Merge pull request #10199 from BbolroC/make-cdh-api-timeout-configurable

agent/config: Make CDH_API_TIMEOUT configurable
2025-08-25 19:21:53 +00:00 · 2024-08-23 11:04:10 +02:00 · 2024-08-23 11:04:10 +02:00 · 45f69373a6
commit 45f69373a6
parent 4cd83d2b98 baa8af3f8e
14 changed files with 93 additions and 23 deletions
--- a/docs/how-to/how-to-set-sandbox-config-kata.md
+++ b/docs/how-to/how-to-set-sandbox-config-kata.md
@ -35,6 +35,7 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.agent.enable_tracing` | `boolean` | enable tracing for the agent |
 | `io.katacontainers.config.agent.container_pipe_size` | uint32 | specify the size of the std(in/out) pipes created for containers |
 | `io.katacontainers.config.agent.kernel_modules` | string | the list of kernel modules and their parameters that will be loaded in the guest kernel. Semicolon separated list of kernel modules and their parameters. These modules will be loaded in the guest kernel using `modprobe`(8). E.g., `e1000e InterruptThrottleRate=3000,3000,3000 EEE=1; i915 enable_ppgtt=0` |
 | `io.katacontainers.config.agent.cdh_api_timeout` | uint32 | timeout in second for Confidential Data Hub (CDH) API service, default is `50` |
 ## Hypervisor Options
 | Key | Value Type | Comments |
--- a/src/agent/README.md
+++ b/src/agent/README.md
@ -128,6 +128,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
 | `agent.guest_components_rest_api` | `api-server-rest` configuration | Select the features that the API Server Rest attestation component will run with. Valid values are `all`, `attestation`, `resource` | string | `resource` |
 | `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` |
 | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` |
 | `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` |
 | `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` |
 | `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` |
 | `agent.log` | Log level | Allow the agent log level to be changed (produces more or less output) | string | `"info"` |
@ -145,7 +146,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
 >    The agent will fail to start if the configuration file is not present,
 >    or if it can't be parsed properly.
 >  - `agent.devmode`: true | false
->  - `agent.hotplug_timeout`: a whole number of seconds
+>  - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds
 >  - `agent.log`:   "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug"
 >  - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}"
 >  - `agent.trace`: true | false
--- a/src/agent/src/cdh.rs
+++ b/src/agent/src/cdh.rs
@ -14,10 +14,13 @@ use protocols::{
    confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient},
 };
 use crate::AGENT_CONFIG;
 use crate::CDH_SOCKET_URI;
 // Nanoseconds
-const CDH_API_TIMEOUT: i64 = 50 * 1000 * 1000 * 1000;
+lazy_static! {
    static ref CDH_API_TIMEOUT: i64 = AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64;
 }
 const SEALED_SECRET_PREFIX: &str = "sealed.";
 #[derive(Derivative)]
@ -48,7 +51,7 @@ impl CDHClient {
        let unsealed_secret = self
            .sealed_secret_client
-            .unseal_secret(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &input)
+            .unseal_secret(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &input)
            .await?;
        Ok(unsealed_secret.plaintext)
    }
@ -81,7 +84,7 @@ impl CDHClient {
            ..Default::default()
        };
        self.secure_mount_client
-            .secure_mount(ttrpc::context::with_timeout(CDH_API_TIMEOUT), &req)
+            .secure_mount(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req)
            .await?;
        Ok(())
    }
--- a/src/agent/src/config.rs
+++ b/src/agent/src/config.rs
@ -22,6 +22,7 @@ const LOG_LEVEL_OPTION: &str = "agent.log";
 const SERVER_ADDR_OPTION: &str = "agent.server_addr";
 const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port";
 const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout";
 const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout";
 const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport";
 const LOG_VPORT_OPTION: &str = "agent.log_vport";
 const CONTAINER_PIPE_SIZE_OPTION: &str = "agent.container_pipe_size";
@ -40,6 +41,7 @@ const NO_PROXY: &str = "agent.no_proxy";
 const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
 const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
 const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50);
 const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0;
 const VSOCK_ADDR: &str = "vsock://-1";
@ -54,9 +56,9 @@ const ERR_INVALID_GET_VALUE_PARAM: &str = "expected name=value";
 const ERR_INVALID_GET_VALUE_NO_NAME: &str = "name=value parameter missing name";
 const ERR_INVALID_GET_VALUE_NO_VALUE: &str = "name=value parameter missing value";
 const ERR_INVALID_LOG_LEVEL_KEY: &str = "invalid log level key name";
-const ERR_INVALID_HOTPLUG_TIMEOUT: &str = "invalid hotplug timeout parameter";
+const ERR_INVALID_TIMEOUT: &str = "invalid timeout parameter";
