[local] runtime-rs: port Go patches (CPU shares, block device annotation mounts)

CPU shares fallback: when no quota or cpuset is set, calculate vCPUs
from CPU shares (shares/1024) mirroring Go's CalculateCPUsF().

Block device annotation mounts: parse io.katacontainers.volume.block-mounts
annotation and convert matching volumeDevices into agent Storage objects.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: TheRayquaza

src/libs/kata-types/src/annotations/mod.rs

@@ -17,7 +17,9 @@ use crate::config::TomlConfig;
 use crate::initdata::add_hypervisor_initdata_overrides;
 use crate::sl;
 
-use self::cri_containerd::{SANDBOX_CPU_PERIOD_KEY, SANDBOX_CPU_QUOTA_KEY, SANDBOX_MEM_KEY};
+use self::cri_containerd::{
+    SANDBOX_CPU_PERIOD_KEY, SANDBOX_CPU_QUOTA_KEY, SANDBOX_CPU_SHARE_KEY, SANDBOX_MEM_KEY,
+};
 
 /// CRI-containerd specific annotations.
 pub mod cri_containerd;
@@ -443,6 +445,14 @@ impl Annotation {
         value.unwrap_or(0)
     }
 
+    /// Get the annotation of cpu shares for sandbox
+    pub fn get_sandbox_cpu_shares(&self) -> u64 {
+        let value = self
+            .get_value::<u64>(SANDBOX_CPU_SHARE_KEY)
+            .unwrap_or(Some(0));
+        value.unwrap_or(0)
+    }
+
     /// Get the annotation of memory for sandbox
     pub fn get_sandbox_mem(&self) -> i64 {
         let value = self.get_value::<i64>(SANDBOX_MEM_KEY).unwrap_or(Some(0));

src/runtime-rs/crates/resource/src/cpu_mem/cpu.rs

@@ -168,6 +168,24 @@ impl CpuResource {
             return Ok(cpuset_vcpu.len() as f32);
         }
 
+        // Fallback to CPU shares when quota and cpuset are both absent.
+        // This handles pods with no resource limits but with CPU shares set.
+        // Mirrors the Go runtime's CalculateCPUsF() fallback logic.
+        if total_quota == 0.0 && cpuset_vcpu.is_empty() {
+            let total_shares: u64 = resources
+                .values()
+                .map(|cpu_resource| cpu_resource.shares())
+                .sum();
+            if total_shares > 0 {
+                let shares_vcpu = total_shares as f32 / 1024.0;
+                info!(
+                    sl!(),
+                    "(from cpu_shares) get vcpus # {}", shares_vcpu
+                );
+                return Ok(shares_vcpu.max(1.0));
+            }
+        }
+
         // When quota is set: calculate vCPUs as quota/period after normalization
         if total_quota > 0.0 && max_period > 0.0 {
             let quota_vcpu = total_quota / max_period;

src/runtime-rs/crates/resource/src/cpu_mem/initial_size.rs

@@ -32,7 +32,7 @@ impl TryFrom<&HashMap<String, String>> for InitialSize {
 
         let annotation = Annotation::new(an.clone());
         let (period, quota, memory) =
-            get_sizing_info(annotation).context("failed to get sizing info")?;
+            get_sizing_info(annotation.clone()).context("failed to get sizing info")?;
         let mut cpu = oci::LinuxCpu::default();
         cpu.set_period(Some(period));
         cpu.set_quota(Some(quota));
@@ -42,6 +42,17 @@ impl TryFrom<&HashMap<String, String>> for InitialSize {
         if let Ok(cpu_resource) = LinuxContainerCpuResources::try_from(&cpu) {
             vcpu = get_nr_vcpu(&cpu_resource);
         }
+
+        // When neither quota/period nor cpuset constrain the CPU, fall back to
+        // the sandbox CPU-shares annotation (mirrors Go's CalculateSandboxSizing
+        // calling CalculateCPUsF(quota, period, shares)).
+        if vcpu == 0.0 {
+            let shares = annotation.get_sandbox_cpu_shares();
+            if shares > 0 {
+                vcpu = shares as f32 / 1024.0;
+            }
+        }
+
         let mem_mb = convert_memory_to_mb(memory);
 
