Skip to content

runtime-rs: parse block-mounts annotation for volumeDevice passthrough#57

Draft
TheRayquaza wants to merge 33 commits into
datadogfrom
mateo.lelong/runtime-rs-block-mounts
Draft

runtime-rs: parse block-mounts annotation for volumeDevice passthrough#57
TheRayquaza wants to merge 33 commits into
datadogfrom
mateo.lelong/runtime-rs-block-mounts

Conversation

@TheRayquaza
Copy link
Copy Markdown

@TheRayquaza TheRayquaza commented Apr 10, 2026
edited
Loading

Summary

Parse io.katacontainers.volume.block-mounts annotation and convert matching volumeDevices into agent Storage objects, enabling block device passthrough via annotation in the Rust shim, mirroring Go runtime behavior.

DO NOT MERGE, blockers:

Test plan

Test C1 - Block annotation mounts

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kata-val-e1-pvc-2
  namespace: default
spec:
  accessModes: [ReadWriteOnce]
  volumeMode: Block
  storageClassName: ephemeral-premium-v2-lrs
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: kata-val-e1-2
  namespace: default
  annotations:
    io.katacontainers.volume.block-mounts: |
      {"/dev/block-vol": {"mount": "/data", "fstype": "ext4", "options": ["rw"]}}
spec:
  nodeName: us3-staging-dog-arbok-90eec5c94014646d000003
  runtimeClassName: kata-qemu-runtime-rs
  containers:
  - name: test
    image: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
    command: ["sleep", "3600"]
    volumeDevices:
    - name: block-storage
      devicePath: /dev/block-vol
  volumes:
  - name: block-storage
    persistentVolumeClaim:
      claimName: kata-val-e1-pvc-2

Pass signals:

  • Pod reaches Running
  • Can write to filesystem at the specified mount point

Test C2 - Invalid annotation JSON

apiVersion: v1
kind: Pod
metadata:
  name: kata-val-e3
  namespace: default
  annotations:
    io.katacontainers.volume.block-mounts: "not valid json {"
spec:
  nodeName: us3-staging-dog-arbok-90eec5c94014646d000003
  runtimeClassName: kata-qemu-runtime-rs
  containers:
  - name: test
    image: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
    command: ["sleep", "3600"]

Pass signals:

  • Warning logged: error parsing block mounts annotation
  • Pod start fails with a clean parse error (no panic)

@TheRayquaza TheRayquaza mentioned this pull request Apr 10, 2026
Closed
3 tasks
zaymat
zaymat reviewed Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown

@zaymat zaymat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at it again, I don't think this patch was ever merged into our main branch.

I think this is the PR but we never merged it: https://github.com/DataDog/kata-containers/pull/40/changes

Comment thread src/libs/kata-types/src/annotations/mod.rs Outdated
zaymat and others added 28 commits April 23, 2026 09:48
@zaymat
[local] Create CI for kata-containers
f0f89ba
@zaymat
[local] Add the dummy module to the kernel to support emissary
22ae378
@zaymat
[local] CI: build kernel 6.8
fc51eaf
@antoine-gaillard
[local] Generate sbom of the rootfs
f51c61e
@zaymat
[local] CI in Github actions
1109c43
@antoine-gaillard
[local] Switch back to ubuntu 22.04
fe8ae00
@zaymat
[local] Add the option to add new files in the created rootfs
887d214
@zaymat
[local] Change systemd's max process limit to 131072
a7efc27
@zaymat
[local] Specific OS_VERSION when building OS
9a58fb1
@zaymat
[local] Gzip SBOM file
a2c8157
@zaymat
Take CPU shares into account when computing the sandbox size
9d0d71e 
microVM sandbox resources are computed from pod sandbox annotations.
In particular, the number of vCPU is calculated by using CPU quota
divided by CPU period. However, on clusters where CFS quotas are disabled,
or if the pod doesn't specify any limit, the compute size is 0.
When using resource hot pluging, the value value will be the size of the
CPU set, which doesn't impact the performance of the microVM pod. But when
using static sandbox management, the computed value will be 0 and the
microVM will be dramatically undersized.

