diff --git a/docs/how-to/how-to-set-sandbox-config-kata.md b/docs/how-to/how-to-set-sandbox-config-kata.md index 4cdacae85b..97dff95f5c 100644 --- a/docs/how-to/how-to-set-sandbox-config-kata.md +++ b/docs/how-to/how-to-set-sandbox-config-kata.md @@ -35,6 +35,7 @@ There are several kinds of Kata configurations and they are listed below. | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent | | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers | | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` | +| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | timeout in second for Confidential Data Hub (CDH) API service, default is `50` | ## Hypervisor Options | Key | Value Type | Comments | diff --git a/src/agent/README.md b/src/agent/README.md index a62e46123d..fbe4452240 100644 --- a/src/agent/README.md +++ b/src/agent/README.md @@ -128,6 +128,7 @@ The kata agent has the ability to configure agent options in guest kernel comman | `agent.guest_components_rest_api` | `api-server-rest` configuration | Select the features that the API Server Rest attestation component will run with. Valid values are `all`, `attestation`, `resource` | string | `resource` | | `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` | | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` | +| `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` | | `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` | | `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` | | `agent.log` | Log level | Allow the agent log level to be changed (produces more or less output) | string | `"info"` | @@ -145,7 +146,7 @@ The kata agent has the ability to configure agent options in guest kernel comman > The agent will fail to start if the configuration file is not present, > or if it can't be parsed properly. > - `agent.devmode`: true | false -> - `agent.hotplug_timeout`: a whole number of seconds +> - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds > - `agent.log`: "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug" > - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}" > - `agent.trace`: true | false diff --git a/src/agent/src/cdh.rs b/src/agent/src/cdh.rs index 1ebfac6aa6..ed07efef58 100644 --- a/src/agent/src/cdh.rs +++ b/src/agent/src/cdh.rs @@ -14,10 +14,13 @@ use protocols::{ confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient}, }; +use crate::AGENT_CONFIG; use crate::CDH_SOCKET_URI; // Nanoseconds -const CDH_API_TIMEOUT: i64 = 50 * 1000 * 1000 * 1000; +lazy_static! { + static ref CDH_API_TIMEOUT: i64 = AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64; +} const SEALED_SECRET_PREFIX: &str = "sealed."; #[derive(Derivative)] @@ -48,7 +51,7 @@ impl CDHClient { let unsealed_secret = self .sealed_secret_client - .unseal_secret(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &input) + .unseal_secret(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &input) .await?; Ok(unsealed_secret.plaintext) } @@ -81,7 +84,7 @@ impl CDHClient { ..Default::default() }; self.secure_mount_client - .secure_mount(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &req) + .secure_mount(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req) .await?; Ok(()) } diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs index acb07dfacc..9ced9fc5a3 100644 --- a/src/agent/src/config.rs +++ b/src/agent/src/config.rs @@ -22,6 +22,7 @@ const LOG_LEVEL_OPTION: &str = "agent.log"; const SERVER_ADDR_OPTION: &str = "agent.server_addr"; const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port"; const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout"; +const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout"; const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport"; const LOG_VPORT_OPTION: &str = "agent.log_vport"; const CONTAINER_PIPE_SIZE_OPTION: &str = "agent.container_pipe_size"; @@ -40,6 +41,7 @@ const NO_PROXY: &str = "agent.no_proxy"; const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info; const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3); +const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50); const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0; const VSOCK_ADDR: &str = "vsock://-1"; @@ -54,9 +56,9 @@ const ERR_INVALID_GET_VALUE_PARAM: &str = "expected name=value"; const ERR_INVALID_GET_VALUE_NO_NAME: &str = "name=value parameter missing name"; const ERR_INVALID_GET_VALUE_NO_VALUE: &str = "name=value