-const ERR_INVALID_HOTPLUG_TIMEOUT_PARAM: &str = "unable to parse hotplug timeout";
+const ERR_INVALID_TIMEOUT_PARAM: &str = "unable to parse timeout";
-const ERR_INVALID_HOTPLUG_TIMEOUT_KEY: &str = "invalid hotplug timeout key name";
+const ERR_INVALID_TIMEOUT_KEY: &str = "invalid timeout key name";
 const ERR_INVALID_CONTAINER_PIPE_SIZE: &str = "invalid container pipe size parameter";
 const ERR_INVALID_CONTAINER_PIPE_SIZE_PARAM: &str = "unable to parse container pipe size";
@ -97,6 +99,7 @@ pub struct AgentConfig {
    pub dev_mode: bool,
    pub log_level: slog::Level,
    pub hotplug_timeout: time::Duration,
    pub cdh_api_timeout: time::Duration,
    pub debug_console_vport: i32,
    pub log_vport: i32,
    pub container_pipe_size: i32,
@ -120,6 +123,7 @@ pub struct AgentConfigBuilder {
    pub dev_mode: Option<bool>,
    pub log_level: Option<String>,
    pub hotplug_timeout: Option<time::Duration>,
    pub cdh_api_timeout: Option<time::Duration>,
    pub debug_console_vport: Option<i32>,
    pub log_vport: Option<i32>,
    pub container_pipe_size: Option<i32>,
@ -187,6 +191,7 @@ impl Default for AgentConfig {
            dev_mode: false,
            log_level: DEFAULT_LOG_LEVEL,
            hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT,
            cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT,
            debug_console_vport: 0,
            log_vport: 0,
            container_pipe_size: DEFAULT_CONTAINER_PIPE_SIZE,
@ -224,6 +229,7 @@ impl FromStr for AgentConfig {
            logrus_to_slog_level
        );
        config_override!(agent_config_builder, agent_config, hotplug_timeout);
        config_override!(agent_config_builder, agent_config, cdh_api_timeout);
        config_override!(agent_config_builder, agent_config, debug_console_vport);
        config_override!(agent_config_builder, agent_config, log_vport);
        config_override!(agent_config_builder, agent_config, container_pipe_size);
@ -304,10 +310,19 @@ impl AgentConfig {
                param,
                HOTPLUG_TIMOUT_OPTION,
                config.hotplug_timeout,
-                get_hotplug_timeout,
+                get_timeout,
                |hotplug_timeout: time::Duration| hotplug_timeout.as_secs() > 0
            );
            // ensure the timeout is a positive value
            parse_cmdline_param!(
                param,
                CDH_API_TIMOUT_OPTION,
                config.cdh_api_timeout,
                get_timeout,
                |cdh_api_timeout: time::Duration| cdh_api_timeout.as_secs() > 0
            );
            // vsock port should be positive values
            parse_cmdline_param!(
                param,
@ -447,17 +462,17 @@ fn get_log_level(param: &str) -> Result<slog::Level> {
 }
 #[instrument]
-fn get_hotplug_timeout(param: &str) -> Result<time::Duration> {
+fn get_timeout(param: &str) -> Result<time::Duration> {
    let fields: Vec<&str> = param.split('=').collect();
-    ensure!(fields.len() == 2, ERR_INVALID_HOTPLUG_TIMEOUT);
+    ensure!(fields.len() == 2, ERR_INVALID_TIMEOUT);
    ensure!(
-        fields[0] == HOTPLUG_TIMOUT_OPTION,
+        matches!(fields[0], HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION),
-        ERR_INVALID_HOTPLUG_TIMEOUT_KEY
+        ERR_INVALID_TIMEOUT_KEY
    );
    let value = fields[1]
        .parse::<u64>()
-        .with_context(|| ERR_INVALID_HOTPLUG_TIMEOUT_PARAM)?;
+        .with_context(|| ERR_INVALID_TIMEOUT_PARAM)?;
    Ok(time::Duration::from_secs(value))
 }
@ -1370,7 +1385,7 @@ mod tests {
    }
    #[test]
-    fn test_get_hotplug_timeout() {
+    fn test_get_timeout() {
        #[derive(Debug)]
        struct TestData<'a> {
            param: &'a str,
@ -1380,19 +1395,23 @@ mod tests {
        let tests = &[
            TestData {
                param: "",
-                result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)),
+                result: Err(anyhow!(ERR_INVALID_TIMEOUT)),
            },
            TestData {
                param: "agent.hotplug_timeout",
-                result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT)),
+                result: Err(anyhow!(ERR_INVALID_TIMEOUT)),
            },
            TestData {
                param: "foo=bar",
-                result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)),
+                result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)),
            },
            TestData {
                param: "agent.hotplug_timeot=1",
-                result: Err(anyhow!(ERR_INVALID_HOTPLUG_TIMEOUT_KEY)),
+                result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)),
            },
            TestData {
                param: "agent.chd_api_timeout=1",
                result: Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)),
            },
            TestData {
                param: "agent.hotplug_timeout=1",
@ -1406,6 +1425,10 @@ mod tests {
                param: "agent.hotplug_timeout=3600",
                result: Ok(time::Duration::from_secs(3600)),
            },
