From 40618d7751ea7c6e47640b63e920369b0644ce67 Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Fri, 16 Sep 2022 16:35:33 +0800 Subject: [PATCH] release: Add trusted ephemeral storage description Signed-off-by: Wang, Arron --- releases/release_notes_09_2022.md | 95 +++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/releases/release_notes_09_2022.md b/releases/release_notes_09_2022.md index c30da3b..e58fd12 100644 --- a/releases/release_notes_09_2022.md +++ b/releases/release_notes_09_2022.md 
@@ -293,5 +293,100 @@ In case the user wants to run the workload on a TDX capable hardware, using QEMU * *TBD: instructions to build encrypted container image and other requirements (attestation, key etc)* * +# Experience Trusted Ephemeral Storage for container image and RW layer + +Container image in COCO is pulled inside guest VM, it will be save in CC HW protected guest memory by default. +Since memory is an expensive resource, COCO implemented [trusted ephemeral storage](https://github.com/confidential-containers/documentation/issues/39) for container image and RW layer. + +This solution is verified with Kubernetes CSI driver [open-local](https://github.com/alibaba/open-local). Please follow this [user guide](https://github.com/alibaba/open-local/blob/main/docs/user-guide/user-guide.md) to install open-local. + +We can use following example `trusted_store_cc.yaml` to have a try: +``` +apiVersion: v1 +kind: Pod +metadata: + name: trusted-lvm-block +spec: + runtimeClassName: kata-qemu-tdx + containers: + - name: sidecar-trusted-store + image: pause + volumeDevices: + - devicePath: "/dev/trusted_store" + name: trusted-store + - name: application + image: busybox + command: + - sh + - "-c" + - | + sleep 10000 + volumes: + - name: trusted-store + persistentVolumeClaim: + claimName: trusted-store-block-pvc +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: trusted-store-block-pvc +spec: + volumeMode: Block + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: open-local-lvm +``` +Before deploy the workload, we can follow this [documentation](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/how-to-build-and-test-ccv0.md) and use [ccv0.sh](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/ccv0.sh) to enable COCO console debug(optional, check whether working as expected). 
+ +Create the workload: +``` +kubectl apply -f trusted_store_cc.yaml +``` + +Ensure the pod was created successfully (in running state): +``` +kubectl get pods +``` + +Output: +``` +NAME READY STATUS RESTARTS AGE +trusted-lvm-block 2/2 Running 0 31s +``` + +After we enable the debug option, we can login into the VM with `ccv0.sh` script: +``` +./ccv0.sh -d open_kata_shell +``` + +Check container image is saved in encrypted storage with following commands: +``` +root@localhost:/# lsblk --fs +NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT +sda +└─ephemeral_image_encrypted_disk 906M 0% /run/image + +root@localhost:/# cryptsetup status ephemeral_image_encrypted_disk +/dev/mapper/ephemeral_image_encrypted_disk is active and is in use. + type: LUKS2 + cipher: aes-xts-plain64 + keysize: 512 bits + key location: dm-crypt + device: /dev/sda + sector size: 4096 + offset: 32768 sectors + size: 2064384 sectors + mode: read/write + +root@localhost:/# mount|grep image +/dev/mapper/ephemeral_image_encrypted_disk on /run/image type ext4 (rw,relatime) + +root@localhost:/# ls /run/image/ +layers lost+found overlay +``` + # Debugging problems * *TBD: describe tools to debug problems, logs etc…* *
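Review bot: The pod spec in this hunk never explains the role of the `sidecar-trusted-store` container or why the PVC is attached as a raw block device at `devicePath: "/dev/trusted_store"`; a reader cannot tell whether the sidecar and that path are a convention the runtime relies on or an arbitrary choice, so add a sentence before the YAML stating what the sidecar does and whether the device path is significant. The verification step "Check container image is saved in encrypted storage" would also be more convincing if the text said where the LUKS2 key for `ephemeral_image_encrypted_disk` is generated and held, and what "ephemeral" means for its lifetime, since that is what makes the `cryptsetup status` output meaningful as evidence of protection rather than just proof that dm-crypt is in use. Minor wording: "it will be save in CC HW protected guest memory" should read "it will be saved in CC HW-protected guest memory", and "Before deploy the workload" should be "Before deploying the workload".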