Commit 91df041803 (Fabiano Fidêncio): agent: expose guest InfiniBand devices to VFIO containers
When a VF is cold-plugged in guest-kernel mode, mlx5_core binds to the
PCI device inside the VM and mlx5_ib creates IB character devices under
/dev/infiniband/ (uverbs*, rdma_cm, umad*). The container cannot reach
these devices unless they are explicitly added to its OCI spec.

Add expose_guest_infiniband_devices(), called from create_devices() when
the container carries at least one VFIO device entry. The function:

  - Walks /dev/infiniband/ inside the guest VM.
  - Appends each char device to spec.linux.devices.
  - Inserts matching cgroup allow rules (rwm).
  - Is a no-op if /dev/infiniband/ is absent or empty (no IB driver,
    or VF not yet rebound), so non-RDMA pods are unaffected.

Gate the call on container_has_vfio_device() so unrelated containers
sharing the sandbox do not get IB device access widened.

Add is_vfio_device_type() and snapshot_infiniband() to
kata-sys-util/pcilibs. is_vfio_device_type() lets the agent check
device type strings against the VFIO driver name constants without
duplication. snapshot_infiniband() summarises /sys/class/infiniband,
/sys/class/infiniband_verbs, and /dev/infiniband as a single diagnostic
string for log context; it lives in pcilibs because it has no
agent-specific dependencies (pure sysfs/devfs reads).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-29 13:07:45 +02:00
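The mechanism the commit message describes, worked through as an added example that is not the kata-agent's or kata-sys-util's own code: walk a directory for character devices, decode major/minor from each dev_t, and append both a device entry and an "rwm" cgroup allow rule to the container spec, doing nothing when the directory is absent or empty or when the container has no VFIO device. The `Spec`, `LinuxDevice` and `DeviceCgroupRule` types are minimal stand-ins for the agent's OCI spec structures, the directory and the VFIO gate are passed in by the caller rather than discovered, `build_ib_fixture` is a constructed test tree, and the signature of `expose_guest_infiniband_devices` is this example's own.

```rust
// Added example, not the kata-agent's own code: the commit's mechanism in plain std.
// Spec types below are stand-ins for the agent's OCI spec; the VFIO gate is a bool
// the caller has already evaluated (the real agent checks the device type strings).
use std::fs;
use std::io;
use std::os::unix::fs::{FileTypeExt, MetadataExt};
use std::path::{Path, PathBuf};

#[derive(Debug, Clone, PartialEq)]
pub struct LinuxDevice { pub path: String, pub dev_type: String, pub major: u64, pub minor: u64 }

#[derive(Debug, Clone, PartialEq)]
pub struct DeviceCgroupRule { pub allow: bool, pub dev_type: String, pub major: u64, pub minor: u64, pub access: String }

/// Stand-in for the two places the commit touches: spec.linux.devices and the
/// device cgroup rules under spec.linux.resources.
#[derive(Debug, Default)]
pub struct Spec { pub devices: Vec<LinuxDevice>, pub device_rules: Vec<DeviceCgroupRule> }

/// Major number of a Linux dev_t, using the glibc gnu_dev_major() layout.
pub fn major(dev: u64) -> u64 {
    ((dev >> 8) & 0xfff) | ((dev >> 32) & !0xfff)
}

/// Minor number of a Linux dev_t, using the glibc gnu_dev_minor() layout.
pub fn minor(dev: u64) -> u64 {
    (dev & 0xff) | ((dev >> 12) & !0xff)
}

/// Every character device directly under `dir`, in path order. A missing
/// directory yields an empty list: that is the "no IB driver loaded, or VF not
/// yet rebound" case, which must remain a no-op for the caller.
pub fn list_char_devices(dir: &Path) -> io::Result<Vec<LinuxDevice>> {
    let entries = match fs::read_dir(dir) {
        Ok(entries) => entries,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(Vec::new()),
        Err(e) => return Err(e),
    };
    let mut devices = Vec::new();
    for entry in entries {
        let path = entry?.path();
        // fs::metadata follows symlinks, so a link to a char device counts too;
        // regular files, directories and sockets are skipped.
        let md = fs::metadata(&path)?;
        if !md.file_type().is_char_device() {
            continue;
        }
        let rdev = md.rdev();
        devices.push(LinuxDevice {
            path: path.to_string_lossy().into_owned(),
            dev_type: "c".to_string(),
            major: major(rdev),
            minor: minor(rdev),
        });
    }
    devices.sort_by(|a, b| a.path.cmp(&b.path)); // deterministic spec output
    Ok(devices)
}

/// Append each IB char device to the spec with a matching "rwm" allow rule and
/// return how many were newly added. Containers without a VFIO device get
/// nothing, so sharing a sandbox does not widen their device access.
pub fn expose_guest_infiniband_devices(
    spec: &mut Spec,
    container_has_vfio_device: bool,
    ib_dir: &Path,
) -> io::Result<usize> {
    if !container_has_vfio_device {
        return Ok(0);
    }
    let mut added = 0;
    for dev in list_char_devices(ib_dir)? {
        if spec.devices.iter().any(|d| d.path == dev.path) {
            continue; // already present: keep repeated calls idempotent
        }
        spec.device_rules.push(DeviceCgroupRule {
            allow: true,
            dev_type: dev.dev_type.clone(),
            major: dev.major,
            minor: dev.minor,
            access: "rwm".to_string(),
        });
        spec.devices.push(dev);
        added += 1;
    }
    Ok(added)
}

/// Constructed stand-in for /dev/infiniband: a symlink to /dev/null (a char
/// device on Linux) that must be picked up, and a regular file that must not.
pub fn build_ib_fixture() -> io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("ib-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    std::os::unix::fs::symlink("/dev/null", dir.join("uverbs0"))?;
    fs::write(dir.join("notes"), "not a device")?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let dir = build_ib_fixture()?;
    let mut spec = Spec::default();
    let n = expose_guest_infiniband_devices(&mut spec, true, &dir)?;
    println!("added {n} device(s): {:?}", spec.devices);
    println!("cgroup rules: {:?}", spec.device_rules);
    Ok(())
}
```

Run against the real guest, `ib_dir` would be `/dev/infiniband` and the gate would come from the container's VFIO device entries; the duplicate check matters because `create_devices()` may be invoked more than once for the same spec.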

Kata Containers Library Crates

The src/libs directory hosts library crates shared by multiple Kata Containers components. These libraries provide common utilities, data types, and protocol definitions to facilitate development and maintain consistency across the project.

Library Crates

| Library | Description |
|---|---|
| kata-types | Constants, data types, and configuration structures shared by Kata Containers components |
| kata-sys-util | System utilities: CPU, device, filesystem, hooks, K8s, mount, netns, NUMA, PCI, protection, spec validation |
| protocols | ttrpc protocol definitions for agent, health, remote, CSI, OCI, confidential data hub |
| runtime-spec | OCI runtime spec data structures and constants |
| shim-interface | Shim management interface with RESTful API over Unix domain socket |
| logging | Slog-based logging with JSON output and systemd journal support |
| safe-path | Safe path resolution to prevent symlink and TOCTOU attacks |
| mem-agent | Memory management agent: memcg, compact, PSI monitoring |
| test-utils | Test macros for root/non-root privileges and KVM accessibility |

Details

kata-types

Core types and configurations including:

  • Annotations for CRI-containerd, CRI-O, dockershim
  • Hypervisor configurations (QEMU, Cloud Hypervisor, Firecracker, Dragonball)
  • Agent and runtime configurations
  • Kubernetes-specific utilities

kata-sys-util

System-level utilities:

  • cpu: CPU information and affinity
  • device: Device management
  • fs: Filesystem operations
  • hooks: Hook execution
  • k8s: Kubernetes utilities
  • mount: Mount operations
  • netns: Network namespace handling
  • numa: NUMA topology
  • pcilibs: PCI device access
  • protection: Hardware protection features
  • spec: OCI spec loading
  • validate: Input validation

protocols

Generated ttrpc protocol bindings:

  • agent: Kata agent API
  • health: Health check service
  • remote: Remote hypervisor API
  • csi: Container storage interface
  • oci: OCI specifications
  • confidential_data_hub: Confidential computing support

Features: async for async ttrpc, with-serde for serde support.

runtime-spec

OCI runtime specification types:

  • ContainerState: Creating, Created, Running, Stopped, Paused
  • State: Container state with version, id, status, pid, bundle, annotations
  • Namespace constants: pid, network, mount, ipc, user, uts, cgroup

shim-interface

Shim management service interface:

  • RESTful API over Unix domain socket (/run/kata/<sid>/shim-monitor.sock)
  • MgmtClient for HTTP requests to shim management server
  • Sandbox ID resolution with prefix matching

logging

Slog-based logging framework:

  • JSON output to file or stdout
  • systemd journal support
  • Runtime log level filtering per component/subsystem
  • Async drain for thread safety

safe-path

Secure filesystem path handling:

  • scoped_join(): Safely join paths under a root directory
  • scoped_resolve(): Resolve paths constrained by root
  • PinnedPathBuf: TOCTOU-safe path reference
  • ScopedDirBuilder: Safe directory creation
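An added example, not the safe-path crate's implementation, of the idea behind scoped_join(): resolve an untrusted relative path one component at a time, treating the root directory as if it were "/" so that `..` chains are clamped at the root and symlink targets (absolute or relative) are re-resolved inside it, shown beside the naive `Path::join` it replaces. The names `naive_join`, `push_front_components`, `build_path_fixture`, the 40-hop symlink bound and the exact signature are this example's own; the PinnedPathBuf TOCTOU protection is not covered here.

```rust
// Added example, not the safe-path crate's own code: a scoped join that keeps
// the result inside `root` by resolving components with `root` as the
// effective "/", beside the naive join most code uses.
use std::collections::VecDeque;
use std::ffi::OsString;
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// Same bound the kernel applies to symlink chains (ELOOP after 40 hops).
const MAX_SYMLINK_HOPS: usize = 40;

/// What most code does. A `..` chain walks out of `root`, an absolute argument
/// replaces `root` outright, and symlinks are never examined.
pub fn naive_join(root: &Path, untrusted: &Path) -> PathBuf {
    root.join(untrusted)
}

/// Queue the Normal and `..` components of `p` at the front, preserving order.
/// RootDir and CurDir carry nothing once `root` is the effective "/".
fn push_front_components(queue: &mut VecDeque<OsString>, p: &Path) {
    let comps: Vec<OsString> = p.components().filter_map(|c| match c {
        Component::Normal(n) => Some(n.to_os_string()),
        Component::ParentDir => Some(OsString::from("..")),
        _ => None,
    }).collect();
    for c in comps.into_iter().rev() {
        queue.push_front(c);
    }
}

/// Join `untrusted` under `root`; the result never leaves `root`, even when an
/// intermediate component is a symlink pointing outside it.
pub fn scoped_join(root: &Path, untrusted: &Path) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    let mut cur = root.clone();
    let mut queue = VecDeque::new();
    push_front_components(&mut queue, untrusted);
    let mut hops = 0;
    while let Some(comp) = queue.pop_front() {
        if comp.to_str() == Some("..") {
            if cur != root {
                cur.pop(); // `..` at the root is clamped, never an escape
            }
            continue;
        }
        let candidate = cur.join(&comp);
        match fs::symlink_metadata(&candidate) {
            Ok(md) if md.file_type().is_symlink() => {
                hops += 1;
                if hops > MAX_SYMLINK_HOPS {
                    return Err(io::Error::new(io::ErrorKind::Other, "too many symlink hops"));
                }
                let target = fs::read_link(&candidate)?;
                if target.is_absolute() {
                    cur = root.clone(); // re-root the link target as if chrooted
                }
                push_front_components(&mut queue, &target);
            }
            // A real entry, or a leaf that does not exist yet: descend into it.
            _ => cur = candidate,
        }
    }
    Ok(cur)
}

/// Constructed tree: <tmp>/root with a file inside, a file outside the root,
/// a relative escaping link, an absolute link and a link loop.
pub fn build_path_fixture() -> io::Result<PathBuf> {
    let tmp = std::env::temp_dir().join(format!("scoped-join-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&tmp);
    fs::create_dir_all(tmp.join("root/data"))?;
    fs::write(tmp.join("root/data/ok.txt"), "inside the root")?;
    fs::write(tmp.join("outside.txt"), "must stay unreachable")?;
    symlink("../outside.txt", tmp.join("root/up"))?;
    symlink("/etc", tmp.join("root/abs"))?;
    symlink("loop", tmp.join("root/loop"))?;
    Ok(tmp)
}

fn main() -> io::Result<()> {
    let root = build_path_fixture()?.join("root");
    for req in ["data/ok.txt", "../../outside.txt", "up", "abs/passwd", "/etc/passwd", "loop"] {
        println!("{:<18} naive:  {}", req, naive_join(&root, Path::new(req)).display());
        match scoped_join(&root, Path::new(req)) {
            Ok(p) => println!("{:<18} scoped: {}", "", p.display()),
            Err(e) => println!("{:<18} scoped: rejected ({e})", ""),
        }
    }
    Ok(())
}
```

The contrast to watch is `up`: the naive join yields `root/up`, which the kernel follows to `<tmp>/outside.txt`, while the scoped join re-resolves the link's `../outside.txt` from the root and lands on `root/outside.txt`. Resolving component by component is what makes this hold; canonicalizing the naive result and then checking the prefix would reject the path only after the dangerous resolution has already been computed, and still leaves the window a PinnedPathBuf-style handle is meant to close.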

mem-agent

Memory management for containers:

  • memcg: Memory cgroup configuration and monitoring
  • compact: Memory compaction control
  • psi: Pressure stall information monitoring
  • Async runtime with configurable policies

test-utils

Testing utilities:

  • skip_if_root!: Skip test if running as root
  • skip_if_not_root!: Skip test if not running as root
  • skip_if_kvm_unaccessable!: Skip test if KVM is unavailable
  • assert_result!: Assert expected vs actual results

License

All crates are licensed under Apache-2.0.