From 1f1ca6187dbef36e10569003865e7fa1ffc037a8 Mon Sep 17 00:00:00 2001
From: ChengyuZhu6
Date: Tue, 21 Nov 2023 21:52:01 +0800
Subject: [PATCH 01/22] agent: Introduce ImageService
Introduce structure ImageService, which will be used to pull images inside the guest.
Fixes: #8103
Signed-off-by: ChengyuZhu6
co-authored-by: wllenyj
co-authored-by: stevenhorsman
---
 src/agent/src/image.rs | 24 ++++++++++++++++++++++++
 src/agent/src/main.rs | 1 +
 src/agent/src/rpc.rs | 1 +
 3 files changed, 26 insertions(+)
 create mode 100644 src/agent/src/image.rs
diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs
new file mode 100644
index 0000000000..151ab89433
--- /dev/null
+++ b/src/agent/src/image.rs
@@ -0,0 +1,24 @@
+// Copyright (c) 2021 Alibaba Cloud
+// Copyright (c) 2021, 2023 IBM Corporation
+// Copyright (c) 2022 Intel Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use std::sync::Arc;
+use tokio::sync::Mutex;
+use crate::sandbox::Sandbox;
+
+// Convenience function to obtain the scope logger.
+fn sl() -> slog::Logger {
+ slog_scope::logger().new(o!("subsystem" => "image"))
+}
+
+pub struct ImageService {
+ sandbox: Arc>,
+}
+impl ImageService {
+ pub fn new(sandbox: Arc>) -> Self {
+ Self { sandbox }
+ }
+}
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 31482eb25b..8bb7fa0423 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -73,6 +73,7 @@ use tokio::{
 task::JoinHandle,
 };
+mod image;
 mod rpc;
 mod tracer;
diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index bd760db941..56cff23edb 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -54,6 +54,7 @@ use rustjail::process::ProcessOperations;
 use crate::device::{add_devices, get_virtio_blk_pci_device_name, update_env_pci};
 use crate::features::get_build_features;
+use crate::image;
 use crate::linux_abi::*;
 use crate::metrics::get_metrics;
 use crate::mount::baremount;
From 2b3a00f848a652bd1f725ec1074ebc046b1e3733 Mon Sep 17 00:00:00 2001
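Review bot: Nothing in the new src/agent/src/image.rs references `sl()` or reads the `sandbox` field stored by `ImageService::new`, so at this commit the file compiles only with `dead_code` warnings, and the `use crate::image;` added in the rpc.rs hunk of the same patch appears equally unused; if the agent is built with warnings denied, this intermediate commit will not build on its own. If the helpers are meant to land ahead of their callers, mark them `#[allow(dead_code)]` with a comment naming the follow-up patch, or move `sl()` into the patch that first logs from this module. `ImageService` is also a public type without a doc comment; `/// Service that pulls container images inside the guest on behalf of the agent.` would cover it.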
From: ChengyuZhu6
Date: Tue, 21 Nov 2023 22:48:41 +0800
Subject: [PATCH 02/22] agent: export the image service singleton instance
Export the image service singleton instance.
Signed-off-by: ChengyuZhu6
Co-authored-by: Jiang Liu
Co-authored-by: Xynnn007
Co-authored-by: stevenhorsman
Co-authored-by: wllenyj
---
 src/agent/src/image.rs | 26 +++++++++++++++++++-------
 src/agent/src/main.rs | 2 +-
 src/agent/src/rpc.rs | 9 ++++++++-
 3 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs
index 151ab89433..66b9e195d4 100644
--- a/src/agent/src/image.rs
+++ b/src/agent/src/image.rs
@@ -5,20 +5,32 @@
 // SPDX-License-Identifier: Apache-2.0
 //
-use std::sync::Arc;
+use anyhow::{anyhow, Result};
 use tokio::sync::Mutex;
-use crate::sandbox::Sandbox;
+
+#[rustfmt::skip]
+lazy_static! {
+ pub static ref IMAGE_SERVICE: Mutex> = Mutex::new(None);
+}
 // Convenience function to obtain the scope logger.
 fn sl() -> slog::Logger {
 slog_scope::logger().new(o!("subsystem" => "image"))
 }
-pub struct ImageService {
- sandbox: Arc>,
-}
+#[derive(Clone)]
+pub struct ImageService {}
 impl ImageService {
- pub fn new(sandbox: Arc>) -> Self {
- Self { sandbox }
+ pub fn new() -> Self {
+ Self {}
+ }
+
+ /// Get the singleton instance of image service.
+ pub async fn singleton() -> Result {
+ IMAGE_SERVICE
+ .lock()
+ .await
+ .clone()
+ .ok_or_else(|| anyhow!("image service is uninitialized"))
 }
 }
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 8bb7fa0423..7e7979b10c 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -380,7 +380,7 @@ async fn start_sandbox(
 sandbox.lock().await.sender = Some(tx);
 // vsock:///dev/vsock, port
- let mut server = rpc::start(sandbox.clone(), config.server_addr.as_str(), init_mode)?;
+ let mut server = rpc::start(sandbox.clone(), config.server_addr.as_str(), init_mode).await?;
 server.start().await?;
 rx.await?;
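Review bot: `ImageService::new()` now takes no arguments and returns `Self {}` without a `Default` impl, which clippy reports as `new_without_default`; `#[derive(Clone, Default)]` on the struct resolves it. The larger point is that `singleton()` returns a `clone()` of the value held in `IMAGE_SERVICE`, so once `ImageService` acquires state every caller will operate on its own copy rather than on the shared instance, and the `tokio::sync::Mutex` then only protects the `Option` slot, not the service; storing `Arc<ImageService>` in the static and returning `Arc<ImageService>` from `singleton()` keeps a single shared instance and turns the clone into a refcount bump. `sl()` remains unreferenced in this module after the change.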
diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index 56cff23edb..1d5558fecd 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -1584,7 +1584,11 @@ async fn read_stream(reader: &Mutex>, l: usize) -> Result>, server_address: &str, init_mode: bool) -> Result {
+pub async fn start(
+ s: Arc>,
+ server_address: &str,
+ init_mode: bool,
+) -> Result {
 let agent_service = Box::new(AgentService {
 sandbox: s,
 init_mode,
@@ -1594,6 +1598,9 @@ pub fn start(s: Arc>, server_address: &str, init_mode: bool) -> R
 let health_service = Box::new(HealthService {}) as Box;
 let hservice = health_ttrpc::create_health(Arc::new(health_service));
+ let image_service = image::ImageService::new();
+ *image::IMAGE_SERVICE.lock().await = Some(image_service.clone());
+
 let server = TtrpcServer::new()
 .bind(server_address)?
 .register_service(aservice)
From 9cddd5813c83539ebeef482c6437f47c97a3e338 Mon Sep 17 00:00:00 2001
From: ChengyuZhu6
Date: Wed, 22 Nov 2023 16:26:51 +0800
Subject: [PATCH 03/22] agent/image: Enable image-rs crate to pull image inside guest
With image-rs pull_image API, the downloaded container image layers will store at IMAGE_RS_WORK_DIR, and generated bundle dir with rootfs and config.json will be saved under CONTAINER_BASE/cid directory.
Signed-off-by: ChengyuZhu6
Co-authored-by: Arron Wang
Co-authored-by: Jiang Liu
Co-authored-by: stevenhorsman
Co-authored-by: wllenyj
---
 src/agent/Cargo.lock | 2269 +++++++++++++++++++++++++++++++++++++---
 src/agent/Cargo.toml | 7 +-
 src/agent/src/image.rs | 76 +-
 3 files changed, 2208 insertions(+), 144 deletions(-)
diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
index e7d9801d31..a1d4543d1d 100644
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
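Review bot: The `image_service.clone()` in the second rpc.rs hunk is redundant, since the local is never used again and the value can be moved straight into the static: `*image::IMAGE_SERVICE.lock().await = Some(image::ImageService::new());`. The assignment also happens before `TtrpcServer::new().bind(server_address)?`, so a failed bind leaves `IMAGE_SERVICE` populated by a `start` call that never produced a server, and a second call to `start` silently overwrites whatever an earlier call installed; if `start` is meant to run exactly once, checking that the slot is still `None` before writing (or moving to a once-initialized cell) would make that assumption explicit instead of implicit. The body of `start` continues past the end of the hunk.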
@@ -2,12 +2,43 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "Inflector" +version = "0.11.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe438c63458706e03479442743baae6c88256498e6431708f6dfc520a26515d3" +dependencies = [ + "lazy_static", + "regex", +] + [[package]] name = "adler" version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +[[package]] +name = "aead" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0" +dependencies = [ + "crypto-common", + "generic-array", +] + +[[package]] +name = "aes" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" +dependencies = [ + "cfg-if 1.0.0", + "cipher", + "cpufeatures", +] + [[package]] name = "ahash" version = "0.7.7" @@ -28,6 +59,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "android-tzdata" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0" + [[package]] name = "android_system_properties" version = "0.1.5" @@ -85,6 +122,22 @@ dependencies = [ "futures-core", ] +[[package]] +name = "async-compression" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a116f46a969224200a0a97f29cfd4c50e7534e4b4826bd23ea2c3c533039c82c" +dependencies = [ + "flate2", + "futures-core", + "futures-io", + "memchr", + "pin-project-lite", + "tokio", + "zstd 0.13.0", + "zstd-safe 7.0.0", +] + [[package]] name = "async-executor" version = "1.5.1" @@ -125,7 +178,7 @@ dependencies = [ "log", "parking", "polling", - "rustix", + "rustix 0.37.3", "slab", "socket2", "waker-fn", 
@@ -153,7 +206,7 @@ dependencies = [ "cfg-if 1.0.0", "event-listener", "futures-lite", - "rustix", + "rustix 0.37.3", "signal-hook", "windows-sys 0.48.0", ] @@ -177,7 +230,7 @@ checksum = "5fd55a5ba1179988837d24ab4c7cc8ed6efdeff578ede0416b4225a5fca35bd0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] @@ -188,13 +241,13 @@ checksum = "7a40729d2133846d9ed0ea60a8b9541bccddab49cd30f0715a1da672fe9a2524" [[package]] name = "async-trait" -version = "0.1.69" +version = "0.1.77" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b2d0f03b3640e3a630367e40c468cb7f309529c708ed1d88597047b0e7c6ef7" +checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] 
@@ -226,6 +279,57 @@ version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cc17ab023b4091c10ff099f9deebaeeb59b5189df07e554c4fef042b70745d68" +[[package]] +name = "axum" +version = "0.6.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b829e4e32b91e643de6eafe82b1d90675f5874230191a4ffbc1b336dec4d6bf" +dependencies = [ + "async-trait", + "axum-core", + "bitflags 1.3.2", + "bytes 1.5.0", + "futures-util", + "http", + "http-body", + "hyper", + "itoa", + "matchit", + "memchr", + "mime", + "percent-encoding", + "pin-project-lite", + "rustversion", + "serde", + "sync_wrapper", + "tower", + "tower-layer", + "tower-service", +] + +[[package]] +name = "axum-core" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "759fa577a247914fd3f7f76d62972792636412fbfd634cd452f6a385a74d2d2c" +dependencies = [ + "async-trait", + "bytes 1.5.0", + "futures-util", + "http", + "http-body", + "mime", + "rustversion", + "tower-layer", + "tower-service", +] + +[[package]] +name = "base16ct" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" + [[package]] name = "base64" version = "0.13.0" 
@@ -234,9 +338,21 @@ checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" [[package]] name = "base64" -version = "0.21.2" +version = "0.21.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + +[[package]] +name = "base64" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51" + +[[package]] +name = "base64ct" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" [[package]] name = "bincode" @@ -247,6 +363,26 @@ dependencies = [ "serde", ] +[[package]] +name = "bindgen" +version = "0.63.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "36d860121800b2a9a94f9b5604b332d5cffb234ce17609ea479d723dbc9d3885" +dependencies = [ + "bitflags 1.3.2", + "cexpr", + "clang-sys", + "lazy_static", + "lazycell", + "peeking_take_while", + "proc-macro2", + "quote", + "regex", + "rustc-hash", + "shlex", + "syn 1.0.109", +] + [[package]] name = "bit-vec" version = "0.6.3" @@ -259,6 +395,12 @@ version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +[[package]] +name = "bitflags" +version = "2.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" + [[package]] name = "bitmask-enum" version = "2.1.0" 
@@ -290,6 +432,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "block-padding" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93" +dependencies = [ + "generic-array", +] + [[package]] name = "blocking" version = "1.3.1" @@ -312,7 +463,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4114279215a005bc675e386011e594e1d9b800918cea18fcadadcce864a2046b" dependencies = [ "borsh-derive", - "hashbrown", + "hashbrown 0.12.1", ] [[package]] @@ -423,7 +574,7 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "526c6a8746a7cfb052c15d20259c4f5c021966affdc7c960c71ca640f824c801" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cfg-if 1.0.0", "libc", ] @@ -440,14 +591,39 @@ dependencies = [ ] [[package]] -name = "cc" -version = "1.0.81" +name = "cbc" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" +checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6" dependencies = [ + "cipher", +] + +[[package]] +name = "cc" +version = "1.0.90" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5" +dependencies = [ + "jobserver", "libc", ] +[[package]] +name = "cesu8" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" + +[[package]] +name = "cexpr" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766" +dependencies = [ + "nom", +] + [[package]] name = "cfg-if" version = "0.1.10" 
@@ -475,17 +651,39 @@ dependencies = [ [[package]] name = "chrono" -version = "0.4.22" +version = "0.4.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1" +checksum = "8eaf5903dcbc0a39312feb77df2ff4c76387d591b9fc7b04a238dcf8bb62639a" dependencies = [ + "android-tzdata", "iana-time-zone", "js-sys", - "num-integer", "num-traits", - "time 0.1.44", + "serde", "wasm-bindgen", - "winapi", + "windows-targets 0.52.4", +] + +[[package]] +name = "cipher" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" +dependencies = [ + "crypto-common", + "inout", + "zeroize", +] + +[[package]] +name = "clang-sys" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67523a3b4be3ce1989d607a828d036249522dd9c1c8de7f4dd2dae43a37369d1" +dependencies = [ + "glob", + "libc", + "libloading", ] [[package]] @@ -495,10 +693,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9f1fe12880bae935d142c8702d500c63a4e8634b6c3c57ad72bf978fc7b6249a" dependencies = [ "atty", - "bitflags", + "bitflags 1.3.2", "clap_derive", "clap_lex", - "indexmap", + "indexmap 1.9.1", "once_cell", "strsim", "termcolor", @@ -511,7 +709,7 @@ version = "3.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed6db9e867166a43a53f7199b5e4d1f522a1e5bd626654be263c999ce59df39a" dependencies = [ - "heck 0.4.0", + "heck 0.4.1", "proc-macro-error", "proc-macro2", "quote", @@ -527,6 +725,16 @@ dependencies = [ "os_str_bytes", ] +[[package]] +name = "combine" +version = "4.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35ed6e9d84f0b51a7f52daf1c7d71dd136fd7a3f41a8462b8cdb8c78d920fad4" +dependencies = [ + "bytes 1.5.0", + "memchr", +] + [[package]] name = "common-path" version = "1.0.0" 
@@ -551,6 +759,12 @@ dependencies = [ "crossbeam-utils", ] +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + [[package]] name = "core-foundation" version = "0.9.3" @@ -650,6 +864,18 @@ dependencies = [ "cfg-if 1.0.0", ] +[[package]] +name = "crypto-bigint" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" +dependencies = [ + "generic-array", + "rand_core", + "subtle", + "zeroize", +] + [[package]] name = "crypto-common" version = "0.1.6" 
@@ -657,17 +883,71 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" dependencies = [ "generic-array", + "rand_core", "typenum", ] +[[package]] +name = "crypto_secretbox" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9d6cf87adf719ddf43a805e92c6870a531aedda35ff640442cbaf8674e141e1" +dependencies = [ + "aead", + "cipher", + "generic-array", + "poly1305", + "salsa20", + "subtle", + "zeroize", +] + +[[package]] +name = "curve25519-dalek" +version = "4.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a677b8922c94e01bdbb12126b0bc852f00447528dee1782229af9c720c3f348" +dependencies = [ + "cfg-if 1.0.0", + "cpufeatures", + "curve25519-dalek-derive", + "digest", + "fiat-crypto", + "platforms", + "rustc_version", + "subtle", + "zeroize", +] + +[[package]] +name = "curve25519-dalek-derive" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.52", +] + [[package]] name = "darling" version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7b750cb3417fd1b327431a470f388520309479ab0bf5e323505daf0290cd3850" dependencies = [ - "darling_core", - "darling_macro", + "darling_core 0.14.4", + "darling_macro 0.14.4", +] + +[[package]] +name = "darling" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "54e36fcd13ed84ffdfda6f5be89b31287cbb80c439841fe69e04841435464391" +dependencies = [ + "darling_core 0.20.8", + "darling_macro 0.20.8", ] [[package]] 
@@ -683,17 +963,72 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "darling_core" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c2cf1c23a687a1feeb728783b993c4e1ad83d99f351801977dd809b48d0a70f" +dependencies = [ + "fnv", + "ident_case", + "proc-macro2", + "quote", + "strsim", + "syn 2.0.52", +] + [[package]] name = "darling_macro" version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4aab4dbc9f7611d8b55048a3a16d2d010c2c8334e46304b40ac1cc14bf3b48e" dependencies = [ - "darling_core", + "darling_core 0.14.4", "quote", "syn 1.0.109", ] +[[package]] +name = "darling_macro" +version = "0.20.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a668eda54683121533a393014d8692171709ff57a7d61f187b6e782719f8933f" +dependencies = [ + "darling_core 0.20.8", + "quote", + "syn 2.0.52", +] + +[[package]] +name = "decoded-char" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5440d1dc8ea7cae44cda3c64568db29bfa2434aba51ae66a50c00488841a65a3" + +[[package]] +name = "der" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" +dependencies = [ + "const-oid", + "der_derive", + "flagset", + "pem-rfc7468", + "zeroize", +] + +[[package]] +name = "der_derive" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.52", +] + [[package]] name = "derivative" version = "2.2.0" 
@@ -716,6 +1051,37 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "derive_builder" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0350b5cb0331628a5916d6c5c0b72e97393b8b6b03b47a9284f4e7f5a405ffd7" +dependencies = [ + "derive_builder_macro", +] + +[[package]] +name = "derive_builder_core" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d48cda787f839151732d396ac69e3473923d54312c070ee21e9effcaa8ca0b1d" +dependencies = [ + "darling 0.20.8", + "proc-macro2", + "quote", + "syn 2.0.52", +] + +[[package]] +name = "derive_builder_macro" +version = "0.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "206868b8242f27cecce124c19fd88157fbd0dd334df2587f36417bafbc85097b" +dependencies = [ + "derive_builder_core", + "syn 2.0.52", +] + [[package]] name = "digest" version = "0.10.7" @@ -723,7 +1089,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", + "const-oid", "crypto-common", + "subtle", ] [[package]] 
@@ -747,12 +1115,72 @@ dependencies = [ "winapi", ] +[[package]] +name = "ecdsa" +version = "0.16.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" +dependencies = [ + "der", + "digest", + "elliptic-curve", + "rfc6979", + "signature", + "spki", +] + +[[package]] +name = "ed25519" +version = "2.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" +dependencies = [ + "pkcs8", + "signature", +] + +[[package]] +name = "ed25519-dalek" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871" +dependencies = [ + "curve25519-dalek", + "ed25519", + "rand_core", + "serde", + "sha2", + "subtle", + "zeroize", +] + [[package]] name = "either" version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" +[[package]] +name = "elliptic-curve" +version = "0.13.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" +dependencies = [ + "base16ct", + "crypto-bigint", + "digest", + "ff", + "generic-array", + "group", + "hkdf", + "pem-rfc7468", + "pkcs8", + "rand_core", + "sec1", + "subtle", + "zeroize", +] + [[package]] name = "encoding_rs" version = "0.8.32" @@ -780,9 +1208,15 @@ checksum = "5e9a1f9f7d83e59740248a6e14ecf93929ade55027844dfcea78beafccc15745" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] +[[package]] +name = "equivalent" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" + [[package]] name = "errno" version = "0.2.8" 
@@ -796,13 +1230,12 @@ dependencies = [ [[package]] name = "errno" -version = "0.3.3" +version = "0.3.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "136526188508e25c6fef639d7927dfb3e0e3084488bf202267829cf7fc23dbdd" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" dependencies = [ - "errno-dragonfly", "libc", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -841,12 +1274,52 @@ dependencies = [ "instant", ] +[[package]] +name = "ff" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449" +dependencies = [ + "rand_core", + "subtle", +] + +[[package]] +name = "fiat-crypto" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1676f435fc1dadde4d03e43f5d62b259e1ce5f40bd4ffb21db2b42ebe59c1382" + +[[package]] +name = "filetime" +version = "0.2.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ee447700ac8aa0b2f2bd7bc4462ad686ba06baa6727ac149a2d6277f0d240fd" +dependencies = [ + "cfg-if 1.0.0", + "libc", + "redox_syscall 0.4.1", + "windows-sys 0.52.0", +] + [[package]] name = "fixedbitset" version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37ab347416e802de484e4d03c7316c48f1ecb56574dfd4a46a80f173ce1de04d" +[[package]] +name = "fixedbitset" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" + +[[package]] +name = "flagset" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cdeb3aa5e95cf9aabc17f060cfa0ced7b83f042390760ca53bf09df9968acaa1" + [[package]] name = "flate2" version = "1.0.24" 
@@ -896,9 +1369,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c" [[package]] name = "futures" -version = "0.3.21" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f73fe65f54d1e12b726f517d3e2135ca3125a437b6d998caf1962961f7172d9e" +checksum = "645c6916888f6cb6350d2550b80fb63e734897a8498abe35cfb732b6487804b0" dependencies = [ "futures-channel", "futures-core", @@ -911,9 +1384,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2" +checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" dependencies = [ "futures-core", "futures-sink", @@ -921,15 +1394,15 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c" +checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" [[package]] name = "futures-executor" -version = "0.3.21" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9420b90cfa29e327d0429f19be13e7ddb68fa1cccb09d65e5706b8c7a749b8a6" +checksum = "a576fc72ae164fca6b9db127eaa9a9dda0d61316034f33a0a0d4eda41f02b01d" dependencies = [ "futures-core", "futures-task", @@ -938,9 +1411,9 @@ dependencies = [ [[package]] name = "futures-io" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fff74096e71ed47f8e023204cfd0aa1289cd54ae5430a9523be060cdb849964" +checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1" [[package]] name = "futures-lite" 
@@ -959,32 +1432,32 @@ dependencies = [ [[package]] name = "futures-macro" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72" +checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] name = "futures-sink" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e" +checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" [[package]] name = "futures-task" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76d3d132be6c0e6aa1534069c705a74a5997a356c0dc2f86a47765e5617c5b65" +checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" [[package]] name = "futures-util" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533" +checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" dependencies = [ "futures-channel", "futures-core", 
@@ -1006,17 +1479,30 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", + "zeroize", ] [[package]] name = "getrandom" -version = "0.2.7" +version = "0.2.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6" +checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5" dependencies = [ "cfg-if 1.0.0", "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", +] + +[[package]] +name = "getset" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e45727250e75cc04ff2846a66397da8ef2b3db8e40e0cef4df67950a07621eb9" +dependencies = [ + "proc-macro-error", + "proc-macro2", + "quote", + "syn 1.0.109", ] [[package]] @@ -1025,6 +1511,17 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" +[[package]] +name = "group" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" +dependencies = [ + "ff", + "rand_core", + "subtle", +] + [[package]] name = "h2" version = "0.3.20" @@ -1037,10 +1534,10 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap", + "indexmap 1.9.1", "slab", "tokio", - "tokio-util 0.7.8", + "tokio-util 0.7.10", "tracing", ] @@ -1053,6 +1550,12 @@ dependencies = [ "ahash", ] +[[package]] +name = "hashbrown" +version = "0.14.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" + [[package]] name = "heck" version = "0.3.3" 
@@ -1064,9 +1567,9 @@ dependencies = [ [[package]] name = "heck" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" @@ -1089,6 +1592,33 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "hkdf" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7" +dependencies = [ + "hmac", +] + +[[package]] +name = "hmac" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" +dependencies = [ + "digest", +] + +[[package]] +name = "home" +version = "0.5.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" +dependencies = [ + "windows-sys 0.52.0", +] + [[package]] name = "http" version = "0.2.9" @@ -1100,6 +1630,15 @@ dependencies = [ "itoa", ] +[[package]] +name = "http-auth" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "643c9bbf6a4ea8a656d6b4cd53d34f79e3f841ad5203c1a55fb7d761923bc255" +dependencies = [ + "memchr", +] + [[package]] name = "http-body" version = "0.4.5" 
@@ -1147,6 +1686,32 @@ dependencies = [ "want", ] +[[package]] +name = "hyper-rustls" +version = "0.24.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" +dependencies = [ + "futures-util", + "http", + "hyper", + "rustls", + "tokio", + "tokio-rustls", +] + +[[package]] +name = "hyper-timeout" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" +dependencies = [ + "hyper", + "pin-project-lite", + "tokio", + "tokio-io-timeout", +] + [[package]] name = "hyper-tls" version = "0.5.0" @@ -1190,6 +1755,43 @@ dependencies = [ "unicode-normalization", ] +[[package]] +name = "image-rs" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components?rev=ca6b438#ca6b43854ecfda2ab3e9c4fe4ef1fd95b5fa3c82" +dependencies = [ + "anyhow", + "async-compression", + "async-trait", + "base64 0.21.7", + "flate2", + "futures", + "futures-util", + "hex", + "libc", + "log", + "loopdev", + "nix 0.26.4", + "oci-distribution", + "oci-spec", + "ocicrypt-rs", + "prost 0.11.9", + "serde", + "serde_json", + "sha2", + "sigstore", + "strum", + "strum_macros", + "tar", + "tokio", + "tokio-util 0.7.10", + "tonic", + "tonic-build", + "url", + "walkdir", + "zstd 0.12.4", +] + [[package]] name = "indexmap" version = "1.9.1" @@ -1197,7 +1799,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e" dependencies = [ "autocfg", - "hashbrown", + "hashbrown 0.12.1", + "serde", +] + +[[package]] +name = "indexmap" +version = "2.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b0b929d511467233429c45a44ac1dcaa21ba0f5ba11e4879e6ed28ddb4f9df4" +dependencies = [ + "equivalent", + "hashbrown 0.14.3", + "serde", ] [[package]] 
@@ -1206,7 +1820,7 @@ version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8069d3ec154eb856955c1c0fbffefbf5f3c40a104ec912d4797314c1801abff" dependencies = [ - "bitflags", + "bitflags 1.3.2", "futures-core", "inotify-sys", "libc", @@ -1222,6 +1836,16 @@ dependencies = [ "libc", ] +[[package]] +name = "inout" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5" +dependencies = [ + "block-padding", + "generic-array", +] + [[package]] name = "instant" version = "0.1.12" @@ -1277,9 +1901,40 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.2" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" +checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" + +[[package]] +name = "jni" +version = "0.21.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97" +dependencies = [ + "cesu8", + "cfg-if 1.0.0", + "combine", + "jni-sys", + "log", + "thiserror", + "walkdir", + "windows-sys 0.45.0", +] + +[[package]] +name = "jni-sys" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" + +[[package]] +name = "jobserver" +version = "0.1.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6" +dependencies = [ + "libc", +] [[package]] name = "js-sys" 
@@ -1290,6 +1945,52 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "json-number" +version = "0.4.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c54d19ae7e6fc83aafa649707655a9a0ac956a0f62793bde4cfd193b0693fdf" +dependencies = [ + "lexical", + "ryu-js", + "serde", + "smallvec", +] + +[[package]] +name = "json-syntax" +version = "0.12.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d735e0c2c8d15ba9501487f7ab6d65c7249ef12b7f1218b4c4cad6e21950a877" +dependencies = [ + "decoded-char", + "hashbrown 0.12.1", + "indexmap 1.9.1", + "json-number", + "locspan", + "locspan-derive", + "ryu-js", + "serde", + "smallstr", + "smallvec", + "utf8-decode", +] + +[[package]] +name = "jwt" +version = "0.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6204285f77fe7d9784db3fdc449ecce1a0114927a51d5a41c4c7a292011c015f" +dependencies = [ + "base64 0.13.0", + "crypto-common", + "digest", + "hmac", + "serde", + "serde_json", + "sha2", +] + [[package]] name = "kata-agent" version = "0.1.0" @@ -1303,6 +2004,7 @@ dependencies = [ "clap", "futures", "http", + "image-rs", "ipnetwork", "kata-sys-util", "kata-types", @@ -1314,6 +2016,7 @@ dependencies = [ "netlink-sys", "nix 0.24.2", "oci", + "oci-distribution", "openssl", "opentelemetry", "procfs", @@ -1324,6 +2027,7 @@ dependencies = [ "reqwest", "rtnetlink", "rustjail", + "safe-path", "scan_fmt", "scopeguard", "serde", 
@@ -1403,6 +2107,88 @@ name = "lazy_static" version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +dependencies = [ + "spin 0.5.2", +] + +[[package]] +name = "lazycell" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" + +[[package]] +name = "lexical" +version = "6.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c7aefb36fd43fef7003334742cbf77b243fcd36418a1d1bdd480d613a67968f6" +dependencies = [ + "lexical-core", +] + +[[package]] +name = "lexical-core" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2cde5de06e8d4c2faabc400238f9ae1c74d5412d03a7bd067645ccbc47070e46" +dependencies = [ + "lexical-parse-float", + "lexical-parse-integer", + "lexical-util", + "lexical-write-float", + "lexical-write-integer", +] + +[[package]] +name = "lexical-parse-float" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683b3a5ebd0130b8fb52ba0bdc718cc56815b6a097e28ae5a6997d0ad17dc05f" +dependencies = [ + "lexical-parse-integer", + "lexical-util", + "static_assertions", +] + +[[package]] +name = "lexical-parse-integer" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d0994485ed0c312f6d965766754ea177d07f9c00c9b82a5ee62ed5b47945ee9" +dependencies = [ + "lexical-util", + "static_assertions", +] + +[[package]] +name = "lexical-util" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5255b9ff16ff898710eb9eb63cb39248ea8a5bb036bea8085b1a767ff6c4e3fc" +dependencies = [ + "static_assertions", +] + +[[package]] +name = "lexical-write-float" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"accabaa1c4581f05a3923d1b4cfd124c329352288b7b9da09e766b0668116862" +dependencies = [ + "lexical-util", + "lexical-write-integer", + "static_assertions", +] + +[[package]] +name = "lexical-write-integer" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e1b6f3d1f4422866b68192d62f77bc5c700bee84f3069f2469d7bc8c77852446" +dependencies = [ + "lexical-util", + "static_assertions", +] [[package]] name = "libc" @@ -1410,13 +2196,29 @@ version = "0.2.151" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" +[[package]] +name = "libloading" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" +dependencies = [ + "cfg-if 1.0.0", + "windows-targets 0.48.0", +] + +[[package]] +name = "libm" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" + [[package]] name = "libseccomp" version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "21c57fd8981a80019807b7b68118618d29a87177c63d704fc96e6ecd003ae5b3" dependencies = [ - "bitflags", + "bitflags 1.3.2", "libc", "libseccomp-sys", "pkg-config", @@ -1434,6 +2236,12 @@ version = "0.3.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ef53942eb7bf7ff43a617b3e2c1c4a5ecf5944a7c1bc12d7ee39bbb15e5c1519" +[[package]] +name = "linux-raw-sys" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" + [[package]] name = "lock_api" version = "0.4.7" 
@@ -1444,6 +2252,24 @@ dependencies = [ "scopeguard", ] +[[package]] +name = "locspan" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "33890449fcfac88e94352092944bf321f55e5deb4e289a6f51c87c55731200a0" + +[[package]] +name = "locspan-derive" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e88991223b049a3d29ca1f60c05639581336a0f3ee4bf8a659dddecc11c4961a" +dependencies = [ + "proc-macro-error", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "log" version = "0.4.17" @@ -1467,6 +2293,25 @@ dependencies = [ "slog-term", ] +[[package]] +name = "loopdev" +version = "0.5.0" +source = "git+https://github.com/mdaffin/loopdev?rev=c9f91e8f0326ce8a3364ac911e81eb32328a5f27#c9f91e8f0326ce8a3364ac911e81eb32328a5f27" +dependencies = [ + "bindgen", + "errno 0.2.8", + "libc", +] + +[[package]] +name = "malloc_buf" +version = "0.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62bb907fe88d54d8d9ce32a3cceab4218ed2f6b7d35617cafe9adf84e43919cb" +dependencies = [ + "libc", +] + [[package]] name = "matchers" version = "0.0.1" @@ -1482,6 +2327,12 @@ version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" +[[package]] +name = "matchit" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" + [[package]] name = "memchr" version = "2.5.0" 
@@ -1512,6 +2363,12 @@ version = "0.3.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" +[[package]] +name = "minimal-lexical" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" + [[package]] name = "miniz_oxide" version = "0.5.3" @@ -1529,7 +2386,7 @@ checksum = "57ee1c23c7c63b0c9250c339ffdc69255f110b298b901b9f6c82547b7b87caaf" dependencies = [ "libc", "log", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "windows-sys 0.36.1", ] @@ -1557,6 +2414,12 @@ dependencies = [ "tempfile", ] +[[package]] +name = "ndk-context" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b" + [[package]] name = "netlink-packet-core" version = "0.2.4" @@ -1576,7 +2439,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "76aed5d3b6e3929713bf1e1334a11fd65180b6d9f5d7c8572664c48b122604f8" dependencies = [ "anyhow", - "bitflags", + "bitflags 1.3.2", "byteorder", "libc", "netlink-packet-core", @@ -1628,7 +2491,7 @@ version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e4916f159ed8e5de0082076562152a76b7a1f64a01fd9d1e0fea002c37624faf" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cc", "cfg-if 1.0.0", "libc", @@ -1641,7 +2504,7 @@ version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9f866317acbd3a240710c63f065ffb1e4fd466259045ccb504130b7f668f35c6" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cc", "cfg-if 1.0.0", "libc", 
@@ -1654,7 +2517,7 @@ version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cfg-if 1.0.0", "libc", "memoffset 0.6.5", @@ -1667,7 +2530,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f346ff70e7dbfd675fe90590b92d59ef2de15a8779ae305ebcbfd3f0caf59be4" dependencies = [ "autocfg", - "bitflags", + "bitflags 1.3.2", "cfg-if 1.0.0", "libc", ] @@ -1678,13 +2541,23 @@ version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cfg-if 1.0.0", "libc", "memoffset 0.7.1", "pin-utils", ] +[[package]] +name = "nom" +version = "7.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a" +dependencies = [ + "memchr", + "minimal-lexical", +] + [[package]] name = "ntapi" version = "0.4.1" @@ -1694,6 +2567,23 @@ dependencies = [ "winapi", ] +[[package]] +name = "num-bigint-dig" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151" +dependencies = [ + "byteorder", + "lazy_static", + "libm", + "num-integer", + "num-iter", + "num-traits", + "rand", + "smallvec", + "zeroize", +] + [[package]] name = "num-integer" version = "0.1.45" @@ -1704,6 +2594,17 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-iter" +version = "0.1.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + [[package]] name = "num-traits" version = "0.2.15" 
@@ -1711,6 +2612,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" dependencies = [ "autocfg", + "libm", ] [[package]] @@ -1732,6 +2634,15 @@ dependencies = [ "libc", ] +[[package]] +name = "objc" +version = "0.2.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "915b1b472bc21c53464d6c8461c9d3af805ba1ef837e1cac254428f4a77177b1" +dependencies = [ + "malloc_buf", +] + [[package]] name = "oci" version = "0.1.0" 
@@ -1742,19 +2653,90 @@ dependencies = [ "serde_json", ] +[[package]] +name = "oci-distribution" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a635cabf7a6eb4e5f13e9e82bd9503b7c2461bf277132e38638a935ebd684b4" +dependencies = [ + "bytes 1.5.0", + "chrono", + "futures-util", + "http", + "http-auth", + "jwt", + "lazy_static", + "olpc-cjson", + "regex", + "reqwest", + "serde", + "serde_json", + "sha2", + "thiserror", + "tokio", + "tracing", + "unicase", +] + +[[package]] +name = "oci-spec" +version = "0.6.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e423c4f827362c0d8d8da4b1f571270f389ebde73bcd3240a3d23c6d6f61d0f0" +dependencies = [ + "derive_builder", + "getset", + "serde", + "serde_json", + "thiserror", +] + +[[package]] +name = "ocicrypt-rs" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components?rev=ca6b438#ca6b43854ecfda2ab3e9c4fe4ef1fd95b5fa3c82" +dependencies = [ + "anyhow", + "base64 0.21.7", + "cfg-if 1.0.0", + "lazy_static", + "prost 0.11.9", + "serde", + "serde_json", + "tokio", + "tonic", +] + +[[package]] +name = "olpc-cjson" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d637c9c15b639ccff597da8f4fa968300651ad2f1e968aefc3b4927a6fb2027a" +dependencies = [ + "serde", + "serde_json", + "unicode-normalization", +] + [[package]] name = "once_cell" version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1" +[[package]] +name = "opaque-debug" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" + [[package]] name = "openssl" version = "0.10.55" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = 
"345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" dependencies = [ - "bitflags", + "bitflags 1.3.2", "cfg-if 1.0.0", "foreign-types", "libc", @@ -1771,7 +2753,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] @@ -1838,6 +2820,30 @@ version = "6.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "21326818e99cfe6ce1e524c2a805c189a99b5ae555a35d19f9a284b427d86afa" +[[package]] +name = "p256" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + +[[package]] +name = "p384" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" +dependencies = [ + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2", +] + [[package]] name = "parking" version = "2.0.0" @@ -1874,7 +2880,7 @@ dependencies = [ "cfg-if 1.0.0", "instant", "libc", - "redox_syscall", + "redox_syscall 0.2.13", "smallvec", "winapi", ] @@ -1887,11 +2893,22 @@ checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929" dependencies = [ "cfg-if 1.0.0", "libc", - "redox_syscall", + "redox_syscall 0.2.13", "smallvec", "windows-sys 0.36.1", ] +[[package]] +name = "password-hash" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" +dependencies = [ + "base64ct", + "rand_core", + "subtle", +] + [[package]] name = "paste" version = "1.0.7" 
@@ -1917,6 +2934,41 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "pbkdf2" +version = "0.12.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" +dependencies = [ + "digest", + "hmac", +] + +[[package]] +name = "peeking_take_while" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099" + +[[package]] +name = "pem" +version = "3.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" +dependencies = [ + "base64 0.21.7", + "serde", +] + +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + [[package]] name = "percent-encoding" version = "2.1.0" 
@@ -1929,35 +2981,45 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "467d164a6de56270bd7c4d070df81d07beace25012d5103ced4e9ff08d6afdb7" dependencies = [ - "fixedbitset", - "indexmap", + "fixedbitset 0.2.0", + "indexmap 1.9.1", +] + +[[package]] +name = "petgraph" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" +dependencies = [ + "fixedbitset 0.4.2", + "indexmap 2.2.5", ] [[package]] name = "pin-project" -version = "1.0.10" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "58ad3879ad3baf4e44784bc6a718a8698867bb991f8ce24d1bcbe2cfb4c3a75e" +checksum = "b6bf43b791c5b9e34c3d182969b4abb522f9343702850a2e57f460d00d09b4b3" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.0.10" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "744b6f092ba29c3650faf274db506afd39944f48420f6c86b17cfe0ee1cb36bb" +checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.52", ] [[package]] name = "pin-project-lite" -version = "0.2.9" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" +checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" [[package]] name = "pin-utils" 
@@ -1965,12 +3027,56 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkcs1" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" +dependencies = [ + "der", + "pkcs8", + "spki", +] + +[[package]] +name = "pkcs5" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6" +dependencies = [ + "aes", + "cbc", + "der", + "pbkdf2", + "scrypt", + "sha2", + "spki", +] + +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "pkcs5", + "rand_core", + "spki", +] + [[package]] name = "pkg-config" version = "0.3.25" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae" +[[package]] +name = "platforms" +version = "3.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "626dec3cac7cc0e1577a2ec3fc496277ec2baa084bebad95bb6fdbfae235f84c" + [[package]] name = "polling" version = "2.4.0" 
@@ -1985,12 +3091,42 @@ dependencies = [ "winapi", ] +[[package]] +name = "poly1305" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf" +dependencies = [ + "cpufeatures", + "opaque-debug", + "universal-hash", +] + [[package]] name = "ppv-lite86" version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872" +[[package]] +name = "prettyplease" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c8646e95016a7a6c4adea95bafa8a16baab64b583356217f2c85db4a39d9a86" +dependencies = [ + "proc-macro2", + "syn 1.0.109", +] + +[[package]] +name = "primeorder" +version = "0.13.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" +dependencies = [ + "elliptic-curve", +] + [[package]] name = "proc-macro-crate" version = "0.1.5" @@ -2037,9 +3173,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.58" +version = "1.0.78" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa1fb82fc0c281dd9671101b66b771ebbe1eaf967b96ac8740dcba4b70005ca8" +checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" dependencies = [ "unicode-ident", ] @@ -2050,7 +3186,7 @@ version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0941606b9934e2d98a3677759a971756eb821f75764d0e0d26946d08e74d9104" dependencies = [ - "bitflags", + "bitflags 1.3.2", "byteorder", "chrono", "flate2", 
@@ -2083,7 +3219,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "de5e2533f59d08fcf364fd374ebda0692a70bd6d7e66ef97f306f45c6c5d8020" dependencies = [ "bytes 1.5.0", - "prost-derive", + "prost-derive 0.8.0", +] + +[[package]] +name = "prost" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b82eaa1d779e9a4bc1c3217db8ffbeabaae1dca241bf70183242128d48681cd" +dependencies = [ + "bytes 1.5.0", + "prost-derive 0.11.9", ] [[package]] @@ -2097,9 +3243,31 @@ dependencies = [ "itertools", "log", "multimap", - "petgraph", - "prost", - "prost-types", + "petgraph 0.5.1", + "prost 0.8.0", + "prost-types 0.8.0", + "tempfile", + "which", +] + +[[package]] +name = "prost-build" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "119533552c9a7ffacc21e099c24a0ac8bb19c2a2a3f363de84cd9b844feab270" +dependencies = [ + "bytes 1.5.0", + "heck 0.4.1", + "itertools", + "lazy_static", + "log", + "multimap", + "petgraph 0.6.4", + "prettyplease", + "prost 0.11.9", + "prost-types 0.11.9", + "regex", + "syn 1.0.109", "tempfile", "which", ] @@ -2117,6 +3285,19 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "prost-derive" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5d2d8d10f3c6ded6da8b05b5fb3b8a5082514344d56c9f871412d29b4e075b4" +dependencies = [ + "anyhow", + "itertools", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "prost-types" version = "0.8.0" 
@@ -2124,7 +3305,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "603bbd6394701d13f3f25aada59c7de9d35a6a5887cfc156181234a44002771b" dependencies = [ "bytes 1.5.0", - "prost", + "prost 0.8.0", +] + +[[package]] +name = "prost-types" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "213622a1460818959ac1181aaeb2dc9c7f63df720db7d788b3e24eacd1983e13" +dependencies = [ + "prost 0.11.9", ] [[package]] @@ -2175,7 +3365,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49" dependencies = [ "anyhow", - "indexmap", + "indexmap 1.9.1", "log", "protobuf 3.2.0", "protobuf-support", @@ -2228,9 +3418,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.27" +version = "1.0.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f4f29d145265ec1c483c7c654450edde0bfe043d3938d6972630663356d9500" +checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef" dependencies = [ "proc-macro2", ] @@ -2264,13 +3454,19 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.6.3" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" +checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ "getrandom", ] +[[package]] +name = "raw-window-handle" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2ff9a1f06a88b01621b7ae906ef0211290d1c8a168a15542486a8f61c0833b9" + [[package]] name = "rayon" version = "1.8.0" 
@@ -2297,7 +3493,16 @@ version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42" dependencies = [ - "bitflags", + "bitflags 1.3.2", +] + +[[package]] +name = "redox_syscall" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" +dependencies = [ + "bitflags 1.3.2", ] [[package]] @@ -2307,7 +3512,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b" dependencies = [ "getrandom", - "redox_syscall", + "redox_syscall 0.2.13", "thiserror", ] @@ -2379,7 +3584,7 @@ version = "0.11.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cde824a14b7c14f85caff81225f411faacc04a2013f41670f41443742b1c1c55" dependencies = [ - "base64 0.21.2", + "base64 0.21.7", "bytes 1.5.0", "encoding_rs", "futures-core", @@ -2388,6 +3593,7 @@ dependencies = [ "http", "http-body", "hyper", + "hyper-rustls", "hyper-tls", "ipnet", "js-sys", 
@@ -2397,19 +3603,50 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", + "rustls", + "rustls-pemfile", "serde", "serde_json", "serde_urlencoded", "tokio", "tokio-native-tls", + "tokio-rustls", + "tokio-util 0.7.10", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", + "wasm-streams", "web-sys", + "webpki-roots", "winreg", ] +[[package]] +name = "rfc6979" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" +dependencies = [ + "hmac", + "subtle", +] + +[[package]] +name = "ring" +version = "0.17.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d" +dependencies = [ + "cc", + "cfg-if 1.0.0", + "getrandom", + "libc", + "spin 0.9.8", + "untrusted", + "windows-sys 0.52.0", +] + [[package]] name = "rkyv" version = "0.7.42" @@ -2418,7 +3655,7 @@ checksum = "0200c8230b013893c0b2d6213d6ec64ed2b9be2e0e016682b7224ff82cff5c58" dependencies = [ "bitvec", "bytecheck", - "hashbrown", + "hashbrown 0.12.1", "ptr_meta", "rend", "rkyv_derive", @@ -2447,6 +3684,26 @@ dependencies = [ "libc", ] +[[package]] +name = "rsa" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc" +dependencies = [ + "const-oid", + "digest", + "num-bigint-dig", + "num-integer", + "num-traits", + "pkcs1", + "pkcs8", + "rand_core", + "signature", + "spki", + "subtle", + "zeroize", +] + [[package]] name = "rtnetlink" version = "0.8.1" 
@@ -2478,20 +3735,48 @@ dependencies = [ "serde_json", ] +[[package]] +name = "rustc-hash" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" + +[[package]] +name = "rustc_version" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +dependencies = [ + "semver", +] + [[package]] name = "rustix" version = "0.37.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62b24138615de35e32031d041a09032ef3487a616d901ca4db224e7d557efae2" dependencies = [ - "bitflags", - "errno 0.3.3", + "bitflags 1.3.2", + "errno 0.3.8", "io-lifetimes", "libc", - "linux-raw-sys", + "linux-raw-sys 0.3.8", "windows-sys 0.45.0", ] +[[package]] +name = "rustix" +version = "0.38.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72e572a5e8ca657d7366229cdde4bd14c4eb5499a9573d4d366fe1b599daa316" +dependencies = [ + "bitflags 2.4.2", + "errno 0.3.8", + "libc", + "linux-raw-sys 0.4.13", + "windows-sys 0.52.0", +] + [[package]] name = "rustjail" version = "0.1.0" 
@@ -2529,10 +3814,58 @@ dependencies = [ "test-utils", "tokio", "tokio-vsock 0.3.1", - "xattr", + "xattr 0.2.3", "zbus", ] +[[package]] +name = "rustls" +version = "0.21.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" +dependencies = [ + "log", + "ring", + "rustls-webpki 0.101.7", + "sct", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +dependencies = [ + "base64 0.21.7", +] + +[[package]] +name = "rustls-pki-types" +version = "1.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ede67b28608b4c60685c7d54122d4400d90f62b40caee7700e700380a390fa8" + +[[package]] +name = "rustls-webpki" +version = "0.101.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "rustls-webpki" +version = "0.102.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.12" @@ -2545,6 +3878,12 @@ version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695" +[[package]] +name = "ryu-js" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6518fc26bced4d53678a22d6e423e9d8716377def84545fe328236e3af070e7f" + [[package]] name = "safe-path" version = "0.1.0" 
@@ -2552,6 +3891,24 @@ dependencies = [ "libc", ] +[[package]] +name = "salsa20" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" +dependencies = [ + "cipher", +] + +[[package]] +name = "same-file" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" +dependencies = [ + "winapi-util", +] + [[package]] name = "scan_fmt" version = "0.2.6" 
@@ -2570,25 +3927,104 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "schemafy" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9725c16a64e85972fcb3630677be83fef699a1cd8e4bfbdcf3b3c6675f838a19" +dependencies = [ + "Inflector", + "schemafy_core", + "schemafy_lib", + "serde", + "serde_derive", + "serde_json", + "serde_repr", + "syn 1.0.109", +] + +[[package]] +name = "schemafy_core" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bec29dddcfe60f92f3c0d422707b8b56473983ef0481df8d5236ed3ab8fdf24" +dependencies = [ + "serde", + "serde_json", +] + +[[package]] +name = "schemafy_lib" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af3d87f1df246a9b7e2bfd1f4ee5f88e48b11ef9cfc62e63f0dead255b1a6f5f" +dependencies = [ + "Inflector", + "proc-macro2", + "quote", + "schemafy_core", + "serde", + "serde_derive", + "serde_json", + "syn 1.0.109", + "uriparse", +] + [[package]] name = "scopeguard" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "scrypt" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" +dependencies = [ + "password-hash", + "pbkdf2", + "salsa20", + "sha2", +] + +[[package]] +name = "sct" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "seahash" version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b" +[[package]] +name = "sec1" +version = "0.7.3" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" +dependencies = [ + "base16ct", + "der", + "generic-array", + "pkcs8", + "subtle", + "zeroize", +] + [[package]] name = "security-framework" version = "2.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" dependencies = [ - "bitflags", + "bitflags 1.3.2", "core-foundation", "core-foundation-sys", "libc", @@ -2605,6 +4041,12 @@ dependencies = [ "libc", ] +[[package]] +name = "semver" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92d43fe69e652f3df9bdc2b85b2854a0825b86e4fb76bc44d945137d053639ca" + [[package]] name = "serde" version = "1.0.164" @@ -2620,7 +4062,7 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6eb8ec7724e4e524b2492b510e66957fe1a2c76c26a6975ec80823f2439da685" dependencies = [ - "darling_core", + "darling_core 0.14.4", "serde-rename-rule", "syn 1.0.109", ] @@ -2631,7 +4073,7 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26416dc95fcd46b0e4b12a3758043a229a6914050aaec2e8191949753ed4e9aa" dependencies = [ - "darling", + "darling 0.14.4", "proc-macro2", "quote", "serde-attributes", @@ -2652,7 +4094,7 @@ checksum = "d9735b638ccc51c28bf6914d90a2e9725b377144fc612c49a611fddd1b631d68" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] @@ -2668,13 +4110,13 @@ dependencies = [ [[package]] name = "serde_repr" -version = "0.1.9" +version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fe39d9fbb0ebf5eb2c7cb7e2a47e4f462fad1379f1166b8ae49ad9eae89a7ca" +checksum = "0b2e6b945e9d3df726b65d6ee24060aff8e3533d431f677a9695db04eff9dfdb" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.52", ] [[package]] 
@@ -2689,6 +4131,36 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_with" +version = "3.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee80b0e361bbf88fd2f6e242ccd19cfda072cb0faa6ae694ecee08199938569a" +dependencies = [ + "base64 0.21.7", + "chrono", + "hex", + "indexmap 1.9.1", + "indexmap 2.2.5", + "serde", + "serde_derive", + "serde_json", + "serde_with_macros", + "time", +] + +[[package]] +name = "serde_with_macros" +version = "3.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6561dc161a9224638a31d876ccdfefbc1df91d3f3a8342eddb35f055d48c7655" +dependencies = [ + "darling 0.20.8", + "proc-macro2", + "quote", + "syn 2.0.52", +] + [[package]] name = "serial_test" version = "0.5.1" @@ -2713,9 +4185,20 @@ dependencies = [ [[package]] name = "sha1" -version = "0.10.5" +version = "0.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3" +checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" +dependencies = [ + "cfg-if 1.0.0", + "cpufeatures", + "digest", +] + +[[package]] +name = "sha2" +version = "0.10.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" dependencies = [ "cfg-if 1.0.0", "cpufeatures", @@ -2731,6 +4214,12 @@ dependencies = [ "lazy_static", ] +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "signal-hook" version = "0.3.17" 
@@ -2750,6 +4239,76 @@ dependencies = [ "libc", ] +[[package]] +name = "signature" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" +dependencies = [ + "digest", + "rand_core", +] + +[[package]] +name = "sigstore" +version = "0.8.0" +source = "git+https://github.com/sigstore/sigstore-rs.git?rev=d5ba303#d5ba303182318495a081d1c4ad50d5c27be015cc" +dependencies = [ + "async-trait", + "base64 0.22.0", + "cfg-if 1.0.0", + "chrono", + "const-oid", + "crypto_secretbox", + "digest", + "ecdsa", + "ed25519", + "ed25519-dalek", + "elliptic-curve", + "getrandom", + "hex", + "json-syntax", + "lazy_static", + "oci-distribution", + "olpc-cjson", + "p256", + "p384", + "pem", + "pkcs1", + "pkcs8", + "rand", + "rsa", + "rustls-webpki 0.102.2", + "scrypt", + "serde", + "serde_json", + "serde_repr", + "serde_with", + "sha2", + "signature", + "sigstore_protobuf_specs", + "thiserror", + "tokio", + "tokio-util 0.7.10", + "tracing", + "url", + "webbrowser", + "x509-cert", + "zeroize", +] + +[[package]] +name = "sigstore_protobuf_specs" +version = "0.1.0-rc.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c54c3284a3ed53bd585dfbbe80b81142ad35128d7cba817623c4e066a4a95a2b" +dependencies = [ + "schemafy", + "schemafy_core", + "serde", + "serde_json", +] + [[package]] name = "simdutf8" version = "0.1.4" @@ -2795,7 +4354,7 @@ dependencies = [ "serde", "serde_json", "slog", - "time 0.3.11", + "time", ] [[package]] 
@@ -2830,14 +4389,24 @@ dependencies = [ "slog", "term", "thread_local", - "time 0.3.11", + "time", +] + +[[package]] +name = "smallstr" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63b1aefdf380735ff8ded0b15f31aab05daf1f70216c01c02a12926badd1df9d" +dependencies = [ + "serde", + "smallvec", ] [[package]] name = "smallvec" -version = "1.8.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2dd574626839106c320a323308629dcb1acfc96e32a8cba364ddc61ac23ee83" +checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" [[package]] name = "socket2" @@ -2849,6 +4418,28 @@ dependencies = [ "winapi", ] +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + [[package]] name = "static_assertions" version = "1.1.0" 
@@ -2861,6 +4452,28 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "strum" +version = "0.25.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125" +dependencies = [ + "strum_macros", +] + +[[package]] +name = "strum_macros" +version = "0.25.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" +dependencies = [ + "heck 0.4.1", + "proc-macro2", + "quote", + "rustversion", + "syn 2.0.52", +] + [[package]] name = "subprocess" version = "0.2.9" @@ -2871,6 +4484,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "subtle" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" + [[package]] name = "syn" version = "1.0.109" @@ -2884,15 +4503,21 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.16" +version = "2.0.52" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a6f671d4b5ffdb8eadec19c0ae67fe2639df8684bd7bc4b83d986b8db549cf01" +checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07" dependencies = [ "proc-macro2", "quote", "unicode-ident", ] +[[package]] +name = "sync_wrapper" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" + [[package]] name = "sysinfo" version = "0.29.11" 
@@ -2920,6 +4545,17 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" +[[package]] +name = "tar" +version = "0.4.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b16afcea1f22891c49a00c751c7b63b2233284064f11a200fc624137c51e2ddb" +dependencies = [ + "filetime", + "libc", + "xattr 1.2.0", +] + [[package]] name = "tempfile" version = "3.3.0" @@ -2929,7 +4565,7 @@ dependencies = [ "cfg-if 1.0.0", "fastrand", "libc", - "redox_syscall", + "redox_syscall 0.2.13", "remove_dir_all", "winapi", ] @@ -2996,17 +4632,6 @@ dependencies = [ "once_cell", ] -[[package]] -name = "time" -version = "0.1.44" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" -dependencies = [ - "libc", - "wasi 0.10.0+wasi-snapshot-preview1", - "winapi", -] - [[package]] name = "time" version = "0.3.11" @@ -3016,6 +4641,7 @@ dependencies = [ "itoa", "libc", "num_threads", + "serde", "time-macros", ] @@ -3040,6 +4666,27 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tls_codec" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a" +dependencies = [ + "tls_codec_derive", + "zeroize", +] + +[[package]] +name = "tls_codec_derive" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.52", +] + [[package]] name = "tokio" version = "1.28.1" 
@@ -3059,6 +4706,16 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "tokio-io-timeout" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30b74022ada614a1b4834de765f9bb43877f910cc8ce4be40e89042c9223a8bf" +dependencies = [ + "pin-project-lite", + "tokio", +] + [[package]] name = "tokio-macros" version = "2.1.0" @@ -3067,7 +4724,7 @@ checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] @@ -3080,6 +4737,16 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-rustls" +version = "0.24.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" +dependencies = [ + "rustls", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.9" @@ -3107,9 +4774,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.8" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15" dependencies = [ "bytes 1.5.0", "futures-core", 
@@ -3154,6 +4821,73 @@ dependencies = [ "serde", ] +[[package]] +name = "tonic" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" +dependencies = [ + "async-trait", + "axum", + "base64 0.21.7", + "bytes 1.5.0", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "hyper", + "hyper-timeout", + "percent-encoding", + "pin-project", + "prost 0.11.9", + "tokio", + "tokio-stream", + "tower", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "tonic-build" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6fdaae4c2c638bb70fe42803a26fbd6fc6ac8c72f5c59f67ecc2a2dcabf4b07" +dependencies = [ + "prettyplease", + "proc-macro2", + "prost-build 0.11.9", + "quote", + "syn 1.0.109", +] + +[[package]] +name = "tower" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8fa9be0de6cf49e536ce1851f987bd21a43b771b09473c3549a6c853db37c1c" +dependencies = [ + "futures-core", + "futures-util", + "indexmap 1.9.1", + "pin-project", + "pin-project-lite", + "rand", + "slab", + "tokio", + "tokio-util 0.7.10", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "tower-layer" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c20c8dbed6283a09604c3e69b4b7eeb54e298b8a600d4d5ecb5ad39de609f1d0" + [[package]] name = "tower-service" version = "0.3.2" @@ -3167,6 +4901,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8" dependencies = [ "cfg-if 1.0.0", + "log", "pin-project-lite", "tracing-attributes", "tracing-core", 
@@ -3180,7 +4915,7 @@ checksum = "5f4f31f56159e98206da9efd823404b79b6ef3143b4a7ab76e67b1751b25a4ab" dependencies = [ "proc-macro2", "quote", - "syn 2.0.16", + "syn 2.0.52", ] [[package]] @@ -3295,9 +5030,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647" dependencies = [ "derive-new", - "prost", - "prost-build", - "prost-types", + "prost 0.8.0", + "prost-build 0.8.0", + "prost-types 0.8.0", "protobuf 2.27.1", "protobuf-codegen 2.27.1", "tempfile", @@ -3319,6 +5054,15 @@ dependencies = [ "winapi", ] +[[package]] +name = "unicase" +version = "2.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89" +dependencies = [ + "version_check", +] + [[package]] name = "unicode-bidi" version = "0.3.13" @@ -3346,6 +5090,32 @@ version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7e8820f5d777f6224dc4be3632222971ac30164d4a258d595640799554ebfd99" +[[package]] +name = "universal-hash" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea" +dependencies = [ + "crypto-common", + "subtle", +] + +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + +[[package]] +name = "uriparse" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0200d0fc04d809396c2ad43f3c95da3582a2556eba8d453c1087f4120ee352ff" +dependencies = [ + "fnv", + "lazy_static", +] + [[package]] name = "url" version = "2.3.0" 
@@ -3357,6 +5127,12 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "utf8-decode" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ca61eb27fa339aa08826a29f03e87b99b4d8f0fc2255306fd266bb1b6a9de498" + [[package]] name = "utf8-width" version = "0.1.7" @@ -3430,6 +5206,16 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca" +[[package]] +name = "walkdir" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" +dependencies = [ + "same-file", + "winapi-util", +] + [[package]] name = "want" version = "0.3.1" @@ -3439,12 +5225,6 @@ dependencies = [ "try-lock", ] -[[package]] -name = "wasi" -version = "0.10.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" - [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" @@ -3517,6 +5297,19 @@ version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" +[[package]] +name = "wasm-streams" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bbae3363c08332cadccd13b67db371814cd214c2524020932f0804b8cf7c078" +dependencies = [ + "futures-util", + "js-sys", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", +] + [[package]] name = "web-sys" version = "0.3.58" 
@@ -3527,6 +5320,42 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webbrowser" +version = "0.8.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1b04c569c83a9bb971dd47ec6fd48753315f4bf989b9b04a2e7ca4d7f0dc950" +dependencies = [ + "core-foundation", + "home", + "jni", + "log", + "ndk-context", + "objc", + "raw-window-handle", + "url", + "web-sys", +] + +[[package]] +name = "webpki" +version = "0.22.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "webpki-roots" +version = "0.22.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" +dependencies = [ + "webpki", +] + [[package]] name = "wepoll-ffi" version = "0.1.2" @@ -3609,6 +5438,15 @@ dependencies = [ "windows-targets 0.48.0", ] +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.4", +] + [[package]] name = "windows-targets" version = "0.42.2" @@ -3639,6 +5477,21 @@ dependencies = [ "windows_x86_64_msvc 0.48.0", ] +[[package]] +name = "windows-targets" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b" +dependencies = [ + "windows_aarch64_gnullvm 0.52.4", + "windows_aarch64_msvc 0.52.4", + "windows_i686_gnu 0.52.4", + "windows_i686_msvc 0.52.4", + "windows_x86_64_gnu 0.52.4", + "windows_x86_64_gnullvm 0.52.4", + "windows_x86_64_msvc 0.52.4", +] + [[package]] name = "windows_aarch64_gnullvm" version = "0.42.2" 
@@ -3651,6 +5504,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9" + [[package]] name = "windows_aarch64_msvc" version = "0.36.1" @@ -3669,6 +5528,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675" + [[package]] name = "windows_i686_gnu" version = "0.36.1" @@ -3687,6 +5552,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" +[[package]] +name = "windows_i686_gnu" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3" + [[package]] name = "windows_i686_msvc" version = "0.36.1" @@ -3705,6 +5576,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" +[[package]] +name = "windows_i686_msvc" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02" + [[package]] name = "windows_x86_64_gnu" version = "0.36.1" 
@@ -3723,6 +5600,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03" + [[package]] name = "windows_x86_64_gnullvm" version = "0.42.2" @@ -3735,6 +5618,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177" + [[package]] name = "windows_x86_64_msvc" version = "0.36.1" @@ -3753,6 +5642,12 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8" + [[package]] name = "winreg" version = "0.10.1" @@ -3771,6 +5666,20 @@ dependencies = [ "tap", ] +[[package]] +name = "x509-cert" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94" +dependencies = [ + "const-oid", + "der", + "sha1", + "signature", + "spki", + "tls_codec", +] + [[package]] name = "xattr" version = "0.2.3" 
@@ -3780,6 +5689,17 @@ dependencies = [ "libc", ] +[[package]] +name = "xattr" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "914566e6413e7fa959cc394fb30e563ba80f3541fbd40816d4c05a0fc3f2a0f1" +dependencies = [ + "libc", + "linux-raw-sys 0.4.13", + "rustix 0.38.28", +] + [[package]] name = "xdg-home" version = "1.0.0" 
@@ -3856,6 +5776,73 @@ dependencies = [ "zvariant", ] +[[package]] +name = "zeroize" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" +dependencies = [ + "zeroize_derive", +] + +[[package]] +name = "zeroize_derive" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.52", +] + +[[package]] +name = "zstd" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a27595e173641171fc74a1232b7b1c7a7cb6e18222c11e9dfb9888fa424c53c" +dependencies = [ + "zstd-safe 6.0.6", +] + +[[package]] +name = "zstd" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bffb3309596d527cfcba7dfc6ed6052f1d39dfbd7c867aa2e865e4a449c10110" +dependencies = [ + "zstd-safe 7.0.0", +] + +[[package]] +name = "zstd-safe" +version = "6.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee98ffd0b48ee95e6c5168188e44a54550b1564d9d530ee21d5f0eaed1069581" +dependencies = [ + "libc", + "zstd-sys", +] + +[[package]] +name = "zstd-safe" +version = "7.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43747c7422e2924c11144d5229878b98180ef8b06cca4ab5af37afc8a8d8ea3e" +dependencies = [ + "zstd-sys", +] + +[[package]] +name = "zstd-sys" +version = "2.0.9+zstd.1.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e16efa8a874a0481a574084d34cc26fdb3b99627480f785888deb6386506656" +dependencies = [ + "cc", + "pkg-config", +] + [[package]] name = "zvariant" version = "3.15.0" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index eb51ee1bd7..bea479a38c 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml 
@@ -21,13 +21,15 @@ scopeguard = "1.0.0"
 thiserror = "1.0.26"
 regex = "1.5.6"
 serial_test = "0.5.1"
+oci-distribution = "0.10.0"
 kata-sys-util = { path = "../libs/kata-sys-util" }
 kata-types = { path = "../libs/kata-types" }
+safe-path = { path = "../libs/safe-path" }
 
 # Async helpers
 async-trait = "0.1.42"
 async-recursion = "0.3.2"
-futures = "0.3.17"
+futures = "0.3.30"
 
 # Async runtime
 tokio = { version = "1.28.1", features = ["full"] }
@@ -73,6 +75,9 @@ reqwest = { version = "0.11.14", optional = true }
 # The "vendored" feature for openssl is required for musl build
 openssl = { version = "0.10.54", features = ["vendored"], optional = true }
 
+# Image pull/decrypt
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "ca6b438", default-features = true, optional = true }
+
 [dev-dependencies]
 tempfile = "3.1.0"
 test-utils = { path = "../libs/test-utils" }
diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs
index 66b9e195d4..6aa49ffe6b 100644
--- a/src/agent/src/image.rs
+++ b/src/agent/src/image.rs
@@ -5,9 +5,21 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use safe_path::scoped_join;
+use std::collections::HashMap;
+use std::env;
+use std::fs;
+use std::sync::Arc;
+use std::path::PathBuf;
+
 use anyhow::{anyhow, Result};
+use image_rs::image::ImageClient;
 use tokio::sync::Mutex;
 
+use crate::rpc::CONTAINER_BASE;
+
+const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/";
+
 #[rustfmt::skip]
 lazy_static! {
 pub static ref IMAGE_SERVICE: Mutex> = Mutex::new(None);
@@ -19,10 +31,19 @@ fn sl() -> slog::Logger {
 }
 
 #[derive(Clone)]
-pub struct ImageService {}
+pub struct ImageService {
+ image_client: Arc>,
+ images: Arc>>,
+}
+
 impl ImageService {
 pub fn new() -> Self {
- Self {}
+ Self {
+ image_client: Arc::new(Mutex::new(ImageClient::new(PathBuf::from(
+ KATA_IMAGE_WORK_DIR,
+ )))),
+ images: Arc::new(Mutex::new(HashMap::new())),
+ }
 }
 
 /// Get the singleton instance of image service.
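Review bot: `image-rs` is declared `optional = true` in Cargo.toml, yet the image.rs hunk imports `image_rs::image::ImageClient` unconditionally and `mod image` was added to main.rs without a cfg gate in the earlier commit, so a build that does not enable the feature carrying `image-rs` will fail to compile unless a gate exists outside these hunks; either drop `optional` or guard the module with `#[cfg(feature = "<feature-name>")]`. The git pin `rev = "ca6b438"` is an abbreviated hash; a full-length commit id is the robust supply-chain pin, since a short prefix can become ambiguous as the upstream repository grows and gives reviewers nothing to cross-check against. `use std::env;` is added in the same hunk but nothing in this commit's image.rs hunks uses it, so it will warn as unused until a later change relies on it. `default-features = true` is already Cargo's default and can be dropped.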
@@ -33,4 +54,55 @@ impl ImageService {
 .clone()
 .ok_or_else(|| anyhow!("image service is uninitialized"))
 }
+
+ async fn add_image(&self, image: String, cid: String) {
+ self.images.lock().await.insert(image, cid);
+ }
+
+ /// pull_image is used for call image-rs to pull image in the guest.
+ /// # Parameters
+ /// - `image`: Image name (exp: quay.io/prometheus/busybox:latest)
+ /// - `cid`: Container id
+ /// - `image_metadata`: Annotations about the image (exp: "containerd.io/snapshot/cri.layer-digest": "sha256:24fb2886d6f6c5d16481dd7608b47e78a8e92a13d6e64d87d57cb16d5f766d63")
+ /// # Returns
+ /// - The image rootfs bundle path. (exp. /run/kata-containers/cb0b47276ea66ee9f44cc53afa94d7980b57a52c3f306f68cb034e58d9fbd3c6/images/rootfs)
+ pub async fn pull_image(
+ &self,
+ image: &str,
+ cid: &str,
+ image_metadata: &HashMap,
+ ) -> Result {
+ info!(sl(), "image metadata: {image_metadata:?}");
+ let bundle_base_dir = scoped_join(CONTAINER_BASE, cid)?;
+ fs::create_dir_all(&bundle_base_dir)?;
+ let bundle_path = scoped_join(&bundle_base_dir, "images")?;
+ fs::create_dir_all(&bundle_path)?;
+ info!(sl(), "pull image {image:?}, bundle path {bundle_path:?}");
+
+ let res = self
+ .image_client
+ .lock()
+ .await
+ .pull_image(image, &bundle_path, &None, &None)
+ .await;
+ match res {
+ Ok(image) => {
+ info!(
+ sl(),
+ "pull and unpack image {image:?}, cid: {cid:?} succeeded."
+ );
+ }
+ Err(e) => {
+ error!(
+ sl(),
+ "pull and unpack image {image:?}, cid: {cid:?} failed with {:?}.",
+ e.to_string()
+ );
+ return Err(e);
+ }
+ };
+ self.add_image(String::from(image), String::from(cid)).await;
+ let image_bundle_path = scoped_join(&bundle_path, "rootfs")?;
+ Ok(image_bundle_path.as_path().display().to_string())
+ }
 }
From cec19161965553d70114998130de590054f63d3a Mon Sep 17 00:00:00 2001
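Review bot: `fs::create_dir_all` on `bundle_base_dir` and `bundle_path` is blocking std I/O inside an `async fn`, which stalls the tokio worker that runs it; `tokio::fs::create_dir_all(&bundle_base_dir).await?;` (and the same for `bundle_path`) keeps the runtime responsive. The `image_client` mutex guard is held across the entire `.pull_image(...).await`, so every concurrent container start is serialized behind a single network pull and a stalled registry blocks them all; if `ImageClient` does not actually need exclusive access for the pull, narrow the critical section, otherwise document the serialization as intended. `add_image` keys `images` by image name, so two containers started from the same image leave only the last `cid` in the map — worth confirming against however the map is consumed, which is not visible here. On the `Err` path the bundle directories just created for the failed `cid` are left behind under `CONTAINER_BASE`; either remove them or note that the caller is responsible for cleanup.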
From: ChengyuZhu6 Date: Wed, 22 Nov 2023 17:13:25 +0800 Subject: [PATCH 04/22] agent: Support https_proxy/no_proxy config for image download in guest Containerd can support set a proxy when downloading images with a environment variable. For CC stack, image download is offload to the kata agent, we need support similar feature. Current we add https_proxy and no_proxy, http_proxy is not added since it is insecure. Signed-off-by: ChengyuZhu6 Co-authored-by: Arron Wang --- src/agent/Cargo.lock | 25 ++++++++------------- src/agent/Cargo.toml | 1 + src/agent/src/config.rs | 48 +++++++++++++++++++++++++++++++++++++++++ src/agent/src/image.rs | 19 ++++++++++++++++ 4 files changed, 77 insertions(+), 16 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index a1d4543d1d..6ed81e7215 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -1353,11 +1353,10 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "form_urlencoded" -version = "1.0.1" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" +checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" dependencies = [ - "matches", "percent-encoding", ] @@ -1746,11 +1745,10 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39" [[package]] name = "idna" -version = "0.2.3" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" +checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" dependencies = [ - "matches", "unicode-bidi", "unicode-normalization", ] @@ -2047,6 +2045,7 @@ dependencies = [ "tracing-opentelemetry", "tracing-subscriber", "ttrpc", + "url", "vsock-exporter", "which", ] 
@@ -2321,12 +2320,6 @@ dependencies = [ "regex-automata 0.1.10", ] -[[package]] -name = "matches" -version = "0.1.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" - [[package]] name = "matchit" version = "0.7.3" @@ -2971,9 +2964,9 @@ dependencies = [ [[package]] name = "percent-encoding" -version = "2.1.0" +version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e" +checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "petgraph" @@ -5118,9 +5111,9 @@ dependencies = [ [[package]] name = "url" -version = "2.3.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22fe195a4f217c25b25cb5058ced57059824a678474874038dc88d211bf508d3" +checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633" dependencies = [ "form_urlencoded", "idna", diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index bea479a38c..1919730d52 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -22,6 +22,7 @@ thiserror = "1.0.26" regex = "1.5.6" serial_test = "0.5.1" oci-distribution = "0.10.0" +url = "2.5.0" kata-sys-util = { path = "../libs/kata-sys-util" } kata-types = { path = "../libs/kata-types" } safe-path = { path = "../libs/safe-path" } diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs index abb8be0241..e27d6fb2b6 100644 --- a/src/agent/src/config.rs +++ b/src/agent/src/config.rs @@ -10,6 +10,7 @@ use std::fs; use std::str::FromStr; use std::time; use tracing::instrument; +use url::Url; use kata_types::config::default::DEFAULT_AGENT_VSOCK_PORT; 
@@ -26,6 +27,11 @@ const CONTAINER_PIPE_SIZE_OPTION: &str = "agent.container_pipe_size"; const UNIFIED_CGROUP_HIERARCHY_OPTION: &str = "agent.unified_cgroup_hierarchy"; const CONFIG_FILE: &str = "agent.config_file"; +// Configure the proxy settings for HTTPS requests in the guest, +// to solve the problem of not being able to access the specified image in some cases. +const HTTPS_PROXY: &str = "agent.https_proxy"; +const NO_PROXY: &str = "agent.no_proxy"; + const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info; const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3); const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0; @@ -66,6 +72,8 @@ pub struct AgentConfig { pub unified_cgroup_hierarchy: bool, pub tracing: bool, pub supports_seccomp: bool, + pub https_proxy: String, + pub no_proxy: String, } #[derive(Debug, Deserialize)] @@ -81,6 +89,8 @@ pub struct AgentConfigBuilder { pub passfd_listener_port: Option, pub unified_cgroup_hierarchy: Option, pub tracing: Option, + pub https_proxy: Option, + pub no_proxy: Option, } macro_rules! config_override { @@ -142,6 +152,8 @@ impl Default for AgentConfig { unified_cgroup_hierarchy: false, tracing: false, supports_seccomp: rpc::have_seccomp(), + https_proxy: String::from(""), + no_proxy: String::from(""), } } } @@ -171,6 +183,8 @@ impl FromStr for AgentConfig { config_override!(agent_config_builder, agent_config, passfd_listener_port); config_override!(agent_config_builder, agent_config, unified_cgroup_hierarchy); config_override!(agent_config_builder, agent_config, tracing); + config_override!(agent_config_builder, agent_config, https_proxy); + config_override!(agent_config_builder, agent_config, no_proxy); Ok(agent_config) } 
@@ -270,6 +284,8 @@ impl AgentConfig { config.unified_cgroup_hierarchy, get_bool_value ); + parse_cmdline_param!(param, HTTPS_PROXY, config.https_proxy, get_url_value); + parse_cmdline_param!(param, NO_PROXY, config.no_proxy, get_string_value); } if let Ok(addr) = env::var(SERVER_ADDR_ENV_VAR) { @@ -417,6 +433,12 @@ fn get_container_pipe_size(param: &str) -> Result { Ok(value) } +#[instrument] +fn get_url_value(param: &str) -> Result { + let value = get_string_value(param)?; + Ok(Url::parse(&value)?.to_string()) +} + #[cfg(test)] mod tests { use test_utils::assert_result; @@ -453,6 +475,8 @@ mod tests { server_addr: &'a str, unified_cgroup_hierarchy: bool, tracing: bool, + https_proxy: &'a str, + no_proxy: &'a str, } impl Default for TestData<'_> { @@ -468,6 +492,8 @@ mod tests { server_addr: TEST_SERVER_ADDR, unified_cgroup_hierarchy: false, tracing: false, + https_proxy: "", + no_proxy: "", } } } @@ -837,6 +863,26 @@ mod tests { tracing: true, ..Default::default() }, + TestData { + contents: "agent.https_proxy=http://proxy.url.com:81/", + https_proxy: "http://proxy.url.com:81/", + ..Default::default() + }, + TestData { + contents: "agent.https_proxy=http://192.168.1.100:81/", + https_proxy: "http://192.168.1.100:81/", + ..Default::default() + }, + TestData { + contents: "agent.no_proxy=*.internal.url.com", + no_proxy: "*.internal.url.com", + ..Default::default() + }, + TestData { + contents: "agent.no_proxy=192.168.1.0/24,172.16.0.0/12", + no_proxy: "192.168.1.0/24,172.16.0.0/12", + ..Default::default() + }, ]; let dir = tempdir().expect("failed to create tmpdir"); @@ -884,6 +930,8 @@ mod tests { assert_eq!(d.container_pipe_size, config.container_pipe_size, "{}", msg); assert_eq!(d.server_addr, config.server_addr, "{}", msg); assert_eq!(d.tracing, config.tracing, "{}", msg); + assert_eq!(d.https_proxy, config.https_proxy, "{}", msg); + assert_eq!(d.no_proxy, config.no_proxy, "{}", msg); for v in vars_to_unset { env::remove_var(v); 
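Review bot: `get_url_value` accepts anything `Url::parse` accepts, so `agent.https_proxy` will carry a `file:`, `ftp:` or unknown scheme and only fail later inside the HTTP client with a less specific error. Restricting it to schemes a proxy setting can meaningfully take, e.g. `let url = Url::parse(&value)?; anyhow::ensure!(matches!(url.scheme(), "http" | "https" | "socks5"), "unsupported proxy scheme {}", url.scheme()); Ok(url.to_string())`, gives a clear failure at parse time. The tests pin `http://proxy.url.com:81/` as a valid `HTTPS_PROXY`: the hop to the proxy is plaintext even though the registry TLS session is end-to-end through the tunnel, which is worth stating in the comment above `HTTPS_PROXY` since the commit message describes `http_proxy` as omitted for being insecure. `no_proxy` goes through `get_string_value` with no validation, which is reasonable given its free-form syntax.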
diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs index 6aa49ffe6b..9dd78df8e9 100644 --- a/src/agent/src/image.rs +++ b/src/agent/src/image.rs @@ -17,6 +17,7 @@ use image_rs::image::ImageClient; use tokio::sync::Mutex; use crate::rpc::CONTAINER_BASE; +use crate::AGENT_CONFIG; const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; @@ -59,6 +60,22 @@ impl ImageService { self.images.lock().await.insert(image, cid); } + /// Set proxy environment from AGENT_CONFIG + fn set_proxy_env_vars() { + if env::var("HTTPS_PROXY").is_err() { + let https_proxy = &AGENT_CONFIG.https_proxy; + if !https_proxy.is_empty() { + env::set_var("HTTPS_PROXY", https_proxy); + } + } + if env::var("NO_PROXY").is_err() { + let no_proxy = &AGENT_CONFIG.no_proxy; + if !no_proxy.is_empty() { + env::set_var("NO_PROXY", no_proxy); + } + } + } + /// pull_image is used for call image-rs to pull image in the guest. /// # Parameters /// - `image`: Image name (exp: quay.io/prometheus/busybox:latest) @@ -73,6 +90,8 @@ impl ImageService { image_metadata: &HashMap, ) -> Result { info!(sl(), "image metadata: {image_metadata:?}"); + Self::set_proxy_env_vars(); + let bundle_base_dir = scoped_join(CONTAINER_BASE, cid)?; fs::create_dir_all(&bundle_base_dir)?; let bundle_path = scoped_join(&bundle_base_dir, "images")?; From 462051b067a2c702bbd551ba45f05c54c8103c1f Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Wed, 22 Nov 2023 18:16:06 +0800 Subject: [PATCH 05/22] agent/image: merge container spec for images pulled inside guest When being passed an image name through a container annotation, merge its corresponding bundle OCI specification and process into the passed container creation one. 
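Review bot: `set_proxy_env_vars` calls `env::set_var` from inside the async `pull_image`, i.e. on a multi-threaded runtime where other tasks may be reading the environment concurrently; modifying the process environment while another thread calls `getenv` is a data race at the libc level, which is why Rust is making `set_var` `unsafe`. Since `AGENT_CONFIG` is already parsed at startup, the safer shape is to export these variables once in `main` before the runtime spawns worker threads, or better, pass the proxy settings to the image-rs client explicitly rather than through the environment. The `is_err()` guard also means an `HTTPS_PROXY` already present in the agent's environment silently wins over the kernel-command-line value; a `debug!` line naming which source was used would help when a configured proxy is not in effect. The setting is process-wide, so any other HTTPS client in the agent (for instance the reqwest-based `agent-policy` feature) inherits it, which deserves a sentence in the doc comment.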
Signed-off-by: ChengyuZhu6 Co-authored-by: Arron Wang Co-authored-by: Jiang Liu Co-authored-by: stevenhorsman Co-authored-by: wllenyj Co-authored-by: jordan9500 --- src/agent/Cargo.lock | 158 +++++++++++++++++++++++++++++++++++++++-- src/agent/Cargo.toml | 2 + src/agent/src/image.rs | 144 ++++++++++++++++++++++++++++++++++++- src/agent/src/rpc.rs | 5 ++ 4 files changed, 303 insertions(+), 6 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 6ed81e7215..03a3ea2d72 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -101,6 +101,16 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" +[[package]] +name = "async-attributes" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a3203e79f4dd9bdda415ed03cf14dae5a2bf775c683a00f94e9cd1faf0f596e5" +dependencies = [ + "quote", + "syn 1.0.109", +] + [[package]] name = "async-broadcast" version = "0.5.1" @@ -164,6 +174,21 @@ dependencies = [ "futures-lite", ] +[[package]] +name = "async-global-executor" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1b6f5d7df27bd294849f8eec66ecfc63d11814df7a4f5d74168a2394467b776" +dependencies = [ + "async-channel", + "async-executor", + "async-io", + "async-lock", + "blocking", + "futures-lite", + "once_cell", +] + [[package]] name = "async-io" version = "1.13.0" 
@@ -233,6 +258,33 @@ dependencies = [ "syn 2.0.52", ] +[[package]] +name = "async-std" +version = "1.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62565bb4402e926b29953c785397c6dc0391b7b446e45008b0049eb43cec6f5d" +dependencies = [ + "async-attributes", + "async-channel", + "async-global-executor", + "async-io", + "async-lock", + "crossbeam-utils", + "futures-channel", + "futures-core", + "futures-io", + "futures-lite", + "gloo-timers", + "kv-log-macro", + "log", + "memchr", + "once_cell", + "pin-project-lite", + "pin-utils", + "slab", + "wasm-bindgen-futures", +] + [[package]] name = "async-task" version = "4.3.0" @@ -902,6 +954,16 @@ dependencies = [ "zeroize", ] +[[package]] +name = "ctor" +version = "0.1.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d2301688392eb071b0bf1a37be05c469d3cc4dbbd95df672fe28ab021e6a096" +dependencies = [ + "quote", + "syn 1.0.109", +] + [[package]] name = "curve25519-dalek" version = "4.1.2" @@ -1452,6 +1514,12 @@ version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" +[[package]] +name = "futures-timer" +version = "3.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e64b03909df88034c26dc1547e8970b91f98bdb65165d6a4e9110d94263dbb2c" + [[package]] name = "futures-util" version = "0.3.30" 
@@ -1506,9 +1574,34 @@ dependencies = [ [[package]] name = "glob" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" +checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" + +[[package]] +name = "globset" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "759c97c1e17c55525b57192c06a267cda0ac5210b222d6b82189a2338fa1c13d" +dependencies = [ + "aho-corasick", + "bstr", + "fnv", + "log", + "regex", +] + +[[package]] +name = "gloo-timers" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b995a66bb87bebce9a0f4a95aed01daca4872c050bfcb21653361c03bc35e5c" +dependencies = [ + "futures-channel", + "futures-core", + "js-sys", + "wasm-bindgen", +] [[package]] name = "group" @@ -1995,6 +2088,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-recursion 0.3.2", + "async-std", "async-trait", "capctl", "cfg-if 1.0.0", @@ -2023,6 +2117,7 @@ dependencies = [ "protocols", "regex", "reqwest", + "rstest", "rtnetlink", "rustjail", "safe-path", @@ -2101,6 +2196,15 @@ dependencies = [ "toml", ] +[[package]] +name = "kv-log-macro" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f" +dependencies = [ + "log", +] + [[package]] name = "lazy_static" version = "1.4.0" @@ -2276,6 +2380,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" dependencies = [ "cfg-if 1.0.0", + "value-bag", ] [[package]] 
@@ -3553,6 +3658,12 @@ version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da" +[[package]] +name = "relative-path" +version = "1.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e898588f33fdd5b9420719948f9f2a32c922a246964576f71ba7f24f80610fbc" + [[package]] name = "remove_dir_all" version = "0.5.3" @@ -3697,6 +3808,35 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rstest" +version = "0.18.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97eeab2f3c0a199bc4be135c36c924b6590b88c377d416494288c14f2db30199" +dependencies = [ + "futures", + "futures-timer", + "rstest_macros", + "rustc_version", +] + +[[package]] +name = "rstest_macros" +version = "0.18.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d428f8247852f894ee1be110b375111b586d4fa431f6c46e64ba5a0dcccbe605" +dependencies = [ + "cfg-if 1.0.0", + "glob", + "proc-macro2", + "quote", + "regex", + "relative-path", + "rustc_version", + "syn 2.0.50", + "unicode-ident", +] + [[package]] name = "rtnetlink" version = "0.8.1" @@ -5064,9 +5204,9 @@ checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" [[package]] name = "unicode-ident" -version = "1.0.1" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-normalization" 
@@ -5144,6 +5284,16 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +[[package]] +name = "value-bag" +version = "1.0.0-alpha.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2209b78d1249f7e6f3293657c9779fe31ced465df091bbd433a1cf88e916ec55" +dependencies = [ + "ctor", + "version_check", +] + [[package]] name = "vcpkg" version = "0.2.15" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 1919730d52..3ee6ea8142 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -83,6 +83,8 @@ image-rs = { git = "https://github.com/confidential-containers/guest-components" tempfile = "3.1.0" test-utils = { path = "../libs/test-utils" } which = "4.3.0" +rstest = "0.18.0" +async-std = { version = "1.12.0", features = ["attributes"] } [workspace] members = [ diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs index 9dd78df8e9..3ad89fa6a4 100644 --- a/src/agent/src/image.rs +++ b/src/agent/src/image.rs @@ -12,14 +12,17 @@ use std::fs; use std::sync::Arc; use std::path::PathBuf; -use anyhow::{anyhow, Result}; +use anyhow::{anyhow, Context, Result}; use image_rs::image::ImageClient; use tokio::sync::Mutex; use crate::rpc::CONTAINER_BASE; use crate::AGENT_CONFIG; +// A marker to merge container spec for images pulled inside guest. +const ANNO_K8S_IMAGE_NAME: &str = "io.kubernetes.cri.image-name"; const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; +const CONFIG_JSON: &str = "config.json"; #[rustfmt::skip] lazy_static! { @@ -91,7 +94,7 @@ impl ImageService { ) -> Result { info!(sl(), "image metadata: {image_metadata:?}"); Self::set_proxy_env_vars(); - + let bundle_base_dir = scoped_join(CONTAINER_BASE, cid)?; fs::create_dir_all(&bundle_base_dir)?; let bundle_path = scoped_join(&bundle_base_dir, "images")?; 
@@ -124,4 +127,141 @@ impl ImageService { let image_bundle_path = scoped_join(&bundle_path, "rootfs")?; Ok(image_bundle_path.as_path().display().to_string()) } + + /// When being passed an image name through a container annotation, merge its + /// corresponding bundle OCI specification into the passed container creation one. + pub async fn merge_bundle_oci(&self, container_oci: &mut oci::Spec) -> Result<()> { + if let Some(image_name) = container_oci.annotations.get(ANNO_K8S_IMAGE_NAME) { + let images = self.images.lock().await; + if let Some(container_id) = images.get(image_name) { + let image_oci_config_path = Path::new(CONTAINER_BASE) + .join(container_id) + .join(CONFIG_JSON); + debug!( + sl(), + "Image bundle config path: {:?}", image_oci_config_path + ); + + let image_oci = + oci::Spec::load(image_oci_config_path.to_str().ok_or_else(|| { + anyhow!( + "Invalid container image OCI config path {:?}", + image_oci_config_path + ) + })?) + .context("load image bundle")?; + + if let (Some(container_root), Some(image_root)) = + (container_oci.root.as_mut(), image_oci.root.as_ref()) + { + let root_path = Path::new(CONTAINER_BASE) + .join(container_id) + .join(image_root.path.clone()); + container_root.path = String::from(root_path.to_str().ok_or_else(|| { + anyhow!("Invalid container image root path {:?}", root_path) + })?); + } + + if let (Some(container_process), Some(image_process)) = + (container_oci.process.as_mut(), image_oci.process.as_ref()) + { + self.merge_oci_process(container_process, image_process); + } + } + } + + Ok(()) + } + + /// Partially merge an OCI process specification into another one. 
+ fn merge_oci_process(&self, target: &mut oci::Process, source: &oci::Process) { + // Override the target args only when the target args is empty and source.args is not empty + if target.args.is_empty() && !source.args.is_empty() { + target.args.append(&mut source.args.clone()); + } + + // Override the target cwd only when the target cwd is blank and source.cwd is not blank + if target.cwd == "/" && source.cwd != "/" { + target.cwd = String::from(&source.cwd); + } + + for source_env in &source.env { + if let Some((variable_name, variable_value)) = source_env.split_once('=') { + debug!( + sl(), + "source spec environment variable: {variable_name:?} : {variable_value:?}" + ); + if !target.env.iter().any(|i| i.contains(variable_name)) { + target.env.push(source_env.to_string()); + } + } + } + } +} +#[cfg(test)] +mod tests { + use super::ImageService; + use rstest::rstest; + + #[rstest] + // TODO - how can we tell the user didn't specifically set it to `/` vs not setting at all? Is that scenario valid? 
+ #[case::image_cwd_should_override_blank_container_cwd("/", "/imageDir", "/imageDir")] + #[case::container_cwd_should_override_image_cwd("/containerDir", "/imageDir", "/containerDir")] + #[case::container_cwd_should_override_blank_image_cwd("/containerDir", "/", "/containerDir")] + async fn test_merge_cwd( + #[case] container_process_cwd: &str, + #[case] image_process_cwd: &str, + #[case] expected: &str, + ) { + let image_service = ImageService::new(); + let mut container_process = oci::Process { + cwd: container_process_cwd.to_string(), + ..Default::default() + }; + let image_process = oci::Process { + cwd: image_process_cwd.to_string(), + ..Default::default() + }; + image_service.merge_oci_process(&mut container_process, &image_process); + assert_eq!(expected, container_process.cwd); + } + + #[rstest] + #[case::pods_environment_overrides_images( + vec!["ISPRODUCTION=true".to_string()], + vec!["ISPRODUCTION=false".to_string()], + vec!["ISPRODUCTION=true".to_string()] + )] + #[case::multiple_environment_variables_can_be_overrided( + vec!["ISPRODUCTION=true".to_string(), "ISDEVELOPMENT=false".to_string()], + vec!["ISPRODUCTION=false".to_string(), "ISDEVELOPMENT=true".to_string()], + vec!["ISPRODUCTION=true".to_string(), "ISDEVELOPMENT=false".to_string()] + )] + #[case::not_override_them_when_none_of_variables_match( + vec!["ANOTHERENV=TEST".to_string()], + vec!["ISPRODUCTION=false".to_string(), "ISDEVELOPMENT=true".to_string()], + vec!["ANOTHERENV=TEST".to_string(), "ISPRODUCTION=false".to_string(), "ISDEVELOPMENT=true".to_string()] + )] + #[case::a_mix_of_both_overriding_and_not( + vec!["ANOTHERENV=TEST".to_string(), "ISPRODUCTION=true".to_string()], + vec!["ISPRODUCTION=false".to_string(), "ISDEVELOPMENT=true".to_string()], + vec!["ANOTHERENV=TEST".to_string(), "ISPRODUCTION=true".to_string(), "ISDEVELOPMENT=true".to_string()] + )] + async fn test_merge_env( + #[case] container_process_env: Vec, + #[case] image_process_env: Vec, + #[case] expected: Vec, + ) { + 
let image_service = ImageService::new(); + let mut container_process = oci::Process { + env: container_process_env, + ..Default::default() + }; + let image_process = oci::Process { + env: image_process_env, + ..Default::default() + }; + image_service.merge_oci_process(&mut container_process, &image_process); + assert_eq!(expected, container_process.env); + } } diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index 1d5558fecd..d919df76d5 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -200,6 +200,11 @@ impl AgentService { "receive createcontainer, storages: {:?}", &req.storages ); + // In case of pulling image inside guest, we need to merge the image bundle OCI spec + // into the container creation request OCI spec. + let image_service = image::ImageService::singleton().await?; + image_service.merge_bundle_oci(&mut oci).await?; + // Some devices need some extra processing (the ones invoked with // --device for instance), and that's what this call is doing. It // updates the devices listed in the OCI spec, so that they actually From cfd14784a0a1c98ba442c79f6791c60a1fb893bd Mon Sep 17 00:00:00 2001 
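Review bot: In `merge_oci_process`, `target.env.iter().any(|i| i.contains(variable_name))` is a substring test, so a container env such as `FOO_PATH=x` suppresses the image's `PATH=...` and a container `ISPRODUCTION` hides an image `ISPRODUCTION2` (the tests pass only because every name in them is distinct). Compare the key before the `=` instead: `if !target.env.iter().any(|i| i.split_once('=').map_or(false, |(k, _)| k == variable_name)) {`. Separately, `merge_bundle_oci` builds the new root with `Path::new(CONTAINER_BASE).join(container_id).join(image_root.path.clone())`; `Path::join` replaces the base when the right-hand side is absolute, so a `config.json` whose `root.path` is absolute would point the container root outside `CONTAINER_BASE` — `pull_image` uses `scoped_join` for the same purpose and this path should too. The `images` lookup is keyed by image name, so containers sharing an image may resolve to another container's bundle here.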
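Review bot: `merge_bundle_oci` runs right after the `receive createcontainer` log and before the request's storages are handled; if the guest pull for this container happens in a storage handler later in the same `do_create_container` (the rest of the function is outside this hunk), the `images` map has no entry for it yet and the merge only ever sees images pulled for an earlier container, so the image's `args`/`cwd`/`env` would not be merged for the first container using an image. Either move the merge after the storages are mounted or have the storage handler hand back the bundle path so the merge does not depend on the shared map. `ImageService::singleton().await?` also turns an uninitialised service into a hard failure of every `CreateContainer`, which is fine given `rpc::start` initialises it, but a `.context("merge image bundle OCI spec")` on the `merge_bundle_oci` call would make that failure attributable in the logs.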
From: ChengyuZhu6 Date: Wed, 22 Nov 2023 20:51:57 +0800 Subject: [PATCH 06/22] agent: Introduce ImagePullHandler to support IMAGE_GUEST_PULL volume As we do not employ a forked containerd in confidential-containers, we utilize the KataVirtualVolume which storing the image information as an integral part of `CreateContainer`. Within this process, we store the image information in rootfs.storage and pass this image url through `CreateContainerRequest`. This approach distinguishes itself from the use of `PullImageRequest`, as rootfs.storage is already set and initialized at this stage. To maintain clarity and avoid any need for modification to the `OverlayfsHandler`,we introduce the `ImagePullHandler`. This dedicated handler is responsible for orchestrating the image-pulling logic within the guest environment. This logic encompasses tasks such as calling the image-rs to download and unpack the image into `/run/kata-containers/{container_id}/images`, followed by a bind mount to `/run/kata-containers/{container_id}`. Signed-off-by: ChengyuZhu6 --- src/agent/src/storage/image_pull_handler.rs | 102 ++++++++++++++++++++ src/agent/src/storage/mod.rs | 8 +- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 src/agent/src/storage/image_pull_handler.rs diff --git a/src/agent/src/storage/image_pull_handler.rs b/src/agent/src/storage/image_pull_handler.rs new file mode 100644 index 0000000000..5f5c3d7147 --- /dev/null +++ b/src/agent/src/storage/image_pull_handler.rs 
@@ -0,0 +1,102 @@ +// Copyright (c) 2023 Intel Corporation +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::{anyhow, Result}; +use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; +use kata_types::mount::{ImagePullVolume, StorageDevice}; +use protocols::agent::Storage; +use std::sync::Arc; +use tracing::instrument; + +use crate::image; +use crate::storage::{StorageContext, StorageHandler}; + +use super::{common_storage_handler, new_device}; + +#[derive(Debug)] +pub struct ImagePullHandler {} + +impl ImagePullHandler { + fn get_image_info(storage: &Storage) -> Result { + for option in storage.driver_options.iter() { + if let Some((key, value)) = option.split_once('=') { + if key == KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL { + let imagepull_volume: ImagePullVolume = serde_json::from_str(value)?; + return Ok(imagepull_volume); + } + } + } + Err(anyhow!("missing Image information for ImagePull volume")) + } +} + +#[async_trait::async_trait] +impl StorageHandler for ImagePullHandler { + #[instrument] + async fn create_device( + &self, + mut storage: Storage, + ctx: &mut StorageContext, + ) -> Result> { + //Currently the image metadata is not used to pulling image in the guest. 
+ let image_pull_volume = Self::get_image_info(&storage)?; + debug!(ctx.logger, "image_pull_volume = {:?}", image_pull_volume); + let image_name = storage.source(); + debug!(ctx.logger, "image_name = {:?}", image_name); + + let cid = ctx + .cid + .clone() + .ok_or_else(|| anyhow!("failed to get container id"))?; + let image_service = image::ImageService::singleton().await?; + let bundle_path = image_service + .pull_image(image_name, &cid, &image_pull_volume.metadata) + .await?; + + storage.source = bundle_path; + storage.options = vec!["bind".to_string(), "ro".to_string()]; + + common_storage_handler(ctx.logger, &storage)?; + + new_device(storage.mount_point) + } +} + +#[cfg(test)] +mod tests { + use std::collections::HashMap; + + use kata_types::mount::{ImagePullVolume, KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL}; + use protocols::agent::Storage; + + use crate::storage::image_pull_handler::ImagePullHandler; + + #[test] + fn test_get_image_info() { + let mut res = HashMap::new(); + res.insert("key1".to_string(), "value1".to_string()); + res.insert("key2".to_string(), "value2".to_string()); + + let image_pull = ImagePullVolume { + metadata: res.clone(), + }; + + let image_pull_str = serde_json::to_string(&image_pull); + assert!(image_pull_str.is_ok()); + + let storage = Storage { + driver: KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL.to_string(), + driver_options: vec![format!("image_guest_pull={}", image_pull_str.ok().unwrap())], + ..Default::default() + }; + + match ImagePullHandler::get_image_info(&storage) { + Ok(image_info) => { + assert_eq!(image_info.metadata, res); + } + Err(e) => panic!("err = {}", e), + } + } +} diff --git a/src/agent/src/storage/mod.rs b/src/agent/src/storage/mod.rs index f312bbd83b..42ca1da0d3 100644 --- a/src/agent/src/storage/mod.rs +++ b/src/agent/src/storage/mod.rs 
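Review bot: `create_device` replaces `storage.options` with `bind`/`ro` but leaves `storage.fstype` as the runtime set it (the runtime side of this series sets `Fstype = overlay`), so `common_storage_handler` is asked for a bind mount carrying an overlay fstype; unless the mount helper ignores fstype when `bind` is present (not visible here), set `storage.fstype` explicitly alongside the options. Mounting the pulled rootfs `ro` also means the container can only write to its filesystem if the path returned by `pull_image` is already a writable overlay provided by image-rs, an assumption that deserves a comment on the `storage.options` line. `get_image_info` parses host-supplied JSON from `driver_options` and has no doc comment; something like `/// Extract the ImagePullVolume encoded in the image_guest_pull driver option; the image reference itself is carried in Storage.source.` would help. Note that `storage.source()` is taken verbatim from the host, so which image lands in the guest is ultimately decided by image-rs's signature and policy checks rather than by this handler.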
@@ -12,7 +12,10 @@ use std::sync::Arc; use anyhow::{anyhow, Context, Result}; use kata_sys_util::mount::{create_mount_destination, parse_mount_options}; -use kata_types::mount::{StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG}; +use kata_types::mount::{ + StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG, + KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, +}; use nix::unistd::{Gid, Uid}; use protocols::agent::Storage; use protocols::types::FSGroupChangePolicy; @@ -24,6 +27,7 @@ use self::bind_watcher_handler::BindWatcherHandler; use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler}; use self::ephemeral_handler::EphemeralHandler; use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler}; +use self::image_pull_handler::ImagePullHandler; use self::local_handler::LocalHandler; use crate::device::{ DRIVER_9P_TYPE, DRIVER_BLK_MMIO_TYPE, DRIVER_BLK_PCI_TYPE, DRIVER_EPHEMERAL_TYPE, @@ -39,6 +43,7 @@ mod bind_watcher_handler; mod block_handler; mod ephemeral_handler; mod fs_handler; +mod image_pull_handler; mod local_handler; const RW_MASK: u32 = 0o660; @@ -145,6 +150,7 @@ lazy_static! { manager.add_handler(DRIVER_SCSI_TYPE, Arc::new(ScsiHandler{})).unwrap(); manager.add_handler(DRIVER_VIRTIOFS_TYPE, Arc::new(VirtioFsHandler{})).unwrap(); manager.add_handler(DRIVER_WATCHABLE_BIND_TYPE, Arc::new(BindWatcherHandler{})).unwrap(); + manager.add_handler(KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, Arc::new(ImagePullHandler{})).unwrap(); manager }; } From 965da9bc9b9d3961b51b04673c35644425f33504 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Fri, 24 Nov 2023 00:06:57 +0800 Subject: [PATCH 07/22] runtime: support to pass image information to guest by KataVirtualVolume support to pass image information to guest by KataVirtualVolumeImageGuestPullType in KataVirtualVolume, which will be used to pull image on the guest. 
Signed-off-by: ChengyuZhu6 --- src/runtime/virtcontainers/fs_share_linux.go | 8 ++-- src/runtime/virtcontainers/kata_agent.go | 43 +++++++++++++++++++- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/src/runtime/virtcontainers/fs_share_linux.go b/src/runtime/virtcontainers/fs_share_linux.go index e80c9e8260..6d0518714d 100644 --- a/src/runtime/virtcontainers/fs_share_linux.go +++ b/src/runtime/virtcontainers/fs_share_linux.go @@ -486,9 +486,11 @@ func handleVirtualVolume(c *Container) ([]*grpc.Storage, string, error) { volumeType = virtVolume.VolumeType var vol *grpc.Storage - vol, err = handleVirtualVolumeStorageObject(c, "", virtVolume) - if err != nil { - return nil, "", err + if volumeType == types.KataVirtualVolumeImageGuestPullType { + vol, err = handleVirtualVolumeStorageObject(c, "", virtVolume) + if err != nil { + return nil, "", err + } } if vol != nil { diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 476c6d1779..59e7bed65d 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go 
@@ -1580,9 +1580,50 @@ func handleBlockVolume(c *Container, device api.Device) (*grpc.Storage, error) { return vol, nil } +func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.KataVirtualVolume, vol *grpc.Storage) (*grpc.Storage, error) { + container_annotations := c.GetAnnotations() + container_type := container_annotations["io.kubernetes.cri.container-type"] + if virtualVolumeInfo.Source == "" { + var image_ref string + if container_type == "sandbox" { + image_ref = "pause" + } else { + image_ref = container_annotations["io.kubernetes.cri.image-name"] + if image_ref == "" { + return nil, fmt.Errorf("Failed to get image name from annotations") + } + } + virtualVolumeInfo.Source = image_ref + + //merge virtualVolumeInfo.ImagePull.Metadata and container_annotations + for k, v := range container_annotations { + virtualVolumeInfo.ImagePull.Metadata[k] = v + } + } + + no, err := json.Marshal(virtualVolumeInfo.ImagePull) + if err != nil { + return nil, err + } + vol.Driver = types.KataVirtualVolumeImageGuestPullType + vol.DriverOptions = append(vol.DriverOptions, types.KataVirtualVolumeImageGuestPullType+"="+string(no)) + vol.Source = virtualVolumeInfo.Source + vol.Fstype = typeOverlayFS + return vol, nil +} + // handleVirtualVolumeStorageObject handles KataVirtualVolume that is block device file. func handleVirtualVolumeStorageObject(c *Container, blockDeviceId string, virtVolume *types.KataVirtualVolume) (*grpc.Storage, error) { - var vol *grpc.Storage = &grpc.Storage{} + var vol *grpc.Storage + if virtVolume.VolumeType == types.KataVirtualVolumeImageGuestPullType { + var err error + vol = &grpc.Storage{} + vol, err = handleImageGuestPullBlockVolume(c, virtVolume, vol) + if err != nil { + return nil, err + } + vol.MountPoint = filepath.Join("/run/kata-containers/", c.id, c.rootfsSuffix) + } return vol, nil } From c269b9e8c6429da1660a57681b3a637520db19b6 Mon Sep 17 00:00:00 2001 
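Review bot: `virtualVolumeInfo.ImagePull.Metadata[k] = v` dereferences `ImagePull` and assigns into its map without checking either for nil, so a volume parsed without an `image_pull` section panics inside the runtime instead of returning an error. Guard it before the loop with `if virtualVolumeInfo.ImagePull == nil { virtualVolumeInfo.ImagePull = &types.ImagePull{} }` and `if virtualVolumeInfo.ImagePull.Metadata == nil { virtualVolumeInfo.ImagePull.Metadata = map[string]string{} }`. The sandbox container's reference is the bare string `"pause"`, which the guest will resolve against whatever default registry image-rs uses; this should be a fully-qualified, configurable reference. The loop also ships every container annotation to the guest as metadata, which the guest side currently only logs — copying just the keys the guest needs would narrow what crosses the boundary. Minor: `container_annotations`, `container_type` and `image_ref` should be camelCase per Go convention.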
From: ChengyuZhu6 Date: Thu, 23 Nov 2023 22:12:53 +0800 Subject: [PATCH 08/22] agent: Add guest-pull feature for kata-agent Add "guest-pull" feature option to determine that the related dependencies would be compiled if the feature is enabled. By default, agent would be built with default-pull feature, which would support all pull types, including sharing images by virtio-fs and pulling images in the guest. Signed-off-by: ChengyuZhu6 --- src/agent/Cargo.lock | 15 +-------------- src/agent/Cargo.toml | 3 +++ src/agent/Makefile | 10 ++++++++++ src/agent/src/main.rs | 2 ++ src/agent/src/rpc.rs | 19 +++++++++++++------ src/agent/src/storage/image_pull_handler.rs | 5 ++--- src/agent/src/storage/mod.rs | 10 ++++++---- tools/osbuilder/rootfs-builder/rootfs.sh | 4 +++- 8 files changed, 40 insertions(+), 28 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 03a3ea2d72..fe02bd72b4 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -1578,19 +1578,6 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" -[[package]] -name = "globset" -version = "0.4.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "759c97c1e17c55525b57192c06a267cda0ac5210b222d6b82189a2338fa1c13d" -dependencies = [ - "aho-corasick", - "bstr", - "fnv", - "log", - "regex", -] - [[package]] name = "gloo-timers" version = "0.2.6" @@ -3833,7 +3820,7 @@ dependencies = [ "regex", "relative-path", "rustc_version", - "syn 2.0.50", + "syn 2.0.52", "unicode-ident", ] diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 3ee6ea8142..31092c0aa4 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml 
@@ -95,9 +95,12 @@ members = [ lto = true [features] +# The default-pull feature would support all pull types, including sharing images by virtio-fs and pulling images in the guest +default-pull = [ "guest-pull" ] seccomp = ["rustjail/seccomp"] standard-oci-runtime = ["rustjail/standard-oci-runtime"] agent-policy = ["http", "openssl", "reqwest"] +guest-pull = ["image-rs", "openssl"] [[bin]] name = "kata-agent" diff --git a/src/agent/Makefile b/src/agent/Makefile index 5b118beb9c..2f36e04852 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile @@ -41,6 +41,16 @@ ifeq ($(AGENT_POLICY),yes) override EXTRA_RUSTFEATURES += agent-policy endif +##VAR PULL_TYPE=default|guest-pull define if agent enables the guest pull image feature +PULL_TYPE ?= default +ifeq ($(PULL_TYPE),default) + override EXTRA_RUSTFEATURES += default-pull +# Enable guest pull image feature of rust build +else ifeq ($(PULL_TYPE),guest-pull) + override EXTRA_RUSTFEATURES += guest-pull +endif + + include ../../utils.mk ifeq ($(ARCH), ppc64le) diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 7e7979b10c..468efaa226 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -73,7 +73,9 @@ use tokio::{ task::JoinHandle, }; +#[cfg(feature = "guest-pull")] mod image; + mod rpc; mod tracer; diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index d919df76d5..0cf1d45d86 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -54,7 +54,6 @@ use rustjail::process::ProcessOperations; use crate::device::{add_devices, get_virtio_blk_pci_device_name, update_env_pci}; use crate::features::get_build_features; -use crate::image; use crate::linux_abi::*; use crate::metrics::get_metrics; use crate::mount::baremount; 
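Review bot: The new `PULL_TYPE` switch in the Makefile has no fallthrough: a mistyped value such as `PULL_TYPE=guestpull` matches neither `ifeq` branch and the agent silently builds with no pull feature at all, which is not one of the two documented choices. Add `else $(error Unsupported PULL_TYPE "$(PULL_TYPE)": expected default or guest-pull)` before the `endif` so an unknown value fails the build instead. The comment `# Enable guest pull image feature of rust build` is placed above the `else ifeq` it describes, so it reads as part of the `default` branch; moving it inside the guest-pull branch would make the intent clear.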
@@ -74,6 +73,9 @@ use crate::tracer::extract_carrier_from_ttrpc; #[cfg(feature = "agent-policy")] use crate::policy::{do_set_policy, is_allowed}; +#[cfg(feature = "guest-pull")] +use crate::image; + use opentelemetry::global; use tracing::span; use tracing_opentelemetry::OpenTelemetrySpanExt; @@ -202,8 +204,11 @@ impl AgentService { // In case of pulling image inside guest, we need to merge the image bundle OCI spec // into the container creation request OCI spec. - let image_service = image::ImageService::singleton().await?; - image_service.merge_bundle_oci(&mut oci).await?; + #[cfg(feature = "guest-pull")] + { + let image_service = image::ImageService::singleton().await?; + image_service.merge_bundle_oci(&mut oci).await?; + } // Some devices need some extra processing (the ones invoked with // --device for instance), and that's what this call is doing. It @@ -1603,9 +1608,11 @@ pub async fn start( let health_service = Box::new(HealthService {}) as Box; let hservice = health_ttrpc::create_health(Arc::new(health_service)); - let image_service = image::ImageService::new(); - *image::IMAGE_SERVICE.lock().await = Some(image_service.clone()); - + #[cfg(feature = "guest-pull")] + { + let image_service = image::ImageService::new(); + *image::IMAGE_SERVICE.lock().await = Some(image_service.clone()); + } let server = TtrpcServer::new() .bind(server_address)? .register_service(aservice) diff --git a/src/agent/src/storage/image_pull_handler.rs b/src/agent/src/storage/image_pull_handler.rs index 5f5c3d7147..e713198975 100644 --- a/src/agent/src/storage/image_pull_handler.rs +++ b/src/agent/src/storage/image_pull_handler.rs @@ -3,6 +3,8 @@ // SPDX-License-Identifier: Apache-2.0 // +use crate::image; +use crate::storage::{StorageContext, StorageHandler}; use anyhow::{anyhow, Result}; use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; use kata_types::mount::{ImagePullVolume, StorageDevice}; 
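Review bot: In the `start` hunk, `image_service` is cloned into the singleton and then immediately dropped, so both the local and the `.clone()` are unnecessary; `*image::IMAGE_SERVICE.lock().await = Some(image::ImageService::new());` inside the cfg block does the same in one line. The rewrite also dropped the blank line that separated the singleton initialisation from `let server = TtrpcServer::new()`, which hurts readability of an already dense function. `start` begins and ends outside the hunk.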
@@ -10,9 +12,6 @@ use protocols::agent::Storage; use std::sync::Arc; use tracing::instrument; -use crate::image; -use crate::storage::{StorageContext, StorageHandler}; - use super::{common_storage_handler, new_device}; #[derive(Debug)] diff --git a/src/agent/src/storage/mod.rs b/src/agent/src/storage/mod.rs index 42ca1da0d3..93892af9dc 100644 --- a/src/agent/src/storage/mod.rs +++ b/src/agent/src/storage/mod.rs @@ -12,10 +12,9 @@ use std::sync::Arc; use anyhow::{anyhow, Context, Result}; use kata_sys_util::mount::{create_mount_destination, parse_mount_options}; -use kata_types::mount::{ - StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG, - KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, -}; +#[cfg(feature = "guest-pull")] +use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; +use kata_types::mount::{StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG}; use nix::unistd::{Gid, Uid}; use protocols::agent::Storage; use protocols::types::FSGroupChangePolicy; @@ -27,6 +26,7 @@ use self::bind_watcher_handler::BindWatcherHandler; use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler}; use self::ephemeral_handler::EphemeralHandler; use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler}; +#[cfg(feature = "guest-pull")] use self::image_pull_handler::ImagePullHandler; use self::local_handler::LocalHandler; use crate::device::{ @@ -43,6 +43,7 @@ mod bind_watcher_handler; mod block_handler; mod ephemeral_handler; mod fs_handler; +#[cfg(feature = "guest-pull")] mod image_pull_handler; mod local_handler; 
@@ -150,6 +151,7 @@ lazy_static! { manager.add_handler(DRIVER_SCSI_TYPE, Arc::new(ScsiHandler{})).unwrap(); manager.add_handler(DRIVER_VIRTIOFS_TYPE, Arc::new(VirtioFsHandler{})).unwrap(); manager.add_handler(DRIVER_WATCHABLE_BIND_TYPE, Arc::new(BindWatcherHandler{})).unwrap(); + #[cfg(feature = "guest-pull")] manager.add_handler(KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, Arc::new(ImagePullHandler{})).unwrap(); manager }; diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 8b4df39db5..5fed5a0b7e 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -17,6 +17,8 @@ RUST_VERSION="null" AGENT_BIN=${AGENT_BIN:-kata-agent} AGENT_INIT=${AGENT_INIT:-no} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} +# The kata agent enables guest-pull feature. +PULL_TYPE=${PULL_TYPE:-default} KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""} OSBUILDER_VERSION="unknown" DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} @@ -706,7 +708,7 @@ EOF git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!" fi make clean - make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} + make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} if [ "${SECCOMP}" == "yes" ]; then rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" From 874d83b5105206a6c18b4664a36f2329936044b7 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Fri, 24 Nov 2023 12:01:45 +0800 Subject: [PATCH 09/22] agent/image: Use guest provided pause image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By default the pause image and runtime config are provided by the host side, which carries a potential security risk if the host configures a malicious pause image; therefore we use the pause image packaged in the rootfs instead. 
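Review bot: The comment added above `PULL_TYPE=${PULL_TYPE:-default}` in rootfs.sh, `# The kata agent enables guest-pull feature.`, does not describe the variable: it selects which pull feature the agent is built with, and `default` is the value that keeps every pull type. Suggest `# Pull type the agent is built with: "default" (all pull types) or "guest-pull".` In the second rootfs.sh hunk, `make` receives `PULL_TYPE=${PULL_TYPE}` but the `make install` on the following line does not; if the install target rebuilds the binary it would do so with whatever the Makefile defaults to, so passing the variable on both lines, as build-static-agent.sh does in PATCH 12, keeps the two invocations consistent.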
Signed-off-by: ChengyuZhu6 Co-authored-by: Arron Wang Co-authored-by: Julien Ropé Co-authored-by: stevenhorsman --- src/agent/src/image.rs | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs index 3ad89fa6a4..cc6952bbb5 100644 --- a/src/agent/src/image.rs +++ b/src/agent/src/image.rs @@ -9,11 +9,12 @@ use safe_path::scoped_join; use std::collections::HashMap; use std::env; use std::fs; +use std::path::{Path, PathBuf}; use std::sync::Arc; -use std::path::PathBuf; -use anyhow::{anyhow, Context, Result}; +use anyhow::{anyhow, bail, Context, Result}; use image_rs::image::ImageClient; +use kata_sys_util::validate::verify_id; use tokio::sync::Mutex; use crate::rpc::CONTAINER_BASE; @@ -23,6 +24,7 @@ use crate::AGENT_CONFIG; const ANNO_K8S_IMAGE_NAME: &str = "io.kubernetes.cri.image-name"; const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; const CONFIG_JSON: &str = "config.json"; +const KATA_PAUSE_BUNDLE: &str = "/pause_bundle"; #[rustfmt::skip] lazy_static! { 
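Review bot: `const KATA_PAUSE_BUNDLE: &str = "/pause_bundle";` is added without documentation, although it is the trust anchor the series relies on: it is the location inside the guest rootfs from which the pause image is taken instead of a host-provided one. A doc comment would spare the next reader a trip into `unpack_pause_image`, for example `/// Directory in the guest rootfs holding the packaged pause image bundle (its config.json and rootfs/pause); used in preference to a host-provided pause image.` The neighbouring `KATA_IMAGE_WORK_DIR` and `CONFIG_JSON` constants would benefit from the same treatment.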
@@ -79,6 +81,39 @@ impl ImageService { } } + /// pause image is packaged in rootfs + fn unpack_pause_image(cid: &str, target_subpath: &str) -> Result { + verify_id(cid).context("The guest pause image cid contains invalid characters.")?; + + let guest_pause_bundle = Path::new(KATA_PAUSE_BUNDLE); + if !guest_pause_bundle.exists() { + bail!("Pause image not present in rootfs"); + } + + info!(sl(), "use guest pause image cid {:?}", cid); + let pause_bundle = Path::new(CONTAINER_BASE).join(cid).join(target_subpath); + let pause_rootfs = pause_bundle.join("rootfs"); + fs::create_dir_all(&pause_rootfs)?; + + let copy_if_not_exists = |src: &Path, dst: &Path| -> Result<()> { + if !dst.exists() { + info!(sl(), "copying file {src:?} to {dst:?}"); + fs::copy(src, dst)?; + } + Ok(()) + }; + copy_if_not_exists( + &guest_pause_bundle.join(CONFIG_JSON), + &pause_bundle.join(CONFIG_JSON), + )?; + copy_if_not_exists( + &guest_pause_bundle.join("rootfs/pause"), + &pause_rootfs.join("pause"), + )?; + + Ok(pause_rootfs.display().to_string()) + } + /// pull_image is used for call image-rs to pull image in the guest. /// # Parameters /// - `image`: Image name (exp: quay.io/prometheus/busybox:latest) From ba242b0198da4be4b5f53f996ba18e31685036cf Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Mon, 27 Nov 2023 13:48:00 +0800 Subject: [PATCH 10/22] runtime: support different cri container type check To support handle image-guest-pull block volume from different CRIs, including cri-o and containerd. Signed-off-by: ChengyuZhu6 --- src/agent/src/image.rs | 24 +++++++++++ src/runtime/virtcontainers/kata_agent.go | 55 +++++++++++++++++------- 2 files changed, 64 insertions(+), 15 deletions(-) diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs index cc6952bbb5..a186f4b653 100644 --- a/src/agent/src/image.rs +++ b/src/agent/src/image.rs 
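Review bot: `copy_if_not_exists` keeps whatever already exists at `CONTAINER_BASE/<cid>/<target_subpath>/config.json` and `rootfs/pause`, which undercuts the stated goal of this commit: if anything else can populate that directory before this function runs, the pre-existing files win over the packaged ones and the guest-provided pause image is never used. Unless no other code path writes under that bundle directory first, plain `fs::copy` (overwrite) or a `bail!` when the destination exists is the safer contract; whichever is chosen, the doc comment should state it. `cid` is validated with `verify_id` but `target_subpath` is joined into the path unchecked; the only caller in this series passes the literal `"pause"`, so a `// callers must pass a fixed relative name` note or the same validation would keep that invariant visible. The one-line doc `/// pause image is packaged in rootfs` could become `/// Copies the pause image bundle packaged in the guest rootfs (KATA_PAUSE_BUNDLE) into CONTAINER_BASE/<cid>/<target_subpath> and returns the path of the resulting rootfs directory; fails if the bundle is absent or cid is not a valid id.`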
@@ -26,6 +26,11 @@ const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; const CONFIG_JSON: &str = "config.json"; const KATA_PAUSE_BUNDLE: &str = "/pause_bundle"; +const K8S_CONTAINER_TYPE_KEYS: [&str; 2] = [ + "io.kubernetes.cri.container-type", + "io.kubernetes.cri-o.ContainerType", +]; + #[rustfmt::skip] lazy_static! { pub static ref IMAGE_SERVICE: Mutex> = Mutex::new(None); @@ -130,6 +135,25 @@ impl ImageService { info!(sl(), "image metadata: {image_metadata:?}"); Self::set_proxy_env_vars(); + //Check whether the image is for sandbox or for container. + let mut is_sandbox = false; + for key in K8S_CONTAINER_TYPE_KEYS.iter() { + if let Some(value) = image_metadata.get(key as &str) { + if value == "sandbox" { + is_sandbox = true; + break; + } + } + } + + if is_sandbox { + let mount_path = Self::unpack_pause_image(cid, "pause")?; + self.add_image(String::from(image), String::from(cid)).await; + return Ok(mount_path); + } + + // Image layers will store at KATA_IMAGE_WORK_DIR, generated bundles + // with rootfs and config.json will store under CONTAINER_BASE/cid/images. let bundle_base_dir = scoped_join(CONTAINER_BASE, cid)?; fs::create_dir_all(&bundle_base_dir)?; let bundle_path = scoped_join(&bundle_base_dir, "images")?; diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 59e7bed65d..2de9297da9 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -36,6 +36,8 @@ import ( "context" + ctrAnnotations "github.com/containerd/containerd/pkg/cri/annotations" + podmanAnnotations "github.com/containers/podman/v4/pkg/annotations" "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux" "github.com/sirupsen/logrus" 
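Review bot: The sandbox detection in the `@@ -130` hunk is driven entirely by `image_metadata`, which arrives from the host; that is fine for the sandbox case, but it also means a host that omits or changes the container-type annotation for the actual sandbox makes the guest pull the host-chosen `image` instead of the packaged pause image, so the protection introduced in PATCH 09 only holds for a cooperating host. A comment stating that assumption next to the check, or a log line when a pull request carries no recognised container-type key, would make the limitation visible to operators. Stylistically, the `for`/`if let`/`break` loop with the `key as &str` no-op cast reads more directly as an iterator predicate; the enclosing `pull_image` starts and ends outside the hunk.
```rust
//Check whether the image is for sandbox or for container.
let is_sandbox = K8S_CONTAINER_TYPE_KEYS
    .iter()
    .any(|key| image_metadata.get(*key).map_or(false, |v| v == "sandbox"));
// … unchanged: unpack_pause_image / add_image branch …
```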
@@ -1580,25 +1582,48 @@ func handleBlockVolume(c *Container, device api.Device) (*grpc.Storage, error) { return vol, nil } +// getContainerTypeforCRI get container type from different CRI annotations +func getContainerTypeforCRI(c *Container) (string, string) { + + // CRIContainerTypeKeyList lists all the CRI keys that could define + // the container type from annotations in the config.json. + CRIContainerTypeKeyList := []string{ctrAnnotations.ContainerType, podmanAnnotations.ContainerType} + containerType := c.config.Annotations[vcAnnotations.ContainerTypeKey] + for _, key := range CRIContainerTypeKeyList { + _, ok := c.config.CustomSpec.Annotations[key] + if ok { + return containerType, key + } + } + return "", "" +} + func handleImageGuestPullBlockVolume(c *Container, virtualVolumeInfo *types.KataVirtualVolume, vol *grpc.Storage) (*grpc.Storage, error) { container_annotations := c.GetAnnotations() - container_type := container_annotations["io.kubernetes.cri.container-type"] - if virtualVolumeInfo.Source == "" { - var image_ref string - if container_type == "sandbox" { - image_ref = "pause" - } else { - image_ref = container_annotations["io.kubernetes.cri.image-name"] - if image_ref == "" { - return nil, fmt.Errorf("Failed to get image name from annotations") - } - } - virtualVolumeInfo.Source = image_ref + containerType, criContainerType := getContainerTypeforCRI(c) - //merge virtualVolumeInfo.ImagePull.Metadata and container_annotations - for k, v := range container_annotations { - virtualVolumeInfo.ImagePull.Metadata[k] = v + var image_ref string + if containerType == string(PodSandbox) { + image_ref = "pause" + } else { + switch criContainerType { + case ctrAnnotations.ContainerType: + image_ref = container_annotations["io.kubernetes.cri.image-name"] + case podmanAnnotations.ContainerType: + image_ref = container_annotations["io.kubernetes.cri-o.ImageName"] + default: + image_ref = "" } + + if image_ref == "" { + return nil, fmt.Errorf("Failed to get image 
name from annotations") + } + } + virtualVolumeInfo.Source = image_ref + + //merge virtualVolumeInfo.ImagePull.Metadata and container_annotations + for k, v := range container_annotations { + virtualVolumeInfo.ImagePull.Metadata[k] = v } no, err := json.Marshal(virtualVolumeInfo.ImagePull) From cd6a84cfc5fbfbe98dc7cc4b6aab9a3cd8cb8e4e Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Thu, 8 Feb 2024 16:17:56 +0800 Subject: [PATCH 11/22] kata-deploy: Setting up snapshotters per runtime handler Setting up snapshotters per runtime handler as the commit (https://github.com/kata-containers/kata-containers/pull/8655/commits/6cc6ca5a7fe1c6f074140295293e641a2dec7735) described. Signed-off-by: ChengyuZhu6 --- tests/integration/kubernetes/gha-run.sh | 4 ++++ tools/packaging/kata-deploy/scripts/kata-deploy.sh | 1 + 2 files changed, 5 insertions(+) diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 5d2afbb34e..864afbe799 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -147,6 +147,10 @@ function deploy_kata() { # Enable 'default_vcpus' hypervisor annotation yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[6].value' "default_vcpus" + if [ -n "${SNAPSHOTTER}" ]; then + yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[7].value' "${KATA_HYPERVISOR}:${SNAPSHOTTER}" + fi + if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[6].value' "initrd kernel default_vcpus" yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[+].name' "HOST_OS" 
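Review bot: getContainerTypeforCRI returns `"", ""` whenever none of the two CRI keys is present in `c.config.CustomSpec.Annotations`, discarding the `containerType` it has already read from `c.config.Annotations`; for a pod sandbox created by a CRI other than containerd or cri-o, handleImageGuestPullBlockVolume then skips the `pause` branch and fails with the image-name error instead. Returning the type regardless, `return containerType, ""`, lets the sandbox case still work and leaves the `default:` branch to reject only non-sandbox containers of unknown CRIs. The nil-map write into `virtualVolumeInfo.ImagePull.Metadata` noted on the PATCH 07 hunk is unchanged here. The name `getContainerTypeforCRI` breaks Go's camel-case convention (`getContainerTypeForCRI`), and `image_ref` should be `imageRef`.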
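Review bot: The gha-run.sh hunk writes `spec.template.spec.containers[0].env[7].value` by position, which assumes the eighth env entry of the base manifest is the snapshotter mapping (presumably `SNAPSHOTTER_HANDLER_MAPPING`, going by the echo added in kata-deploy.sh in this patch); any reordering of that env list silently overwrites a different variable. The `HOST_OS` entry a few lines below is appended with `env[+]` and given an explicit name, which is the robust form; either append the mapping the same way or look the index up by name rather than hard-coding it. A short comment naming which env entry index 7 is expected to be would at least make the coupling visible.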
diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh index 8253c00ae0..b208d0f577 100755 --- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh @@ -501,6 +501,7 @@ function main() { echo "* CREATE_RUNTIMECLASSES: ${CREATE_RUNTIMECLASSES}" echo "* CREATE_DEFAULT_RUNTIMECLASS: ${CREATE_DEFAULT_RUNTIMECLASS}" echo "* ALLOWED_HYPERVISOR_ANNOTATIONS: ${ALLOWED_HYPERVISOR_ANNOTATIONS}" + echo "* SNAPSHOTTER_HANDLER_MAPPING: ${SNAPSHOTTER_HANDLER_MAPPING}" # script requires that user is root euid=$(id -u) From 8724d7deebaff6ba0ac137b06bdafdbb590934ac Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Sun, 4 Feb 2024 13:03:40 +0800 Subject: [PATCH 12/22] packaging: Enable to build agent with PULL_TYPE feature Enable to build kata-agent with PULL_TYPE feature. We build kata-agent with guest-pull feature by default, with PULL_TYPE set to default. This doesn't affect how kata shares images by virtio-fs. The snapshotter controls the image pulling in the guest. Only the nydus snapshotter with proxy mode can activate this feature. Signed-off-by: ChengyuZhu6 --- src/agent/Makefile | 2 +- tools/packaging/guest-image/build_image.sh | 2 ++ .../local-build/kata-deploy-binaries-in-docker.sh | 2 ++ .../kata-deploy/local-build/kata-deploy-binaries.sh | 5 ++++- tools/packaging/static-build/agent/Dockerfile | 3 ++- tools/packaging/static-build/agent/build-static-agent.sh | 4 ++-- tools/packaging/static-build/agent/build.sh | 1 + 7 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/agent/Makefile b/src/agent/Makefile index 2f36e04852..b122eb1d8b 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile 
@@ -44,7 +44,7 @@ endif ##VAR PULL_TYPE=default|guest-pull define if agent enables the guest pull image feature PULL_TYPE ?= default ifeq ($(PULL_TYPE),default) - override EXTRA_RUSTFEATURES += default-pull + override EXTRA_RUSTFEATURES += default-pull # Enable guest pull image feature of rust build else ifeq ($(PULL_TYPE),guest-pull) override EXTRA_RUSTFEATURES += guest-pull diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index e0e02b9c0c..9ce5065c94 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -45,6 +45,7 @@ build_initrd() { AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_INIT="yes" \ AGENT_POLICY="${AGENT_POLICY:-}" \ + PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}" @@ -66,6 +67,7 @@ build_image() { ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \ AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_POLICY="${AGENT_POLICY:-}" \ + PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" mv -f "kata-containers.img" "${install_dir}/${artifact_name}" diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 5928921b6e..191f1cdee9 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -97,6 +97,7 @@ TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER:-}" VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" +PULL_TYPE="${PULL_TYPE:-default}" USE_CACHE="${USE_CACHE:-}" docker run \ 
@@ -123,6 +124,7 @@ docker run \ --env TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER}" \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER}" \ --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ + --env PULL_TYPE="${PULL_TYPE}" \ --env USE_CACHE="${USE_CACHE}" \ --env AA_KBC="${AA_KBC:-}" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 2ebfcc1971..d4bb8b6cd6 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -41,6 +41,7 @@ readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se ARCH=${ARCH:-$(uname -m)} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} +PULL_TYPE=${PULL_TYPE:-default} USE_CACHE="${USE_CACHE:-"yes"}" ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}" ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" @@ -328,6 +329,7 @@ install_image() { install_image_confidential() { export AGENT_POLICY=yes export MEASURED_ROOTFS=yes + export PULL_TYPE=default install_image "confidential" } @@ -396,6 +398,7 @@ install_initrd() { install_initrd_confidential() { export AGENT_POLICY=yes export MEASURED_ROOTFS=yes + export PULL_TYPE=default install_initrd "confidential" } @@ -782,7 +785,7 @@ install_agent_helper() { export GPERF_URL="$(get_from_kata_deps "externals.gperf.url")" info "build static agent" - DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}" + DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} PULL_TYPE=${PULL_TYPE} "${agent_builder}" } install_agent() { diff --git a/tools/packaging/static-build/agent/Dockerfile b/tools/packaging/static-build/agent/Dockerfile index adeffc1455..5d7bbd3764 100644 --- a/tools/packaging/static-build/agent/Dockerfile +++ b/tools/packaging/static-build/agent/Dockerfile 
@@ -21,7 +21,8 @@ RUN apt-get update && \ musl-tools \ openssl \ perl \ - protobuf-compiler && \ + protobuf-compiler \ + clang && \ apt-get clean && rm -rf /var/lib/apt/lists/ && \ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/tools/packaging/static-build/agent/build-static-agent.sh b/tools/packaging/static-build/agent/build-static-agent.sh index 2646cbb089..4fd8522801 100755 --- a/tools/packaging/static-build/agent/build-static-agent.sh +++ b/tools/packaging/static-build/agent/build-static-agent.sh @@ -49,8 +49,8 @@ build_agent_from_source() { /usr/bin/install_libseccomp.sh /usr /usr cd src/agent - DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make - DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} make + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} make install } build_agent_from_source $@ diff --git a/tools/packaging/static-build/agent/build.sh b/tools/packaging/static-build/agent/build.sh index 870c054e45..89ab314bc0 100755 --- a/tools/packaging/static-build/agent/build.sh +++ b/tools/packaging/static-build/agent/build.sh @@ -26,6 +26,7 @@ sudo docker pull ${container_image} || \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ --env DESTDIR=${DESTDIR} \ --env AGENT_POLICY=${AGENT_POLICY:-no} \ + --env PULL_TYPE=${PULL_TYPE:-default} \ --env LIBSECCOMP_VERSION=${LIBSECCOMP_VERSION} \ --env LIBSECCOMP_URL=${LIBSECCOMP_URL} \ --env GPERF_VERSION=${GPERF_VERSION} \ From 6e5e4e55d0b447bcc14f9583b3a49239a75d677e Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Thu, 29 Feb 2024 22:45:36 +0800 Subject: [PATCH 13/22] rootfs: add ca file to guest rootfs To access the URL, the component to pull image in the guest needs to send a request to the remote. Therefore, we need to add CA to the rootfs. 
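Review bot: The Dockerfile hunk adds `clang` to the agent build image with no indication of what needs it, and the patch description does not mention it either, so a later cleanup of the image has no way to know the package is load-bearing. A comment on the line such as `# clang: needed to build native dependencies of the guest-pull feature` (presumably the image-rs dependency chain — confirm before wording it) would fix that. In build-static-agent.sh, `PULL_TYPE=${PULL_TYPE}` carries no default whereas build.sh passes `${PULL_TYPE:-default}`; invoking build-static-agent.sh directly with the variable unset hands make an empty `PULL_TYPE=`, which a command-line assignment makes visible to the Makefile so its `?= default` does not apply, and neither `ifeq` branch then matches. Using `${PULL_TYPE:-default}` there as well removes that path.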
Signed-off-by: ChengyuZhu6 --- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 6ca31c1c63..0f4c3e792b 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -47,6 +47,10 @@ EOF ln -s /run "$rootfs_dir/var/run" cp --remove-destination /etc/resolv.conf "$rootfs_dir/etc" + local dir="$rootfs_dir/etc/ssl/certs" + mkdir -p "$dir" + cp --remove-destination /etc/ssl/certs/ca-certificates.crt "$dir" + # Reduce image size and memory footprint by removing unnecessary files and directories. rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh} From e8c4effc07d0921162b0e89801bd9d56bd77a396 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Fri, 23 Feb 2024 15:18:10 +0800 Subject: [PATCH 14/22] tests: refactor the check for hypervisor to a function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extract two reusable functions for confidential tests in confidential_common.sh - check_hypervisor_for_confidential_tests: verifies if the input hypervisor supports confidential tests. - confidential_setup: performs the common setup for confidential tests. Signed-off-by: ChengyuZhu6 Co-authored-by: stevenhorsman Co-authored-by: Fabiano Fidêncio Co-authored-by: Gabriela Cervantes --- .../kubernetes/confidential_common.sh | 26 +++++++++++++++++++ .../kubernetes/k8s-confidential.bats | 23 +++------------- 2 files changed, 30 insertions(+), 19 deletions(-) diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh index 02337b0229..b46207ca66 100644 --- a/tests/integration/kubernetes/confidential_common.sh +++ b/tests/integration/kubernetes/confidential_common.sh 
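Review bot: The rootfs_lib.sh hunk makes the guest's TLS trust store a copy of the build host's `/etc/ssl/certs/ca-certificates.crt`, so every CA the build machine happens to trust, including locally added ones, becomes a trusted issuer for image pulls inside the guest, and that content is neither pinned by version nor recorded with the other rootfs inputs. Installing the distribution's `ca-certificates` package into the rootfs alongside the packages this file already provisions would tie the bundle to the pinned package set and make the measured rootfs reproducible; if the host copy is deliberate, the commit message should say so and the copy should be named as a build input. Since this lives in the ubuntu-specific lib, other rootfs builders presumably get no CA bundle at all and guest pull would fail there with an opaque TLS error; a note in the script explaining which builders are covered would help.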
@@ -7,6 +7,9 @@ source "${BATS_TEST_DIRNAME}/tests_common.sh" +SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se") +SUPPORTED_NON_TEE_HYPERVISORS=("qemu") + function setup_unencrypted_confidential_pod() { get_pod_config_dir @@ -33,3 +36,26 @@ function get_remote_command_per_hypervisor() { echo "${REMOTE_COMMAND_PER_HYPERVISOR[${KATA_HYPERVISOR}]}" } + +# This function verifies whether the input hypervisor supports confidential tests and +# relies on `KATA_HYPERVISOR` being an environment variable +function check_hypervisor_for_confidential_tests() { + local kata_hypervisor="${1}" + # This check must be done with "${KATA_HYPERVISOR}" to avoid + # having substrings, like qemu, being matched with qemu-$something. + if [[ " ${SUPPORTED_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]] ||\ + [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]]; then + return 0 + else + return 1 + fi +} + +# Common setup for confidential tests. +function confidential_setup() { + if ! check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}"; then + return 1 + elif [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${KATA_HYPERVISOR} " ]]; then + info "Need to apply image annotations" + fi +} diff --git a/tests/integration/kubernetes/k8s-confidential.bats b/tests/integration/kubernetes/k8s-confidential.bats index 29172a4b80..01abec96a0 100644 --- a/tests/integration/kubernetes/k8s-confidential.bats +++ b/tests/integration/kubernetes/k8s-confidential.bats 
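Review bot: The header comment on check_hypervisor_for_confidential_tests says it "relies on `KATA_HYPERVISOR` being an environment variable", but the function reads its argument `${1}`, and the inner comment likewise still refers to `"${KATA_HYPERVISOR}"`; both describe the pre-refactor code and will mislead the next caller. Replace the header with `# Returns 0 when the hypervisor named by $1 is in SUPPORTED_TEE_HYPERVISORS or SUPPORTED_NON_TEE_HYPERVISORS, 1 otherwise.` and reword the inner comment to say the surrounding spaces prevent `qemu` from matching as a substring of `qemu-$something`. The if/else only echoes the match status, so the body can be the two `[[ … ]] || [[ … ]]` tests alone.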
@@ -10,21 +10,8 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { - SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se") - SUPPORTED_NON_TEE_HYPERVISORS=("qemu") - - # This check must be done with "${KATA_HYPERVISOR}" to avoid - # having substrings, like qemu, being matched with qemu-$something. - if ! [[ " ${SUPPORTED_TEE_HYPERVISORS[@]} " =~ " ${KATA_HYPERVISOR} " ]] && ! [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then - skip "Test not supported for ${KATA_HYPERVISOR}." - fi - - if [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then - info "Need to apply image annotations" - else - get_pod_config_dir - setup_unencrypted_confidential_pod - fi + confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}." + setup_unencrypted_confidential_pod } @test "Test unencrypted confidential container launch success and verify that we are running in a secure enclave." { @@ -54,10 +41,8 @@ setup() { } teardown() { - if ! [[ " ${SUPPORTED_TEE_HYPERVISORS[@]} " =~ " ${KATA_HYPERVISOR} " ]] && ! [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then - skip "Test not supported for ${KATA_HYPERVISOR}." - fi - + check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}." + kubectl describe "pod/${pod_name}" || true kubectl delete -f "${pod_config_dir}/pod-confidential-unencrypted.yaml" || true } From c52b3564825011ce134ee45c74c5bd0e36426af2 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Tue, 28 Nov 2023 22:15:05 +0800 Subject: [PATCH 15/22] tests: add guest pull image test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a test case of pulling image inside the guest for confidential containers. Signed-off-by: Da Li Liu 
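Review bot: `setup()` now calls setup_unencrypted_confidential_pod unconditionally, whereas the removed code ran it only for TEE hypervisors and merely logged "Need to apply image annotations" for the non-TEE `qemu` case; if that widening is intended it should be stated in the commit message, otherwise the call belongs behind the same check. In `teardown()`, `check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR}` passes the value unquoted while `setup()` quotes it; use `"${KATA_HYPERVISOR}"` in both for consistency, since an empty variable would otherwise call the function with no argument.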
Signed-off-by: ChengyuZhu6 Co-authored-by: Fabiano Fidêncio Co-authored-by: stevenhorsman Co-authored-by: Georgina Kinge Co-authored-by: Megan Wright --- .../kubernetes/k8s-guest-pull-image.bats | 175 ++++++++++++++++++ tests/integration/kubernetes/lib.sh | 91 ++++++++- .../kubernetes/run_kubernetes_tests.sh | 5 + 3 files changed, 268 insertions(+), 3 deletions(-) create mode 100644 tests/integration/kubernetes/k8s-guest-pull-image.bats diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats new file mode 100644 index 0000000000..e6b9a85383 --- /dev/null +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats 
@@ -0,0 +1,175 @@ +#!/usr/bin/env bats +# Copyright (c) 2023 Intel Corporation +# Copyright (c) 2023 IBM Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +load "${BATS_TEST_DIRNAME}/lib.sh" +load "${BATS_TEST_DIRNAME}/confidential_common.sh" + +setup() { + confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}." + setup_common + unencrypted_image_1="quay.io/sjenning/nginx:1.15-alpine" + unencrypted_image_2="quay.io/prometheus/busybox:latest" +} + +@test "Test we can pull an unencrypted image outside the guest with runc and then inside the guest successfully" { + [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}." + # 1. Create one runc pod with the $unencrypted_image_1 image + # We want to have one runc pod, so we pass a fake runtimeclass "runc" and then delete the runtimeClassName, + # because the runtimeclass is not optional in new_pod_config function. + runc_pod_config="$(new_pod_config "$unencrypted_image_1" "runc")" + sed -i '/runtimeClassName:/d' $runc_pod_config + set_node "$runc_pod_config" "$node" + set_container_command "$runc_pod_config" "0" "sleep" "30" + + # For debug sake + echo "Pod $runc_pod_config file:" + cat $runc_pod_config + + k8s_create_pod "$runc_pod_config" + + echo "Runc pod test-e2e is running" + kubectl delete -f "$runc_pod_config" + + # 2. 
Create one kata pod with the $unencrypted_image_1 image and nydus annotation + kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")" + set_node "$kata_pod_with_nydus_config" "$node" + set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30" + + # Set annotation to pull image in guest + set_metadata_annotation "$kata_pod_with_nydus_config" \ + "io.containerd.cri.runtime-handler" \ + "kata-${KATA_HYPERVISOR}" + + # For debug sake + echo "Pod $kata_pod_with_nydus_config file:" + cat $kata_pod_with_nydus_config + + k8s_create_pod "$kata_pod_with_nydus_config" + echo "Kata pod test-e2e with nydus annotation is running" + + echo "Checking the image was pulled in the guest" + sandbox_id=$(get_node_kata_sandbox_id $node) + echo "sandbox_id is: $sandbox_id" + # With annotation for nydus, only rootfs for pause container can be found on host + assert_rootfs_count "$node" "$sandbox_id" "1" +} + +@test "Test we can pull an unencrypted image inside the guest twice in a row and then outside the guest successfully" { + [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}." + skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377" + # 1. 
Create one kata pod with the $unencrypted_image_1 image and nydus annotation twice + kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")" + set_node "$kata_pod_with_nydus_config" "$node" + set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30" + + # Set annotation to pull image in guest + set_metadata_annotation "$kata_pod_with_nydus_config" \ + "io.containerd.cri.runtime-handler" \ + "kata-${KATA_HYPERVISOR}" + + # For debug sake + echo "Pod $kata_pod_with_nydus_config file:" + cat $kata_pod_with_nydus_config + + k8s_create_pod "$kata_pod_with_nydus_config" + + echo "Kata pod test-e2e with nydus annotation is running" + echo "Checking the image was pulled in the guest" + + sandbox_id=$(get_node_kata_sandbox_id $node) + echo "sandbox_id is: $sandbox_id" + # With annotation for nydus, only rootfs for pause container can be found on host + assert_rootfs_count "$node" "$sandbox_id" "1" + + kubectl delete -f $kata_pod_with_nydus_config + + # 2. Create one kata pod with the $unencrypted_image_1 image and without nydus annotation + kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")" + set_node "$kata_pod_without_nydus_config" "$node" + set_container_command "$kata_pod_without_nydus_config" "0" "sleep" "30" + + # For debug sake + echo "Pod $kata_pod_without_nydus_config file:" + cat $kata_pod_without_nydus_config + + k8s_create_pod "$kata_pod_without_nydus_config" + + echo "Kata pod test-e2e without nydus annotation is running" + echo "Check the image was not pulled in the guest" + sandbox_id=$(get_node_kata_sandbox_id $node) + echo "sandbox_id is: $sandbox_id" + + # The assert_rootfs_count will be FAIL. 
+ # The expect count of rootfs in host is "2" but the found count of rootfs in host is "1" + # As the the first time we pull the $unencrypted_image_1 image via nydus-snapshotter in the guest + # for all subsequent pulls still use nydus-snapshotter in the guest + # More details: https://github.com/kata-containers/kata-containers/issues/8337 + # The test case will be PASS after we use containerd 2.0 with 'image pull per runtime class' feature: + # https://github.com/containerd/containerd/issues/9377 + assert_rootfs_count "$node" "$sandbox_id" "2" +} + +@test "Test we can pull an other unencrypted image outside the guest and then inside the guest successfully" { + [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}." + skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377" + # 1. Create one kata pod with the $unencrypted_image_2 image and without nydus annotation + kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")" + set_node "$kata_pod_without_nydus_config" "$node" + set_container_command "$kata_pod_without_nydus_config" "0" "sleep" "30" + + # For debug sake + echo "Pod $kata_pod_without_nydus_config file:" + cat $kata_pod_without_nydus_config + + k8s_create_pod "$kata_pod_without_nydus_config" + + echo "Kata pod test-e2e without nydus annotation is running" + echo "Checking the image was pulled in the host" + + sandbox_id=$(get_node_kata_sandbox_id $node) + echo "sandbox_id is: $sandbox_id" + # Without annotation for nydus, both rootfs for pause and the test container can be found on host + assert_rootfs_count "$node" "$sandbox_id" "2" + + kubectl delete -f $kata_pod_without_nydus_config + + # 2. 
Create one kata pod with the $unencrypted_image_2 image and with nydus annotation + kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")" + set_node "$kata_pod_with_nydus_config" "$node" + set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30" + + # Set annotation to pull image in guest + set_metadata_annotation "$kata_pod_with_nydus_config" \ + "io.containerd.cri.runtime-handler" \ + "kata-${KATA_HYPERVISOR}" + + # For debug sake + echo "Pod $kata_pod_with_nydus_config file:" + cat $kata_pod_with_nydus_config + + k8s_create_pod "$kata_pod_with_nydus_config" + + echo "Kata pod test-e2e with nydus annotation is running" + echo "Checking the image was pulled in the guest" + sandbox_id=$(get_node_kata_sandbox_id $node) + echo "sandbox_id is: $sandbox_id" + + # The assert_rootfs_count will be FAIL. + # The expect count of rootfs in host is "1" but the found count of rootfs in host is "2" + # As the the first time we pull the $unencrypted_image_2 image via overlayfs-snapshotter in host + # for all subsequent pulls still use overlayfs-snapshotter in host. + # More details: https://github.com/kata-containers/kata-containers/issues/8337 + # The test case will be PASS after we use containerd 2.0 with 'image pull per runtime class' feature: + # https://github.com/containerd/containerd/issues/9377 + assert_rootfs_count "$node" "$sandbox_id" "1" +} + +teardown() { + check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}." + kubectl describe pod "$pod_name" + k8s_delete_all_pods_if_any_exists || true +} diff --git a/tests/integration/kubernetes/lib.sh b/tests/integration/kubernetes/lib.sh index 9b101a904a..6aee780c79 100644 --- a/tests/integration/kubernetes/lib.sh +++ b/tests/integration/kubernetes/lib.sh @@ -8,6 +8,9 @@ # set -e +wait_time=60 +sleep_time=3 + # Delete all pods if any exist, otherwise just return # k8s_delete_all_pods_if_any_exists() { 
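Review bot: The skip guards at the top of each test expand the array as a scalar, `[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]`, which only sees the first element; confidential_common.sh uses `${SUPPORTED_NON_TEE_HYPERVISORS[*]}` for the same check, so the three guards should read `[[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${KATA_HYPERVISOR} " ]]` to stay correct once a second non-TEE hypervisor is added. In teardown, `kubectl describe pod "$pod_name"` has no `|| true` and `pod_name` is not assigned anywhere in this file (the tests only define `kata_pod_*_config` paths), so unless setup_common sets it the describe will fail and bats reports every test as failed in teardown; the k8s-confidential.bats teardown in this same series uses `kubectl describe "pod/${pod_name}" || true`. The unquoted `sed -i '/runtimeClassName:/d' $runc_pod_config` should be `"$runc_pod_config"` like the other uses of that path.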
@@ -94,11 +97,49 @@ assert_pod_fail() { ! k8s_create_pod "$container_config" || /bin/false } + +# Check the pulled rootfs on host for given node and sandbox_id +# +# Parameters: +# $1 - the k8s worker node name +# $2 - the sandbox id for kata container +# $3 - the expected count of pulled rootfs +# +assert_rootfs_count() { + local node="$1" + local sandbox_id="$2" + local expect_count="$3" + local allrootfs="" + + # verify that the sandbox_id is not empty; + # otherwise, the command $(exec_host $node "find /run/kata-containers/shared/sandboxes/${sandbox_id} -name rootfs -type d") + # may yield an unexpected count of rootfs. + if [ -z "$sandbox_id" ]; then + return 1 + fi + + # Max loop 3 times to get all pulled rootfs for given sandbox_id + for _ in {1..3} + do + allrootfs=$(exec_host $node "find /run/kata-containers/shared/sandboxes/${sandbox_id} -name rootfs -type d") + if [ -n "$allrootfs" ]; then + break + else + sleep 1 + fi + done + echo "allrootfs is: $allrootfs" + count=$(echo $allrootfs | grep -o "rootfs" | wc -l) + echo "count of container rootfs in host is: $count, expect count is: $expect_count" + [ $expect_count -eq $count ] +} + # Create a pod configuration out of a template file. # # Parameters: # $1 - the container image. -# $2 - the runtimeclass +# $2 - the runtimeclass, is not optional. +# $3 - the specific node name, optional. # # Return: # the path to the configuration file. The caller should not care about @@ -116,6 +157,7 @@ new_pod_config() { new_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${base_config}").XXX") IMAGE="$image" RUNTIMECLASS="$runtimeclass" envsubst < "$base_config" > "$new_config" + echo "$new_config" } 
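Review bot: `count=$(echo $allrootfs | grep -o "rootfs" | wc -l)` counts every occurrence of the substring in the joined path list, not the number of `rootfs` directories, so any path component (sandbox id, container id, mount name) containing "rootfs" would inflate the result; counting leaf matches per line, `count=$(printf '%s\n' "$allrootfs" | grep -c '/rootfs$')`, measures what the comment says. The retry loop also breaks out as soon as any rootfs is found, so if the pause container's rootfs appears before the workload's, an expected count of 2 can be read too early — presumably rare, but worth noting as a flake source. Since `sandbox_id` is spliced into the remote `find` command, the non-empty guard could be tightened to the hex form get_node_kata_sandbox_id produces, `[[ "$sandbox_id" =~ ^[a-f0-9]+$ ]] || return 1`, so a malformed value cannot widen the search or the command.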
@@ -147,7 +189,23 @@ set_metadata_annotation() { echo "$annotation_key" # yq set annotations in yaml. Quoting the key because it can have # dots. - yq w -i --style=double "${yaml}" "${annotation_key}" "${value}" + yq write -i --style=double "${yaml}" "${annotation_key}" "${value}" +} + +# Set the command for container spec. +# +# Parameters: +# $1 - the yaml file +# $2 - the index of the container +# $N - the command values +# +set_container_command() { + local yaml="${1}" + local container_idx="${2}" + shift 2 + for command_value in "$@"; do + yq write -i "${yaml}" "spec.containers[${container_idx}].command[+]" --tag '!!str' "${command_value}" + done } # Set the node name on configuration spec. @@ -161,7 +219,7 @@ set_node() { local node="$2" [ -n "$node" ] || return 1 - yq w -i "${yaml}" "spec.nodeName" "$node" + yq write -i "${yaml}" "spec.nodeName" "$node" } # Get the systemd's journal from a worker node @@ -183,3 +241,30 @@ print_node_journal() { kubectl get pods -o name | grep "node-debugger-${node}" | \ xargs kubectl delete > /dev/null } + + +# Get the sandbox id for kata container from a worker node +# +# Parameters: +# $1 - the k8s worker node name +# +get_node_kata_sandbox_id() { + local node="$1" + local kata_sandbox_id="" + local local_wait_time="${wait_time}" + # Max loop 3 times to get kata_sandbox_id + while [ "$local_wait_time" -gt 0 ]; + do + kata_sandbox_id=$(exec_host $node "ps -ef |\ + grep containerd-shim-kata-v2" |\ + grep -oP '(?<=-id\s)[a-f0-9]+' |\ + tail -1) + if [ -n "$kata_sandbox_id" ]; then + break + else + sleep "${sleep_time}" + local_wait_time=$((local_wait_time-sleep_time)) + fi + done + echo $kata_sandbox_id +} diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index 6959f49621..a55d13e155 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh 
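Review bot: get_node_kata_sandbox_id takes `tail -1` of an unordered `ps -ef` listing, so when more than one containerd-shim-kata-v2 is running on the node the returned id is effectively arbitrary, and assert_rootfs_count in the guest-pull tests would then inspect the wrong sandbox; the function silently assumes a single kata sandbox per node and should say so, or filter the listing by something pod-specific. The comment `# Max loop 3 times to get kata_sandbox_id` contradicts the loop, which polls `wait_time/sleep_time` (60/3 = 20) times; suggest `# Poll for up to ${wait_time}s (every ${sleep_time}s); assumes a single kata sandbox on the node`. The final `echo $kata_sandbox_id` should be quoted, `echo "$kata_sandbox_id"`, as the hex-only grep makes splitting harmless today but the other helpers in this file quote their outputs.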
@@ -20,7 +20,12 @@ ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 runtimeclass_workloads_work/ if [ -n "${K8S_TEST_UNION:-}" ]; then K8S_TEST_UNION=($K8S_TEST_UNION) else + # Before we use containerd 2.0 with 'image pull per runtime class' feature + # we need run k8s-guest-pull-image.bats test first, otherwise the test result will be affected + # by other cases which are using 'alpine' and 'quay.io/prometheus/busybox:latest' image. + # more details https://github.com/kata-containers/kata-containers/issues/8337 K8S_TEST_SMALL_HOST_UNION=( \ + "k8s-guest-pull-image.bats" \ "k8s-confidential.bats" \ "k8s-attach-handlers.bats" \ "k8s-caps.bats" \ From 2c0bc8855b7693cc63d8b8366c90cea7c3e1a3a9 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Mon, 4 Mar 2024 17:42:36 +0800 Subject: [PATCH 16/22] tests: Make sure to install yq before using it Make sure to install yq before using it to modify YAML files. Signed-off-by: ChengyuZhu6 --- tests/integration/kubernetes/confidential_common.sh | 2 ++ tests/integration/kubernetes/lib.sh | 1 + 2 files changed, 3 insertions(+) diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh index b46207ca66..a97b863101 100644 --- a/tests/integration/kubernetes/confidential_common.sh +++ b/tests/integration/kubernetes/confidential_common.sh @@ -6,6 +6,7 @@ # source "${BATS_TEST_DIRNAME}/tests_common.sh" +source "${BATS_TEST_DIRNAME}/../../common.bash" SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se") SUPPORTED_NON_TEE_HYPERVISORS=("qemu") @@ -53,6 +54,7 @@ function check_hypervisor_for_confidential_tests() { # Common setup for confidential tests. function confidential_setup() { + ensure_yq if ! check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}"; then return 1 elif [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${KATA_HYPERVISOR} " ]]; then 
diff --git a/tests/integration/kubernetes/lib.sh b/tests/integration/kubernetes/lib.sh index 6aee780c79..5e498ab00e 100644 --- a/tests/integration/kubernetes/lib.sh +++ b/tests/integration/kubernetes/lib.sh @@ -203,6 +203,7 @@ set_container_command() { local yaml="${1}" local container_idx="${2}" shift 2 + for command_value in "$@"; do yq write -i "${yaml}" "spec.containers[${container_idx}].command[+]" --tag '!!str' "${command_value}" done From e23737a1039e088ead1ace1bb30626142c3fc8c4 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Tue, 5 Mar 2024 10:34:51 +0800 Subject: [PATCH 17/22] gha: refactor code with yq for better clarity refactor code with yq for better clarity: Before: ```bash yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[7].value' "${KATA_HYPERVISOR}:${SNAPSHOTTER}" ``` After: ```bash yq write -i \ "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ 'spec.template.spec.containers[0].env[7].value' \ "${KATA_HYPERVISOR}:${SNAPSHOTTER}" ``` Signed-off-by: ChengyuZhu6 --- tests/functional/kata-deploy/kata-deploy.bats | 55 ++++++++--- tests/integration/kubernetes/gha-run.sh | 95 +++++++++++++++---- tests/integration/kubernetes/lib.sh | 10 +- tests/integration/kubernetes/setup.sh | 10 +- 4 files changed, 136 insertions(+), 34 deletions(-) diff --git a/tests/functional/kata-deploy/kata-deploy.bats b/tests/functional/kata-deploy/kata-deploy.bats index 79ada144c3..b0b6ffc612 100644 --- a/tests/functional/kata-deploy/kata-deploy.bats +++ b/tests/functional/kata-deploy/kata-deploy.bats 
@@ -27,19 +27,40 @@ setup() { sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${DOCKER_REGISTRY}/${DOCKER_REPO}:${DOCKER_TAG}|g" "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" # Enable debug for Kata Containers - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[1].value' --tag '!!str' "true" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[1].value' \ + --tag '!!str' "true" # Create the runtime class only for the shim that's being tested - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[2].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[2].value' \ + "${KATA_HYPERVISOR}" # Set the tested hypervisor as the default `kata` shim - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[3].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[3].value' \ + "${KATA_HYPERVISOR}" # Let the `kata-deploy` script take care of the runtime class creation / removal - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[4].value' --tag '!!str' "true" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[4].value' \ + --tag '!!str' "true" # Let the `kata-deploy` create the default `kata` runtime class - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 
'spec.template.spec.containers[0].env[5].value' --tag '!!str' "true" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[5].value' \ + --tag '!!str' "true" if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[+].name' "HOST_OS" - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[-1].value' "${KATA_HOST_OS}" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[+].name' \ + "HOST_OS" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[-1].value' \ + "${KATA_HOST_OS}" fi echo "::group::Final kata-deploy.yaml that is used in the test" 
@@ -112,13 +133,25 @@ teardown() { kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod # Let the `kata-deploy` script take care of the runtime class creation / removal - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[4].value' --tag '!!str' "true" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[4].value' \ + --tag '!!str' "true" # Create the runtime class only for the shim that's being tested - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[2].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[2].value' \ + "${KATA_HYPERVISOR}" # Set the tested hypervisor as the default `kata` shim - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[3].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[3].value' \ + "${KATA_HYPERVISOR}" # Let the `kata-deploy` create the default `kata` runtime class - yq write -i "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[5].value' --tag '!!str' "true" + yq write -i \ + "${repo_root_dir}/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[5].value' \ + --tag '!!str' "true" sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${DOCKER_REGISTRY}/${DOCKER_REPO}:${DOCKER_TAG}|g" "${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" cat 
"${repo_root_dir}/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 864afbe799..251426285b 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh 
@@ -135,30 +135,63 @@ function deploy_kata() { sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${DOCKER_REGISTRY}/${DOCKER_REPO}:${DOCKER_TAG}|g" "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" # Enable debug for Kata Containers - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[1].value' --tag '!!str' "true" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[1].value' \ + --tag '!!str' "true" # Create the runtime class only for the shim that's being tested - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[2].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[2].value' \ + "${KATA_HYPERVISOR}" # Set the tested hypervisor as the default `kata` shim - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[3].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[3].value' \ + "${KATA_HYPERVISOR}" # Let the `kata-deploy` script take care of the runtime class creation / removal - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[4].value' --tag '!!str' "true" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[4].value' \ + --tag '!!str' "true" # Let the `kata-deploy` create the default `kata` runtime class - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[5].value' --tag '!!str' "true" + yq write -i \ + 
"${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[5].value' \ + --tag '!!str' "true" # Enable 'default_vcpus' hypervisor annotation - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[6].value' "default_vcpus" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[6].value' \ + "default_vcpus" if [ -n "${SNAPSHOTTER}" ]; then - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[7].value' "${KATA_HYPERVISOR}:${SNAPSHOTTER}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[7].value' \ + "${KATA_HYPERVISOR}:${SNAPSHOTTER}" fi if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[6].value' "initrd kernel default_vcpus" - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[+].name' "HOST_OS" - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[-1].value' "${KATA_HOST_OS}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[6].value' \ + "initrd kernel default_vcpus" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[+].name' \ + "HOST_OS" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[-1].value' \ + "${KATA_HOST_OS}" fi if [ "${KATA_HYPERVISOR}" = "qemu" ]; then - yq write -i 
"${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[6].value' "image initrd kernel default_vcpus" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[6].value' \ + "image initrd kernel default_vcpus" fi echo "::group::Final kata-deploy.yaml that is used in the test" 
@@ -312,13 +345,25 @@ function cleanup_kata_deploy() { kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod # Let the `kata-deploy` script take care of the runtime class creation / removal - yq write -i "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[4].value' --tag '!!str' "true" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[4].value' \ + --tag '!!str' "true" # Create the runtime class only for the shim that's being tested - yq write -i "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[2].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[2].value' \ + "${KATA_HYPERVISOR}" # Set the tested hypervisor as the default `kata` shim - yq write -i "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 'spec.template.spec.containers[0].env[3].value' "${KATA_HYPERVISOR}" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" \ + 'spec.template.spec.containers[0].env[3].value' \ + "${KATA_HYPERVISOR}" # Let the `kata-deploy` create the default `kata` runtime class - yq write -i "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" 'spec.template.spec.containers[0].env[5].value' --tag '!!str' "true" + yq write -i \ + "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ + 'spec.template.spec.containers[0].env[5].value' \ + --tag '!!str' "true" sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${DOCKER_REGISTRY}/${DOCKER_REPO}:${DOCKER_TAG}|g" "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" cat "${tools_dir}/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml" 
@@ -389,17 +434,29 @@ function deploy_nydus_snapshotter() { cleanup_nydus_snapshotter || true if [ "${PULL_TYPE}" == "guest-pull" ]; then # Enable guest pull feature in nydus snapshotter - yq write -i misc/snapshotter/base/nydus-snapshotter.yaml 'data.FS_DRIVER' "proxy" --style=double + yq write -i \ + misc/snapshotter/base/nydus-snapshotter.yaml \ + 'data.FS_DRIVER' \ + "proxy" --style=double else >&2 echo "Invalid pull type"; exit 2 fi # Disable to read snapshotter config from configmap - yq write -i misc/snapshotter/base/nydus-snapshotter.yaml 'data.ENABLE_CONFIG_FROM_VOLUME' "false" --style=double + yq write -i \ + misc/snapshotter/base/nydus-snapshotter.yaml \ + 'data.ENABLE_CONFIG_FROM_VOLUME' \ + "false" --style=double # Enable to run snapshotter as a systemd service - yq write -i misc/snapshotter/base/nydus-snapshotter.yaml 'data.ENABLE_SYSTEMD_SERVICE' "true" --style=double + yq write -i \ + misc/snapshotter/base/nydus-snapshotter.yaml \ + 'data.ENABLE_SYSTEMD_SERVICE' \ + "true" --style=double # Enable "runtime specific snapshotter" feature in containerd when configuring containerd for snapshotter - yq write -i misc/snapshotter/base/nydus-snapshotter.yaml 'data.ENABLE_RUNTIME_SPECIFIC_SNAPSHOTTER' "true" --style=double + yq write -i \ + misc/snapshotter/base/nydus-snapshotter.yaml \ + 'data.ENABLE_RUNTIME_SPECIFIC_SNAPSHOTTER' \ + "true" --style=double # Deploy nydus snapshotter as a daemonset kubectl create -f "misc/snapshotter/nydus-snapshotter-rbac.yaml" diff --git a/tests/integration/kubernetes/lib.sh b/tests/integration/kubernetes/lib.sh index 5e498ab00e..95eb161620 100644 --- a/tests/integration/kubernetes/lib.sh +++ b/tests/integration/kubernetes/lib.sh 
@@ -205,7 +205,10 @@ set_container_command() { shift 2 for command_value in "$@"; do - yq write -i "${yaml}" "spec.containers[${container_idx}].command[+]" --tag '!!str' "${command_value}" + yq write -i \ + "${yaml}" \ + "spec.containers[${container_idx}].command[+]" \ + --tag '!!str' "${command_value}" done } @@ -220,7 +223,10 @@ set_node() { local node="$2" [ -n "$node" ] || return 1 - yq write -i "${yaml}" "spec.nodeName" "$node" + yq write -i \ + "${yaml}" \ + "spec.nodeName" \ + "$node" } # Get the systemd's journal from a worker node diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh index 0c24b90852..ad9f397594 100755 --- a/tests/integration/kubernetes/setup.sh +++ b/tests/integration/kubernetes/setup.sh @@ -54,12 +54,18 @@ add_annotations_to_yaml() { Pod) echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}" - yq write -i "${K8S_TEST_YAML}" "metadata.annotations[${annotation_name}]" "${annotation_value}" + yq write -i \ + "${K8S_TEST_YAML}" \ + "metadata.annotations[${annotation_name}]" \ + "${annotation_value}" ;; Deployment|Job|ReplicationController) echo "Adding kernel and initrd annotations to ${resource_kind} from ${yaml_file}" - yq write -i "${K8S_TEST_YAML}" "spec.template.metadata.annotations[${annotation_name}]" "${annotation_value}" + yq write -i \ + "${K8S_TEST_YAML}" \ + "spec.template.metadata.annotations[${annotation_name}]" \ + "${annotation_value}" ;; List) From db9f18029c1140aebbcd28a5964d54c65c6a2771 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Tue, 5 Mar 2024 14:45:04 +0800 Subject: [PATCH 18/22] README: Add https_proxy and no_proxy to agent README Add agent.https_proxy and agent.no_proxy to the table in the agent README. Signed-off-by: ChengyuZhu6 --- src/agent/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/agent/README.md b/src/agent/README.md index 7381672e55..622cdfdc87 100644 --- a/src/agent/README.md +++ b/src/agent/README.md 
@@ -126,8 +126,10 @@ The kata agent has the ability to configure agent options in guest kernel comman | `agent.debug_console_vport` | Debug console port | Allow to specify the `vsock` port to connect the debugging console | integer | `0` | | `agent.devmode` | Developer mode | Allow the agent process to coredump | boolean | `false` | | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` | +| `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` | | `agent.log` | Log level | Allow the agent log level to be changed (produces more or less output) | string | `"info"` | | `agent.log_vport` | Log port | Allow to specify the `vsock` port to read logs | integer | `0` | +| `agent.no_proxy` | NO proxy | Allow to configure `no_proxy` in the guest | string | `""` | | `agent.passfd_listener_port` | File descriptor passthrough IO listener port | Allow to set the file descriptor passthrough IO listener port | integer | `0` | | `agent.server_addr` | Server address | Allow the ttRPC server address to be specified | string | `"vsock://-1:1024"` | | `agent.trace` | Trace mode | Allow to static tracing | boolean | `false` | From 5bad18f9c96d2676a5f5353f699e752fbf4ef3b6 Mon Sep 17 00:00:00 2001 
From: ChengyuZhu6 Date: Mon, 18 Mar 2024 17:41:54 +0800 Subject: [PATCH 19/22] agent: set https_proxy/no_proxy before initializing agent policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the https_proxy/no_proxy settings are configured alongside agent-policy enabled, the process of pulling image in the guest will hang. This issue could stem from the instantiation of `reqwest`’s HTTP client at the time of agent-policy initialization, potentially impacting the effectiveness of the proxy settings during image guest pulling. Given that both functionalities use `reqwest`, it is advisable to set https_proxy/no_proxy prior to the initialization of agent-policy. Fixes: #9212 Signed-off-by: ChengyuZhu6 --- src/agent/src/image.rs | 44 ++++++++++++++++++++++++++---------------- src/agent/src/main.rs | 3 +++ 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs index a186f4b653..4ca37af70c 100644 --- a/src/agent/src/image.rs +++ b/src/agent/src/image.rs @@ -70,22 +70,6 @@ impl ImageService { self.images.lock().await.insert(image, cid); } - /// Set proxy environment from AGENT_CONFIG - fn set_proxy_env_vars() { - if env::var("HTTPS_PROXY").is_err() { - let https_proxy = &AGENT_CONFIG.https_proxy; - if !https_proxy.is_empty() { - env::set_var("HTTPS_PROXY", https_proxy); - } - } - if env::var("NO_PROXY").is_err() { - let no_proxy = &AGENT_CONFIG.no_proxy; - if !no_proxy.is_empty() { - env::set_var("NO_PROXY", no_proxy); - } - } - } - /// pause image is packaged in rootfs fn unpack_pause_image(cid: &str, target_subpath: &str) -> Result { verify_id(cid).context("The guest pause image cid contains invalid characters.")?; @@ -133,7 +117,6 @@ impl ImageService { image_metadata: &HashMap, ) -> Result { info!(sl(), "image metadata: {image_metadata:?}"); - Self::set_proxy_env_vars(); //Check whether the image is for sandbox or for container. let mut is_sandbox = false; 
@@ -257,6 +240,33 @@ impl ImageService {
 }
 }
 }
+
+/// Set proxy environment from AGENT_CONFIG
+pub async fn set_proxy_env_vars() {
+ if env::var("HTTPS_PROXY").is_err() {
+ let https_proxy = &AGENT_CONFIG.https_proxy;
+ if !https_proxy.is_empty() {
+ env::set_var("HTTPS_PROXY", https_proxy);
+ }
+ }
+
+ match env::var("HTTPS_PROXY") {
+ Ok(val) => info!(sl(), "https_proxy is set to: {}", val),
+ Err(e) => info!(sl(), "https_proxy is not set ({})", e),
+ };
+
+ if env::var("NO_PROXY").is_err() {
+ let no_proxy = &AGENT_CONFIG.no_proxy;
+ if !no_proxy.is_empty() {
+ env::set_var("NO_PROXY", no_proxy);
+ }
+ }
+ match env::var("NO_PROXY") {
+ Ok(val) => info!(sl(), "no_proxy is set to: {}", val),
+ Err(e) => info!(sl(), "no_proxy is not set ({})", e),
+ };
+}
+
 #[cfg(test)]
 mod tests {
 use super::ImageService;
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 468efaa226..e79ec6fb35 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -351,6 +351,9 @@ async fn start_sandbox(
 s.rtnl.handle_localhost().await?;
 }
+ #[cfg(feature = "guest-pull")]
+ image::set_proxy_env_vars().await;
+
 // - When init_mode is true, enabling the localhost link during the
 // handle_localhost call above is required before starting OPA with the
 // initialize_policy call below.
From 291b14bfb53431c6b96bc990e3fb31f78d2e7a0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 18 Mar 2024 16:39:32 +0100
Subject: [PATCH 20/22] kata-deploy: Add the ability to set {https,no}_proxy if needed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make sure those two proxy settings are respected, as those will be widely used when pulling the image inside the guest on the Confidential Containers case.

Signed-off-by: Fabiano Fidêncio
---
 .../kata-deploy/kata-deploy/base/kata-deploy.yaml | 4 ++++
 tools/packaging/kata-deploy/scripts/kata-deploy.sh | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
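Review bot: The two `info!` calls in the new `set_proxy_env_vars` log the full `HTTPS_PROXY` value, and proxy URLs routinely carry `user:password@` userinfo, so credentials taken from the kernel command line end up in the agent log; log presence only, `Ok(_) => info!(sl(), "https_proxy is set")`, or strip the userinfo before formatting (the `echo "* AGENT_HTTPS_PROXY: ${AGENT_HTTPS_PROXY}"` line added to `kata-deploy.sh` in PATCH 20 prints the same value and deserves the same treatment). The function is declared `async` but contains no `.await`, which is harmless but misleads callers into expecting I/O. `std::env::set_var` is not synchronized against concurrent readers of the environment, so if worker threads are already running when `start_sandbox` calls it (not visible in this hunk) the write can race with any thread reading the environment; a comment at the call site such as `// must run before any task can read the environment` would make the ordering requirement explicit. `start_sandbox` starts and ends outside the main.rs hunk.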
diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
index 0360847a59..5006b2c1b6 100644
--- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
@@ -43,6 +43,10 @@ spec:
 value: ""
 - name: SNAPSHOTTER_HANDLER_MAPPING
 value: ""
+ - name: AGENT_HTTPS_PROXY
+ value: ""
+ - name: AGENT_NO_PROXY
+ value: ""
 securityContext:
 privileged: true
 volumeMounts:
diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
index b208d0f577..a5733af2f8 100755
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@@ -29,6 +29,9 @@ SNAPSHOTTER_HANDLER_MAPPING="${SNAPSHOTTER_HANDLER_MAPPING:-}"
 IFS=',' read -a snapshotters <<< "$SNAPSHOTTER_HANDLER_MAPPING"
 snapshotters_delimiter=':'
+AGENT_HTTPS_PROXY="${AGENT_HTTPS_PROXY:-}"
+AGENT_NO_PROXY="${AGENT_NO_PROXY:-}"
+
 # If we fail for any reason a message will be displayed
 die() {
 msg="$*"
@@ -159,6 +162,15 @@ function install_artifacts() {
 mkdir -p "$config_path"
 local kata_config_file="${config_path}/configuration-${shim}.toml"
+ # Properly set https_proxy and no_proxy for Kata Containers
+ if [ -n "${AGENT_HTTPS_PROXY}" ]; then
+ sed -i -e 's|^kernel_params = "\(.*\)"|kernel_params = "\1 agent.https_proxy='${AGENT_HTTPS_PROXY}'"|g' "${kata_config_file}"
+ fi
+
+ if [ -n "${AGENT_NO_PROXY}" ]; then
+ sed -i -e 's|^kernel_params = "\(.*\)"|kernel_params = "\1 agent.no_proxy='${AGENT_NO_PROXY}'"|g' "${kata_config_file}"
+ fi
+
 # Allow enabling debug for Kata Containers
 if [[ "${DEBUG}" == "true" ]]; then
 sed -i -e 's/^#\(enable_debug\).*=.*$/\1 = true/g' "${kata_config_file}"
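Review bot: The two `sed` lines added in the `install_artifacts` hunk splice `${AGENT_HTTPS_PROXY}` and `${AGENT_NO_PROXY}` into the sed script outside any quotes, so a value containing whitespace, `|`, `&`, `\` or `"` either breaks the `sed` invocation (word splitting, a second `|` delimiter) or changes what lands in `kernel_params` (a `"` closes the TOML string, a space becomes a separate kernel parameter), and since the value is forwarded to the guest kernel command line it should be validated rather than passed through as-is. Quote the expansion, `'"${AGENT_HTTPS_PROXY}"'`, and reject unsuitable values before the `sed`, for example `case "${AGENT_HTTPS_PROXY}" in *[[:space:]\|\&\"\\]*) die "AGENT_HTTPS_PROXY contains characters that cannot be embedded in kernel_params" ;; esac`, with the same guard for `AGENT_NO_PROXY`. `install_artifacts` starts and ends outside the hunk.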
@@ -502,6 +514,8 @@ function main() {
 echo "* CREATE_DEFAULT_RUNTIMECLASS: ${CREATE_DEFAULT_RUNTIMECLASS}"
 echo "* ALLOWED_HYPERVISOR_ANNOTATIONS: ${ALLOWED_HYPERVISOR_ANNOTATIONS}"
 echo "* SNAPSHOTTER_HANDLER_MAPPING: ${SNAPSHOTTER_HANDLER_MAPPING}"
+ echo "* AGENT_HTTPS_PROXY: ${AGENT_HTTPS_PROXY}"
+ echo "* AGENT_NO_PROXY: ${AGENT_NO_PROXY}"
 # script requires that user is root
 euid=$(id -u)
From d14e9802b66a2696885a142401fbb2af54f69674 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 18 Mar 2024 16:47:20 +0100
Subject: [PATCH 21/22] gha: k8s: Set {https,no}_proxy correctly for TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is needed as the TDX machine is hosted inside Intel and relies on proxies in order to connect to the external world. Not having those set causes issues when pulling the image inside the guest.

Signed-off-by: Fabiano Fidêncio
---
 tests/integration/kubernetes/gha-run.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 251426285b..4c9ad2a70c 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -29,6 +29,8 @@ KBS=${KBS:-false}
 KBS_INGRESS=${KBS_INGRESS:-}
 KUBERNETES="${KUBERNETES:-}"
 SNAPSHOTTER="${SNAPSHOTTER:-}"
+HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
+NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
 export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}"
 export TEST_CLUSTER_NAMESPACE="${TEST_CLUSTER_NAMESPACE:-kata-containers-k8s-tests}"
@@ -194,6 +196,18 @@ function deploy_kata() {
 "image initrd kernel default_vcpus"
 fi
+ if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+ yq write -i \ "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ 'spec.template.spec.containers[0].env[8].value' \ "${HTTPS_PROXY}"
+
+ yq write -i \ "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" \ 'spec.template.spec.containers[0].env[9].value' \ "${NO_PROXY}"
+ fi
+
 echo "::group::Final kata-deploy.yaml that is used in the test"
 cat "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml"
 grep "${DOCKER_REGISTRY}/${DOCKER_REPO}:${DOCKER_TAG}" "${tools_dir}/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml" || die "Failed to setup the tests image"
From 8911d3565f8c2d116a6b4e15f254c0693171001f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 19 Mar 2024 11:21:29 +0100
Subject: [PATCH 22/22] gha: tests: Filter out confidential tests for aarch64 / ppc64le
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Those two architectures are not TEE capable, thus we can just skip running those tests there.

Signed-off-by: Fabiano Fidêncio
---
 tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml | 2 ++
 tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml b/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml
index 8474a67fc3..2485b7cd3e 100644
--- a/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml
+++ b/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml
@@ -12,7 +12,9 @@ test:
 - cri-containerd
 kubernetes:
+ - k8s-confidential
 - k8s-cpu-ns
+ - k8s-guest-pull-image
 - k8s-limit-range
 - k8s-number-cpus
 - k8s-expose-ip
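Review bot: The new `yq write` calls in `deploy_kata` address the proxy entries by position (`env[8]`, `env[9]`), which ties this script to the exact ordering of the `env:` list in `kata-deploy.yaml`; an entry added or removed ahead of them would silently write the proxy URL into an unrelated variable and leave `AGENT_HTTPS_PROXY` empty, and nothing here checks that the element at that index is the intended one. Selecting the element by name avoids that, e.g. `'spec.template.spec.containers[0].env.(name==AGENT_HTTPS_PROXY).value'` if the installed `yq` (v3 syntax is used here) supports the `(key==value)` path filter; failing that, a comment pinning the coupling, `# env[8]/env[9] must match the AGENT_HTTPS_PROXY / AGENT_NO_PROXY entries in kata-deploy.yaml`, is the minimum. `deploy_kata` starts and ends outside the hunk.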
diff --git a/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml b/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml
index d8644e019b..3495ef5024 100644
--- a/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml
+++ b/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml
@@ -5,6 +5,8 @@ kubernetes:
 - k8s-block-volume
+ - k8s-confidential
+ - k8s-guest-pull-image
 - k8s-limit-range
 - k8s-number-cpus
 - k8s-oom