            TestData {
                param: "agent.cdh_api_timeout=600",
                result: Ok(time::Duration::from_secs(600)),
            },
            TestData {
                param: "agent.hotplug_timeout=0",
                result: Ok(time::Duration::from_secs(0)),
@ -1413,7 +1436,7 @@ mod tests {
            TestData {
                param: "agent.hotplug_timeout=-1",
                result: Err(anyhow!(
-                    "unable to parse hotplug timeout
+                    "unable to parse timeout
 Caused by:
    invalid digit found in string"
@ -1422,7 +1445,7 @@ Caused by:
            TestData {
                param: "agent.hotplug_timeout=4jbsdja",
                result: Err(anyhow!(
-                    "unable to parse hotplug timeout
+                    "unable to parse timeout
 Caused by:
    invalid digit found in string"
@ -1431,7 +1454,7 @@ Caused by:
            TestData {
                param: "agent.hotplug_timeout=foo",
                result: Err(anyhow!(
-                    "unable to parse hotplug timeout
+                    "unable to parse timeout
 Caused by:
    invalid digit found in string"
@ -1440,7 +1463,7 @@ Caused by:
            TestData {
                param: "agent.hotplug_timeout=j",
                result: Err(anyhow!(
-                    "unable to parse hotplug timeout
+                    "unable to parse timeout
 Caused by:
    invalid digit found in string"
@ -1451,7 +1474,7 @@ Caused by:
        for (i, d) in tests.iter().enumerate() {
            let msg = format!("test[{}]: {:?}", i, d);
-            let result = get_hotplug_timeout(d.param);
+            let result = get_timeout(d.param);
            let msg = format!("{}: result: {:?}", msg, result);
--- a/src/runtime-rs/config/configuration-rs-fc.toml.in
+++ b/src/runtime-rs/config/configuration-rs-fc.toml.in
@ -282,6 +282,10 @@ kernel_modules=[]
 # (default: 45)
 dial_timeout = 45 
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-acrn.toml.in
+++ b/src/runtime/config/configuration-acrn.toml.in
@ -157,6 +157,10 @@ disable_selinux=@DEFDISABLESELINUX@
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@ -328,6 +328,10 @@ block_device_driver = "virtio-blk"
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-fc.toml.in
+++ b/src/runtime/config/configuration-fc.toml.in
@ -282,6 +282,10 @@ kernel_modules=[]
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-qemu-coco-dev.toml.in
+++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in
@ -567,6 +567,10 @@ kernel_modules=[]
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@ -566,6 +566,10 @@ kernel_modules=[]
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/config/configuration-stratovirt.toml.in
+++ b/src/runtime/config/configuration-stratovirt.toml.in
@ -294,6 +294,10 @@ kernel_modules = []
 # (default: 45)
 dial_timeout = 45
 # Confidential Data Hub API timeout value in seconds
 # (default: 50)
 #cdh_api_timeout = 50
 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -198,6 +198,7 @@ type agent struct {
 	Tracing             bool     `toml:"enable_tracing"`
 	DebugConsoleEnabled bool     `toml:"debug_console_enabled"`
 	DialTimeout         uint32   `toml:"dial_timeout"`
 	CdhApiTimeout       uint32   `toml:"cdh_api_timeout"`
 }
 func (orig *tomlConfig) Clone() tomlConfig {
@ -736,6 +737,10 @@ func (a agent) dialTimout() uint32 {
 	return a.DialTimeout
 }
 func (a agent) cdhApiTimout() uint32 {
 	return a.CdhApiTimeout
 }
 func (a agent) debug() bool {
 	return a.Debug
 }
@ -1415,6 +1420,7 @@ func updateRuntimeConfigAgent(configPath string, tomlConf tomlConfig, config *oc
 			KernelModules:      agent.kernelModules(),
 			EnableDebugConsole: agent.debugConsoleEnabled(),
 			DialTimeout:        agent.dialTimout(),
 			CdhApiTimeout:      agent.cdhApiTimout(),
 		}
 	}
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@ -283,6 +283,7 @@ type KataAgentConfig struct {
 	KernelModules      []string
 	ContainerPipeSize  uint32
 	DialTimeout        uint32
 	CdhApiTimeout      uint32
 	LongLiveConn       bool
 	Debug              bool
 	Trace              bool
@ -348,6 +349,11 @@ func KataAgentKernelParams(config KataAgentConfig) []Param {
 		params = append(params, Param{Key: kernelParamDebugConsoleVPort, Value: kernelParamDebugConsoleVPortValue})
 	}
 	if config.CdhApiTimeout > 0 {
 		cdhApiTimeout := strconv.FormatUint(uint64(config.CdhApiTimeout), 10)
 		params = append(params, Param{Key: vcAnnotations.CdhApiTimeoutKernelParam, Value: cdhApiTimeout})
 	}
 	return params
 }
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@ -309,6 +309,8 @@ const (
 	AgentContainerPipeSize       = kataAnnotAgentPrefix + ContainerPipeSizeOption
 	ContainerPipeSizeOption      = "container_pipe_size"
 	ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption
 	CdhApiTimeoutOption          = "cdh_api_timeout"
 	CdhApiTimeoutKernelParam     = "agent." + CdhApiTimeoutOption
 	// Policy is an annotation containing the contents of an agent policy file, base64 encoded.
 	Policy = kataAnnotAgentPrefix + "policy"