agent:cdh: switch to the new method for initializing cdh client

Decouple the cdh client from AgentService and refactor cdh client usage and initialization.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6 2024-09-02 08:38:43 +08:00
parent bc8156c3ae
commit 07e0e843e8
2 changed files with 27 additions and 48 deletions


@ -59,7 +59,6 @@ mod util;
mod version; mod version;
mod watcher; mod watcher;
use cdh::CDHClient;
use config::GuestComponentsProcs; use config::GuestComponentsProcs;
use mount::{cgroups_mount, general_mount}; use mount::{cgroups_mount, general_mount};
use sandbox::Sandbox; use sandbox::Sandbox;
@ -408,7 +407,6 @@ async fn start_sandbox(
let (tx, rx) = tokio::sync::oneshot::channel(); let (tx, rx) = tokio::sync::oneshot::channel();
sandbox.lock().await.sender = Some(tx); sandbox.lock().await.sender = Some(tx);
let mut cdh_client = None;
let gc_procs = config.guest_components_procs; let gc_procs = config.guest_components_procs;
if gc_procs != GuestComponentsProcs::None { if gc_procs != GuestComponentsProcs::None {
if !attestation_binaries_available(logger, &gc_procs) { if !attestation_binaries_available(logger, &gc_procs) {
@ -417,18 +415,12 @@ async fn start_sandbox(
"attestation binaries requested for launch not available" "attestation binaries requested for launch not available"
); );
} else { } else {
cdh_client = init_attestation_components(logger, config)?; init_attestation_components(logger, config).await?;
} }
} }
// vsock:///dev/vsock, port // vsock:///dev/vsock, port
let mut server = rpc::start( let mut server = rpc::start(sandbox.clone(), config.server_addr.as_str(), init_mode).await?;
sandbox.clone(),
config.server_addr.as_str(),
init_mode,
cdh_client,
)
.await?;
server.start().await?; server.start().await?;
@ -459,10 +451,10 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
// and the corresponding procs are enabled in the agent configuration. the process will be // and the corresponding procs are enabled in the agent configuration. the process will be
// launched in the background and the function will return immediately. // launched in the background and the function will return immediately.
// If the CDH is started, a CDH client will be instantiated and returned. // If the CDH is started, a CDH client will be instantiated and returned.
fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<Option<CDHClient>> { async fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<()> {
// skip launch of any guest-component // skip launch of any guest-component
if config.guest_components_procs == GuestComponentsProcs::None { if config.guest_components_procs == GuestComponentsProcs::None {
return Ok(None); return Ok(());
} }
debug!(logger, "spawning attestation-agent process {}", AA_PATH); debug!(logger, "spawning attestation-agent process {}", AA_PATH);
@ -477,7 +469,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
// skip launch of confidential-data-hub and api-server-rest // skip launch of confidential-data-hub and api-server-rest
if config.guest_components_procs == GuestComponentsProcs::AttestationAgent { if config.guest_components_procs == GuestComponentsProcs::AttestationAgent {
return Ok(None); return Ok(());
} }
let ocicrypt_config = serde_json::json!({ let ocicrypt_config = serde_json::json!({
@ -505,11 +497,12 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
) )
.map_err(|e| anyhow!("launch_process {} failed: {:?}", CDH_PATH, e))?; .map_err(|e| anyhow!("launch_process {} failed: {:?}", CDH_PATH, e))?;
let cdh_client = CDHClient::new().context("Failed to create CDH Client")?; // initialize cdh client
cdh::init_cdh_client().await?;
// skip launch of api-server-rest // skip launch of api-server-rest
if config.guest_components_procs == GuestComponentsProcs::ConfidentialDataHub { if config.guest_components_procs == GuestComponentsProcs::ConfidentialDataHub {
return Ok(Some(cdh_client)); return Ok(());
} }
let features = config.guest_components_rest_api; let features = config.guest_components_rest_api;
@ -526,7 +519,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
) )
.map_err(|e| anyhow!("launch_process {} failed: {:?}", API_SERVER_PATH, e))?; .map_err(|e| anyhow!("launch_process {} failed: {:?}", API_SERVER_PATH, e))?;
Ok(Some(cdh_client)) Ok(())
} }
fn wait_for_path_to_exist(logger: &Logger, path: &str, timeout_secs: i32) -> Result<()> { fn wait_for_path_to_exist(logger: &Logger, path: &str, timeout_secs: i32) -> Result<()> {
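Review bot: The header comment on `init_attestation_components` is now stale: it still says "If the CDH is started, a CDH client will be instantiated and returned", but the function now returns `Result<()>` and initializes the client as module state through `cdh::init_cdh_client()`. I would reword that line to "If the CDH is started, the module-level CDH client is initialized via `cdh::init_cdh_client()`; with `GuestComponentsProcs::None` or `AttestationAgent`, or when the attestation binaries are missing (see the caller in `start_sandbox`), it is left uninitialized and the ttrpc handlers must tolerate that." The old `CDHClient::new().context("Failed to create CDH Client")` also carried an error context that the new `cdh::init_cdh_client().await?` drops; restoring it, `cdh::init_cdh_client().await.context("Failed to initialize CDH client")?;`, keeps the failure attributable in the agent log. `start_sandbox` and `init_attestation_components` both extend outside the visible hunks.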


@ -55,6 +55,7 @@ use nix::sys::{stat, statfs};
use nix::unistd::{self, Pid}; use nix::unistd::{self, Pid};
use rustjail::process::ProcessOperations; use rustjail::process::ProcessOperations;
use crate::cdh;
use crate::device::{ use crate::device::{
add_devices, get_virtio_blk_pci_device_name, update_env_pci, wait_for_net_interface, add_devices, get_virtio_blk_pci_device_name, update_env_pci, wait_for_net_interface,
}; };
@ -83,8 +84,6 @@ use crate::policy::{do_set_policy, is_allowed};
#[cfg(feature = "guest-pull")] #[cfg(feature = "guest-pull")]
use crate::image; use crate::image;
use crate::cdh::CDHClient;
use opentelemetry::global; use opentelemetry::global;
use tracing::span; use tracing::span;
use tracing_opentelemetry::OpenTelemetrySpanExt; use tracing_opentelemetry::OpenTelemetrySpanExt;
@ -180,7 +179,6 @@ impl<T> OptionToTtrpcResult<T> for Option<T> {
pub struct AgentService { pub struct AgentService {
sandbox: Arc<Mutex<Sandbox>>, sandbox: Arc<Mutex<Sandbox>>,
init_mode: bool, init_mode: bool,
cdh_client: Option<CDHClient>,
} }
impl AgentService { impl AgentService {
@ -226,19 +224,17 @@ impl AgentService {
// cannot predict everything from the caller. // cannot predict everything from the caller.
add_devices(&req.devices, &mut oci, &self.sandbox).await?; add_devices(&req.devices, &mut oci, &self.sandbox).await?;
if let Some(cdh) = self.cdh_client.as_ref() { let process = oci
let process = oci .process_mut()
.process_mut() .as_mut()
.as_mut() .ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
.ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
if let Some(envs) = process.env_mut().as_mut() { if let Some(envs) = process.env_mut().as_mut() {
for env in envs.iter_mut() { for env in envs.iter_mut() {
match cdh.unseal_env(env).await { match cdh::unseal_env(env).await {
Ok(unsealed_env) => *env = unsealed_env.to_string(), Ok(unsealed_env) => *env = unsealed_env.to_string(),
Err(e) => { Err(e) => {
warn!(sl(), "Failed to unseal secret: {}", e) warn!(sl(), "Failed to unseal secret: {}", e)
}
} }
} }
} }
@ -261,16 +257,13 @@ impl AgentService {
secure_storage_integrity secure_storage_integrity
); );
if let Some(cdh) = self.cdh_client.as_ref() { let options = std::collections::HashMap::from([
let options = std::collections::HashMap::from([ ("deviceId".to_string(), dev_major_minor),
("deviceId".to_string(), dev_major_minor), ("encryptType".to_string(), "LUKS".to_string()),
("encryptType".to_string(), "LUKS".to_string()), ("dataIntegrity".to_string(), secure_storage_integrity),
("dataIntegrity".to_string(), secure_storage_integrity), ]);
]); cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
cdh.secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR) break;
.await?;
break;
}
} }
} }
} }
@ -1681,12 +1674,10 @@ pub async fn start(
s: Arc<Mutex<Sandbox>>, s: Arc<Mutex<Sandbox>>,
server_address: &str, server_address: &str,
init_mode: bool, init_mode: bool,
cdh_client: Option<CDHClient>,
) -> Result<TtrpcServer> { ) -> Result<TtrpcServer> {
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: s, sandbox: s,
init_mode, init_mode,
cdh_client,
}) as Box<dyn agent_ttrpc::AgentService + Send + Sync>; }) as Box<dyn agent_ttrpc::AgentService + Send + Sync>;
let aservice = agent_ttrpc::create_agent_service(Arc::new(agent_service)); let aservice = agent_ttrpc::create_agent_service(Arc::new(agent_service));
@ -2245,7 +2236,6 @@ mod tests {
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: Arc::new(Mutex::new(sandbox)), sandbox: Arc::new(Mutex::new(sandbox)),
init_mode: true, init_mode: true,
cdh_client: None,
}); });
let req = protocols::agent::UpdateInterfaceRequest::default(); let req = protocols::agent::UpdateInterfaceRequest::default();
@ -2263,7 +2253,6 @@ mod tests {
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: Arc::new(Mutex::new(sandbox)), sandbox: Arc::new(Mutex::new(sandbox)),
init_mode: true, init_mode: true,
cdh_client: None,
}); });
let req = protocols::agent::UpdateRoutesRequest::default(); let req = protocols::agent::UpdateRoutesRequest::default();
@ -2281,7 +2270,6 @@ mod tests {
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: Arc::new(Mutex::new(sandbox)), sandbox: Arc::new(Mutex::new(sandbox)),
init_mode: true, init_mode: true,
cdh_client: None,
}); });
let req = protocols::agent::AddARPNeighborsRequest::default(); let req = protocols::agent::AddARPNeighborsRequest::default();
@ -2420,7 +2408,6 @@ mod tests {
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: Arc::new(Mutex::new(sandbox)), sandbox: Arc::new(Mutex::new(sandbox)),
init_mode: true, init_mode: true,
cdh_client: None,
}); });
let result = agent_service let result = agent_service
@ -2919,7 +2906,6 @@ OtherField:other
let agent_service = Box::new(AgentService { let agent_service = Box::new(AgentService {
sandbox: Arc::new(Mutex::new(sandbox)), sandbox: Arc::new(Mutex::new(sandbox)),
init_mode: true, init_mode: true,
cdh_client: None,
}); });
let ctx = mk_ttrpc_context(); let ctx = mk_ttrpc_context();
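Review bot: The `if let Some(cdh) = self.cdh_client.as_ref()` guards removed in the `add_devices` and secure-storage hunks have no replacement, so these paths now run even when the CDH client was never initialized (the `None`/`AttestationAgent` configurations and the "attestation binaries not available" branch in `start_sandbox` both skip `cdh::init_cdh_client()`). For the env loop this presumably means one `Failed to unseal secret` warning per environment variable; for the block-device path the consequence is worse, because `cdh::secure_mount(...).await?` now fails the request where the old code silently skipped the secure mount, unless `cdh::secure_mount` itself handles the uninitialized case (not visible here). I would either keep an explicit check, e.g. `if !cdh::is_initialized() { return Err(anyhow!("secure mount requested but CDH client is not initialized")); }` with such a helper added to the `cdh` module if it does not already exist, or document on both call sites that the `cdh` free functions are expected to return a clear error when the client is missing. Both enclosing methods start and end outside the visible hunks.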