github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-10-21 23:48:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

release: Add trusted ephemeral storage description

Browse Source 
Signed-off-by: Wang, Arron <arron.wang@intel.com>
This commit is contained in:
Wang, Arron
2022-09-16 16:35:33 +08:00
committed by Samuel Ortiz
parent f60e8a2067
commit 40618d7751
1 changed files with 95 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
releases/release_notes_09_2022.md
View File

@@ -293,5 +293,100 @@ In case the user wants to run the workload on a TDX capable hardware, using QEMU
* *TBD: instructions to build encrypted container image and other requirements (attestation, key etc)* * * *TBD: instructions to build encrypted container image and other requirements (attestation, key etc)* *
# Experience Trusted Ephemeral Storage for container image and RW layer
Container image in COCO is pulled inside guest VM, it will be save in CC HW protected guest memory by default.
Since memory is an expensive resource, COCO implemented [trusted ephemeral storage](https://github.com/confidential-containers/documentation/issues/39) for container image and RW layer.
This solution is verified with Kubernetes CSI driver [open-local](https://github.com/alibaba/open-local). Please follow this [user guide](https://github.com/alibaba/open-local/blob/main/docs/user-guide/user-guide.md) to install open-local.
We can use following example `trusted_store_cc.yaml` to have a try:
```
apiVersion: v1
kind: Pod
metadata:
name: trusted-lvm-block
spec:
runtimeClassName: kata-qemu-tdx
containers:
- name: sidecar-trusted-store
image: pause
volumeDevices:
- devicePath: "/dev/trusted_store"
name: trusted-store
- name: application
image: busybox
command:
- sh
- "-c"
- |
sleep 10000
volumes:
- name: trusted-store
persistentVolumeClaim:
claimName: trusted-store-block-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trusted-store-block-pvc
spec:
volumeMode: Block
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: open-local-lvm
```
Before deploy the workload, we can follow this [documentation](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/how-to-build-and-test-ccv0.md) and use [ccv0.sh](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/ccv0.sh) to enable COCO console debug(optional, check whether working as expected).
Create the workload:
```
kubectl apply -f trusted_store_cc.yaml
```
Ensure the pod was created successfully (in running state):
```
kubectl get pods
```
Output:
```
NAME READY STATUS RESTARTS AGE
trusted-lvm-block 2/2 Running 0 31s
```
After we enable the debug option, we can login into the VM with `ccv0.sh` script:
```
./ccv0.sh -d open_kata_shell
```
Check container image is saved in encrypted storage with following commands:
```
root@localhost:/# lsblk --fs
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda
└─ephemeral_image_encrypted_disk 906M 0% /run/image
root@localhost:/# cryptsetup status ephemeral_image_encrypted_disk
/dev/mapper/ephemeral_image_encrypted_disk is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: dm-crypt
device: /dev/sda
sector size: 4096
offset: 32768 sectors
size: 2064384 sectors
mode: read/write
root@localhost:/# mount|grep image
/dev/mapper/ephemeral_image_encrypted_disk on /run/image type ext4 (rw,relatime)
root@localhost:/# ls /run/image/
layers lost+found overlay
```
# Debugging problems # Debugging problems
* *TBD: describe tools to debug problems, logs etc…* * * *TBD: describe tools to debug problems, logs etc…* *