runtime-rs: parse block-mounts annotation for volumeDevice passthrough

.github/workflows/build-kata-os.yml

@@ -0,0 +1,86 @@
+name: Build Kata OS
+run-name: Build Kata OS
+on: [push]
+permissions:
+  contents: write
+jobs:
+  build:
+    strategy:
+      matrix:
+        runner: [ubuntu-22.04, arm-8core-linux]
+        include:
+          - runner: ubuntu-22.04
+            arch: amd64
+            kernel_version: 6.8
+          - runner: arm-8core-linux
+            arch: arm64
+            kernel_version: 6.8
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ">=1.24.0"
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y libelf-dev flex bison libssl-dev pahole
+      - name: Build Ubuntu image ${{ matrix.arch }}
+        run: cd tools/osbuilder && sudo make USE_DOCKER=true OS_VERSION=jammy image-ubuntu
+      - name: Build Kernel ${{ matrix.kernel_version }}
+        run: |
+          cd tools/packaging/kernel
+          sudo ./build-kernel.sh -v ${{ matrix.kernel_version }} setup
+          sudo ./build-kernel.sh -v ${{ matrix.kernel_version }} build
+      - name: Build containerd-shim-kata-v2
+        run: |
+          cd src/runtime
+          make -j$(nproc) containerd-shim-v2
+      - name: Bundle artifacts
+        run: |
+          if [[ "${{ matrix.arch }}" == "amd64" ]]
+          then
+            cp tools/packaging/kernel/kata-linux-*/arch/x86/boot/bzImage /tmp/vmlinux
+          else
+            cp tools/packaging/kernel/kata-linux-*/arch/arm64/boot/Image.gz /tmp/vmlinux
+          fi
+          cp tools/osbuilder/kata-containers-image-ubuntu.img /tmp/kata-containers-image-ubuntu.img
+          cp sbom.cdx.gz /tmp/sbom.cdx.gz
+          cp src/runtime/containerd-shim-kata-v2 /tmp/containerd-shim-kata-v2
+          mkdir -p /tmp/artifacts
+          zip -j /tmp/artifacts/artifacts-${{ matrix.arch }}.zip /tmp/vmlinux /tmp/kata-containers-image-ubuntu.img /tmp/sbom.cdx.gz /tmp/containerd-shim-kata-v2
+          cd /tmp/artifacts
+          sha256sum artifacts-${{ matrix.arch }}.zip > checksum-${{ matrix.arch }}.sha256
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts-${{ matrix.arch }}
+          path: /tmp/artifacts
+          retention-days: 1
+  release:
+    runs-on: ubuntu-22.04
+    needs: build
+    # Only create a release when a new tag is created
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Download artifacts amd64
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts-amd64
+      - name: Download artifacts arm64
+        uses: actions/download-artifact@v4
+        with:
+          name: artifacts-arm64
+      - name: "Create New Release"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RELEASE_VERSION=$(echo ${{ github.ref }} | sed 's/refs\/tags\///')
+          echo "Creating release $RELEASE_VERSION"
+          gh release create ${RELEASE_VERSION} -t ${RELEASE_VERSION} --draft
+          gh release upload "${RELEASE_VERSION}" artifacts-amd64.zip
+          gh release upload "${RELEASE_VERSION}" artifacts-arm64.zip
+          gh release upload "${RELEASE_VERSION}" checksum-amd64.sha256
+          gh release upload "${RELEASE_VERSION}" checksum-arm64.sha256
+          gh release edit ${RELEASE_VERSION} --verify-tag	--draft=false

