build: Ensure the default rootfs is built with AGENT_POLICY=yes

This is needed, as b1710ee2c0 made the
default agent shipped the one with policy support.  However, we simply
didn't update the rootfs to reflect that, causing then an issue to start
the agent as shown by the strace below:
```
open("/etc/kata-opa/default-policy.rego", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
futex(0x7f401eba0c28, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
tkill(553681, SIGABRT)                  = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=553681, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
```

This happens as the default policy **must** be set when the agent is
built with policy support, but the code path that copies that into the
rootfs is only triggered if the rootfs itself is built with
AGENT_POLICY=yes, which we're now doing for both confidential and
non-confidential cases.

Sadly this was not caught by CI until the cache was not used for
rootfs, which should be solved by the previous commit.

Fixes: #9630, #9631

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Fabiano Fidêncio
2024-05-14 19:48:23 +02:00
parent 37060a7d2e
commit 75bd97e8df


@@ -326,13 +326,13 @@ install_image() {
fi
export AGENT_TARBALL=$(get_agent_tarball_path)
export AGENT_POLICY=yes
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
}
#Install guest image for confidential guests
install_image_confidential() {
export AGENT_POLICY=yes
export MEASURED_ROOTFS=yes
export PULL_TYPE=default
install_image "confidential"
@@ -396,13 +396,13 @@ install_initrd() {
fi
export AGENT_TARBALL=$(get_agent_tarball_path)
export AGENT_POLICY=yes
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
}
#Install guest initrd for confidential guests
install_initrd_confidential() {
export AGENT_POLICY=yes
export MEASURED_ROOTFS=yes
export PULL_TYPE=default
install_initrd "confidential"
@@ -410,7 +410,6 @@ install_initrd_confidential() {
#Install Mariner guest initrd
install_initrd_mariner() {
export AGENT_POLICY=yes
install_initrd "mariner"
}
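Review bot: The `export AGENT_POLICY=yes` now placed inside install_image() and install_initrd() carries no comment tying it to the agent build, and that implicit coupling is what caused the failure described above: an agent built with policy support aborts at startup when /etc/kata-opa/default-policy.rego is missing from the rootfs. I would add above both exports a comment such as `# The default agent is built with policy support and aborts without /etc/kata-opa/default-policy.rego; keep this in sync with the agent build.` The export is unconditional, so a caller-supplied AGENT_POLICY value is overridden for every variant; that looks intended, but it should be stated in the function header. Which policy file ends up as the default is not visible in these hunks, so it is worth confirming that it is the intended baseline for non-confidential images as well. Both function bodies start outside the hunks shown.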