agent/image: syntax only change to image service implementation
Syntax only change to image service implementation. Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
This commit is contained in:
parent
2a084ecbef
commit
624d3c063a
@ -14,6 +14,7 @@ use std::sync::Arc;
|
|||||||
|
|
||||||
use anyhow::{anyhow, Result};
|
use anyhow::{anyhow, Result};
|
||||||
use async_trait::async_trait;
|
use async_trait::async_trait;
|
||||||
|
use image_rs::image::ImageClient;
|
||||||
use protocols::image;
|
use protocols::image;
|
||||||
use tokio::sync::Mutex;
|
use tokio::sync::Mutex;
|
||||||
use ttrpc::{self, error::get_rpc_status as ttrpc_error};
|
use ttrpc::{self, error::get_rpc_status as ttrpc_error};
|
||||||
@ -22,9 +23,6 @@ use crate::rpc::{verify_cid, CONTAINER_BASE};
|
|||||||
use crate::sandbox::Sandbox;
|
use crate::sandbox::Sandbox;
|
||||||
use crate::AGENT_CONFIG;
|
use crate::AGENT_CONFIG;
|
||||||
|
|
||||||
use image_rs::image::ImageClient;
|
|
||||||
use std::io::Write;
|
|
||||||
|
|
||||||
const AA_PATH: &str = "/usr/local/bin/attestation-agent";
|
const AA_PATH: &str = "/usr/local/bin/attestation-agent";
|
||||||
|
|
||||||
const AA_KEYPROVIDER_URI: &str =
|
const AA_KEYPROVIDER_URI: &str =
|
||||||
@ -51,23 +49,20 @@ pub struct ImageService {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl ImageService {
|
impl ImageService {
|
||||||
pub async fn new(sandbox: Arc<Mutex<Sandbox>>) -> Self {
|
pub fn new(sandbox: Arc<Mutex<Sandbox>>) -> Self {
|
||||||
env::set_var("CC_IMAGE_WORK_DIR", KATA_CC_IMAGE_WORK_DIR);
|
env::set_var("CC_IMAGE_WORK_DIR", KATA_CC_IMAGE_WORK_DIR);
|
||||||
|
|
||||||
let mut image_client = ImageClient::default();
|
let mut image_client = ImageClient::default();
|
||||||
|
if !AGENT_CONFIG.image_policy_file.is_empty() {
|
||||||
let image_policy_file = &AGENT_CONFIG.image_policy_file;
|
image_client.config.file_paths.sigstore_config = AGENT_CONFIG.image_policy_file.clone();
|
||||||
if !image_policy_file.is_empty() {
|
|
||||||
image_client.config.file_paths.sigstore_config = image_policy_file.clone();
|
|
||||||
}
|
}
|
||||||
|
if !AGENT_CONFIG.simple_signing_sigstore_config.is_empty() {
|
||||||
let simple_signing_sigstore_config = &AGENT_CONFIG.simple_signing_sigstore_config;
|
image_client.config.file_paths.sigstore_config =
|
||||||
if !simple_signing_sigstore_config.is_empty() {
|
AGENT_CONFIG.simple_signing_sigstore_config.clone();
|
||||||
image_client.config.file_paths.sigstore_config = simple_signing_sigstore_config.clone();
|
|
||||||
}
|
}
|
||||||
|
if !AGENT_CONFIG.image_registry_auth_file.is_empty() {
|
||||||
let image_registry_auth_file = &AGENT_CONFIG.image_registry_auth_file;
|
image_client.config.file_paths.auth_file =
|
||||||
if !image_registry_auth_file.is_empty() {
|
AGENT_CONFIG.image_registry_auth_file.clone();
|
||||||
image_client.config.file_paths.auth_file = image_registry_auth_file.clone();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Self {
|
Self {
|
||||||
@ -119,8 +114,9 @@ impl ImageService {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
let mut config_file = fs::File::create(config_path)?;
|
fs::write(config_path, ocicrypt_config.to_string().as_bytes())?;
|
||||||
config_file.write_all(ocicrypt_config.to_string().as_bytes())?;
|
|
||||||
|
env::set_var("OCICRYPT_KEYPROVIDER_CONFIG", config_path);
|
||||||
|
|
||||||
// The Attestation Agent will run for the duration of the guest.
|
// The Attestation Agent will run for the duration of the guest.
|
||||||
Command::new(AA_PATH)
|
Command::new(AA_PATH)
|
||||||
@ -129,6 +125,7 @@ impl ImageService {
|
|||||||
.arg("--getresource_sock")
|
.arg("--getresource_sock")
|
||||||
.arg(AA_GETRESOURCE_URI)
|
.arg(AA_GETRESOURCE_URI)
|
||||||
.spawn()?;
|
.spawn()?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -154,8 +151,6 @@ impl ImageService {
|
|||||||
}
|
}
|
||||||
|
|
||||||
async fn pull_image(&self, req: &image::PullImageRequest) -> Result<String> {
|
async fn pull_image(&self, req: &image::PullImageRequest) -> Result<String> {
|
||||||
env::set_var("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH);
|
|
||||||
|
|
||||||
let https_proxy = &AGENT_CONFIG.https_proxy;
|
let https_proxy = &AGENT_CONFIG.https_proxy;
|
||||||
if !https_proxy.is_empty() {
|
if !https_proxy.is_empty() {
|
||||||
env::set_var("HTTPS_PROXY", https_proxy);
|
env::set_var("HTTPS_PROXY", https_proxy);
|
||||||
@ -195,6 +190,7 @@ impl ImageService {
|
|||||||
!aa_kbc_params.is_empty()
|
!aa_kbc_params.is_empty()
|
||||||
);
|
);
|
||||||
self.image_client.lock().await.config.auth = !aa_kbc_params.is_empty();
|
self.image_client.lock().await.config.auth = !aa_kbc_params.is_empty();
|
||||||
|
let decrypt_config = format!("provider:attestation-agent:{}", aa_kbc_params);
|
||||||
|
|
||||||
// Read enable signature verification from the agent config and set it in the image_client
|
// Read enable signature verification from the agent config and set it in the image_client
|
||||||
let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification;
|
let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification;
|
||||||
@ -209,8 +205,6 @@ impl ImageService {
|
|||||||
let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
|
let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
|
||||||
fs::create_dir_all(&bundle_path)?;
|
fs::create_dir_all(&bundle_path)?;
|
||||||
|
|
||||||
let decrypt_config = format!("provider:attestation-agent:{}", aa_kbc_params);
|
|
||||||
|
|
||||||
info!(sl(), "pull image {:?}, bundle path {:?}", cid, bundle_path);
|
info!(sl(), "pull image {:?}, bundle path {:?}", cid, bundle_path);
|
||||||
// Image layers will store at KATA_CC_IMAGE_WORK_DIR, generated bundles
|
// Image layers will store at KATA_CC_IMAGE_WORK_DIR, generated bundles
|
||||||
// with rootfs and config.json will store under CONTAINER_BASE/cid.
|
// with rootfs and config.json will store under CONTAINER_BASE/cid.
|
||||||
@ -347,7 +341,7 @@ mod tests {
|
|||||||
|
|
||||||
let logger = slog::Logger::root(slog::Discard, o!());
|
let logger = slog::Logger::root(slog::Discard, o!());
|
||||||
let s = Sandbox::new(&logger).unwrap();
|
let s = Sandbox::new(&logger).unwrap();
|
||||||
let image_service = ImageService::new(Arc::new(Mutex::new(s))).await;
|
let image_service = ImageService::new(Arc::new(Mutex::new(s)));
|
||||||
for case in &cases {
|
for case in &cases {
|
||||||
let mut req = image::PullImageRequest::new();
|
let mut req = image::PullImageRequest::new();
|
||||||
req.set_image(case.image.to_string());
|
req.set_image(case.image.to_string());
|
||||||
|
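Review bot: The `OCICRYPT_KEYPROVIDER_CONFIG` variable is now set only inside the function that writes the keyprovider config and spawns the attestation agent (hunk at -119), while the unconditional `env::set_var("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH)` at the top of `pull_image` is dropped (hunk at -154); if that spawn path is conditional or runs after a pull has started, the variable can be unset or set late for a pull that needs layer decryption, which is a behavioural change rather than the syntax-only one the message claims, so it is worth confirming that `config_path` is the same path as `OCICRYPT_CONFIG_PATH` and that every decrypting pull passes through the spawn path first. Separately, in `new` (hunk at -51) both `image_policy_file` and `simple_signing_sigstore_config` are written to the same field `image_client.config.file_paths.sigstore_config`, so when both are configured the second assignment silently overwrites the first; this predates the commit, but a comment such as `// NOTE: simple_signing_sigstore_config overrides image_policy_file here — confirm the intended destination field for the policy file` would make the precedence visible to the next reader. The functions enclosing the -119 and -154 hunks start and end outside the hunks.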
@ -1773,8 +1773,8 @@ pub async fn start(
|
|||||||
let health_service = Box::new(HealthService {}) as Box<dyn health_ttrpc::Health + Send + Sync>;
|
let health_service = Box::new(HealthService {}) as Box<dyn health_ttrpc::Health + Send + Sync>;
|
||||||
let hservice = health_ttrpc::create_health(Arc::new(health_service));
|
let hservice = health_ttrpc::create_health(Arc::new(health_service));
|
||||||
|
|
||||||
let image_service = Box::new(image_rpc::ImageService::new(s).await)
|
let image_service =
|
||||||
as Box<dyn image_ttrpc::Image + Send + Sync>;
|
Box::new(image_rpc::ImageService::new(s)) as Box<dyn image_ttrpc::Image + Send + Sync>;
|
||||||
let iservice = image_ttrpc::create_image(Arc::new(image_service));
|
let iservice = image_ttrpc::create_image(Arc::new(image_service));
|
||||||
|
|
||||||
let server = TtrpcServer::new()
|
let server = TtrpcServer::new()
|
||||||