parameter missing value"; const ERR_INVALID_LOG_LEVEL_KEY: &str = "invalid log level key name"; -const ERR_INVALID_HOTPLUG_TIMEOUT: &str = "invalid hotplug timeout parameter"; -const ERR_INVALID_HOTPLUG_TIMEOUT_PARAM: &str = "unable to parse hotplug timeout"; -const ERR_INVALID_HOTPLUG_TIMEOUT_KEY: &str = "invalid hotplug timeout key name"; +const ERR_INVALID_TIMEOUT: &str = "invalid timeout parameter"; +const ERR_INVALID_TIMEOUT_PARAM: &str = "unable to parse timeout"; +const ERR_INVALID_TIMEOUT_KEY: &str = "invalid timeout key name"; const ERR_INVALID_CONTAINER_PIPE_SIZE: &str = "invalid container pipe size parameter"; const ERR_INVALID_CONTAINER_PIPE_SIZE_PARAM: &str = "unable to parse container pipe size"; @@ -97,6 +99,7 @@ pub struct AgentConfig { pub dev_mode: bool, pub log_level: slog::Level, pub hotplug_timeout: time::Duration, + pub cdh_api_timeout: time::Duration, pub debug_console_vport: i32, pub log_vport: i32, pub container_pipe_size: i32, @@ -120,6 +123,7 @@ pub struct AgentConfigBuilder { pub dev_mode: Option, pub log_level: Option, pub hotplug_timeout: Option, + pub cdh_api_timeout: Option, pub debug_console_vport: Option, pub log_vport: Option, pub container_pipe_size: Option, @@ -187,6 +191,7 @@ impl Default for AgentConfig { dev_mode: false, log_level: DEFAULT_LOG_LEVEL, hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT, + cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT, debug_console_vport: 0, log_vport: 0, container_pipe_size: DEFAULT_CONTAINER_PIPE_SIZE, @@ -224,6 +229,7 @@ impl FromStr for AgentConfig { logrus_to_slog_level ); config_override!(agent_config_builder, agent_config, hotplug_timeout); + config_override!(agent_config_builder, agent_config, cdh_api_timeout); config_override!(agent_config_builder, agent_config, debug_console_vport); config_override!(agent_config_builder, agent_config, log_vport); config_override!(agent_config_builder, agent_config, container_pipe_size); @@ -304,10 +310,19 @@ impl AgentConfig { param, HOTPLUG_TIMOUT_OPTION, config.hotplug_timeout, - get_hotplug_timeout, + get_timeout, |hotplug_timeout: time::Duration| hotplug_timeout.as_secs() > 0 ); + // ensure the timeout is a positive value + parse_cmdline_param!( + param, + CDH_API_TIMOUT_OPTION, + config.cdh_api_timeout, + get_timeout, + |cdh_api_timeout: time::Duration| cdh_api_timeout.as_secs() > 0 + ); + // vsock port should be positive values parse_cmdline_param!( param, @@ -447,17 +462,17 @@ fn get_log_level(param: &str) -> Result { } #[instrument] -fn get_hotplug_timeout(param: &str) -> Result { +fn get_timeout(param: &str) -> Result { let fields: Vec<&str> = param.split('=').collect(); - ensure!(fields.len() == 2, ERR_INVALID_HOTPLUG_TIMEOUT); + ensure!(fields.len() == 2, ERR_INVALID_TIMEOUT); ensure!( - fields[0] == HOTPLUG_TIMOUT_OPTION, - ERR_INVALID_HOTPLUG_TIMEOUT_KEY + matches!(fields[0], HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION), + ERR_INVALID_TIMEOUT_KEY ); let value = fields[1] .parse::() - .with_context(|| ERR_INVALID_HOTPLUG_TIMEOUT_PARAM)?; + .with_context(|| ERR_INVALID_TIMEOUT_PARAM)?; Ok(time::Duration::from_secs(value)) } @@ -1370,7 +1385,7 @@ mod tests { } #[test] - fn test_get_hotplug_timeout() { + fn test_get_timeout() { #[derive(Debug)] struct TestData<'a> { param: &'a str, @@ -1380,19 +1395,23 @@ mod tests { let tests = &[ TestData { param: "", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT)), }, TestData { param: "agent.hotplug_timeout", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT)), }, TestData { param: "foo=bar", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), }, TestData { param: "agent.hotplug_timeot=1", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), + }, + TestData { + param: "agent.chd_api_timeout=1", + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), }, TestData { param: "agent.hotplug_timeout=1", @@ -1406,6 +1425,10 @@ mod tests { param: "agent.hotplug_timeout=3600", result: Ok(time::Duration::from_secs(3600)), }, + TestData { + param: "agent.cdh_api_timeout=600", + result: Ok(time::Duration::from_secs(600)), + }, TestData { param: "agent.hotplug_timeout=0", result: Ok(time::Duration::from_secs(0)), @@ -1413,7 +1436,7 @@ mod tests { TestData { param: "agent.hotplug_timeout=-1", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1422,7 +1445,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=4jbsdja", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1431,7 +1454,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=foo", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1440,7 +1463,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=j", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1451,7 +1474,7 @@ Caused by: for (i, d) in tests.iter().enumerate() { let msg = format!