         Ok(Self {
@@ -259,6 +270,71 @@ mod tests {
         .to_vec()
     }
 
+    // Test that sandbox CPU-shares annotation is used as vcpu fallback when
+    // quota and period are absent. Mirrors Go's CalculateCPUsF(0, 0, shares).
+    #[test]
+    fn test_initial_size_sandbox_cpu_shares_fallback() {
+        let cases: &[(&str, u64, f32)] = &[
+            ("1024 shares = 1.0 vcpu", 1024, 1.0),
+            ("2048 shares = 2.0 vcpu", 2048, 2.0),
+            ("512 shares = 0.5 vcpu", 512, 0.5),
+            ("0 shares = 0.0 vcpu (no fallback)", 0, 0.0),
+        ];
+
+        for (desc, shares, expected_vcpu) in cases {
+            let annotations = HashMap::from([
+                (
+                    cri_containerd::CONTAINER_TYPE_LABEL_KEY.to_string(),
+                    cri_containerd::SANDBOX.to_string(),
+                ),
+                (
+                    cri_containerd::SANDBOX_CPU_SHARE_KEY.to_string(),
+                    format!("{}", shares),
+                ),
+            ]);
+
+            let initial_size = InitialSize::try_from(&annotations).unwrap();
+            assert_eq!(
+                initial_size.vcpu, *expected_vcpu,
+                "{}: got vcpu={}, expected {}",
+                desc, initial_size.vcpu, expected_vcpu
+            );
+        }
+    }
+
+    // Verify quota/period take precedence over shares when both are present.
+    #[test]
+    fn test_initial_size_sandbox_quota_wins_over_shares() {
+        let annotations = HashMap::from([
+            (
+                cri_containerd::CONTAINER_TYPE_LABEL_KEY.to_string(),
+                cri_containerd::SANDBOX.to_string(),
+            ),
+            (
+                cri_containerd::SANDBOX_CPU_PERIOD_KEY.to_string(),
+                "100000".to_string(),
+            ),
+            (
+                cri_containerd::SANDBOX_CPU_QUOTA_KEY.to_string(),
+                "220000".to_string(),
+            ),
+            // shares set too — quota should win
+            (
+                cri_containerd::SANDBOX_CPU_SHARE_KEY.to_string(),
+                "4096".to_string(), // would be 4.0 if shares were used
+            ),
+        ]);
+
+        let initial_size = InitialSize::try_from(&annotations).unwrap();
+        // 220_000/100_000 = 2.2 → ceil = 3.0, not 4.0 from shares
+        assert_eq!(
+            initial_size.vcpu.ceil(),
+            3.0,
+            "quota should take precedence over shares, got vcpu={}",
+            initial_size.vcpu
+        );
+    }
+
     #[test]
     fn test_initial_size_sandbox() {
         let tests = get_test_data();

src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs

@@ -7,7 +7,7 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 
-use agent::Agent;
+use agent::{Agent, Storage};
 use anyhow::{anyhow, Context, Result};
 use common::{
     error::Error,
@@ -26,7 +26,8 @@ use oci_spec::runtime as oci;
 
 use oci::{LinuxResources, Process as OCIProcess};
 use resource::{
-    cdi_devices::container_device::annotate_container_devices, ResourceManager, ResourceUpdateOp,
+    cdi_devices::{container_device::annotate_container_devices, ContainerDevice},
+    ResourceManager, ResourceUpdateOp,
 };
 use tokio::sync::RwLock;
 
@@ -202,6 +203,15 @@ impl Container {
             .resource_manager
             .handler_devices(&config.container_id, linux)
             .await?;
+
+        // Handle annotation-based block device mounts.
+        // Devices listed in the annotation are mounted as filesystems by the agent
+        // rather than passed as raw block devices, so filter them out first.
+        let (container_devices, annotation_storages) =
+            handle_block_mount_annotation(&updated_annotations, container_devices, &mut spec)
+                .context("handle block mount annotation")?;
+        storages.extend(annotation_storages);
+
         let devices_agent = annotate_container_devices(&mut spec, container_devices)
             .context("annotate container devices failed")?;
 
