agent:cdh: switch to the new method for initializing cdh client

Decouple the cdh client from AgentService and refactor cdh client usage and initialization. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2025-08-28 12:31:04 +00:00 · 2024-09-02 08:38:43 +08:00 · 2024-09-02 08:38:43 +08:00 · 07e0e843e8
commit 07e0e843e8
parent bc8156c3ae
2 changed files with 27 additions and 48 deletions
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@ -59,7 +59,6 @@ mod util;
 mod version;
 mod watcher;

-use cdh::CDHClient;
 use config::GuestComponentsProcs;
 use mount::{cgroups_mount, general_mount};
 use sandbox::Sandbox;
@ -408,7 +407,6 @@ async fn start_sandbox(
    let (tx, rx) = tokio::sync::oneshot::channel();
    sandbox.lock().await.sender = Some(tx);

-    let mut cdh_client = None;
    let gc_procs = config.guest_components_procs;
    if gc_procs != GuestComponentsProcs::None {
        if !attestation_binaries_available(logger, &gc_procs) {
@ -417,18 +415,12 @@ async fn start_sandbox(
                "attestation binaries requested for launch not available"
            );
        } else {
-            cdh_client = init_attestation_components(logger, config)?;
+            init_attestation_components(logger, config).await?;
        }
    }

    // vsock:///dev/vsock, port
-    let mut server = rpc::start(
-        sandbox.clone(),
-        config.server_addr.as_str(),
-        init_mode,
-        cdh_client,
-    )
-    .await?;
+    let mut server = rpc::start(sandbox.clone(), config.server_addr.as_str(), init_mode).await?;

    server.start().await?;

@ -459,10 +451,10 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
 // and the corresponding procs are enabled in the agent configuration. the process will be
 // launched in the background and the function will return immediately.
 // If the CDH is started, a CDH client will be instantiated and returned.
-fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<Option<CDHClient>> {
+async fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<()> {
    // skip launch of any guest-component
    if config.guest_components_procs == GuestComponentsProcs::None {
-        return Ok(None);
+        return Ok(());
    }

    debug!(logger, "spawning attestation-agent process {}", AA_PATH);
@ -477,7 +469,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<

    // skip launch of confidential-data-hub and api-server-rest
    if config.guest_components_procs == GuestComponentsProcs::AttestationAgent {
-        return Ok(None);
+        return Ok(());
    }

    let ocicrypt_config = serde_json::json!({
@ -505,11 +497,12 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
    )
    .map_err(|e| anyhow!("launch_process {} failed: {:?}", CDH_PATH, e))?;

-    let cdh_client = CDHClient::new().context("Failed to create CDH Client")?;
+    // initialize cdh client
+    cdh::init_cdh_client().await?;

    // skip launch of api-server-rest
    if config.guest_components_procs == GuestComponentsProcs::ConfidentialDataHub {
-        return Ok(Some(cdh_client));
+        return Ok(());
    }

    let features = config.guest_components_rest_api;
@ -526,7 +519,7 @@ fn init_attestation_components(logger: &Logger, config: &AgentConfig) -> Result<
    )
    .map_err(|e| anyhow!("launch_process {} failed: {:?}", API_SERVER_PATH, e))?;

-    Ok(Some(cdh_client))
+    Ok(())
 }

 fn wait_for_path_to_exist(logger: &Logger, path: &str, timeout_secs: i32) -> Result<()> {
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@ -55,6 +55,7 @@ use nix::sys::{stat, statfs};
 use nix::unistd::{self, Pid};
 use rustjail::process::ProcessOperations;

+use crate::cdh;
 use crate::device::{
    add_devices, get_virtio_blk_pci_device_name, update_env_pci, wait_for_net_interface,
 };
@ -83,8 +84,6 @@ use crate::policy::{do_set_policy, is_allowed};
 #[cfg(feature = "guest-pull")]
 use crate::image;