This change takes into account CPU shares while computing the number of vCPU,
and default the CPU Shares/1024 in case CPU quota and/or periods are zeros.
@zaymat @mvisonneau
Update src/runtime/virtcontainers/utils/utils.go
51e4469 
Co-authored-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
@antoine-gaillard @claude
Add OCI image build infrastructure
dac2986 
- Add scratch-based Dockerfile for kata data volume
- Move Dockerfile to docker/ subdir and fix config file handling
- Fix Dockerfile to extract only essential kata files
- Add containerd runtime dropin configuration files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@antoine-gaillard
Fix after review
77d3239
@antoine-gaillard
Configuration files fixes
796de6f
@antoine-gaillard
Bump golang toolchain and set GOTOOLCHAIN to auto to avoid mismatch
ca1e7d5
@EricMountain @XT-Phate
runtime-go: fixes early closed stdout/err on exec w/o stdin option (#26)
0ee860c 
An early call to closing the stdin channel made the stdout & stderr also closed.
This waits for stdout & stderr to be properly finished by reading the whole buffer before closing everything.
On the other, this also fixes a race condition where it was impossible to run multiple execs until the other one was over.
This moves the lock only where it is necessary without locking exec processes.

Fixes kata-containers#10387

Signed-off-by: Maxime Bertin <mbertin@luccasoftware.com>
Co-authored-by: Maxime Bertin <mbertin@luccasoftware.com>
@EricMountain
Use GITHUB_TOKEN secret to upload release artefacts (#28)
cb350e4 
The WORKFLOW_TOKEN no longer exists, so artefact uploads fail. Use
the built-in token instead.
@zaymat
Harmonise sysctl between host and guest
780db93
@zaymat
New compression format for Kata starting 3.21.0
83c3406
@safchain
add eBPF support
96f8b11
@safchain
add btf
cac54c0
@zaymat
[local] Add libssl-dev to CI image
6648153
@safchain
make it work on arm
5585dc2
@safchain
add pahole
bbb93da
@zaymat
Bump ci image version
b3f50f1
@zaymat
Bump CI runner resources
e8fbf71
@zaymat
Use bootable image of the kernel instead of vmlinux
bf3cb3b
@HadrienPatte
kernel: Enable netkit device support
8edb6ba 
Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@HadrienPatte
runtime: Add support for netkit endpoints
0aef831 
Add support for [`netkit`](https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=22360fad5889cbefe1eca695b0cc0273ab280b56) network devices similarly to how `veth` devices are currently handled.

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
@HadrienPatte
runtime: Reject netkit L3 devices with clear error
77e6f1b 
Netkit devices in L3 mode have no MAC address and require IP routing
instead of L2 bridging. Since L3 routing is not currently implemented,
reject these devices early with a clear error message directing users
to use netkit L2 mode or veth devices instead.

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
TheRayquaza and others added 2 commits April 28, 2026 18:24
@TheRayquaza @claude
runtime-rs: parse block-mounts annotation for volumeDevice passthrough
4a23400 
Parse io.katacontainers.volume.block-mounts annotation and convert
matching volumeDevices into agent Storage objects, enabling block device
annotation mounts in the Rust shim, mirroring the Go runtime behavior.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@TheRayquaza
revert cpu share change
f99038f
@TheRayquaza TheRayquaza force-pushed the mateo.lelong/runtime-rs-block-mounts branch from 0144e02 to f99038f Compare April 28, 2026 16:25
@TheRayquaza TheRayquaza marked this pull request as draft May 1, 2026 09:53
@TheRayquaza TheRayquaza force-pushed the datadog branch 2 times, most recently from 177fa81 to af4c8f5 Compare May 11, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zaymat zaymat zaymat left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@TheRayquaza @zaymat @antoine-gaillard @EricMountain @safchain @HadrienPatte