config: Whitelist hypervisor annotations by name
Add a field "enable_annotations" to the runtime configuration that can be used to whitelist annotations using a list of regular expressions, which are used to match any part of the base annotation name, i.e. the part after "io.katacontainers.config.hypervisor." For example, the following configuration will match "virtio_fs_daemon", "initrd" and "jailer_path", but not "path" nor "firmware": enable_annotations = [ "virtio.*", "initrd", "_path" ] The default is an empty list of enabled annotations, which disables annotations entirely. If an annotation is rejected, the message is something like: annotation io.katacontainers.config.hypervisor.virtio_fs_daemon is not enabled Fixes: #901 Suggested-by: Peng Tao <tao.peng@linux.alibaba.com> Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
@@ -167,6 +167,7 @@ DEFMEMSZ := 2048
|
|||||||
DEFMEMSLOTS := 10
|
DEFMEMSLOTS := 10
|
||||||
#Default number of bridges
|
#Default number of bridges
|
||||||
DEFBRIDGES := 1
|
DEFBRIDGES := 1
|
||||||
|
DEFENABLEANNOTATIONS := []
|
||||||
DEFDISABLEGUESTSECCOMP := true
|
DEFDISABLEGUESTSECCOMP := true
|
||||||
#Default experimental features enabled
|
#Default experimental features enabled
|
||||||
DEFAULTEXPFEATURES := []
|
DEFAULTEXPFEATURES := []
|
||||||
@@ -678,6 +679,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
|
|||||||
-e "s|@DEFNETWORKMODEL_CLH@|$(DEFNETWORKMODEL_CLH)|g" \
|
-e "s|@DEFNETWORKMODEL_CLH@|$(DEFNETWORKMODEL_CLH)|g" \
|
||||||
-e "s|@DEFNETWORKMODEL_FC@|$(DEFNETWORKMODEL_FC)|g" \
|
-e "s|@DEFNETWORKMODEL_FC@|$(DEFNETWORKMODEL_FC)|g" \
|
||||||
-e "s|@DEFNETWORKMODEL_QEMU@|$(DEFNETWORKMODEL_QEMU)|g" \
|
-e "s|@DEFNETWORKMODEL_QEMU@|$(DEFNETWORKMODEL_QEMU)|g" \
|
||||||
|
-e "s|@DEFENABLEANNOTATIONS@|$(DEFENABLEANNOTATIONS)|g" \
|
||||||
-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
|
-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
|
||||||
-e "s|@DEFAULTEXPFEATURES@|$(DEFAULTEXPFEATURES)|g" \
|
-e "s|@DEFAULTEXPFEATURES@|$(DEFAULTEXPFEATURES)|g" \
|
||||||
-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
|
-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
|
||||||
|
@@ -16,6 +16,11 @@ ctlpath = "@ACRNCTLPATH@"
|
|||||||
kernel = "@KERNELPATH_ACRN@"
|
kernel = "@KERNELPATH_ACRN@"
|
||||||
image = "@IMAGEPATH@"
|
image = "@IMAGEPATH@"
|
||||||
|
|
||||||
|
# List of valid annotation names for the hypervisor
|
||||||
|
# Each member of the list is a regular expression, which is the base name
|
||||||
|
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
|
||||||
|
enable_annotations = @DEFENABLEANNOTATIONS@
|
||||||
|
|
||||||
# List of valid annotations values for the hypervisor (default: empty)
|
# List of valid annotations values for the hypervisor (default: empty)
|
||||||
# Each member of the list is a path pattern as described by glob(3).
|
# Each member of the list is a path pattern as described by glob(3).
|
||||||
path_list = @ACRNPATHLIST@
|
path_list = @ACRNPATHLIST@
|
||||||
|
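Review bot: The comment added above `enable_annotations` gives `"path"` as the example pattern, but according to the commit description each entry is matched against any part of the base name, so `"path"` would also enable `jailer_path` (which the description itself lists as matched by `"_path"`) and any other name containing that substring; an operator copying the example gets a wider whitelist of host-executable paths than the comment suggests. The security-relevant point is that this is an allow-list, so the template should say the patterns are unanchored and show an exact-match example, e.g. `# Each member is a regular expression matched against any part of the annotation's base name (the part after "io.katacontainers.config.hypervisor."); anchor it to accept exactly one name, e.g. "^path$".` The example also has an unbalanced quote (`hypervisor.path"`). The same three comment lines are added to the other hypervisor templates in this commit and need the same correction.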
@@ -15,6 +15,11 @@ path = "@CLHPATH@"
|
|||||||
kernel = "@KERNELPATH_CLH@"
|
kernel = "@KERNELPATH_CLH@"
|
||||||
image = "@IMAGEPATH@"
|
image = "@IMAGEPATH@"
|
||||||
|
|
||||||
|
# List of valid annotation names for the hypervisor
|
||||||
|
# Each member of the list is a regular expression, which is the base name
|
||||||
|
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
|
||||||
|
enable_annotations = @DEFENABLEANNOTATIONS@
|
||||||
|
|
||||||
# List of valid annotations values for the hypervisor (default: empty)
|
# List of valid annotations values for the hypervisor (default: empty)
|
||||||
# Each member of the list is a path pattern as described by glob(3).
|
# Each member of the list is a path pattern as described by glob(3).
|
||||||
path_list = @CLHPATHLIST@
|
path_list = @CLHPATHLIST@
|
||||||
|
@@ -15,6 +15,11 @@ path = "@FCPATH@"
|
|||||||
kernel = "@KERNELPATH_FC@"
|
kernel = "@KERNELPATH_FC@"
|
||||||
image = "@IMAGEPATH@"
|
image = "@IMAGEPATH@"
|
||||||
|
|
||||||
|
# List of valid annotation names for the hypervisor
|
||||||
|
# Each member of the list is a regular expression, which is the base name
|
||||||
|
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
|
||||||
|
enable_annotations = @DEFENABLEANNOTATIONS@
|
||||||
|
|
||||||
# List of valid annotations values for the hypervisor (default: empty)
|
# List of valid annotations values for the hypervisor (default: empty)
|
||||||
# Each member of the list is a path pattern as described by glob(3).
|
# Each member of the list is a path pattern as described by glob(3).
|
||||||
path_list = @FCPATHLIST@
|
path_list = @FCPATHLIST@
|
||||||
|
@@ -16,6 +16,11 @@ kernel = "@KERNELVIRTIOFSPATH@"
|
|||||||
image = "@IMAGEPATH@"
|
image = "@IMAGEPATH@"
|
||||||
machine_type = "@MACHINETYPE@"
|
machine_type = "@MACHINETYPE@"
|
||||||
|
|
||||||
|
# List of valid annotation names for the hypervisor
|
||||||
|
# Each member of the list is a regular expression, which is the base name
|
||||||
|
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
|
||||||
|
enable_annotations = @DEFENABLEANNOTATIONS@
|
||||||
|
|
||||||
# List of valid annotations values for the hypervisor (default: empty)
|
# List of valid annotations values for the hypervisor (default: empty)
|
||||||
# Each member of the list is a path pattern as described by glob(3).
|
# Each member of the list is a path pattern as described by glob(3).
|
||||||
path_list = @QEMUVIRTIOFSPATHLIST@
|
path_list = @QEMUVIRTIOFSPATHLIST@
|
||||||
|
@@ -16,6 +16,11 @@ kernel = "@KERNELPATH@"
|
|||||||
image = "@IMAGEPATH@"
|
image = "@IMAGEPATH@"
|
||||||
machine_type = "@MACHINETYPE@"
|
machine_type = "@MACHINETYPE@"
|
||||||
|
|
||||||
|
# List of valid annotation names for the hypervisor
|
||||||
|
# Each member of the list is a regular expression, which is the base name
|
||||||
|
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
|
||||||
|
enable_annotations = @DEFENABLEANNOTATIONS@
|
||||||
|
|
||||||
# List of valid annotations values for the hypervisor (default: empty)
|
# List of valid annotations values for the hypervisor (default: empty)
|
||||||
# Each member of the list is a path pattern as described by glob(3).
|
# Each member of the list is a path pattern as described by glob(3).
|
||||||
path_list = @QEMUPATHLIST@
|
path_list = @QEMUPATHLIST@
|
||||||
|
@@ -124,6 +124,7 @@ type hypervisor struct {
|
|||||||
GuestHookPath string `toml:"guest_hook_path"`
|
GuestHookPath string `toml:"guest_hook_path"`
|
||||||
RxRateLimiterMaxRate uint64 `toml:"rx_rate_limiter_max_rate"`
|
RxRateLimiterMaxRate uint64 `toml:"rx_rate_limiter_max_rate"`
|
||||||
TxRateLimiterMaxRate uint64 `toml:"tx_rate_limiter_max_rate"`
|
TxRateLimiterMaxRate uint64 `toml:"tx_rate_limiter_max_rate"`
|
||||||
|
EnableAnnotations []string `toml:"enable_annotations"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type runtime struct {
|
type runtime struct {
|
||||||
@@ -558,6 +559,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
GuestHookPath: h.guestHookPath(),
|
GuestHookPath: h.guestHookPath(),
|
||||||
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
||||||
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
||||||
|
EnableAnnotations: h.EnableAnnotations,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -685,6 +687,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
GuestHookPath: h.guestHookPath(),
|
GuestHookPath: h.guestHookPath(),
|
||||||
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
||||||
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
||||||
|
EnableAnnotations: h.EnableAnnotations,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -748,6 +751,7 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
BlockDeviceDriver: blockDriver,
|
BlockDeviceDriver: blockDriver,
|
||||||
DisableVhostNet: h.DisableVhostNet,
|
DisableVhostNet: h.DisableVhostNet,
|
||||||
GuestHookPath: h.guestHookPath(),
|
GuestHookPath: h.guestHookPath(),
|
||||||
|
EnableAnnotations: h.EnableAnnotations,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -840,6 +844,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
DisableVhostNet: true,
|
DisableVhostNet: true,
|
||||||
VirtioFSExtraArgs: h.VirtioFSExtraArgs,
|
VirtioFSExtraArgs: h.VirtioFSExtraArgs,
|
||||||
SGXEPCSize: defaultSGXEPCSize,
|
SGXEPCSize: defaultSGXEPCSize,
|
||||||
|
EnableAnnotations: h.EnableAnnotations,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -437,6 +437,9 @@ type HypervisorConfig struct {
|
|||||||
// SGXEPCSize specifies the size in bytes for the EPC Section.
|
// SGXEPCSize specifies the size in bytes for the EPC Section.
|
||||||
// Enable SGX. Hardware-based isolation and memory encryption.
|
// Enable SGX. Hardware-based isolation and memory encryption.
|
||||||
SGXEPCSize int64
|
SGXEPCSize int64
|
||||||
|
|
||||||
|
// Enable annotations by name
|
||||||
|
EnableAnnotations []string
|
||||||
}
|
}
|
||||||
|
|
||||||
// vcpu mapping from vcpu number to thread number
|
// vcpu mapping from vcpu number to thread number
|
||||||
|
@@ -254,6 +254,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
|
|||||||
RxRateLimiterMaxRate: sconfig.HypervisorConfig.RxRateLimiterMaxRate,
|
RxRateLimiterMaxRate: sconfig.HypervisorConfig.RxRateLimiterMaxRate,
|
||||||
TxRateLimiterMaxRate: sconfig.HypervisorConfig.TxRateLimiterMaxRate,
|
TxRateLimiterMaxRate: sconfig.HypervisorConfig.TxRateLimiterMaxRate,
|
||||||
SGXEPCSize: sconfig.HypervisorConfig.SGXEPCSize,
|
SGXEPCSize: sconfig.HypervisorConfig.SGXEPCSize,
|
||||||
|
EnableAnnotations: sconfig.HypervisorConfig.EnableAnnotations,
|
||||||
}
|
}
|
||||||
|
|
||||||
ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
|
ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
|
||||||
@@ -522,6 +523,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
|
|||||||
RxRateLimiterMaxRate: hconf.RxRateLimiterMaxRate,
|
RxRateLimiterMaxRate: hconf.RxRateLimiterMaxRate,
|
||||||
TxRateLimiterMaxRate: hconf.TxRateLimiterMaxRate,
|
TxRateLimiterMaxRate: hconf.TxRateLimiterMaxRate,
|
||||||
SGXEPCSize: hconf.SGXEPCSize,
|
SGXEPCSize: hconf.SGXEPCSize,
|
||||||
|
EnableAnnotations: hconf.EnableAnnotations,
|
||||||
}
|
}
|
||||||
|
|
||||||
sconfig.AgentConfig = KataAgentConfig{
|
sconfig.AgentConfig = KataAgentConfig{
|
||||||
|
@@ -208,6 +208,9 @@ type HypervisorConfig struct {
|
|||||||
// SGXEPCSize specifies the size in bytes for the EPC Section.
|
// SGXEPCSize specifies the size in bytes for the EPC Section.
|
||||||
// Enable SGX. Hardware-based isolation and memory encryption.
|
// Enable SGX. Hardware-based isolation and memory encryption.
|
||||||
SGXEPCSize int64
|
SGXEPCSize int64
|
||||||
|
|
||||||
|
// Enable annotations by name
|
||||||
|
EnableAnnotations []string
|
||||||
}
|
}
|
||||||
|
|
||||||
// KataAgentConfig is a structure storing information needed
|
// KataAgentConfig is a structure storing information needed
|
||||||
|
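Review bot: The doc comment `// Enable annotations by name` on the new `EnableAnnotations` field does not say what the strings are or what an empty list means, which matters because this field is the only gate on hypervisor annotations. Suggest `// EnableAnnotations is a list of regular expressions; an io.katacontainers.config.hypervisor.* annotation is accepted only if the part after the prefix matches one of them (the match is not anchored). An empty list rejects every hypervisor annotation.` The anchoring and empty-list behaviour are taken from the commit description, so confirm against regexpContains, which is outside this hunk. The struct definition continues outside the hunk.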
@@ -28,6 +28,7 @@ const (
|
|||||||
//
|
//
|
||||||
// Assets
|
// Assets
|
||||||
//
|
//
|
||||||
|
KataAnnotationHypervisorPrefix = kataAnnotHypervisorPrefix
|
||||||
|
|
||||||
// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
|
// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
|
||||||
KernelPath = kataAnnotHypervisorPrefix + "kernel"
|
KernelPath = kataAnnotHypervisorPrefix + "kernel"
|
||||||
|
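Review bot: The newly exported constant `KataAnnotationHypervisorPrefix` has no doc comment, and it sits under the `// Assets` banner although it is not an asset annotation, so it reads as part of that group. Suggest giving it its own comment, e.g. `// KataAnnotationHypervisorPrefix is the prefix shared by all hypervisor configuration annotations; the oci package uses it to decide which annotation names are subject to the enable_annotations filter.`, and placing it above the banner or in its own `const` group. The `const` block continues outside the hunk.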
@@ -213,6 +213,14 @@ func checkPathIsInGlobList(list []string, path string) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if an annotation name either belongs to another prefix, matches regexp list
|
||||||
|
func checkAnnotationNameIsValid(list []string, name string, prefix string) bool {
|
||||||
|
if strings.HasPrefix(name, prefix) {
|
||||||
|
return regexpContains(list, strings.TrimPrefix(name, prefix))
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
|
func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
|
||||||
allowedDeviceTypes := []string{"c", "b", "u", "p"}
|
allowedDeviceTypes := []string{"c", "b", "u", "p"}
|
||||||
|
|
||||||
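Review bot: `checkAnnotationNameIsValid` accepts any name under the prefix when `regexpContains` matches the trimmed suffix, and per the commit description that match is a substring match, so a pattern like `path` also admits `jailer_path`; for an allow-list guarding host executable paths this is broader than the configuration reads, and anchoring the patterns (`"^(?:" + p + ")$"`) inside regexpContains, or documenting the unanchored behaviour prominently, would remove the surprise. regexpContains is outside this hunk, so how it treats a pattern that fails to compile is not visible; it should treat that as no match (fail closed) rather than as a match. The comment above the function is also ungrammatical; suggest `// checkAnnotationNameIsValid reports whether an annotation name is accepted: names outside prefix are always accepted, while names under prefix are accepted only if the part after the prefix matches one of the regular expressions in list (an empty list rejects them all).`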
@@ -346,6 +354,11 @@ func SandboxID(spec specs.Spec) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
|
func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
|
||||||
|
for key := range ocispec.Annotations {
|
||||||
|
if !checkAnnotationNameIsValid(runtime.HypervisorConfig.EnableAnnotations, key, vcAnnotations.KataAnnotationHypervisorPrefix) {
|
||||||
|
return fmt.Errorf("annotation %v is not enabled", key)
|
||||||
|
}
|
||||||
|
}
|
||||||
addAssetAnnotations(ocispec, config)
|
addAssetAnnotations(ocispec, config)
|
||||||
if err := addHypervisorConfigOverrides(ocispec, config, runtime); err != nil {
|
if err := addHypervisorConfigOverrides(ocispec, config, runtime); err != nil {
|
||||||
return err
|
return err
|
||||||
|
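Review bot: The rejection error in the new loop in `addAnnotations` formats the annotation key with `%v`, but the key comes straight from the untrusted OCI spec and is printed raw into an error that typically ends up in logs; `%q` would quote it and escape control characters, `return fmt.Errorf("annotation %q is not enabled", key)`. The loop ranges over a map, so which offending key is reported first is nondeterministic when several are rejected, which is acceptable but worth a short comment. The body of `addAnnotations` continues past the end of the hunk.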