@@ -643,6 +653,115 @@ impl Container {
     }
 }
 
+const BLOCK_DEVICE_MOUNTS_ANNOTATION: &str = "io.katacontainers.volume.block-mounts";
+
+#[derive(Debug, serde::Deserialize)]
+struct BlockMountConfig {
+    mount: String,
+    #[serde(default)]
+    fstype: String,
+    #[serde(default)]
+    options: Vec<String>,
+}
+
+// Parses the block mount annotation and processes any matching container devices.
+//
+// Devices listed in the annotation are meant to be mounted as filesystems by the agent
+// (not passed as raw block devices). This function:
+//   1. Splits container_devices into annotated and remaining sets.
+//   2. Creates a Storage object for each annotated device.
+//   3. Adds a bind mount in the OCI spec from the guest storage path to the destination.
+//   4. Removes matching devices from spec.linux.devices.
+//
+// Returns (remaining_devices, new_storages).
+fn handle_block_mount_annotation(
+    annotations: &HashMap<String, String>,
+    container_devices: Vec<ContainerDevice>,
+    spec: &mut oci::Spec,
+) -> Result<(Vec<ContainerDevice>, Vec<Storage>)> {
+    let raw = match annotations.get(BLOCK_DEVICE_MOUNTS_ANNOTATION) {
+        Some(v) if !v.is_empty() => v.as_str(),
+        _ => return Ok((container_devices, vec![])),
+    };
+
+    let block_mounts: HashMap<String, BlockMountConfig> =
+        serde_json::from_str(raw).context("failed to parse block mount annotation")?;
+
+    if block_mounts.is_empty() {
+        return Ok((container_devices, vec![]));
+    }
+
+    let mut storages = Vec::new();
+    let mut mounted_paths: HashMap<String, bool> = HashMap::new();
+
+    let (annotated, remaining): (Vec<_>, Vec<_>) = container_devices
+        .into_iter()
+        .partition(|cd| block_mounts.contains_key(&cd.device.container_path));
+
+    for cd in annotated {
+        let config = block_mounts
+            .get(&cd.device.container_path)
+            .expect("partition guarantees key exists");
+
+        let source = cd.device.id.clone();
+        let driver = cd.device.field_type.clone();
+        let fstype = if config.fstype.is_empty() {
+            "ext4".to_string()
+        } else {
+            config.fstype.clone()
+        };
+        let options = if config.options.is_empty() {
+            vec!["rw".to_string()]
+        } else {
+            config.options.clone()
+        };
+
+        // Build a unique, valid path component from the PCI source string.
+        let sanitized: String = source
+            .chars()
+            .map(|c| if c.is_alphanumeric() || c == '-' { c } else { '_' })
+            .collect();
+        let guest_mount_point = format!("/run/kata-containers/storage/{}", sanitized);
+
+        storages.push(Storage {
+            driver,
+            source,
+            fs_type: fstype,
+            options,
+            mount_point: guest_mount_point.clone(),
+            ..Default::default()
+        });
+
+        // Add bind mount: agent mounts the block device at guest_mount_point, then
+        // the bind mount exposes it at the container destination path.
+        let mut bind_mount = oci::Mount::default();
+        bind_mount.set_destination(std::path::PathBuf::from(&config.mount));
+        bind_mount.set_typ(Some("bind".to_string()));
+        bind_mount.set_source(Some(std::path::PathBuf::from(&guest_mount_point)));
+        bind_mount.set_options(Some(vec!["bind".to_string()]));
+
+        let mut mounts = spec.mounts().clone().unwrap_or_default();
+        mounts.push(bind_mount);
+        spec.set_mounts(Some(mounts));
+
+        mounted_paths.insert(cd.device.container_path, true);
+    }
+
+    // Remove matched devices from spec.linux.devices so the agent doesn't
+    // see them as character/block devices in the container namespace.
+    if !mounted_paths.is_empty() {
+        if let Some(linux) = spec.linux_mut() {
+            if let Some(devices) = linux.devices_mut() {
+                devices.retain(|d| {
+                    !mounted_paths.contains_key(&d.path().display().to_string())
+                });
+            }
+        }
+    }
+
+    Ok((remaining, storages))
+}
+
 fn amend_spec(
     spec: &mut oci::Spec,
     disable_guest_seccomp: bool,