		fmt.Fprintf(w, "<li>%s: <a href='/debug/pprof/?sandbox=%s'>pprof</a>, <a href='/metrics?sandbox=%s'>metrics</a>, <a href='/agent-url?sandbox=%s'>agent-url</a></li>\n", s, s, s, s)
 	}
 	w.Write([]byte("</ul>\n"))
 }

src/runtime/pkg/kata-monitor/pprof.go

@@ -98,7 +98,7 @@ func (km *KataMonitor) ExpvarHandler(w http.ResponseWriter, r *http.Request) {
 // PprofIndex handles other `/debug/pprof/` requests
 func (km *KataMonitor) PprofIndex(w http.ResponseWriter, r *http.Request) {
 	if len(strings.TrimPrefix(r.URL.Path, "/debug/pprof/")) == 0 {
-		km.proxyRequest(w, r, copyResponseAddingSandboxIdToHref)
+		km.proxyRequest(w, r, copyResponseAddingSandboxIDToHref)
 	} else {
 		km.proxyRequest(w, r, nil)
 	}
@@ -132,7 +132,7 @@ func copyResponse(req *http.Request, w io.Writer, r io.Reader) error {
 	return err
 }
 
-func copyResponseAddingSandboxIdToHref(req *http.Request, w io.Writer, r io.Reader) error {
+func copyResponseAddingSandboxIDToHref(req *http.Request, w io.Writer, r io.Reader) error {
 	sb, err := getSandboxIDFromReq(req)
 	if err != nil {
 		monitorLog.WithError(err).Warning("missing sandbox query in pprof url")

src/runtime/pkg/kata-monitor/pprof_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestCopyResponseAddingSandboxIdToHref(t *testing.T) {
+func TestCopyResponseAddingSandboxIDToHref(t *testing.T) {
 	assert := assert.New(t)
 
 	htmlIn := strings.NewReader(`
@@ -112,6 +112,6 @@ Profile Descriptions:
 
 	req := &http.Request{URL: &url.URL{RawQuery: "sandbox=1234567890"}}
 	buf := bytes.NewBuffer(nil)
-	copyResponseAddingSandboxIdToHref(req, buf, htmlIn)
+	copyResponseAddingSandboxIDToHref(req, buf, htmlIn)
 	assert.Equal(htmlExpected, buf)
 }

src/runtime/pkg/katatestutils/constraints.go

@@ -98,8 +98,8 @@ func getKernelVersion() (string, error) {
 // These kernel version can't be parsed by the current lib and lead to panic
 // therefore the '+' should be removed.
 func fixKernelVersion(version string) string {
-	version = strings.Replace(version, "_", "-", -1)
-	return strings.Replace(version, "+", "", -1)
+	version = strings.ReplaceAll(version, "_", "-")
+	return strings.ReplaceAll(version, "+", "")
 }
 
 // handleKernelVersion checks that the current kernel version is compatible with

src/runtime/pkg/katatestutils/utils.go

@@ -23,7 +23,7 @@ const (
 	testDirMode  = os.FileMode(0750)
 	testFileMode = os.FileMode(0640)
 
-	busyboxConfigJson = `
+	busyboxConfigJSON = `
 {
 	"ociVersion": "1.0.1-dev",
 	"process": {
@@ -359,7 +359,7 @@ func SetupOCIConfigFile(t *testing.T) (rootPath string, bundlePath, ociConfigFil
 	assert.NoError(err)
 
 	ociConfigFile = filepath.Join(bundlePath, "config.json")
-	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJson), testFileMode)
+	err = os.WriteFile(ociConfigFile, []byte(busyboxConfigJSON), testFileMode)
 	assert.NoError(err)
 
 	return tmpdir, bundlePath, ociConfigFile

src/runtime/pkg/katautils/config.go

@@ -22,7 +22,6 @@ import (
 	govmmQemu "github.com/kata-containers/kata-containers/src/runtime/pkg/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/oci"
-	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	exp "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/experimental"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
@@ -202,6 +201,7 @@ type runtime struct {
 	DanConf                   string   `toml:"dan_conf"`
 	ForceGuestPull            bool     `toml:"experimental_force_guest_pull"`
 	PodResourceAPISock        string   `toml:"pod_resource_api_sock"`
+	KubeletRootDir            string   `toml:"kubelet_root_dir"`
 }
 
 type agent struct {
@@ -1643,6 +1643,7 @@ func LoadConfiguration(configPath string, ignoreLogging bool) (resolvedConfigPat
 
 	config.ForceGuestPull = tomlConf.Runtime.ForceGuestPull
 	config.PodResourceAPISock = tomlConf.Runtime.PodResourceAPISock
+	config.KubeletRootDir = tomlConf.Runtime.KubeletRootDir
 
 	return resolved, config, nil
 }
@@ -1900,8 +1901,8 @@ func checkConfig(config oci.RuntimeConfig) error {
 // checkPCIeConfig ensures the PCIe configuration is valid.
 // Only allow one of the following settings for cold-plug:
 // no-port, root-port, switch-port
-func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType virtcontainers.HypervisorType) error {
-	if hypervisorType != virtcontainers.QemuHypervisor && hypervisorType != virtcontainers.ClhHypervisor {
+func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineType string, hypervisorType vc.HypervisorType) error {
+	if hypervisorType != vc.QemuHypervisor && hypervisorType != vc.ClhHypervisor {
 		kataUtilsLogger.Warn("Advanced PCIe Topology only available for QEMU/CLH hypervisor, ignoring hot(cold)_vfio_port setting")
 		return nil
 	}
@@ -1917,7 +1918,7 @@ func checkPCIeConfig(coldPlug config.PCIePort, hotPlug config.PCIePort, machineT
 	if machineType != "q35" && machineType != "virt" {
 		return nil
 	}
-	if hypervisorType == virtcontainers.ClhHypervisor {
+	if hypervisorType == vc.ClhHypervisor {
 		if coldPlug != config.NoPort {
 			return fmt.Errorf("cold-plug not supported on CLH")
 		}