Merge pull request #10851 from fidencio/topic/bump-image-rs-to-bring-in-ttrpc-0.8.4
agent: Bump image-rs to 514c561d93
commit
64ceb0832a
328
src/agent/Cargo.lock
generated
328
src/agent/Cargo.lock
generated
@ -78,7 +78,7 @@ strum = "0.26.2"
|
||||
strum_macros = "0.26.2"
|
||||
|
||||
# Image pull/decrypt
|
||||
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "v0.10.0", default-features = false, optional = true }
|
||||
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "514c561d933cb11a0f1628621a0b930157af76cd", default-features = false, optional = true }
|
||||
|
||||
# Agent Policy
|
||||
regorus = { version = "0.2.6", default-features = false, features = [
|
||||
|
@ -9,10 +9,11 @@ use safe_path::scoped_join;
|
||||
use std::collections::HashMap;
|
||||
use std::env;
|
||||
use std::fs;
|
||||
use std::path::{Path, PathBuf};
|
||||
use std::path::Path;
|
||||
use std::sync::Arc;
|
||||
|
||||
use anyhow::{anyhow, bail, Context, Result};
|
||||
use image_rs::builder::ClientBuilder;
|
||||
use image_rs::image::ImageClient;
|
||||
use kata_sys_util::validate::verify_id;
|
||||
use oci_spec::runtime as oci;
|
||||
@ -57,15 +58,16 @@ pub struct ImageService {
|
||||
}
|
||||
|
||||
impl ImageService {
|
||||
pub fn new() -> Self {
|
||||
let mut image_client = ImageClient::new(PathBuf::from(KATA_IMAGE_WORK_DIR));
|
||||
pub async fn new() -> Result<Self> {
|
||||
let mut image_client_builder =
|
||||
ClientBuilder::default().work_dir(KATA_IMAGE_WORK_DIR.into());
|
||||
#[cfg(feature = "guest-pull")]
|
||||
{
|
||||
if !AGENT_CONFIG.image_registry_auth.is_empty() {
|
||||
let registry_auth = &AGENT_CONFIG.image_registry_auth;
|
||||
debug!(sl(), "Set registry auth file {:?}", registry_auth);
|
||||
image_client.config.file_paths.auth_file = registry_auth.clone();
|
||||
image_client.config.auth = true;
|
||||
image_client_builder = image_client_builder
|
||||
.authenticated_registry_credentials_uri(registry_auth.into());
|
||||
}
|
||||
|
||||
let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification;
|
||||
@ -73,15 +75,15 @@ impl ImageService {
|
||||
sl(),
|
||||
"Enable image signature verification: {:?}", enable_signature_verification
|
||||
);
|
||||
image_client.config.security_validate = *enable_signature_verification;
|
||||
|
||||
if !AGENT_CONFIG.image_policy_file.is_empty() {
|
||||
if !AGENT_CONFIG.image_policy_file.is_empty() && *enable_signature_verification {
|
||||
let image_policy_file = &AGENT_CONFIG.image_policy_file;
|
||||
debug!(sl(), "Use imagepolicy file {:?}", image_policy_file);
|
||||
image_client.config.file_paths.policy_path = image_policy_file.clone();
|
||||
debug!(sl(), "Use image policy file {:?}", image_policy_file);
|
||||
image_client_builder =
|
||||
image_client_builder.image_security_policy_uri(image_policy_file.into());
|
||||
}
|
||||
}
|
||||
Self { image_client }
|
||||
let image_client = image_client_builder.build().await?;
|
||||
Ok(Self { image_client })
|
||||
}
|
||||
|
||||
/// get guest pause image process specification
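Review bot: The new condition `if !AGENT_CONFIG.image_policy_file.is_empty() && *enable_signature_verification {` replaces the old explicit `image_client.config.security_validate = *enable_signature_verification;`, so when signature verification is enabled but `image_policy_file` is empty the builder is never given a policy and `build()` goes ahead with whatever image-rs's default behaviour is. An operator who turns on `enable_signature_verification` but forgets the policy path would get a client that, as far as this hunk shows, enforces nothing, with only a debug line as a trace. I would fail closed: after the `if` block add `else if *enable_signature_verification { bail!("enable_signature_verification is set but image_policy_file is empty"); }` (`bail` is already imported at the top of the file), and log at warn level when a policy file is configured but verification is off, since that file is now silently ignored. Whether the pinned guest-components revision itself refuses to build without a policy in this situation is not visible here and is worth confirming; `ImageService::new` starts inside this hunk, but the enclosing `impl ImageService` continues past it.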
|
||||
@ -276,9 +278,10 @@ pub async fn set_proxy_env_vars() {
|
||||
}
|
||||
|
||||
/// Init the image service
|
||||
pub async fn init_image_service() {
|
||||
let image_service = ImageService::new();
|
||||
pub async fn init_image_service() -> Result<()> {
|
||||
let image_service = ImageService::new().await?;
|
||||
*IMAGE_SERVICE.lock().await = Some(image_service);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub async fn pull_image(
|
||||
|
@ -1294,6 +1294,9 @@ impl agent_ttrpc::AgentService for AgentService {
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(feature = "guest-pull")]
|
||||
image::init_image_service().await.map_ttrpc_err(same)?;
|
||||
|
||||
Ok(Empty::new())
|
||||
}
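Review bot: `image::init_image_service().await.map_ttrpc_err(same)?;` now runs inside an RPC handler instead of once in `start`, and `init_image_service` unconditionally does `*IMAGE_SERVICE.lock().await = Some(image_service)`, so every invocation of this handler rebuilds the client and replaces the one already in use; the handler's name and the rest of its body are outside this hunk. If the host retries the call, the registry credentials and policy file are re-read and a client that earlier pulls were configured with is swapped mid-sandbox. Making `init_image_service` idempotent, e.g. `let mut guard = IMAGE_SERVICE.lock().await; if guard.is_none() { *guard = Some(ImageService::new().await?); }`, keeps the policy-configured client stable for the sandbox's lifetime, and the lock should be held across the check so two concurrent calls cannot both initialise. Surfacing the build error to the caller as a ttrpc error rather than aborting the agent is the right direction: an unreadable policy file now fails the request instead of the whole agent.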
|
||||
|
||||
@ -1748,9 +1751,6 @@ pub async fn start(
|
||||
let health_service = Box::new(HealthService {}) as Box<dyn health_ttrpc::Health + Send + Sync>;
|
||||
let hservice = health_ttrpc::create_health(Arc::new(health_service));
|
||||
|
||||
#[cfg(feature = "guest-pull")]
|
||||
image::init_image_service().await;
|
||||
|
||||
let server = TtrpcServer::new()
|
||||
.bind(server_address)?
|
||||
.register_service(aservice)
|
||||
|
@ -97,7 +97,7 @@ EOF
|
||||
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
|
||||
|
||||
assert_pod_fail "${kata_pod}"
|
||||
assert_logs_contain "${node}" kata "${node_start_time}" "Security validate failed: Validate image failed: Cannot pull manifest"
|
||||
assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
|
||||
}
|
||||
|
||||
@test "Create a pod from a signed image, on a 'restricted registry' is successful" {
|
||||
@ -123,7 +123,7 @@ EOF
|
||||
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
|
||||
|
||||
assert_pod_fail "${kata_pod}"
|
||||
assert_logs_contain "${node}" kata "${node_start_time}" "Security validate failed: Validate image failed: \[PublicKeyVerifier"
|
||||
assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
|
||||
}
|
||||
|
||||
@test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" {
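Review bot: Both rewritten assertions now check the same generic string `"image security validation failed"`, where the previous ones pinned a distinct cause per case (`Cannot pull manifest` for the unsigned image, `\[PublicKeyVerifier` for the wrong key). A pod rejected for an unrelated reason that still passes through the validation path, or both tests failing for the same reason, would now satisfy both tests, so the suite no longer demonstrates that the two policy branches are actually exercised. If the bumped image-rs still carries the underlying cause in the error chain, keep a second `assert_logs_contain "${node}" kata "${node_start_time}" "<cause>"` per test on that cause; if it does not, a comment such as `# Only rejection is asserted here; image-rs no longer surfaces the specific policy failure in the log` would save the next reader from assuming more coverage than exists. The exact wording the new image-rs emits is not visible in this hunk, so read it from the agent log before pinning it.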
|
||||
|