From 6139e253a04bea8cfc5eb955d2cf98115123256c Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 22 Aug 2024 09:11:26 +0200 Subject: [PATCH 1/5] agent/config: Add cdh_api_timeout to AgentConfig To make the `cdh_api_timeout` variable configurable, it has been added to the `AgentConfig` structure. This change includes storing the variable as a `time::Duration` type and generalizing the existing `hotplug_timeout` code to handle both timeouts. Signed-off-by: Hyounggyu Choi --- src/agent/src/config.rs | 61 ++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 19 deletions(-) diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs index acb07dfacc..9ced9fc5a3 100644 --- a/src/agent/src/config.rs +++ b/src/agent/src/config.rs @@ -22,6 +22,7 @@ const LOG_LEVEL_OPTION: &str = "agent.log"; const SERVER_ADDR_OPTION: &str = "agent.server_addr"; const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port"; const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout"; +const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout"; const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport"; const LOG_VPORT_OPTION: &str = "agent.log_vport"; const CONTAINER_PIPE_SIZE_OPTION: &str = "agent.container_pipe_size"; @@ -40,6 +41,7 @@ const NO_PROXY: &str = "agent.no_proxy"; const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info; const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3); +const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50); const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0; const VSOCK_ADDR: &str = "vsock://-1"; @@ -54,9 +56,9 @@ const ERR_INVALID_GET_VALUE_PARAM: &str = "expected name=value"; const ERR_INVALID_GET_VALUE_NO_NAME: &str = "name=value parameter missing name"; const ERR_INVALID_GET_VALUE_NO_VALUE: &str = "name=value parameter missing value"; const ERR_INVALID_LOG_LEVEL_KEY: &str = "invalid log level key name"; -const ERR_INVALID_HOTPLUG_TIMEOUT: &str = "invalid hotplug timeout parameter"; -const ERR_INVALID_HOTPLUG_TIMEOUT_PARAM: &str = "unable to parse hotplug timeout"; -const ERR_INVALID_HOTPLUG_TIMEOUT_KEY: &str = "invalid hotplug timeout key name"; +const ERR_INVALID_TIMEOUT: &str = "invalid timeout parameter"; +const ERR_INVALID_TIMEOUT_PARAM: &str = "unable to parse timeout"; +const ERR_INVALID_TIMEOUT_KEY: &str = "invalid timeout key name"; const ERR_INVALID_CONTAINER_PIPE_SIZE: &str = "invalid container pipe size parameter"; const ERR_INVALID_CONTAINER_PIPE_SIZE_PARAM: &str = "unable to parse container pipe size"; @@ -97,6 +99,7 @@ pub struct AgentConfig { pub dev_mode: bool, pub log_level: slog::Level, pub hotplug_timeout: time::Duration, + pub cdh_api_timeout: time::Duration, pub debug_console_vport: i32, pub log_vport: i32, pub container_pipe_size: i32, @@ -120,6 +123,7 @@ pub struct AgentConfigBuilder { pub dev_mode: Option, pub log_level: Option, pub hotplug_timeout: Option, + pub cdh_api_timeout: Option, pub debug_console_vport: Option, pub log_vport: Option, pub container_pipe_size: Option, @@ -187,6 +191,7 @@ impl Default for AgentConfig { dev_mode: false, log_level: DEFAULT_LOG_LEVEL, hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT, + cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT, debug_console_vport: 0, log_vport: 0, container_pipe_size: DEFAULT_CONTAINER_PIPE_SIZE, @@ -224,6 +229,7 @@ impl FromStr for AgentConfig { logrus_to_slog_level ); config_override!(agent_config_builder, agent_config, hotplug_timeout); + config_override!(agent_config_builder, agent_config, cdh_api_timeout); config_override!(agent_config_builder, agent_config, debug_console_vport); config_override!(agent_config_builder, agent_config, log_vport); config_override!(agent_config_builder, agent_config, container_pipe_size); @@ -304,10 +310,19 @@ impl AgentConfig { param, HOTPLUG_TIMOUT_OPTION, config.hotplug_timeout, - get_hotplug_timeout, + get_timeout, |hotplug_timeout: time::Duration| hotplug_timeout.as_secs() > 0 ); + // ensure the timeout is a positive value + parse_cmdline_param!( + param, + CDH_API_TIMOUT_OPTION, + config.cdh_api_timeout, + get_timeout, + |cdh_api_timeout: time::Duration| cdh_api_timeout.as_secs() > 0 + ); + // vsock port should be positive values parse_cmdline_param!