-use crate::cdh::CDHClient;
-
 use opentelemetry::global;
 use tracing::span;
 use tracing_opentelemetry::OpenTelemetrySpanExt;
@ -180,7 +179,6 @@ impl<T> OptionToTtrpcResult<T> for Option<T> {
 pub struct AgentService {
    sandbox: Arc<Mutex<Sandbox>>,
    init_mode: bool,
-    cdh_client: Option<CDHClient>,
 }

 impl AgentService {
@ -226,7 +224,6 @@ impl AgentService {
        // cannot predict everything from the caller.
        add_devices(&req.devices, &mut oci, &self.sandbox).await?;

-        if let Some(cdh) = self.cdh_client.as_ref() {
        let process = oci
            .process_mut()
            .as_mut()
@ -234,7 +231,7 @@ impl AgentService {

        if let Some(envs) = process.env_mut().as_mut() {
            for env in envs.iter_mut() {
-                    match cdh.unseal_env(env).await {
+                match cdh::unseal_env(env).await {
                    Ok(unsealed_env) => *env = unsealed_env.to_string(),
                    Err(e) => {
                        warn!(sl(), "Failed to unseal secret: {}", e)
@ -242,7 +239,6 @@ impl AgentService {
                }
            }
        }
-        }

        let linux = oci
            .linux()
@ -261,19 +257,16 @@ impl AgentService {
                        secure_storage_integrity
                    );

-                    if let Some(cdh) = self.cdh_client.as_ref() {
                    let options = std::collections::HashMap::from([
                        ("deviceId".to_string(), dev_major_minor),
                        ("encryptType".to_string(), "LUKS".to_string()),
                        ("dataIntegrity".to_string(), secure_storage_integrity),
                    ]);
-                        cdh.secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR)
-                            .await?;
+                    cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
                    break;
                }
            }
        }
-        }

        // Both rootfs and volumes (invoked with --volume for instance) will
        // be processed the same way. The idea is to always mount any provided
@ -1681,12 +1674,10 @@ pub async fn start(
    s: Arc<Mutex<Sandbox>>,
    server_address: &str,
    init_mode: bool,
-    cdh_client: Option<CDHClient>,
 ) -> Result<TtrpcServer> {
    let agent_service = Box::new(AgentService {
        sandbox: s,
        init_mode,
-        cdh_client,
    }) as Box<dyn agent_ttrpc::AgentService + Send + Sync>;
    let aservice = agent_ttrpc::create_agent_service(Arc::new(agent_service));

@ -2245,7 +2236,6 @@ mod tests {
        let agent_service = Box::new(AgentService {
            sandbox: Arc::new(Mutex::new(sandbox)),
            init_mode: true,
-            cdh_client: None,
        });

        let req = protocols::agent::UpdateInterfaceRequest::default();
@ -2263,7 +2253,6 @@ mod tests {
        let agent_service = Box::new(AgentService {
            sandbox: Arc::new(Mutex::new(sandbox)),
            init_mode: true,
-            cdh_client: None,
        });

        let req = protocols::agent::UpdateRoutesRequest::default();
@ -2281,7 +2270,6 @@ mod tests {
        let agent_service = Box::new(AgentService {
            sandbox: Arc::new(Mutex::new(sandbox)),
            init_mode: true,
-            cdh_client: None,
        });

        let req = protocols::agent::AddARPNeighborsRequest::default();
@ -2420,7 +2408,6 @@ mod tests {
            let agent_service = Box::new(AgentService {
                sandbox: Arc::new(Mutex::new(sandbox)),
                init_mode: true,
-                cdh_client: None,
            });

            let result = agent_service
@ -2919,7 +2906,6 @@ OtherField:other
        let agent_service = Box::new(AgentService {
            sandbox: Arc::new(Mutex::new(sandbox)),
            init_mode: true,
-            cdh_client: None,
        });

        let ctx = mk_ttrpc_context();