From f0256fded58a0d4c8b54a0747b206112163625dd Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Thu, 1 Feb 2024 11:30:05 +0100 Subject: [PATCH 1/2] runtime-rs: remove validation of shim v2 -address value It appears that under the shim v2 protocol, a shim has no use of its own for the -address value, it just passes it back to container runtime's (mostly containerd or cri-o) event-publishing binary. Since the -address value only flows through the shim, being passed to the shim by a container runtime and then essentially passed back by shim to the container runtime, it seems inappropriate for a shim to validate the value that is fully owned and only used by the container runtime. This commit removes such validation from runtime-rs. Doing so, it solves (part of) an interoperability problem between runtime-rs and cri-o. cri-o seems to intentionally choose not to implement the event-publishing part of the shim v2 protocol and thus it has no value it could pass to runtime-rs for -address. As a result, it sends an empty string which has been failing the excessive validation performed by runtime-rs so far. Signed-off-by: Pavel Mores --- src/runtime-rs/crates/shim/src/args.rs | 44 ++------------------ src/runtime-rs/crates/shim/src/shim_start.rs | 1 - 2 files changed, 3 insertions(+), 42 deletions(-) diff --git a/src/runtime-rs/crates/shim/src/args.rs b/src/runtime-rs/crates/shim/src/args.rs index 1ab5b8afab..9027678a0e 100644 --- a/src/runtime-rs/crates/shim/src/args.rs +++ b/src/runtime-rs/crates/shim/src/args.rs @@ -4,7 +4,7 @@ // SPDX-License-Identifier: Apache-2.0 // -use std::{os::unix::fs::FileTypeExt, path::PathBuf}; +use std::path::PathBuf; use anyhow::{anyhow, Context, Result}; use kata_sys_util::validate; @@ -38,11 +38,7 @@ impl Args { /// The id, namespace, address and publish_binary are mandatory for START, RUN and DELETE. /// And bundle is mandatory for DELETE. pub fn validate(&mut self, should_check_bundle: bool) -> Result<()> { - if self.id.is_empty() - || self.namespace.is_empty() - || self.address.is_empty() - || self.publish_binary.is_empty() - { + if self.id.is_empty() || self.namespace.is_empty() || self.publish_binary.is_empty() { return Err(anyhow!(Error::ArgumentIsEmpty(format!( "id: {} namespace: {} address: {} publish_binary: {}", &self.id, &self.namespace, &self.address, &self.publish_binary @@ -52,21 +48,6 @@ impl Args { validate::verify_id(&self.id).context("verify container id")?; validate::verify_id(&self.namespace).context("verify namespace")?; - // Ensure `address` is a valid path. - let path = PathBuf::from(self.address.clone()) - .canonicalize() - .context(Error::InvalidPath(self.address.clone()))?; - let md = path - .metadata() - .context(Error::FileGetMetadata(format!("{:?}", path)))?; - if !md.file_type().is_socket() { - return Err(Error::InvalidArgument).context("address is not socket"); - } - self.address = path - .to_str() - .map(|v| v.to_owned()) - .ok_or(Error::InvalidArgument)?; - // Ensure `bundle` is a valid path. if should_check_bundle { if self.bundle.is_empty() { @@ -182,10 +163,7 @@ mod tests { arg.clone() }, should_check_bundle: false, - result: Err(anyhow!(Error::ArgumentIsEmpty(format!( - "id: {} namespace: {} address: {} publish_binary: {}", - &arg.id, &arg.namespace, &arg.address, &arg.publish_binary - )))), + result: Ok(()), }, TestData { arg: { @@ -276,22 +254,6 @@ mod tests { should_check_bundle: true, result: Ok(()), }, - TestData { - arg: { - arg.address = default_address.clone() + "/.."; - arg.clone() - }, - should_check_bundle: true, - result: Err(anyhow!(Error::InvalidPath(arg.address.clone()))), - }, - TestData { - arg: { - arg.address = default_address.clone() + "/.."; - arg.clone() - }, - should_check_bundle: true, - result: Err(anyhow!(Error::InvalidPath(arg.address.clone()))), - }, TestData { arg: { arg.address = default_address; diff --git a/src/runtime-rs/crates/shim/src/shim_start.rs b/src/runtime-rs/crates/shim/src/shim_start.rs index 06a7f3ae5f..72e4870661 100644 --- a/src/runtime-rs/crates/shim/src/shim_start.rs +++ b/src/runtime-rs/crates/shim/src/shim_start.rs @@ -61,7 +61,6 @@ impl ShimExecutor { fn new_command(&self) -> Result { if self.args.id.is_empty() || self.args.namespace.is_empty() - || self.args.address.is_empty() || self.args.publish_binary.is_empty() { return Err(anyhow!("invalid param")); From 6346e04cf7d7e9c26844d624cc3e5fb3c3b25178 Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Thu, 1 Feb 2024 12:01:35 +0100 Subject: [PATCH 2/2] runtime-rs: fix handling of TTRCP_ADDRESS Since cri-o doesn't seem to use address for event publishing as mentioned in the previous commit it will not send it. However, the exact way of not sending it is unfortunately different from what is assumed by runtime-rs. Due to an implementation detail of cri-o which uses containerd libraries for some low-level tasks, TTRPC_ADDRESS will not be missing from environment as assumed, instead it will be present with an empty value. This commit contains a small adjustment to account for that and use LogForwarder even if TTRPC_ADDRESS is present, but with an empty value. Fixes #8985 Signed-off-by: Pavel Mores --- src/runtime-rs/crates/service/src/event.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/runtime-rs/crates/service/src/event.rs b/src/runtime-rs/crates/service/src/event.rs index 79cf711027..fc5868f3a8 100644 --- a/src/runtime-rs/crates/service/src/event.rs +++ b/src/runtime-rs/crates/service/src/event.rs @@ -38,12 +38,14 @@ pub(crate) trait Forwarder { /// `TTRPC_ADDRESS` existing. Otherwise, fall back to `LogForwarder`. pub(crate) async fn new_event_publisher(namespace: &str) -> Result> { let fwd: Box = match env::var(TTRPC_ADDRESS_ENV) { - Ok(address) => Box::new( + Ok(address) if !address.is_empty() => Box::new( ContainerdForwarder::new(namespace, &address) .await .context("new containerd forwarder")?, ), - Err(_) => Box::new( + // an empty address doesn't match the arm above so catch it here + // and handle it the same way as if it's missing altogether + Ok(_) | Err(_) => Box::new( LogForwarder::new(namespace) .await .context("new log forwarder")?,