github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-17 14:58:16 +00:00
Code Issues Projects Releases Wiki Activity

agent: Enable security_validate if required

Browse Source 
If we are using the offline_fs_kbc and have created a resource json
then switch security_validate on the image_client to enable
the signature verification feature for image-rs

Fixes: #4581
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman
2022-09-12 17:01:49 +01:00
committed by Samuel Ortiz
parent 216c066795
commit 812818d381
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/agent/src/image_rpc.rs
View File

@@ -35,6 +35,7 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/"; const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle"; const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
const CONFIG_JSON: &str = "config.json"; const CONFIG_JSON: &str = "config.json";
const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
// Convenience macro to obtain the scope logger // Convenience macro to obtain the scope logger
macro_rules! sl { macro_rules! sl {
@@ -273,6 +274,14 @@ impl ImageService {
Self::unpack_image(&cid)?; Self::unpack_image(&cid)?;
} else { } else {
// TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
if aa_kbc_params.eq("offline_fs_kbc::null")
&& Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
{
info!(sl!(), "Enabling security_validate on image_client");
self.image_client.lock().await.config.security_validate = true;
}
let bundle_path = Path::new(CONTAINER_BASE).join(&cid); let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
fs::create_dir_all(&bundle_path)?; fs::create_dir_all(&bundle_path)?;