Merge pull request #12640 from burgerdev/genpolicy-workspace

genpolicy: add to Cargo workspace
2026-03-17 10:12:24 +00:00 · 2026-03-11 09:02:39 -07:00
parent ba0f5b98fe cf7d4c33b3
commit 04f180434e
8 changed files with 1485 additions and 4166 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,6 +22,9 @@ members = [
  "src/dragonball/dbs_utils",
  "src/dragonball/dbs_virtio_devices",

+  # genpolicy
+  "src/tools/genpolicy",
+
  # runtime-rs
  "src/runtime-rs",
  "src/runtime-rs/crates/agent",
@@ -107,6 +110,9 @@ safe-path = { path = "src/libs/safe-path" }
 shim-interface = { path = "src/libs/shim-interface" }
 test-utils = { path = "src/libs/test-utils" }

+# Local dependencies from `src/agent`
+kata-agent-policy = { path = "src/agent/policy" }
+
 # Outside dependencies
 actix-rt = "2.7.0"
 anyhow = "1.0"
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -0,0 +1,8 @@
+[[IgnoredVulns]]
+# yaml-rust is unmaintained.
+# We tried the most promising alternative in https://github.com/kata-containers/kata-containers/pull/12509,
+# but its literal quoting is not conformant.
+id = "RUSTSEC-2024-0320"
+ignoreUntil = 2026-10-01 # TODO(burgerdev): revisit yml library ecosystem
+reason = "No alternative currently supports 'yes' strings correctly; genpolicy processes only trusted input."
+
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -15,6 +15,11 @@ PROJECT_URL = https://github.com/kata-containers
 PROJECT_COMPONENT = containerd-shim-kata-v2
 CONTAINERD_RUNTIME_NAME = io.containerd.kata.v2

+# This snippet finds all packages inside runtime-rs. Used for tessting.
+PACKAGES := $(shell cargo metadata --no-deps --format-version 1 | \
+                    jq -r '.packages[] | select(.manifest_path | contains("runtime-rs")) | .name')
+PACKAGE_FLAGS := $(patsubst %,-p %,$(PACKAGES))
+
 include ../../utils.mk

 ARCH_DIR = arch
@@ -45,9 +50,9 @@ test:
 else
 ##TARGET default: build code
 default: runtime show-header
-##TARGET test: run cargo tests
+##TARGET test: run cargo tests for runtime-rs and all its sub-crates.
 test: static-checks-build
-	@cargo test --all --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture  --skip bindgen
+	@cargo test $(PACKAGE_FLAGS) --target $(TRIPLE) $(EXTRA_RUSTFEATURES) -- --nocapture  --skip bindgen
 install: install-runtime install-configs
 endif

@@ -733,7 +738,7 @@ static-checks-build: $(GENERATED_FILES)
 $(TARGET): $(GENERATED_FILES) $(TARGET_PATH)

 $(TARGET_PATH): $(SOURCES) | show-summary
-	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build --target $(TRIPLE) $(if $(findstring release,$(BUILD_TYPE)),--release) $(EXTRA_RUSTFEATURES)
+	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo build -p runtime-rs --target $(TRIPLE) $(if $(findstring release,$(BUILD_TYPE)),--release) $(EXTRA_RUSTFEATURES)

 $(GENERATED_FILES): %: %.in
 	@sed \
@@ -769,7 +774,7 @@ endif

 ##TARGET run: build and run agent
 run:
-	@cargo run --target $(TRIPLE)
+	@cargo run -p runtime-rs --target $(TRIPLE)

 show-header:
 	@printf "%s - version %s (commit %s)\n\n" "$(TARGET)" "$(VERSION)" "$(COMMIT_MSG)"
--- a/src/tools/genpolicy/Cargo.lock
+++ b/src/tools/genpolicy/Cargo.lock
--- a/src/tools/genpolicy/Cargo.toml
+++ b/src/tools/genpolicy/Cargo.toml
@@ -6,21 +6,21 @@
 [package]
 name = "genpolicy"
 version = "0.1.0"
-authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
+authors.workspace = true
 edition = "2021"
-license = "Apache-2.0"
+license.workspace = true

 [dependencies]
 # Logging.
 env_logger = "0.10.0"
-log = "0.4.17"
+log.workspace = true

 # Command line parsing.
 clap = { version = "4.5.40", features = ["derive"] }

 # YAML file serialization/deserialization.
 base64 = "0.21.0"
-serde = { version = "1.0.159", features = ["derive"] }
+serde.workspace = true
 regex = "1.10.5"

