From f94d80783dfc41f83673d1959558410a0bd4d1e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 11 Sep 2024 13:31:57 +0200
Subject: [PATCH 1/4] agent: image-rs: Update to a version that supports ITA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ITA stands for Intel Trust Authority, which is in the process to being renamed to ITTS (Intel Tiber Trust Services). As we've bumped guest-components on trustee, let's make sure we also bump image-rs to the commit that brings ITA support in: * https://github.com/confidential-containers/guest-components/commit/1db6c3a87665dde58d0efa56f4e4af5fcd19620e The reason we need to bump the dependency here is to avoid kbs_protocol mismatch between the version used by the agent and the trustee one.
Signed-off-by: Fabiano Fidêncio
---
 src/agent/Cargo.lock | 65 ++++++++++++++++++++++++--------------------
 src/agent/Cargo.toml | 2 +-
 2 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
index abe2e13d91..f685655145 100644
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -380,9 +380,9 @@ checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de"

 [[package]]
 name = "async-trait"
-version = "0.1.81"
+version = "0.1.82"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e0c28dcc82d7c8ead5cb13beb15405b57b8546e93215673ff8ca0349a028107"
+checksum = "a27b8a3a6e1a44fa4c8baf1f653e4172e81486d4941f2237e20dc2d0cf4ddff1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -398,7 +398,7 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 [[package]]
 name = "attester"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -1157,7 +1157,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
 [[package]]
 name = "crypto"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "aes-gcm",
 "anyhow",
@@ -2463,7 +2463,7 @@ dependencies = [
 [[package]]
 name = "image-rs"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "anyhow",
 "async-compression",
@@ -2484,7 +2484,7 @@ dependencies = [
 "oci-client",
 "oci-spec",
 "ocicrypt-rs",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "reqwest",
 "sequoia-openpgp",
 "serde",
@@ -2800,7 +2800,7 @@ dependencies = [
 "opentelemetry",
 "procfs 0.12.0",
 "prometheus",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "protocols",
 "regex",
 "regorus",
@@ -2890,7 +2890,7 @@ dependencies = [
 [[package]]
 name = "kbc"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -2919,7 +2919,7 @@ dependencies = [
 [[package]]
 name = "kbs_protocol"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -2942,13 +2942,14 @@ dependencies = [

 [[package]]
 name = "krata-tokio-tar"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba844968838c1c5892da2116e5f744bceab2b43af34539abdd6cd3975eaca973"
+checksum = "e8bd5fee9b96acb5fc36b401896d601e6fdcce52b0e651ce24a3b21fb524e79f"
 dependencies = [
 "filetime",
 "futures-core",
 "libc",
+ "portable-atomic",
 "redox_syscall 0.3.5",
 "tokio",
 "tokio-stream",
@@ -3699,7 +3700,7 @@ dependencies = [
 [[package]]
 name = "ocicrypt-rs"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "aes",
 "anyhow",
@@ -3712,7 +3713,7 @@ dependencies = [
 "kbc",
 "lazy_static",
 "pin-project-lite",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "ring",
 "serde",
 "serde_json",
@@ -4119,6 +4120,12 @@ dependencies = [
 "universal-hash",
 ]

+[[package]]
+name = "portable-atomic"
+version = "1.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265"
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -4312,9 +4319,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"

 [[package]]
 name = "protobuf"
-version = "3.5.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df67496db1a89596beaced1579212e9b7c53c22dca1d9745de00ead76573d514"
+checksum = "0bcc343da15609eaecd65f8aa76df8dc4209d325131d8219358c0aaaebab0bf6"
 dependencies = [
 "once_cell",
 "protobuf-support",
@@ -4332,13 +4339,13 @@ dependencies = [

 [[package]]
 name = "protobuf-codegen"
-version = "3.5.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eab09155fad2d39333d3796f67845d43e29b266eea74f7bc93f153f707f126dc"
+checksum = "c4d0cde5642ea4df842b13eb9f59ea6fafa26dcb43e3e1ee49120e9757556189"
 dependencies = [
 "anyhow",
 "once_cell",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "protobuf-parse",
 "regex",
 "tempfile",
@@ -4347,14 +4354,14 @@ dependencies = [

 [[package]]
 name = "protobuf-parse"
-version = "3.5.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a16027030d4ec33e423385f73bb559821827e9ec18c50e7874e4d6de5a4e96f"
+checksum = "1b0e9b447d099ae2c4993c0cbb03c7a9d6c937b17f2d56cfc0b1550e6fcfdb76"
 dependencies = [
 "anyhow",
 "indexmap 2.2.6",
 "log",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "protobuf-support",
 "tempfile",
 "thiserror",
@@ -4363,9 +4370,9 @@ dependencies = [

 [[package]]
 name = "protobuf-support"
-version = "3.5.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e2d30ab1878b2e72d1e2fc23ff5517799c9929e2cf81a8516f9f4dcf2b9cf3"
+checksum = "f0766e3675a627c327e4b3964582594b0e8741305d628a98a5de75a1d15f99b9"
 dependencies = [
 "thiserror",
 ]
@@ -4377,7 +4384,7 @@ dependencies = [
 "async-trait",
 "kata-sys-util",
 "oci-spec",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "serde",
 "serde_json",
 "ttrpc",
@@ -4704,7 +4711,7 @@ dependencies = [
 [[package]]
 name = "resource_uri"
 version = "0.1.0"
-source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334"
+source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 dependencies = [
 "anyhow",
 "serde",
@@ -4944,7 +4951,7 @@ dependencies = [
 "nix 0.24.3",
 "oci-spec",
 "path-absolutize",
- "protobuf 3.5.0",
+ "protobuf 3.5.1",
 "protocols",
 "regex",
 "rlimit",
@@ -6185,8 +6192,8 @@ dependencies = [
 "libc",
 "log",
 "nix 0.26.4",
- "protobuf 3.5.0",
- "protobuf-codegen 3.5.0",
+ "protobuf 3.5.1",
+ "protobuf-codegen 3.5.1",
 "thiserror",
 "tokio",
 "tokio-vsock 0.4.0",
@@ -6200,7 +6207,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2"
 dependencies = [
 "protobuf 2.28.0",
- "protobuf-codegen 3.5.0",
+ "protobuf-codegen 3.5.1",
 "protobuf-support",
 "ttrpc-compiler",
 ]
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
index 01ea570ca8..91c40b35e1 100644
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -77,7 +77,7 @@ strum = "0.26.2"
 strum_macros = "0.26.2"

 # Image pull/decrypt
-image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "02af65abc984f91eb97ac7a6b7ff3acce9746334", default-features = false, optional = true }
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false, optional = true }

 # Agent Policy
 regorus = { version = "0.1.4", default-features = false, features = [
From d3e3ee7755ac32e76d69dfb555c3b55fefcac92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 11 Sep 2024 13:35:27 +0200
Subject: [PATCH 2/4] versions: guest-components: Update to a version that supports ITA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ITA stands for Intel Trust Authority, which is in the process to being renamed to ITTS (Intel Tiber Trust Services). As we've bumped guest-components on trustee, let's make sure we also bump image-rs to the commit that brings ITA support in: * https://github.com/confidential-containers/guest-components/commit/1db6c3a87665dde58d0efa56f4e4af5fc
Signed-off-by: Fabiano Fidêncio
---
 versions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/versions.yaml b/versions.yaml
index 7f8563f3c2..8f54e7cc9f 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -231,7 +231,7 @@ externals:
 coco-guest-components:
 description: "Provides attested key unwrapping for image decryption"
 url: "https://github.com/confidential-containers/guest-components/"
- version: "d996c692207a983426ae0043952d15ed18e84f66"
+ version: "1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
 toolchain: "1.76.0"

 coco-trustee:
From e2200f0690a5a81eaa820c4bf63679ce83a99900 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 11 Sep 2024 13:39:35 +0200
Subject: [PATCH 3/4] versions: trustee: Update to a version that supports ITA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ITA stands for Intel Trust Authority, which is in the process to being renamed to ITTS (Intel Tiber Trust Services). Proper ITA / ITTS support on Trustee was finished as part of: * https://github.com/confidential-containers/trustee/commit/6f767fa15fb0119dcae5ff77cad9987741e4e788
Signed-off-by: Fabiano Fidêncio
---
 versions.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/versions.yaml b/versions.yaml
index 8f54e7cc9f..cb1a1870dd 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -237,9 +237,9 @@ externals:
 coco-trustee:
 description: "Provides attestation and secret delivery components"
 url: "https://github.com/confidential-containers/trustee"
- version: "e890fc90c384207668fa3a4d6a2f2a2d652797ee"
+ version: "6f767fa15fb0119dcae5ff77cad9987741e4e788"
 image: "ghcr.io/confidential-containers/staged-images/kbs"
- image_tag: "e890fc90c384207668fa3a4d6a2f2a2d652797ee"
+ image_tag: "6f767fa15fb0119dcae5ff77cad9987741e4e788"
 toolchain: "1.74.0"

 crio:
From 1178fe20e9ce20e8e98992b75764584b2ac73fb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 11 Sep 2024 17:07:56 +0200
Subject: [PATCH 4/4] tests: Adapt error parser for failed image decryption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With an older version of image-rs, we were getting the following error: ``` Message: failed to create containerd task: failed to create shim task: failed to handle layer: failed to get decrypt key no suitable key found for decrypting layer key: ``` However, with the version of image-rs we are bumping to, the error comes as: ``` Message: failed to create containerd task: failed to create shim task: failed to handle layer: failed to get decrypt key Caused by: no suitable key found for decrypting layer key: keyprovider: failed to unwrap key by ttrpc ``` Due to this change, I'm splitting the check in two different ones.
Signed-off-by: Fabiano Fidêncio
---
 .../kubernetes/k8s-guest-pull-image-encrypted.bats | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
index 2e7788705e..1a87198245 100644
--- a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
@@ -79,7 +79,8 @@ function create_pod_yaml_with_encrypted_image() {
 echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})"
 assert_pod_fail "${kata_pod_with_encrypted_image}"
-assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key no suitable key found for decrypting layer key'
+assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
+assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
 }
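Review bot: The two `+assert_logs_contain` lines are evaluated independently, so the test now also passes when `failed to get decrypt key` and `no suitable key found for decrypting layer key` come from unrelated log entries after `${node_start_time}`, which is weaker than the single-string match it replaces for a negative test whose purpose is to prove that decryption was refused without the key. The commit message shows the new image-rs error ends with `keyprovider: failed to unwrap key by ttrpc`, so one assertion on that more specific tail, e.g. `assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key: keyprovider: failed to unwrap key by ttrpc'`, would keep the check tied to the key-unwrap path, assuming `assert_logs_contain` does a plain substring match on a single log line, which is not visible here. The identical replacement is made again in the hunk at `@@ -106,7 +107,8 @@`; a small helper such as `assert_decrypt_key_failure "${node}" "${node_start_time}"` would avoid keeping the two copies in sync by hand when the message changes next time. The enclosing test block (presumably a `@test` case) begins before the hunk.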
@@ -106,7 +107,8 @@ function create_pod_yaml_with_encrypted_image() {
 echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})"
 assert_pod_fail "${kata_pod_with_encrypted_image}"
-assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key no suitable key found for decrypting layer key'
+assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
+assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
 }

 teardown() {