runtime-rs: skip local type conversion for block-encrypted emptyDirs
When emptydir_mode is "block-encrypted", host emptyDir paths must remain as "bind" mounts so the EncryptedEmptyDirVolume handler can intercept them in the volume dispatch chain. Previously, update_ephemeral_storage_type() would unconditionally convert them to "local" type, causing them to be handled as plain local volumes instead. Add the emptydir_mode parameter to update_ephemeral_storage_type() and its call chain (amend_spec in container.rs) and skip the host-emptyDir-to-local conversion when the mode is block-encrypted. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com> Assisted-by: Cursor <cursoragent@cursor.com>
@@ -58,7 +58,13 @@ pub fn is_host_empty_dir(path: &str) -> bool {
|
||||
// For the given pod ephemeral volume is created only once
|
||||
// backed by tmpfs inside the VM. For successive containers
|
||||
// of the same pod the already existing volume is reused.
|
||||
pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_dir: bool) {
|
||||
pub fn update_ephemeral_storage_type(
|
||||
oci_spec: &mut Spec,
|
||||
disable_guest_empty_dir: bool,
|
||||
emptydir_mode: &str,
|
||||
) {
|
||||
use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;
|
||||
|
||||
if let Some(mounts) = oci_spec.mounts_mut() {
|
||||
for m in mounts.iter_mut() {
|
||||
if let Some(typ) = &m.typ() {
|
||||
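Review bot: The `use kata_types::config::EMPTYDIR_MODE_BLOCK_ENCRYPTED;` added inside the function body departs from keeping imports at module level, and the new `emptydir_mode: &str` parameter is a stringly-typed mode flag that every caller must spell exactly right; a module-level `use` next to the file's other imports, and longer term an enum for the mode, would turn a misspelled mode into a compile error rather than a silent fallthrough. The comment block above the signature also does not mention the new parameter; I would extend it with `// When emptydir_mode equals EMPTYDIR_MODE_BLOCK_ENCRYPTED, host emptyDirs are left as "bind" so the encrypted-volume handler can claim them.` The function body continues past the end of this hunk.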
@@ -69,11 +75,16 @@ pub fn update_ephemeral_storage_type(oci_spec: &mut Spec, disable_guest_empty_di
|
||||
|
||||
if let Some(source) = &m.source() {
|
||||
let mnt_src = &source.display().to_string();
|
||||
// We only care about the "bind" mount volume here.
|
||||
if is_ephemeral_volume(m) {
|
||||
m.set_typ(Some(String::from(mount::KATA_EPHEMERAL_VOLUME_TYPE)));
|
||||
}
|
||||
if is_host_empty_dir(mnt_src) && !disable_guest_empty_dir {
|
||||
// When block-encrypted mode is active, host emptyDirs must
|
||||
// stay as "bind" so the EncryptedEmptyDirVolume handler can
|
||||
// intercept them in the volume dispatch chain.
|
||||
if is_host_empty_dir(mnt_src)
|
||||
&& !disable_guest_empty_dir
|
||||
&& emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED
|
||||
{
|
||||
m.set_typ(Some(mount::KATA_K8S_LOCAL_STORAGE_TYPE.to_string()));
|
||||
}
|
||||
}
|
||||
|
||||
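Review bot: The new guard `emptydir_mode != EMPTYDIR_MODE_BLOCK_ENCRYPTED` fails open toward plain storage: any value that is not byte-for-byte equal to the constant — a typo, different case or stray whitespace in the runtime's emptydir_mode setting — still converts the host emptyDir to `KATA_K8S_LOCAL_STORAGE_TYPE`, so a deployment that expects encryption would get an unencrypted local volume and nothing in this function can report it. Whether the config loader already rejects unknown emptydir_mode values is not visible in this hunk; if it does not, that validation (or an enum carrying the mode) is where the check belongs, since this function has no error path. I would also name the security-relevant intent so the condition reads clearly: `let keep_bind_for_encryption = emptydir_mode == EMPTYDIR_MODE_BLOCK_ENCRYPTED;` and then `&& !keep_bind_for_encryption` in the `if`. The enclosing loop and function continue outside the hunk.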
@@ -126,6 +126,7 @@ impl Container {
|
||||
toml_config.runtime.disable_guest_seccomp,
|
||||
disable_guest_selinux,
|
||||
toml_config.runtime.disable_guest_empty_dir,
|
||||
&toml_config.runtime.emptydir_mode,
|
||||
)
|
||||
.context("amend spec")?;
|
||||
|
||||
@@ -739,6 +740,7 @@ fn amend_spec(
|
||||
disable_guest_seccomp: bool,
|
||||
disable_guest_selinux: bool,
|
||||
disable_guest_empty_dir: bool,
|
||||
emptydir_mode: &str,
|
||||
) -> Result<()> {
|
||||
// Only the StartContainer hook needs to be reserved for execution in the guest
|
||||
if let Some(hooks) = spec.hooks().as_ref() {
|
||||
@@ -748,7 +750,7 @@ fn amend_spec(
|
||||
}
|
||||
|
||||
// special process K8s ephemeral volumes.
|
||||
update_ephemeral_storage_type(spec, disable_guest_empty_dir);
|
||||
update_ephemeral_storage_type(spec, disable_guest_empty_dir, emptydir_mode);
|
||||
|
||||
if let Some(linux) = &mut spec.linux_mut() {
|
||||
if disable_guest_seccomp {
|
||||
@@ -861,11 +863,11 @@ mod tests {
|
||||
assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
|
||||
|
||||
// disable_guest_seccomp = false
|
||||
amend_spec(&mut spec, false, false, false).unwrap();
|
||||
amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
|
||||
assert!(spec.linux().as_ref().unwrap().seccomp().is_some());
|
||||
|
||||
// disable_guest_seccomp = true
|
||||
amend_spec(&mut spec, true, false, false).unwrap();
|
||||
amend_spec(&mut spec, true, false, false, "shared-fs").unwrap();
|
||||
assert!(spec.linux().as_ref().unwrap().seccomp().is_none());
|
||||
}
|
||||
|
||||
@@ -888,12 +890,12 @@ mod tests {
|
||||
.unwrap();
|
||||
|
||||
// disable_guest_selinux = false, selinux labels are left alone
|
||||
amend_spec(&mut spec, false, false, false).unwrap();
|
||||
amend_spec(&mut spec, false, false, false, "shared-fs").unwrap();
|
||||
assert!(spec.process().as_ref().unwrap().selinux_label() == &Some("xxx".to_owned()));
|
||||
assert!(spec.linux().as_ref().unwrap().mount_label() == &Some("yyy".to_owned()));
|
||||
|
||||
// disable_guest_selinux = true, selinux labels are reset
|
||||
amend_spec(&mut spec, false, true, false).unwrap();
|
||||
amend_spec(&mut spec, false, true, false, "shared-fs").unwrap();
|
||||
assert!(spec.process().as_ref().unwrap().selinux_label().is_none());
|
||||
assert!(spec.linux().as_ref().unwrap().mount_label().is_none());
|
||||
}
|
||||
|
||||
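Review bot: Both amend_spec calls in this test pass only `"shared-fs"`, as do the calls in the preceding test hunk, so the new block-encrypted branch in update_ephemeral_storage_type is not exercised by any test in this commit. Since that branch decides whether a host emptyDir is downgraded to a plain local volume or left for the encrypted-volume handler, a regression would silently weaken storage protection; I would add a unit test beside update_ephemeral_storage_type that builds a Spec with a bind mount whose source satisfies is_host_empty_dir, then asserts the mount type is left untouched when the mode is `EMPTYDIR_MODE_BLOCK_ENCRYPTED` and becomes `KATA_K8S_LOCAL_STORAGE_TYPE` with `"shared-fs"`. The test module continues outside this hunk.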