diff --git a/src/runtime-rs/crates/resource/src/manager.rs b/src/runtime-rs/crates/resource/src/manager.rs
index f5db93a175..94cf3138f0 100644
--- a/src/runtime-rs/crates/resource/src/manager.rs
+++ b/src/runtime-rs/crates/resource/src/manager.rs
@@ -25,7 +25,7 @@ impl ResourceManager {
 sid: &str,
 agent: Arc,
 hypervisor: Arc,
- toml_config: &TomlConfig,
+ toml_config: Arc,
 ) -> Result {
 Ok(Self {
 inner: Arc::new(RwLock::new(ResourceManagerInner::new(
@@ -37,6 +37,11 @@ impl ResourceManager {
 })
 }
+ pub async fn config(&self) -> Arc {
+ let inner = self.inner.read().await;
+ inner.config()
+ }
+
 pub async fn prepare_before_start_vm(&self, device_configs: Vec) -> Result<()> {
 let mut inner = self.inner.write().await;
 inner.prepare_before_start_vm(device_configs).await
diff --git a/src/runtime-rs/crates/resource/src/manager_inner.rs b/src/runtime-rs/crates/resource/src/manager_inner.rs
index c254352429..fb90a25a60 100644
--- a/src/runtime-rs/crates/resource/src/manager_inner.rs
+++ b/src/runtime-rs/crates/resource/src/manager_inner.rs
@@ -24,6 +24,7 @@ use crate::{
 pub(crate) struct ResourceManagerInner {
 sid: String,
+ toml_config: Arc,
 agent: Arc,
 hypervisor: Arc,
 network: Option>,
@@ -39,20 +40,26 @@ impl ResourceManagerInner {
 sid: &str,
 agent: Arc,
 hypervisor: Arc,
- toml_config: &TomlConfig,
+ toml_config: Arc,
 ) -> Result {
+ let cgroups_resource = CgroupsResource::new(sid, &toml_config)?;
 Ok(Self {
 sid: sid.to_string(),
+ toml_config,
 agent,
 hypervisor,
 network: None,
 share_fs: None,
 rootfs_resource: RootFsResource::new(),
 volume_resource: VolumeResource::new(),
- cgroups_resource: CgroupsResource::new(sid, toml_config)?,
+ cgroups_resource,
 })
 }
+ pub fn config(&self) -> Arc {
+ self.toml_config.clone()
+ }
+
 pub async fn prepare_before_start_vm(
 &mut self,
 device_configs: Vec,
diff --git a/src/runtime-rs/crates/runtimes/common/src/runtime_handler.rs b/src/runtime-rs/crates/runtimes/common/src/runtime_handler.rs
index bf137f689f..c12df38b12 100644
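Review bot: `ResourceManager::config` takes the `inner` read lock only to clone an `Arc` that `ResourceManagerInner::new` stores once and that nothing in this diff ever replaces, so every caller pays an async lock acquisition for an immutable value; if `toml_config` is indeed never reassigned, keeping a second `Arc` directly on `ResourceManager` (set in the constructor in the first hunk) would let `config()` be a plain synchronous getter with no lock. Both new accessors also lack documentation; suggest `/// Shared handle to the runtime TOML configuration captured at construction.` on `ResourceManagerInner::config`, with the async wrapper additionally noting that it awaits the inner read lock. In `ResourceManagerInner::config`, `Arc::clone(&self.toml_config)` instead of `.clone()` would make the cheap-clone intent explicit.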
--- a/src/runtime-rs/crates/runtimes/common/src/runtime_handler.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/runtime_handler.rs
@@ -36,7 +36,7 @@ pub trait RuntimeHandler: Send + Sync {
 &self,
 sid: &str,
 msg_sender: Sender,
- config: &TomlConfig,
+ config: Arc,
 ) -> Result;
 fn cleanup(&self, id: &str) -> Result<()>;
diff --git a/src/runtime-rs/crates/runtimes/common/src/sandbox.rs b/src/runtime-rs/crates/runtimes/common/src/sandbox.rs
index 1b175204c5..fbb5db53bc 100644
--- a/src/runtime-rs/crates/runtimes/common/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/sandbox.rs
@@ -7,11 +7,9 @@ use anyhow::Result;
 use async_trait::async_trait;
-use kata_types::config::TomlConfig;
-
 #[async_trait]
 pub trait Sandbox: Send + Sync {
- async fn start(&self, netns: Option, config: &TomlConfig) -> Result<()>;
+ async fn start(&self, netns: Option) -> Result<()>;
 async fn stop(&self) -> Result<()>;
 async fn cleanup(&self, container_id: &str) -> Result<()>;
 async fn shutdown(&self) -> Result<()>;
diff --git a/src/runtime-rs/crates/runtimes/linux_container/src/lib.rs b/src/runtime-rs/crates/runtimes/linux_container/src/lib.rs
index 4a805e3fad..582b4e961f 100644
--- a/src/runtime-rs/crates/runtimes/linux_container/src/lib.rs
+++ b/src/runtime-rs/crates/runtimes/linux_container/src/lib.rs
@@ -33,7 +33,7 @@ impl RuntimeHandler for LinuxContainer {
 &self,
 _sid: &str,
 _msg_sender: Sender,
- _config: &TomlConfig,
+ _config: Arc,
 ) -> Result {
 todo!()
 }
diff --git a/src/runtime-rs/crates/runtimes/src/manager.rs b/src/runtime-rs/crates/runtimes/src/manager.rs
index 131a276125..10a4a427bb 100644
--- a/src/runtime-rs/crates/runtimes/src/manager.rs
+++ b/src/runtime-rs/crates/runtimes/src/manager.rs
@@ -40,7 +40,7 @@ impl RuntimeHandlerManagerInner {
 async fn init_runtime_handler(
 &mut self,
 netns: Option,
- config: &TomlConfig,
+ config: Arc,
 ) -> Result<()> {
 info!(sl!(), "new runtime handler {}", &config.runtime.name);
 let runtime_handler = match config.runtime.name.as_str() {
@@ -62,7 +62,7 @@ impl RuntimeHandlerManagerInner {
 // start sandbox
 runtime_instance
 .sandbox
- .start(netns, config)
+ .start(netns)
 .await
 .context("start sandbox")?;
 self.runtime_instance = Some(Arc::new(runtime_instance));
@@ -100,7 +100,7 @@ impl RuntimeHandlerManagerInner {
 };
 let config = load_config(spec).context("load config")?;
- self.init_runtime_handler(netns, &config)
+ self.init_runtime_handler(netns, Arc::new(config))
 .await
 .context("init runtime handler")?;
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index d31ee42248..2e50b55e92 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
@@ -78,8 +78,9 @@ impl Container {
 pub async fn create(&self, mut spec: oci::Spec) -> Result<()> {
 // process oci spec
 let mut inner = self.inner.write().await;
+ let toml_config = self.resource_manager.config().await;
 let config = &self.config;
- amend_spec(&mut spec).context("load spec")?;
+ amend_spec(&mut spec, toml_config.runtime.disable_guest_seccomp).context("load spec")?;
 // handler rootfs
 let rootfs = self
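Review bot: In `Container::create` the new `self.resource_manager.config().await` is awaited after `self.inner.write().await` has already been taken, so the resource manager's read lock is now acquired inside the container's write-lock critical section; moving `let toml_config = self.resource_manager.config().await;` above `let mut inner = self.inner.write().await;` keeps the two locks from nesting and shortens the time the write guard is held. Since only one field is consumed, `let disable_guest_seccomp = self.resource_manager.config().await.runtime.disable_guest_seccomp;` would also avoid keeping the whole `Arc` alive for a single bool. `create`'s body continues outside the hunk, so whether `toml_config` is read again further down cannot be confirmed from here.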
@@ -372,12 +373,14 @@ impl Container {
 }
 }
-fn amend_spec(spec: &mut oci::Spec) -> Result<()> {
+fn amend_spec(spec: &mut oci::Spec, disable_guest_seccomp: bool) -> Result<()> {
 // hook should be done on host
 spec.hooks = None;
 if let Some(linux) = spec.linux.as_mut() {
- linux.seccomp = None;
+ if disable_guest_seccomp {
+ linux.seccomp = None;
+ }
 if let Some(resource) = linux.resources.as_mut() {
 resource.devices = Vec::new();
@@ -400,3 +403,29 @@ fn amend_spec(spec: &mut oci::Spec) -> Result<()> {
 Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+ use super::amend_spec;
+
+ #[test]
+ fn test_amend_spec_disable_guest_seccomp() {
+ let mut spec = oci::Spec {
+ linux: Some(oci::Linux {
+ seccomp: Some(oci::LinuxSeccomp::default()),
+ ..Default::default()
+ }),
+ ..Default::default()
+ };
+
+ assert!(spec.linux.as_ref().unwrap().seccomp.is_some());
+
+ // disable_guest_seccomp = false
+ amend_spec(&mut spec, false).unwrap();
+ assert!(spec.linux.as_ref().unwrap().seccomp.is_some());
+
+ // disable_guest_seccomp = true
+ amend_spec(&mut spec, true).unwrap();
+ assert!(spec.linux.as_ref().unwrap().seccomp.is_none());
+ }
+}
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/lib.rs b/src/runtime-rs/crates/runtimes/virt_container/src/lib.rs
index 737b1a18f4..8869c03c07 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/lib.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/lib.rs
@@ -51,9 +51,9 @@ impl RuntimeHandler for VirtContainer {
 &self,
 sid: &str,
 msg_sender: Sender,
- config: &TomlConfig,
+ config: Arc,
 ) -> Result {
- let hypervisor = new_hypervisor(config).await.context("new hypervisor")?;
+ let hypervisor = new_hypervisor(&config).await.context("new hypervisor")?;
 // get uds from hypervisor and get config from toml_config
 let agent = Arc::new(KataAgent::new(kata_types::config::Agent {
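Review bot: `amend_spec` now leaves the container's seccomp profile in the spec unless `disable_guest_seccomp` is true, which reverses the previous unconditional strip, yet neither the function nor its `create` call site documents that policy and a reader has to infer it from the new test; add `/// Adjusts an OCI spec for running inside the guest: hooks are dropped (they run on the host), `resources.devices` is cleared, and the seccomp profile is removed only when `disable_guest_seccomp` is set, otherwise it is left in the spec.` above the signature. The effective behaviour depends on the value of `runtime.disable_guest_seccomp` in the loaded TOML config, which this diff does not show, so the comment should also state which way an unset option falls once that is confirmed. The new test checks only the seccomp branch; `assert!(spec.hooks.is_none());` after the first `amend_spec` call would pin the hook stripping as well. The test module names `oci::Spec` without a `use`, which presumably resolves only because `oci` is an extern crate of this package — a `use super::*;` would make it robust to that changing.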
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
index 470663bcb5..6bcf3d2dfc 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@@ -15,7 +15,6 @@ use common::{
 };
 use containerd_shim_protos::events::task::TaskOOM;
 use hypervisor::Hypervisor;
-use kata_types::config::TomlConfig;
 use resource::{
 network::{NetworkConfig, NetworkWithNetNsConfig},
 ResourceConfig, ResourceManager,
@@ -79,10 +78,10 @@ impl VirtSandbox {
 &self,
 _id: &str,
 netns: Option,
- config: &TomlConfig,
 ) -> Result> {
 let mut resource_configs = vec![];
+ let config = self.resource_manager.config().await;
 if let Some(netns_path) = netns {
 let network_config = ResourceConfig::Network(NetworkConfig::NetworkResourceWithNetNs(
 NetworkWithNetNsConfig {
@@ -109,7 +108,7 @@ impl VirtSandbox {
 #[async_trait]
 impl Sandbox for VirtSandbox {
- async fn start(&self, netns: Option, config: &TomlConfig) -> Result<()> {
+ async fn start(&self, netns: Option) -> Result<()> {
 let id = &self.sid;
 // if sandbox running, return
@@ -127,7 +126,7 @@ impl Sandbox for VirtSandbox {
 // generate device and setup before start vm
 // should after hypervisor.prepare_vm
- let resources = self.prepare_for_start_sandbox(id, netns, config).await?;
+ let resources = self.prepare_for_start_sandbox(id, netns).await?;
 self.resource_manager
 .prepare_before_start_vm(resources)
 .await
diff --git a/src/runtime-rs/crates/runtimes/wasm_container/src/lib.rs b/src/runtime-rs/crates/runtimes/wasm_container/src/lib.rs
index 28a81fc49d..c687274670 100644
--- a/src/runtime-rs/crates/runtimes/wasm_container/src/lib.rs
+++ b/src/runtime-rs/crates/runtimes/wasm_container/src/lib.rs
@@ -32,7 +32,7 @@ impl RuntimeHandler for WasmContainer {
 &self,
 _sid: &str,
 _msg_sender: Sender,
- _config: &TomlConfig,
+ _config: Arc,
 ) -> Result {
 todo!()
 }