.gitlab-ci.yml

@@ -0,0 +1,115 @@
+include: https://gitlab-templates.ddbuild.io/compute-delivery/v2/compute-delivery.yml
+
+variables:
+  CI_IMAGE: 3
+  KERNEL_VERSION: 6.8
+  KUBERNETES_CPU_REQUEST: "10"
+  KUBERNETES_MEMORY_REQUEST: "20Gi"
+  KUBERNETES_MEMORY_LIMIT: "40Gi"
+
+stages:
+  - ci-image
+  - build
+  - publish
+  - notify
+
+ci-image:
+  stage: ci-image
+  extends: .build-docker-image
+  when: manual
+  only:
+    - branches
+  variables:
+    IMAGE_NAME: "$CI_PROJECT_NAME/ci"
+    IMAGE_TAG: $CI_IMAGE
+    CONTEXT_DIR: "./tools/packaging/kernel"
+    TARGET: "build"
+
+build-kernel-amd64:
+  image: registry.ddbuild.io/$CI_PROJECT_NAME/ci:$CI_IMAGE
+  stage: build
+  tags: [ "arch:amd64" ]
+  script:
+    - cd tools/packaging/kernel
+    - ./build-kernel.sh -v $KERNEL_VERSION setup
+    - ./build-kernel.sh -v $KERNEL_VERSION build
+    - cp kata-linux-*/arch/x86_64/boot/bzImage ./vmlinux-amd64
+  artifacts:
+    paths:
+      - tools/packaging/kernel/vmlinux-amd64
+    expire_in: 1 week
+
+build-kernel-arm64:
+  image: registry.ddbuild.io/$CI_PROJECT_NAME/ci:$CI_IMAGE
+  stage: build
+  tags: [ "arch:arm64" ]
+  script:
+    - cd tools/packaging/kernel
+    - ./build-kernel.sh -v $KERNEL_VERSION setup
+    - ./build-kernel.sh -v $KERNEL_VERSION build
+    - cp kata-linux-*/arch/arm64/boot/Image.gz ./vmlinux-arm64
+  artifacts:
+    paths:
+      - tools/packaging/kernel/vmlinux-arm64
+    expire_in: 1 week
+
+build-shim-amd64:
+  image: registry.ddbuild.io/images/mirror/library/golang:1.24.5
+  stage: build
+  tags: [ "arch:amd64" ]
+  variables:
+    GOTOOLCHAIN: auto
+  script:
+    - cd src/runtime
+    - make containerd-shim-v2
+    - mv containerd-shim-kata-v2 containerd-shim-kata-v2-amd64
+  artifacts:
+    paths:
+      - src/runtime/containerd-shim-kata-v2-amd64
+    expire_in: 1 week
+
+build-shim-arm64:
+  image: registry.ddbuild.io/images/mirror/library/golang:1.24.5
+  stage: build
+  tags: [ "arch:arm64" ]
+  variables:
+    GOTOOLCHAIN: auto
+  script:
+    - cd src/runtime
+    - make containerd-shim-v2
+    - mv containerd-shim-kata-v2 containerd-shim-kata-v2-arm64
+  artifacts:
+    paths:
+      - src/runtime/containerd-shim-kata-v2-arm64
+    expire_in: 1 week
+
+publish-artifacts:
+  image: registry.ddbuild.io/$CI_PROJECT_NAME/ci:$CI_IMAGE
+  stage: publish
+  only:
+    - tags
+  tags: [ "arch:amd64" ]
+  dependencies:
+    - "build-kernel-amd64"
+    - "build-kernel-arm64"
+  variables:
+    GIT_STRATEGY: none
+  script:
+    - aws s3 cp tools/packaging/kernel/vmlinux-amd64 s3://kata-containers-ci-artifacts/$CI_COMMIT_REF_NAME/amd64/vmlinux
+    - aws s3 cp tools/packaging/kernel/vmlinux-arm64 s3://kata-containers-ci-artifacts/$CI_COMMIT_REF_NAME/arm64/vmlinux
+    - echo $CI_COMMIT_REF_NAME > LATEST && aws s3 cp LATEST s3://kata-containers-ci-artifacts/LATEST
+
+publish-oci-image:
+  stage: publish
+  extends: .build-docker-image
+  dependencies:
+    - "build-kernel-amd64"
+    - "build-kernel-arm64"
+    - "build-shim-amd64"
+    - "build-shim-arm64"
+  variables:
+    EXTRA_ARGS: "-f docker/Dockerfile --build-arg CI_COMMIT_TAG=$CI_COMMIT_TAG"
+    IMAGE_TAG: "$CI_COMMIT_TAG"
+  only:
+    - tags
+

