genpolicy: update workaround for guest pull

Don't skip parsing the pause container image anymore when using the
recently updated AKS pause container handling - i.e. when
pause_container_id_policy == "v2".

This was the easiest CI fix for guest pull + new AKS given the *current*
tests. When adding *new* UID/GID/AdditionalGids tests in the future,
these workarounds might need additional updates.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This commit is contained in:
Dan Mihai
2025-11-12 22:36:42 +00:00
committed by Fabiano Fidêncio
parent 7bcb971398
commit 73ad83e1cc
4 changed files with 67 additions and 66 deletions


@@ -602,9 +602,11 @@ struct TopologySpreadConstraint {
}
impl Container {
pub async fn init(&mut self, config: &Config) {
pub async fn init(&mut self, config: &Config, is_pause_container: bool) {
// Load container image properties from the registry.
self.registry = registry::get_container(config, &self.image).await.unwrap();
self.registry = registry::get_container(config, &self.image, is_pause_container)
.await
.unwrap();
}
pub fn get_env_variables(
@@ -1103,7 +1105,8 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Confi
}),
..Default::default()
};
pause_container.init(config).await;
let is_pause_container = true;
pause_container.init(config, is_pause_container).await;
containers.insert(0, pause_container);
debug!("pause container added.");
}
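Review bot: The new `is_pause_container` parameter on the public `Container::init` signature is undocumented, and from this hunk alone a reader cannot tell what it changes, since the value is only forwarded to `registry::get_container`. Elsewhere in this commit it decides whether passwd/group parsing of a guest-pull image is skipped, so a doc line on the signature would save the next maintainer a search, e.g. `/// `is_pause_container`: true only for the injected pause container; guest-pull handling uses it to decide whether the image's passwd/group files are still parsed.` The `let is_pause_container = true;` binding in `add_pause_container` is a reasonable way to name the literal, and the same pattern appears at the two `false` call sites in the last file of this commit.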


@@ -125,7 +125,7 @@ const GROUP_FILE_WHITEOUT_TAR_PATH: &str = "etc/.wh.group";
pub const WHITEOUT_MARKER: &str = "WHITEOUT";
impl Container {
pub async fn new(config: &Config, image: &str) -> Result<Self> {
pub async fn new(config: &Config, image: &str, is_pause_container: bool) -> Result<Self> {
info!("============================================");
info!("Pulling manifest and config for {image}");
let image_string = image.to_string();
@@ -168,41 +168,36 @@ impl Container {
// Nydus/guest_pull doesn't make available passwd/group files from layers properly.
// See issue https://github.com/kata-containers/kata-containers/issues/11162
if config.settings.cluster_config.guest_pull {
let v1_policy = config.settings.cluster_config.pause_container_id_policy == "v1";
if config.settings.cluster_config.guest_pull && (v1_policy || !is_pause_container) {
info!("Guest pull is enabled, skipping passwd/group file parsing");
return Ok(Container {
image: image_string,
config_layer,
passwd,
group,
});
}
} else {
let image_layers = get_image_layers(
&config.layers_cache,
&mut client,
&reference,
&manifest,
&config_layer,
)
.await
.unwrap();
let image_layers = get_image_layers(
&config.layers_cache,
&mut client,
&reference,
&manifest,
&config_layer,
)
.await
.unwrap();
// Find the last layer with an /etc/* file, respecting whiteouts.
info!("Parsing users and groups in image layers");
for layer in &image_layers {
if layer.passwd == WHITEOUT_MARKER {
passwd = String::new();
} else if !layer.passwd.is_empty() {
passwd = layer.passwd.clone();
debug!("Container:new: Found in image layer passwd = \n{passwd}");
}
// Find the last layer with an /etc/* file, respecting whiteouts.
info!("Parsing users and groups in image layers");
for layer in &image_layers {
if layer.passwd == WHITEOUT_MARKER {
passwd = String::new();
} else if !layer.passwd.is_empty() {
passwd = layer.passwd.clone();
debug!("Container:new: Found in image layer passwd = \n{passwd}");
}
if layer.group == WHITEOUT_MARKER {
group = String::new();
} else if !layer.group.is_empty() {
group = layer.group.clone();
debug!("Container:new: Found in image layer group = \n{group}");
if layer.group == WHITEOUT_MARKER {
group = String::new();
} else if !layer.group.is_empty() {
group = layer.group.clone();
debug!("Container:new: Found in image layer group = \n{group}");
}
}
}
@@ -657,11 +652,16 @@ pub fn get_users_from_decompressed_layer(path: &Path) -> Result<(String, String)
Ok((passwd, group))
}
pub async fn get_container(config: &Config, image: &str) -> Result<Container> {
pub async fn get_container(
config: &Config,
image: &str,
is_pause_container: bool,
) -> Result<Container> {
if let Some(socket_path) = &config.containerd_socket_path {
return Container::new_containerd_pull(config, image, socket_path).await;
return Container::new_containerd_pull(config, image, socket_path, is_pause_container)
.await;
}
Container::new(config, image).await
Container::new(config, image, is_pause_container).await
}
fn build_auth(reference: &Reference) -> RegistryAuth {
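Review bot: The new guest-pull condition in `Container::new` (the `v1_policy` line and the `if` after it) decides whether the pause image's passwd/group files are parsed by comparing `pause_container_id_policy` against the literal "v1"; any other value, including a typo or an empty string, silently takes the "parse the pause container" path, and the same literal comparison is duplicated in `new_containerd_pull` in the next file section. Unless that field is validated where the settings are loaded (not visible here), consider a single accessor on the cluster config such as `fn uses_v1_pause_policy(&self) -> bool { self.pause_container_id_policy == "v1" }` so both call sites share one definition and an unexpected value can be rejected in one place. The two-line comment above the check still only explains the Nydus/guest-pull limitation; it should also state the new exception, e.g. `// Exception: under pause_container_id_policy "v2" the pause container image is still parsed even with guest pull enabled.` The enclosing `new` function starts in the previous hunk and its body continues past the end of this one.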


@@ -32,6 +32,7 @@ impl Container {
config: &Config,
image: &str,
containerd_socket_path: &str,
is_pause_container: bool,
) -> Result<Self> {
info!("============================================");
info!("Using containerd socket: {:?}", containerd_socket_path);
@@ -70,34 +71,29 @@ impl Container {
// Nydus/guest_pull doesn't make available passwd/group files from layers properly.
// See issue https://github.com/kata-containers/kata-containers/issues/11162
if config.settings.cluster_config.guest_pull {
let v1_policy = config.settings.cluster_config.pause_container_id_policy == "v1";
if config.settings.cluster_config.guest_pull && (v1_policy || !is_pause_container) {
info!("Guest pull is enabled, skipping passwd/group file parsing");
return Ok(Container {
image: image_str,
config_layer,
passwd,
group,
});
}
} else {
let image_layers =
get_image_layers(&config.layers_cache, &manifest, &config_layer, &ctrd_client)
.await
.unwrap();
let image_layers =
get_image_layers(&config.layers_cache, &manifest, &config_layer, &ctrd_client)
.await
.unwrap();
// Find the last layer with an /etc/* file, respecting whiteouts.
info!("Parsing users and groups in image layers");
for layer in &image_layers {
if layer.passwd == WHITEOUT_MARKER {
passwd = String::new();
} else if !layer.passwd.is_empty() {
passwd = layer.passwd.clone();
}
// Find the last layer with an /etc/* file, respecting whiteouts.
info!("Parsing users and groups in image layers");
for layer in &image_layers {
if layer.passwd == WHITEOUT_MARKER {
passwd = String::new();
} else if !layer.passwd.is_empty() {
passwd = layer.passwd.clone();
}
if layer.group == WHITEOUT_MARKER {
group = String::new();
} else if !layer.group.is_empty() {
group = layer.group.clone();
if layer.group == WHITEOUT_MARKER {
group = String::new();
} else if !layer.group.is_empty() {
group = layer.group.clone();
}
}
}


@@ -271,7 +271,8 @@ pub fn get_yaml_header(yaml: &str) -> anyhow::Result<YamlHeader> {
pub async fn k8s_resource_init(spec: &mut pod::PodSpec, config: &Config) {
for container in &mut spec.containers {
container.init(config).await;
let is_pause_container = false;
container.init(config, is_pause_container).await;
}
pod::add_pause_container(&mut spec.containers, config).await;
@@ -279,7 +280,8 @@ pub async fn k8s_resource_init(spec: &mut pod::PodSpec, config: &Config) {
if let Some(init_containers) = &spec.initContainers {
for container in init_containers {
let mut new_container = container.clone();
new_container.init(config).await;
let is_pause_container = false;
new_container.init(config, is_pause_container).await;
spec.containers.insert(1, new_container);
}
}