From 74a748f36ea4f6a1f2b9d409fdab6540904e43d2 Mon Sep 17 00:00:00 2001
From: Georgina Kinge
Date: Mon, 27 Jun 2022 10:21:24 +0100
Subject: [PATCH] CCv0: Refactor ccv0.sh to remove duplicate code
Refactored ccv0.sh to remove rootfs code now in lib.sh
Fixes: #4512
Co-authored-by: Megan Wright Megan.Wright@ibm.com
Signed-off-by: Georgina Kinge
---
 docs/how-to/ccv0.sh | 24 +++++------------------
 docs/how-to/how-to-build-and-test-ccv0.md | 2 +-
 2 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh
index 39f76cfdb2..c59122cb88 100755
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@@ -88,7 +88,7 @@ Commands:
 - build_qemu: Checkout, patch, build and install QEMU
 - configure: Configure Kata to use rootfs and enable debug
 - connect_to_ssh_demo_pod: Ssh into the ssh demo pod, showing that the decryption succeeded
-- copy_files_to_guest Copies signature verification files to guest
+- copy_signature_files_to_guest Copies signature verification files to guest
 - create_rootfs: Create a local rootfs
 - crictl_create_cc_container Use crictl to create a new busybox container in the kata cc pod
 - crictl_create_cc_pod Use crictl to create a new kata cc pod
@@ -222,14 +222,6 @@ configure() {
 # Switch image offload to true in kata config
 switch_image_service_offload "on"
- # Temp PoC verify code: Inject policy path config parameter
- add_kernel_params "agent.container_policy_file=/etc/containers/quay_verification/quay_policy.json"
- # If using AA then need to add the agent_config
- if [ "${AA_KBC:-}" == "offline_fs_kbc" ]; then
- add_kernel_params "agent.config_file=/etc/agent-config.toml"
- fi
-
 configure_cc_containerd
 # From crictl v1.24.1 the default timoout leads to the pod creation failing, so update it
 sudo crictl config --set timeout=10
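Review bot: The `offline_fs_kbc` branch that passed `agent.config_file=/etc/agent-config.toml` to the guest is removed from configure() with no replacement visible in this diff, and the create_a_local_rootfs hunk drops the generation of that same file; the commit message only says the rootfs code moved to lib.sh, so nothing here shows the kernel parameter being re-added. If the agent boots without `agent.config_file` it presumably will not pick up the offline key-broker configuration the ssh-demo relies on, and that would surface later as a failed decryption rather than as a configuration error at this step. A one-line comment at the point of removal, e.g. `# AA_KBC agent config and kernel params are now handled by lib.sh`, would tell the next reader where to look, assuming that is in fact where they now live. configure() starts before this hunk.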
@@ -274,13 +266,6 @@ create_a_local_rootfs() {
 # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
 sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"
- # If offline key broker set then include ssh-demo keys and config from
- # https://github.com/confidential-containers/documentation/tree/main/demos/ssh-demo
- if [ "${AA_KBC:-}" == "offline_fs_kbc" ]; then
- local rootfs_agent_config="${ROOTFS_DIR}/etc/agent-config.toml"
- sudo -E AA_KBC_PARAMS="offline_fs_kbc::null" envsubst < ${katacontainers_repo_dir}/docs/how-to/data/confidential-agent-config.toml.in | sudo tee ${rootfs_agent_config}
- fi
-
 popd
 }
@@ -515,7 +500,8 @@ shim_pull_image() {
 ${ctr_shim_command}
 }
-call_copy_files_to_guest() {
+call_copy_signature_files_to_guest() {
+ add_kernel_params "agent.container_policy_file=/etc/containers/quay_verification/quay_policy.json"
 copy_files_to_guest
 }
@@ -628,8 +614,8 @@ main() {
 agent_create_container)
 agent_create_container
 ;;
- copy_files_to_guest)
- call_copy_files_to_guest
+ copy_signature_files_to_guest)
+ call_copy_signature_files_to_guest
 ;;
 *)
 usage 1
diff --git a/docs/how-to/how-to-build-and-test-ccv0.md b/docs/how-to/how-to-build-and-test-ccv0.md
index fe150cda3b..eeb5a5b246 100644
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
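Review bot: `call_copy_signature_files_to_guest` adds `agent.container_policy_file=...` to the kernel parameters before `copy_files_to_guest` runs, so if the copy fails the guest is left configured to look for a policy file that was never installed; putting the `add_kernel_params` line after `copy_files_to_guest` keeps the kernel parameters consistent with what is actually in the rootfs. The helper also carries no comment, whereas the call it replaces in configure() was at least labelled `Temp PoC verify code`; suggest `# Point the agent at the signature policy installed by copy_files_to_guest; confirm whether the agent treats a missing policy file as a hard error`. Whether `add_kernel_params` deduplicates is not visible here; if it appends, running this command twice will leave duplicate entries in the kernel command line. The main() hunk below only renames the dispatch case to match and needs no change.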
@@ -339,7 +339,7 @@ image signature verification function.
 up to, and including, the `~/ccv0.sh crictl_create_cc_pod` command.
 - In order to enable the guest image, you will need to copy over the policy and signature files needed by running
-`~/ccv0.sh copy_files_to_guest`and then re-running `~/ccv0.sh crictl_create_cc_pod` which will delete and recreate
+`~/ccv0.sh copy_signature_files_to_guest`and then re-running `~/ccv0.sh crictl_create_cc_pod` which will delete and recreate
 your pod - adding in the new files.
 - To test the fallback behaviour works using an unsigned image from an *unprotected* registry we can pull the `busybox`