docker/Dockerfile

@@ -0,0 +1,83 @@
+# Builder stage
+FROM ubuntu:22.04 AS builder
+
+# CI_COMMIT_TAG will be passed as build arg (e.g., 3.18.0-dd.202526)
+ARG CI_COMMIT_TAG
+
+# Install packages
+RUN apt-get update && \
+    apt-get install -y curl wget unzip xz-utils zstd ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create directory structure
+RUN mkdir -p /kata-build/opt/kata/bin \
+             /kata-build/opt/kata/conf/qemu/config.d \
+             /kata-build/opt/kata/libexec \
+             /kata-build/opt/kata/share/kata-containers \
+             /kata-build/etc/containerd/config.d
+
+# Download and extract kata package
+# Extract version from tag and construct URL
+ARG TARGETARCH
+RUN KATA_VERSION=${CI_COMMIT_TAG%%-dd.*} && \
+    echo "Downloading kata ${KATA_VERSION} from tag ${CI_COMMIT_TAG}" && \
+    wget -q "https://github.com/kata-containers/kata-containers/releases/download/${KATA_VERSION}/kata-static-${KATA_VERSION}-${TARGETARCH}.tar.zst" -O /tmp/kata.tar.zst && \
+    tar --zstd -xf /tmp/kata.tar.zst -C /kata-build --wildcards \
+        './opt/kata/bin/qemu-system-*' \
+        './opt/kata/libexec/virtiofsd' \
+        './opt/kata/lib/kata-qemu/libfdt.a' \
+        './opt/kata/lib/kata-qemu/pkgconfig/libfdt.pc' \
+        './opt/kata/include/fdt.h' \
+        './opt/kata/include/libfdt.h' \
+        './opt/kata/include/libfdt_env.h' \
+        './opt/kata/share/kata-qemu/qemu/bios-256k.bin' \
+        './opt/kata/share/kata-qemu/qemu/bios-microvm.bin' \
+        './opt/kata/share/kata-qemu/qemu/bios.bin' \
+        './opt/kata/share/kata-qemu/qemu/edk2-i386-code.fd' \
+        './opt/kata/share/kata-qemu/qemu/edk2-i386-secure-code.fd' \
+        './opt/kata/share/kata-qemu/qemu/edk2-i386-vars.fd' \
+        './opt/kata/share/kata-qemu/qemu/edk2-x86_64-code.fd' \
+        './opt/kata/share/kata-qemu/qemu/edk2-x86_64-secure-code.fd' \
+        './opt/kata/share/kata-qemu/qemu/edk2-licenses.txt' \
+        './opt/kata/share/kata-qemu/qemu/efi-virtio.rom' \
+        './opt/kata/share/kata-qemu/qemu/firmware/50-edk2-i386-secure.json' \
+        './opt/kata/share/kata-qemu/qemu/firmware/50-edk2-x86_64-secure.json' \
+        './opt/kata/share/kata-qemu/qemu/firmware/60-edk2-i386.json' \
+        './opt/kata/share/kata-qemu/qemu/firmware/60-edk2-x86_64.json' \
+        './opt/kata/share/kata-qemu/qemu/kvmvapic.bin' \
+        './opt/kata/share/kata-qemu/qemu/linuxboot.bin' \
+        './opt/kata/share/kata-qemu/qemu/linuxboot_dma.bin' \
+        './opt/kata/share/kata-qemu/qemu/multiboot_dma.bin' \
+        './opt/kata/share/kata-qemu/qemu/pvh.bin' \
+        './opt/kata/share/kata-qemu/qemu/qboot.rom' \
+        './opt/kata/share/kata-qemu/qemu/qemu-nsis.bmp' \
+        './opt/kata/share/defaults/kata-containers/configuration-qemu.toml' \
+        './opt/kata/share/kata-containers/kata-ubuntu-noble.image' && \
+    mv /kata-build/opt/kata/share/kata-containers/kata-ubuntu-noble.image /kata-build/opt/kata/share/kata-containers/kata-containers-datadog.img && \
+    rm -f /tmp/kata.tar.xz
+
+# Copy CI-built kernel for the target architecture and rename to datadog convention
+COPY tools/packaging/kernel/vmlinux-${TARGETARCH} /kata-build/opt/kata/share/kata-containers/vmlinux-datadog
+
+# Copy CI-built shim binary
+# This should be built by the CI pipeline and placed in the expected location
+COPY src/runtime/containerd-shim-kata-v2-${TARGETARCH} /kata-build/opt/kata/bin/containerd-shim-kata-v2
+RUN chmod +x /kata-build/opt/kata/bin/containerd-shim-kata-v2
+
+# Create symlinks for kata-containers.img and vmlinux.container
+RUN ln -s /opt/kata/share/kata-containers/kata-containers-datadog.img /kata-build/opt/kata/share/kata-containers/kata-containers.img && \
+    ln -s /opt/kata/share/kata-containers/vmlinux-datadog /kata-build/opt/kata/share/kata-containers/vmlinux.container
+
+# Link configuration
+RUN ln /kata-build/opt/kata/share/defaults/kata-containers/configuration-qemu.toml /kata-build/opt/kata/conf/qemu/configuration-qemu.toml
+
+# Copy override configuration
+COPY docker/qemu/config.d/10-override.toml /kata-build/opt/kata/conf/qemu/config.d/10-override.toml
+
+# Copy containerd runtime dropin
+COPY docker/containerd/config.d/20-kata-runtime.toml /kata-build/etc/containerd/config.d/20-kata-runtime.toml
+
+# Final scratch-based data volume
+FROM scratch
+COPY --from=builder /kata-build/opt/kata /opt/kata
+COPY --from=builder /kata-build/etc/containerd /etc/containerd

docker/containerd/config.d/20-kata-runtime.toml

@@ -0,0 +1,10 @@
+# Kata Containers runtime configuration dropin for containerd
+[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.kata-qemu]
+  runtime_type = 'io.containerd.kata.v2'
+  runtime_path = '/opt/kata/bin/containerd-shim-kata-v2'
+  pod_annotations = ['io.katacontainers.*']
+  privileged_without_host_devices = true
+  sandboxer = ''
+
+  [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.kata-qemu.options]
+    ConfigPath = '/opt/kata/conf/qemu/configuration-qemu.toml'

docker/qemu/config.d/10-override.toml

@@ -0,0 +1,9 @@
+[hypervisor.qemu]
+kernel_params = "systemd.unified_cgroup_hierarchy=1"
+enable_annotations = ["enable_iommu", "virtio_fs_extra_args", "kernel_params", "default_memory"]
+
+[agent.kata]
+debug_console_enabled = false
+
+[runtime]
+static_sandbox_resource_mgmt=true