 # Newer serde_yaml versions are using unsafe-libyaml instead of yaml-rust,
@@ -37,25 +37,25 @@ regex = "1.10.5"
 serde_yaml = "0.8"

 # Container repository.
-anyhow = "1.0.32"
-async-trait = "0.1.68"
+anyhow.workspace = true
+async-trait.workspace = true
 docker_credential = "1.3.1"
 flate2 = "1.1.5"
 fs2 = "0.4.3"
-oci-client = { version = "0.12.0" }
+oci-client = { version = "0.16" }
 openssl = { version = "0.10.73", features = ["vendored"] }
 serde_ignored = "0.1.7"
-serde_json = "1.0.39"
+serde_json.workspace = true
 json-patch = "4.1"
-tempfile = "3.19.1"
-tokio = { version = "1.38.0", features = ["rt-multi-thread"] }
+tempfile.workspace = true
+tokio = { workspace = true, features = ["rt-multi-thread"] }

 # OCI container specs.
-oci-spec = { version = "0.8.1", features = ["runtime"] }
+oci-spec.workspace = true

 # Kata Agent protocol.
-protocols = { path = "../../libs/protocols", features = ["with-serde"] }
-protobuf = "3.2.0"
+protocols = { workspace = true, features = ["with-serde"] }
+protobuf.workspace = true

 # containerd image pull support
 k8s-cri = "0.7.0"
@@ -67,11 +67,11 @@ containerd-client = "0.4.0"
 tar = "0.4.41"

 # init data support
-kata-types = { path = "../../libs/kata-types" }
+kata-types = { path = "../../libs/kata-types" } # TODO(burgerdev): figure out how to use this from workspace without including safe-path.

 [dev-dependencies]
-kata-agent-policy = { path = "../../agent/policy" }
-slog = "2.5.2"
+kata-agent-policy.workspace = true
+slog.workspace = true
 assert_cmd = "2.0.14"

 [package.metadata.cargo-machete]
--- a/src/tools/genpolicy/Makefile
+++ b/src/tools/genpolicy/Makefile
@@ -37,7 +37,7 @@ vendor:
 	cargo vendor

 test: $(GENERATED_FILES)
-	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo test --all-targets --all-features --target $(TRIPLE)
+	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo test -p genpolicy --all-targets --all-features --target $(TRIPLE)

 install: $(GENERATED_FILES)
 	@RUSTFLAGS="$(EXTRA_RUSTFLAGS) --deny warnings" cargo install --locked --target $(TRIPLE) --path .
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -1207,11 +1207,14 @@ install_tools_helper() {
 	[ ${tool} = "agent-ctl" ] && tool_binary="kata-agent-ctl"
 	[ ${tool} = "csi-kata-directvolume" ] && tool_binary="directvolplugin"
 	[ ${tool} = "trace-forwarder" ] && tool_binary="kata-trace-forwarder"
-	binary=$(find ${repo_root_dir}/src/tools/${tool}/ -type f -name ${tool_binary})
+
+	local tool_build_dir="src/tools/${tool}"
+	[ ${tool} = "genpolicy" ] && tool_build_dir=target
+	binary=$(find "${repo_root_dir}/${tool_build_dir}" -type f -name "${tool_binary}")

 	binary_count=$(echo "${binary}" | grep -c '^' || echo "0")
-	if [[ "${binary_count}" -eq 0 ]]; then
-		die "No binary found for ${tool} (expected: ${tool_binary})."
+	if [[ "${binary}" = "" ]]; then
+		die "No binary found for ${tool} in ${repo_root_dir}/${tool_build_dir} (expected: ${tool_binary})."
 	elif [[ "${binary_count}" -gt 1 ]]; then
 		die "Multiple binaries found for ${tool} (expected single ${tool_binary}). Found:"$'\n'"${binary}"
 	fi
@@ -1246,7 +1249,7 @@ install_tools_helper() {
 	info "Install static ${tool_binary}"
 	mkdir -p "${destdir}/opt/kata/bin/"
 	[ ${tool} = "csi-kata-directvolume" ] && tool_binary="csi-kata-directvolume"
-	install -D --mode ${binary_permissions} ${binary} "${destdir}/opt/kata/bin/${tool_binary}"
+	install -D --mode "${binary_permissions}" "${binary}" "${destdir}/opt/kata/bin/${tool_binary}"
 }

 install_agent_ctl() {