( param, @@ -447,17 +462,17 @@ fn get_log_level(param: &str) -> Result { } #[instrument] -fn get_hotplug_timeout(param: &str) -> Result { +fn get_timeout(param: &str) -> Result { let fields: Vec<&str> = param.split('=').collect(); - ensure!(fields.len() == 2, ERR_INVALID_HOTPLUG_TIMEOUT); + ensure!(fields.len() == 2, ERR_INVALID_TIMEOUT); ensure!( - fields[0] == HOTPLUG_TIMOUT_OPTION, - ERR_INVALID_HOTPLUG_TIMEOUT_KEY + matches!(fields[0], HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION), + ERR_INVALID_TIMEOUT_KEY ); let value = fields[1] .parse::() - .with_context(|| ERR_INVALID_HOTPLUG_TIMEOUT_PARAM)?; + .with_context(|| ERR_INVALID_TIMEOUT_PARAM)?; Ok(time::Duration::from_secs(value)) } @@ -1370,7 +1385,7 @@ mod tests { } #[test] - fn test_get_hotplug_timeout() { + fn test_get_timeout() { #[derive(Debug)] struct TestData<'a> { param: &'a str, @@ -1380,19 +1395,23 @@ mod tests { let tests = &[ TestData { param: "", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT)), }, TestData { param: "agent.hotplug_timeout", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT)), }, TestData { param: "foo=bar", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), }, TestData { param: "agent.hotplug_timeot=1", - result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)), + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), + }, + TestData { + param: "agent.chd_api_timeout=1", + result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)), }, TestData { param: "agent.hotplug_timeout=1", @@ -1406,6 +1425,10 @@ mod tests { param: "agent.hotplug_timeout=3600", result: Ok(time::Duration::from_secs(3600)), }, + TestData { + param: "agent.cdh_api_timeout=600", + result: Ok(time::Duration::from_secs(600)), + }, TestData { param: "agent.hotplug_timeout=0", result: Ok(time::Duration::from_secs(0)), @@ -1413,7 +1436,7 @@ mod tests { TestData { param: "agent.hotplug_timeout=-1", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1422,7 +1445,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=4jbsdja", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1431,7 +1454,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=foo", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1440,7 +1463,7 @@ Caused by: TestData { param: "agent.hotplug_timeout=j", result: Err(anyhow!( - "unable to parse hotplug timeout + "unable to parse timeout Caused by: invalid digit found in string" @@ -1451,7 +1474,7 @@ Caused by: for (i, d) in tests.iter().enumerate() { let msg = format!("test[{}]: {:?}", i, d); - let result = get_hotplug_timeout(d.param); + let result = get_timeout(d.param); let msg = format!("{}: result: {:?}", msg, result); From 2512ddeab2fc458d0318b733255d0261fe8deff7 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 22 Aug 2024 09:21:48 +0200 Subject: [PATCH 2/5] agent/cdh: Use AGENT_CONFIG.cdh_api_timeout for CDH_API_TIMEOUT This commit updates CDH_API_TIMEOUT to use AGENT_CONFIG.cdh_api_timeout and changes it from a `const` to `lazy_static` to accommodate runtime-determined values. Signed-off-by: Hyounggyu Choi --- src/agent/src/cdh.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/agent/src/cdh.rs b/src/agent/src/cdh.rs index 1ebfac6aa6..ed07efef58 100644 --- a/src/agent/src/cdh.rs +++ b/src/agent/src/cdh.rs @@ -14,10 +14,13 @@ use protocols::{ confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient}, }; +use crate::AGENT_CONFIG; use crate::CDH_SOCKET_URI; // Nanoseconds -const CDH_API_TIMEOUT: i64 = 50 * 1000 * 1000 * 1000; +lazy_static! { + static ref CDH_API_TIMEOUT: i64 = AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64; +} const SEALED_SECRET_PREFIX: &str = "sealed."; #[derive(Derivative)] @@ -48,7 +51,7 @@ impl CDHClient { let unsealed_secret = self .sealed_secret_client - .unseal_secret(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &input) + .unseal_secret(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &input) .await?; Ok(unsealed_secret.plaintext) } @@ -81,7 +84,7 @@ impl CDHClient { ..Default::default() }; self.secure_mount_client - .secure_mount(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &req) + .secure_mount(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req) .await?; Ok(()) } From 8615516823e042c72b8a05faf88f037108fd4e9e Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 22 Aug 2024 10:44:13 +0200 Subject: [PATCH 3/5] agent: Add agent.cdh_api_timeout to README This commit adds an explanation for `cdh_api_timeout` to the README file. Signed-off-by: Hyounggyu Choi --- src/agent/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/agent/README.md b/src/agent/README.md index a62e46123d..fbe4452240 100644 --- a/src/agent/README.md +++ b/src/agent/README.md @@ -128,6 +128,7 @@ The kata agent has the ability to configure agent options in guest kernel comman | `agent.guest_components_rest_api` | `api-server-rest` configuration | Select the features that the API Server Rest attestation component will run with. Valid values are `all`, `attestation`, `resource` | string | `resource` | | `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` | | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` | +| `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` | | `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` | | `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` | | `agent.log` | Log level | Allow the agent log level to be changed (produces more or less output) | string | `"info"` | @@ -145,7 +146,7 @@ The kata agent has the ability to configure agent options in guest kernel comman > The agent will fail to start if the configuration file is not present, > or if it can't be parsed properly. > - `agent.devmode`: true | false -> - `agent.hotplug_timeout`: a whole number of seconds +> - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds > - `agent.log`: "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug" > - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}" > - `agent.trace`: true | false From 7d0aba1a2431855e4104e06471c9cbe6ef0ad98f Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 22 Aug 2024 13:22:25 +0200 Subject: [PATCH 4/5] runtime: Enable to get cdh_api_timeout from configuration file This commit allows `cdh_api_timeout` to be configured from the configuration file. The configuration is commented out with specifying a default value (50s) because the default value is configured in the agent. Signed-off-by: Hyounggyu Choi --- src/runtime-rs/config/configuration-rs-fc.toml.in | 4 ++++ src/runtime/config/configuration-acrn.toml.in | 4 ++++ src/runtime/config/configuration-clh.toml.in | 4 ++++ src/runtime/config/configuration-fc.toml.in | 4 ++++ src/runtime/config/configuration-qemu-coco-dev.toml.in | 4 ++++ src/runtime/config/configuration-qemu.toml.in | 4 ++++ src/runtime/config/configuration-stratovirt.toml.in | 4 ++++ src/runtime/pkg/katautils/config.go | 6 ++++++ src/runtime/virtcontainers/kata_agent.go | 6 ++++++ src/runtime/virtcontainers/pkg/annotations/annotations.go | 2 ++ 10 files changed, 42 insertions(+) diff --git a/src/runtime-rs/config/configuration-rs-fc.toml.in b/src/runtime-rs/config/configuration-rs-fc.toml.in index 2fbb4f26a9..09899dc4b4 100644 --- a/src/runtime-rs/config/configuration-rs-fc.toml.in +++ b/src/runtime-rs/config/configuration-rs-fc.toml.in @@ -282,6 +282,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-acrn.toml.in b/src/runtime/config/configuration-acrn.toml.in index e8e933aec6..d70ac728ca 100644 --- a/src/runtime/config/configuration-acrn.toml.in +++ b/src/runtime/config/configuration-acrn.toml.in @@ -157,6 +157,10 @@ disable_selinux=@DEFDISABLESELINUX@ # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index f51246f9ca..efbb9bfac4 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -328,6 +328,10 @@ block_device_driver = "virtio-blk" # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-fc.toml.in b/src/runtime/config/configuration-fc.toml.in index 7c5f428801..64697a8a9d 100644 --- a/src/runtime/config/configuration-fc.toml.in +++ b/src/runtime/config/configuration-fc.toml.in @@ -282,6 +282,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-qemu-coco-dev.toml.in b/src/runtime/config/configuration-qemu-coco-dev.toml.in index 699bf39c12..2373aabaa6 100644 --- a/src/runtime/config/configuration-qemu-coco-dev.toml.in +++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in @@ -567,6 +567,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 9c09c887f8..d3aeefbc3a 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -566,6 +566,10 @@ kernel_modules=[] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/config/configuration-stratovirt.toml.in b/src/runtime/config/configuration-stratovirt.toml.in index 9ef58ba507..ff821af539 100644 --- a/src/runtime/config/configuration-stratovirt.toml.in +++ b/src/runtime/config/configuration-stratovirt.toml.in @@ -294,6 +294,10 @@ kernel_modules = [] # (default: 45) dial_timeout = 45 +# Confidential Data Hub API timeout value in seconds +# (default: 50) +#cdh_api_timeout = 50 + [runtime] # If enabled, the runtime will log additional debug messages to the # system log diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index 0ca94f25c1..b4ba75b987 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -198,6 +198,7 @@ type agent struct { Tracing bool `toml:"enable_tracing"` DebugConsoleEnabled bool `toml:"debug_console_enabled"` DialTimeout uint32 `toml:"dial_timeout"` + CdhApiTimeout uint32 `toml:"cdh_api_timeout"` } func (orig *tomlConfig) Clone() tomlConfig { @@ -736,6 +737,10 @@ func (a agent) dialTimout() uint32 { return a.DialTimeout } +func (a agent) cdhApiTimout() uint32 { + return a.CdhApiTimeout +} + func (a agent) debug() bool { return a.Debug } @@ -1415,6 +1420,7 @@ func updateRuntimeConfigAgent(configPath string, tomlConf tomlConfig, config *oc KernelModules: agent.kernelModules(), EnableDebugConsole: agent.debugConsoleEnabled(), DialTimeout: agent.dialTimout(), + CdhApiTimeout: agent.cdhApiTimout(), } } diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 954d202189..02167f7c18 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -283,6 +283,7 @@ type KataAgentConfig struct { KernelModules []string ContainerPipeSize uint32 DialTimeout uint32 + CdhApiTimeout uint32 LongLiveConn bool Debug bool Trace bool @@ -348,6 +349,11 @@ func KataAgentKernelParams(config KataAgentConfig) []Param { params = append(params, Param{Key: kernelParamDebugConsoleVPort, Value: kernelParamDebugConsoleVPortValue}) } + if config.CdhApiTimeout > 0 { + cdhApiTimeout := strconv.FormatUint(uint64(config.CdhApiTimeout), 10) + params = append(params, Param{Key: vcAnnotations.CdhApiTimeoutKernelParam, Value: cdhApiTimeout}) + } + return params } diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go index 8b6adc56fa..ad787b3d84 100644 --- a/src/runtime/virtcontainers/pkg/annotations/annotations.go +++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go @@ -309,6 +309,8 @@ const ( AgentContainerPipeSize = kataAnnotAgentPrefix + ContainerPipeSizeOption ContainerPipeSizeOption = "container_pipe_size" ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption + CdhApiTimeoutOption = "cdh_api_timeout" + CdhApiTimeoutKernelParam = "agent." + CdhApiTimeoutOption // Policy is an annotation containing the contents of an agent policy file, base64 encoded. Policy = kataAnnotAgentPrefix + "policy" From baa8af3f8eee59eb4cd99eb05ed74218cb64bcd9 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 22 Aug 2024 14:50:51 +0200 Subject: [PATCH 5/5] doc: Update how-to-set-sandbox-config-kata.md This commit add a row for `cdh_api_timeout` to the agent options in how-to-set-sandbox-config-kata.md. Signed-off-by: Hyounggyu Choi --- docs/how-to/how-to-set-sandbox-config-kata.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/how-to/how-to-set-sandbox-config-kata.md b/docs/how-to/how-to-set-sandbox-config-kata.md index 4cdacae85b..97dff95f5c 100644 --- a/docs/how-to/how-to-set-sandbox-config-kata.md +++ b/docs/how-to/how-to-set-sandbox-config-kata.md @@ -35,6 +35,7 @@ There are several kinds of Kata configurations and they are listed below. | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent | | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers | | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` | +| `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | timeout in second for Confidential Data Hub (CDH) API service, default is `50` | ## Hypervisor Options | Key | Value Type | Comments |