("test[{}]: {:?}", i, d); - let result = get_hotplug_timeout(d.param); + let result = get_timeout(d.param); let msg = format!("{}: result: {:?}", msg, result); diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in index 2fbb4f26a9..09899dc4b4 100644 --- a/src/runtime-rs/config/configuration-rs-fc.toml.in +++ b/src/runtime-rs/config/configuration-rs-fc.toml.in @@ -282,6 +282,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-acrn.toml.in b/src/runtime/config/configuration-acrn.toml.in index e8e933aec6..d70ac728ca 100644 --- a/src/runtime/config/configuration-acrn.toml.in +++ b/src/runtime/config/configuration-acrn.toml.in @@ -157,6 +157,10 @@ disable_selinux=@DEFDISABLESELINUX@ # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index f51246f9ca..efbb9bfac4 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -328,6 +328,10 @@ block_device_driver = "virtio-blk" # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in index 7c5f428801..64697a8a9d 100644 --- a/src/runtime/config/configuration-fc.toml.in +++ b/src/runtime/config/configuration-fc.toml.in @@ -282,6 +282,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-qemu-coco-dev.toml.in b/src/runtime/config/configuration-qemu-coco-dev.toml.in index 699bf39c12..2373aabaa6 100644 --- a/src/runtime/config/configuration-qemu-coco-dev.toml.in +++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in @@ -567,6 +567,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 9c09c887f8..d3aeefbc3a 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -566,6 +566,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-stratovirt.toml.in b/src/runtime/config/configuration-stratovirt.toml.in index 9ef58ba507..ff821af539 100644 --- a/src/runtime/config/configuration-stratovirt.toml.in +++ b/src/runtime/config/configuration-stratovirt.toml.in @@ -294,6 +294,10 @@ kernel_modules = [] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 0ca94f25c1..b4ba75b987 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -198,6 +198,7 @@ type agent struct { Tracing bool `toml:"enable_tracing"` DebugConsoleEnabled bool `toml:"debug_console_enabled"` DialTimeout uint32 `toml:"dial_timeout"` + CdhApiTimeout uint32 `toml:"cdh_api_timeout"` } func (orig *tomlConfig) Clone() tomlConfig { @@ -736,6 +737,10 @@ func (a agent) dialTimout() uint32 { return a.DialTimeout } +func (a agent) cdhApiTimout() uint32 { + return a.CdhApiTimeout +} + func (a agent) debug() bool { return a.Debug } @@ -1415,6 +1420,7 @@ func updateRuntimeConfigAgent(configPath string, tomlConf tomlConfig, config *oc KernelModules: agent.kernelModules(), EnableDebugConsole: agent.debugConsoleEnabled(), DialTimeout: agent.dialTimout(), + CdhApiTimeout: agent.cdhApiTimout(), } } diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 954d202189..02167f7c18 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -283,6 +283,7 @@ type KataAgentConfig struct { KernelModules []string ContainerPipeSize uint32 DialTimeout uint32 + CdhApiTimeout uint32 LongLiveConn bool Debug bool Trace bool @@ -348,6 +349,11 @@ func KataAgentKernelParams(config KataAgentConfig) []Param { params = append(params, Param{Key: kernelParamDebugConsoleVPort, Value: kernelParamDebugConsoleVPortValue}) } + if config.CdhApiTimeout > 0 { + cdhApiTimeout := strconv.FormatUint(uint64(config.CdhApiTimeout), 10) + params = append(params, Param{Key: vcAnnotations.CdhApiTimeoutKernelParam, Value: cdhApiTimeout}) + } + return params } diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go index 8b6adc56fa..ad787b3d84 100644 --- a/src/runtime/virtcontainers/pkg/annotations/annotations.go +++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go @@ -309,6 +309,8 @@ const ( AgentContainerPipeSize = kataAnnotAgentPrefix + ContainerPipeSizeOption ContainerPipeSizeOption = "container_pipe_size" ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption + CdhApiTimeoutOption = "cdh_api_timeout" + CdhApiTimeoutKernelParam = "agent." + CdhApiTimeoutOption // Policy is an annotation containing the contents of an agent policy file, base64 encoded. Policy = kataAnnotAgentPrefix + "policy"