mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-01 14:38:33 +00:00
When a VF is cold-plugged in guest-kernel mode, mlx5_core binds to the
PCI device inside the VM and mlx5_ib creates IB character devices under
/dev/infiniband/ (uverbs*, rdma_cm, umad*). The container cannot reach
these devices unless they are explicitly added to its OCI spec.
Add expose_guest_infiniband_devices(), called from create_devices() when
the container carries at least one VFIO device entry. The function:
- Walks /dev/infiniband/ inside the guest VM.
- Appends each char device to spec.linux.devices.
- Inserts matching cgroup allow rules (rwm).
- Is a no-op if /dev/infiniband/ is absent or empty (no IB driver,
or VF not yet rebound), so non-RDMA pods are unaffected.
Gate the call on container_has_vfio_device() so unrelated containers
sharing the sandbox do not get IB device access widened.
Add is_vfio_device_type() and snapshot_infiniband() to
kata-sys-util/pcilibs. is_vfio_device_type() lets the agent check
device type strings against the VFIO driver name constants without
duplication. snapshot_infiniband() summarises /sys/class/infiniband,
/sys/class/infiniband_verbs, and /dev/infiniband as a single diagnostic
string for log context; it lives in pcilibs because it has no
agent-specific dependencies (pure sysfs/devfs reads).
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
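As an added illustration of the flow the commit message describes (example code, not the project's own), the Rust sketch below walks a device directory, keeps only character devices, and emits one spec device entry plus one matching "rwm" cgroup allow rule per device, staying a no-op when the directory is absent or empty. The LinuxDevice and DeviceCgroupRule structs and every function name here are assumed, simplified stand-ins for the real OCI spec types and the agent's helpers.

```rust
use std::fs;
use std::os::unix::fs::{FileTypeExt, MetadataExt};
use std::path::Path;

/// Stand-ins for the OCI spec's linux.devices and linux.resources.devices
/// entries (assumed, simplified shapes; not the project's real types).
#[derive(Debug, Clone, PartialEq)]
pub struct LinuxDevice { pub path: String, pub dev_type: char, pub major: u64, pub minor: u64 }
#[derive(Debug, Clone, PartialEq)]
pub struct DeviceCgroupRule { pub allow: bool, pub dev_type: char, pub major: u64, pub minor: u64, pub access: String }

/// Linux dev_t decoding, same bit split as glibc's major()/minor().
pub fn dev_major(rdev: u64) -> u64 { ((rdev >> 8) & 0xfff) | ((rdev >> 32) & !0xfff) }
pub fn dev_minor(rdev: u64) -> u64 { (rdev & 0xff) | ((rdev >> 12) & !0xff) }

/// Pure step: one spec device entry plus one matching "rwm" allow rule per
/// (path, rdev) pair. Kept separate so it can be checked without mknod.
pub fn infiniband_spec_entries(devs: &[(String, u64)]) -> (Vec<LinuxDevice>, Vec<DeviceCgroupRule>) {
    let mut devices = Vec::new();
    let mut rules = Vec::new();
    for (path, rdev) in devs {
        let (major, minor) = (dev_major(*rdev), dev_minor(*rdev));
        devices.push(LinuxDevice { path: path.clone(), dev_type: 'c', major, minor });
        rules.push(DeviceCgroupRule { allow: true, dev_type: 'c', major, minor, access: "rwm".to_string() });
    }
    (devices, rules)
}

/// Walk `dev_dir` (normally /dev/infiniband inside the guest) and collect only
/// character devices. A missing or empty directory yields no entries (no-op).
pub fn expose_guest_infiniband_devices(dev_dir: &Path) -> std::io::Result<(Vec<LinuxDevice>, Vec<DeviceCgroupRule>)> {
    let rd = match fs::read_dir(dev_dir) {
        Ok(rd) => rd,
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok((Vec::new(), Vec::new())),
        Err(e) => return Err(e),
    };
    let mut found = Vec::new();
    for entry in rd {
        let entry = entry?;
        let meta = fs::metadata(entry.path())?; // follows symlinks to the real node
        if meta.file_type().is_char_device() {
            found.push((entry.path().to_string_lossy().into_owned(), meta.rdev()));
        }
    }
    found.sort(); // deterministic order in the resulting spec
    Ok(infiniband_spec_entries(&found))
}
```

The gating on a VFIO device entry in the container's spec, which the commit message puts in the caller, is left to the caller here as well.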
Kata Containers Library Crates
The src/libs directory hosts library crates shared by multiple Kata Containers components. These libraries provide common utilities, data types, and protocol definitions to facilitate development and maintain consistency across the project.
Library Crates
| Library | Description |
|---|---|
| kata-types | Constants, data types, and configuration structures shared by Kata Containers components |
| kata-sys-util | System utilities: CPU, device, filesystem, hooks, K8s, mount, netns, NUMA, PCI, protection, spec validation |
| protocols | ttrpc protocol definitions for agent, health, remote, CSI, OCI, confidential data hub |
| runtime-spec | OCI runtime spec data structures and constants |
| shim-interface | Shim management interface with RESTful API over Unix domain socket |
| logging | Slog-based logging with JSON output and systemd journal support |
| safe-path | Safe path resolution to prevent symlink and TOCTOU attacks |
| mem-agent | Memory management agent: memcg, compact, PSI monitoring |
| test-utils | Test macros for root/non-root privileges and KVM accessibility |
Details
kata-types
Core types and configurations including:
- Annotations for CRI-containerd, CRI-O, dockershim
- Hypervisor configurations (QEMU, Cloud Hypervisor, Firecracker, Dragonball)
- Agent and runtime configurations
- Kubernetes-specific utilities
kata-sys-util
System-level utilities:
- cpu: CPU information and affinity
- device: Device management
- fs: Filesystem operations
- hooks: Hook execution
- k8s: Kubernetes utilities
- mount: Mount operations
- netns: Network namespace handling
- numa: NUMA topology
- pcilibs: PCI device access
- protection: Hardware protection features
- spec: OCI spec loading
- validate: Input validation
protocols
Generated ttrpc protocol bindings:
- agent: Kata agent API
- health: Health check service
- remote: Remote hypervisor API
- csi: Container storage interface
- oci: OCI specifications
- confidential_data_hub: Confidential computing support
Features: async for async ttrpc, with-serde for serde support.
runtime-spec
OCI runtime specification types:
- ContainerState: Creating, Created, Running, Stopped, Paused
- State: Container state with version, id, status, pid, bundle, annotations
- Namespace constants: pid, network, mount, ipc, user, uts, cgroup
shim-interface
Shim management service interface:
- RESTful API over Unix domain socket (/run/kata/<sid>/shim-monitor.sock)
- MgmtClient for HTTP requests to the shim management server
- Sandbox ID resolution with prefix matching
logging
Slog-based logging framework:
- JSON output to file or stdout
- systemd journal support
- Runtime log level filtering per component/subsystem
- Async drain for thread safety
safe-path
Secure filesystem path handling:
- scoped_join(): Safely join paths under a root directory
- scoped_resolve(): Resolve paths constrained by a root
- PinnedPathBuf: TOCTOU-safe path reference
- ScopedDirBuilder: Safe directory creation
mem-agent
Memory management for containers:
- memcg: Memory cgroup configuration and monitoring
- compact: Memory compaction control
- psi: Pressure stall information monitoring
- Async runtime with configurable policies
test-utils
Testing utilities:
- skip_if_root!: Skip test if running as root
- skip_if_not_root!: Skip test if not running as root
- skip_if_kvm_unaccessable!: Skip test if KVM is unavailable
- assert_result!: Assert expected vs actual results
License
All crates are licensed under Apache-2.0.