mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-05-18 13:46:06 +00:00
Add the core volume handler for block-encrypted emptyDir support in runtime-rs, bringing it to parity with the Go runtime (PR #10559).

When emptydir_mode is set to "block-encrypted", host emptyDir bind mounts are intercepted and handled as follows:

1. A sparse disk image (disk.img) is created inside the emptyDir folder, sized to match the host filesystem capacity.
2. A mountInfo.json is written under the kata direct-volume root with volume_type "blk", fs_type "ext4", and metadata encryptionKey=ephemeral.
3. The disk image is plugged into the guest VM as a virtio-blk device via the hypervisor device manager.
4. An agent::Storage is built with driver_options containing encryption_key=ephemeral and shared=true, so the kata-agent delegates formatting and encryption to CDH using LUKS2.

The volume is registered in the dispatch chain before the regular block-volume check, and ephemeral disk metadata is tracked for sandbox-level cleanup at teardown.

Also re-exports EMPTYDIR_MODE_* constants from kata-types::config so downstream crates can reference them.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
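What the first two steps above leave on the host, as an added example written for this page rather than code from runtime-rs: it creates the sparse disk.img (step 1) and a mountInfo.json carrying the fields the commit lists (step 2), using only the Rust standard library. The device and options fields, the exact JSON layout, and the temp-dir stand-in for the kata direct-volume root are assumptions; plugging the device and building the agent Storage (steps 3 and 4) are not shown.

```rust
// Added illustration, not runtime-rs code: the two host-side artifacts the commit
// describes for a "block-encrypted" emptyDir, built with std only.
use std::fs::{self, File};
use std::io::Write;
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};

/// Create disk.img inside `emptydir` as a sparse file of `capacity_bytes`:
/// set_len extends the file without writing data, so no host blocks are used yet.
pub fn create_sparse_image(emptydir: &Path, capacity_bytes: u64) -> std::io::Result<PathBuf> {
    let path = emptydir.join("disk.img");
    File::create(&path)?.set_len(capacity_bytes)?;
    Ok(path)
}

/// Bytes actually allocated on the host for `path` (st_blocks is in 512-byte units).
pub fn allocated_bytes(path: &Path) -> std::io::Result<u64> {
    Ok(fs::metadata(path)?.blocks() * 512)
}

/// Render the mountInfo.json the commit describes. The commit names volume_type,
/// fs_type and the encryptionKey metadata entry; the device and options fields and
/// the exact JSON layout are assumptions here. The path is not JSON-escaped.
pub fn mount_info_json(device: &Path) -> String {
    format!(
        "{{\"volume_type\":\"blk\",\"device\":\"{}\",\"fs_type\":\"ext4\",\
         \"options\":[],\"metadata\":{{\"encryptionKey\":\"ephemeral\"}}}}",
        device.display()
    )
}

/// Write mountInfo.json under `direct_volume_root` (a temp dir in main, not the real
/// kata direct-volume root) and return its path.
pub fn write_mount_info(direct_volume_root: &Path, device: &Path) -> std::io::Result<PathBuf> {
    fs::create_dir_all(direct_volume_root)?;
    let path = direct_volume_root.join("mountInfo.json");
    File::create(&path)?.write_all(mount_info_json(device).as_bytes())?;
    Ok(path)
}

fn main() -> std::io::Result<()> {
    // Constructed sample: pretend the host filesystem capacity is 64 MiB.
    let base = std::env::temp_dir().join(format!("emptydir-demo-{}", std::process::id()));
    let emptydir = base.join("emptydir");
    fs::create_dir_all(&emptydir)?;
    let img = create_sparse_image(&emptydir, 64 << 20)?;
    println!("{}: {} bytes allocated on host", img.display(), allocated_bytes(&img)?);
    let _info = write_mount_info(&base.join("direct-volumes"), &img)?;
    fs::remove_dir_all(&base)
}
```

On a Linux filesystem the allocated-bytes figure stays near zero until the guest formats the image, which is the property that makes the per-emptyDir image cheap to create at full host capacity.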