Upgrade the nix crate across the workspace to version 0.30.1 to address security vulnerabilities and adopt safer file descriptor handling patterns.

### Breaking Changes in nix 0.28.0

1. **File Descriptor Type Changes**
   - Functions now return `OwnedFd` instead of `RawFd` (i32)
   - Functions requiring file descriptors now expect types implementing `AsFd` trait
   - This provides RAII-based automatic cleanup and prevents fd leaks
2. **API Signature Changes**
   - `pipe()`, `pipe2()`, `openpty()` now return `OwnedFd` tuples
   - `socket()` returns `OwnedFd` instead of `RawFd`
   - `open()`, `memfd_create()` return `OwnedFd`
   - `setns()`, `write()`, `fcntl()` require `AsFd` trait
   - `madvise()` requires `NonNull<c_void>` instead of raw pointer
   - `bind()`, `listen()`, `connect()` require `AsFd` and `Backlog` type
3. **Module Feature Flags**
   - Modules now require explicit feature flags (mman, reboot, etc.)

### Additional Breaking Changes in nix 0.30.1

1. **symlinkat() API Change**
   - `dirfd` parameter now requires `AsFd` trait instead of `Option<RawFd>`
   - Use `BorrowedFd::borrow_raw(libc::AT_FDCWD)` for current directory
2. **Type Alias Deprecation**
   - `MemFdCreateFlag` renamed to `MFdFlags` for consistency

### Changes Made

**Workspace Configuration (Cargo.toml)**
- Updated nix to 0.30.1 with features: fs, mount, sched, process, ioctl, signal, socket, feature, user, hostname, term, event, mman, reboot

**File Descriptor Handling Patterns**
- Use `BorrowedFd::borrow_raw(raw_fd)` to wrap RawFd for AsFd requirements
- Use `.as_fd().as_raw_fd()` to extract raw fd without ownership transfer
- Use `.into_raw_fd()` only when ownership transfer is needed
- Use `NonNull::new().unwrap()` for madvise pointer conversion

**Deprecated API Replacements**
- `eventfd()` → `EventFd::from_value_and_flags()`
- `Errno::from_i32()` → `Errno::from_raw()`
- `listen(fd, backlog)` → `listen(&fd, Backlog::new(backlog).unwrap())`
- `MemFdCreateFlag` → `MFdFlags`

Generated by: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
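The three ownership patterns the commit message lists (`OwnedFd` closing on drop, `BorrowedFd::borrow_raw` to satisfy an `AsFd` bound without taking ownership, and `.into_raw_fd()` only when ownership really moves) are the core of the migration, and the fd-leak they prevent is easy to observe. The following is an added example, not code from the Dragonball or Kata Containers repositories: it uses only the Rust standard library's `std::os::fd` types (the same types nix 0.28+ returns and accepts), so it runs without the nix crate, and it assumes Linux because it checks whether a descriptor is still open by resolving its `/proc/self/fd` entry. The function `raw_of` stands in for any nix function that takes `impl AsFd`.

```rust
// Added example (not part of the Dragonball/Kata code base): the file
// descriptor ownership patterns listed in the commit message, shown with the
// standard library only. Assumes Linux: fd liveness is checked via /proc.
use std::fs::File;
use std::os::fd::{AsFd, AsRawFd, BorrowedFd, FromRawFd, IntoRawFd, OwnedFd, RawFd};

/// Reports whether `fd` is still open in this process by resolving its
/// /proc/self/fd entry (Linux-specific; readlink(2) opens no new fd).
pub fn fd_is_open(fd: RawFd) -> bool {
    std::fs::read_link(format!("/proc/self/fd/{fd}")).is_ok()
}

/// Written in the nix >= 0.28 style: accepts anything implementing `AsFd`
/// (`&OwnedFd`, `BorrowedFd`, `&File`, ...). It never takes ownership, so the
/// descriptor is still open when it returns.
pub fn raw_of<F: AsFd>(fd: F) -> RawFd {
    // Pattern: `.as_fd().as_raw_fd()` yields the integer without transferring
    // ownership; dropping `fd` here drops only a borrow or a reference.
    fd.as_fd().as_raw_fd()
}

/// Pattern 1: `OwnedFd` closes the descriptor on drop (RAII), so an early
/// return or error path cannot leak it. Returns (open_before, open_after).
pub fn owned_fd_closes_on_drop() -> std::io::Result<(bool, bool)> {
    let owned: OwnedFd = File::open("/dev/null")?.into();
    let raw = raw_of(&owned);
    let before = fd_is_open(raw);
    drop(owned); // close(2) happens here, automatically
    Ok((before, fd_is_open(raw)))
}

/// Pattern 2: `BorrowedFd::borrow_raw` wraps a `RawFd` owned elsewhere so it
/// can be passed to an `AsFd` API. Dropping the borrow must NOT close it.
/// Returns (open_after_borrow_dropped, open_after_owner_dropped).
pub fn borrow_does_not_close() -> std::io::Result<(bool, bool)> {
    let owner: OwnedFd = File::open("/dev/null")?.into();
    let raw: RawFd = owner.as_raw_fd();
    {
        // SAFETY: `owner` outlives this scope and `raw` is a valid open fd
        // (never -1), which is exactly the contract `borrow_raw` requires.
        let borrowed: BorrowedFd<'_> = unsafe { BorrowedFd::borrow_raw(raw) };
        assert_eq!(raw_of(borrowed), raw);
    } // `borrowed` dropped here: no close(2)
    let still_open = fd_is_open(raw);
    drop(owner);
    Ok((still_open, fd_is_open(raw)))
}

/// Pattern 3: `into_raw_fd()` hands the integer out and forgets the owner, so
/// nothing will close the descriptor until someone reclaims it with
/// `from_raw_fd`. Forgetting that step is the leak the migration prevents.
/// Returns (open_after_into_raw, open_after_reclaim_and_drop).
pub fn into_raw_transfers_ownership() -> std::io::Result<(bool, bool)> {
    let owned: OwnedFd = File::open("/dev/null")?.into();
    let raw: RawFd = owned.into_raw_fd(); // `owned` consumed, nothing closed
    let open_if_forgotten = fd_is_open(raw);
    // SAFETY: we are now the sole owner of `raw`; reclaiming it restores RAII.
    let reclaimed = unsafe { OwnedFd::from_raw_fd(raw) };
    drop(reclaimed);
    Ok((open_if_forgotten, fd_is_open(raw)))
}

fn main() -> std::io::Result<()> {
    println!("OwnedFd closes on drop:       {:?}", owned_fd_closes_on_drop()?);
    println!("BorrowedFd leaves fd open:    {:?}", borrow_does_not_close()?);
    println!("into_raw_fd needs a reclaim:  {:?}", into_raw_transfers_ownership()?);
    Ok(())
}
```

Each function returns `(true, false)`: the descriptor is open while something owns it and closed once the owner is dropped, while a `BorrowedFd` or a bare `RawFd` obtained through `into_raw_fd()` never closes anything by itself. That is why the commit reserves `.into_raw_fd()` for the cases where ownership genuinely moves to the callee.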
Introduction
Dragonball Sandbox is a light-weight virtual machine manager (VMM) based on Linux Kernel-based Virtual Machine (KVM),
which is optimized for container workloads with:
- container image management and acceleration service
- flexible and high-performance virtual device drivers
- low CPU and memory overhead
- minimal startup time
- optimized concurrent startup speed
Dragonball Sandbox aims to provide a simple solution for the Kata Containers community. It is integrated into the Kata 3.0
runtime as a built-in VMM and gives users an out-of-the-box Kata Containers experience without a complex environment setup
and configuration process.
Getting Started
Documentation
- Device: Device Document
- vCPU: vCPU Document
- API: API Document
- Upcall: Upcall Document
- dbs_acpi: dbs_acpi Document
- dbs_address_space: dbs_address_space Document
- dbs_allocator: dbs_allocator Document
- dbs_arch: dbs_arch Document
- dbs_boot: dbs_boot Document
- dbs_device: dbs_device Document
- dbs_interrupt: dbs_interrupt Document
- dbs_legacy_devices: dbs_legacy_devices Document
- dbs_upcall: dbs_upcall Document
- dbs_utils: dbs_utils Document
- dbs_virtio_devices: dbs_virtio_devices Document
- dbs_pci: dbs_pci Document
The documents are still being actively added. See the official documentation page for more details.
Supported Architectures
- x86-64
- aarch64
Supported Kernel
Acknowledgement
Part of the code is based on the Cloud Hypervisor project, the crosvm project and the Firecracker project. They are all virtual machine managers written in Rust, with advantages in safety and security.
Dragonball Sandbox is designed to be a VMM customized for Kata Containers, and we will focus on optimizing container workloads for the Kata ecosystem. This focus on the Kata community is what differentiates us from other virtual machine managers written in Rust.
License
Dragonball is licensed under Apache License, Version 2.0.