agent: Bump image-rs to 514c561d93

As this brings in the commit bumping ttrpc to 0.8.4, which fixes connection issues with kernel 6.12.9+. As image-rs has a new builder pattern and several of the values in the image client config have been renamed, let's change the agent to account for this. Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com> Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org> Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-27 19:35:32 +00:00 · 2025-01-27 21:22:38 +01:00 · 2025-01-27 21:22:38 +01:00 · a13d5a3f04
commit a13d5a3f04
parent 8614e5efc4
4 changed files with 205 additions and 156 deletions
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@ -78,7 +78,7 @@ strum = "0.26.2"
 strum_macros = "0.26.2"

 # Image pull/decrypt
-image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "v0.10.0", default-features = false, optional = true }
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "514c561d933cb11a0f1628621a0b930157af76cd", default-features = false, optional = true }

 # Agent Policy
 regorus = { version = "0.2.6", default-features = false, features = [
--- a/src/agent/src/image.rs
+++ b/src/agent/src/image.rs
@ -9,10 +9,11 @@ use safe_path::scoped_join;
 use std::collections::HashMap;
 use std::env;
 use std::fs;
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use std::sync::Arc;

 use anyhow::{anyhow, bail, Context, Result};
+use image_rs::builder::ClientBuilder;
 use image_rs::image::ImageClient;
 use kata_sys_util::validate::verify_id;
 use oci_spec::runtime as oci;
@ -57,15 +58,16 @@ pub struct ImageService {
 }

 impl ImageService {
-    pub fn new() -> Self {
-        let mut image_client = ImageClient::new(PathBuf::from(KATA_IMAGE_WORK_DIR));
+    pub async fn new() -> Result<Self> {
+        let mut image_client_builder =
+            ClientBuilder::default().work_dir(KATA_IMAGE_WORK_DIR.into());
        #[cfg(feature = "guest-pull")]
        {
            if !AGENT_CONFIG.image_registry_auth.is_empty() {
                let registry_auth = &AGENT_CONFIG.image_registry_auth;
                debug!(sl(), "Set registry auth file {:?}", registry_auth);
-                image_client.config.file_paths.auth_file = registry_auth.clone();
-                image_client.config.auth = true;
+                image_client_builder = image_client_builder
+                    .authenticated_registry_credentials_uri(registry_auth.into());
            }

            let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification;
@ -73,15 +75,15 @@ impl ImageService {
                sl(),
                "Enable image signature verification: {:?}", enable_signature_verification
            );
-            image_client.config.security_validate = *enable_signature_verification;
-
-            if !AGENT_CONFIG.image_policy_file.is_empty() {
+            if !AGENT_CONFIG.image_policy_file.is_empty() && *enable_signature_verification {
                let image_policy_file = &AGENT_CONFIG.image_policy_file;
-                debug!(sl(), "Use imagepolicy file {:?}", image_policy_file);
-                image_client.config.file_paths.policy_path = image_policy_file.clone();
+                debug!(sl(), "Use image policy file {:?}", image_policy_file);
+                image_client_builder =
+                    image_client_builder.image_security_policy_uri(image_policy_file.into());
            }
        }
-        Self { image_client }
+        let image_client = image_client_builder.build().await?;
+        Ok(Self { image_client })
    }

    /// get guest pause image process specification
@ -276,9 +278,10 @@ pub async fn set_proxy_env_vars() {
 }

 /// Init the image service
-pub async fn init_image_service() {
-    let image_service = ImageService::new();
+pub async fn init_image_service() -> Result<()> {
+    let image_service = ImageService::new().await?;
    *IMAGE_SERVICE.lock().await = Some(image_service);
+    Ok(())
 }

 pub async fn pull_image(
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@ -1749,7 +1749,7 @@ pub async fn start(
    let hservice = health_ttrpc::create_health(Arc::new(health_service));

    #[cfg(feature = "guest-pull")]
-    image::init_image_service().await;
+    image::init_image_service().await?;

    let server = TtrpcServer::new()
        .bind(server_address)?