github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-14 13:29:31 +00:00
Code Issues Projects Releases Wiki Activity

runtime-rs: Align shared fs guest path with runtime-go

Browse Source 
As runtime-rs use the "/run/kata-containers/shared/sandboxes/" which
will be checked and denied by agent policy. To make it pass the rules,
we'd better align it with runtime-go on the guest path definition.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
This commit is contained in:
Alex Lyn
2025-08-29 20:38:32 +08:00
parent b52bc51263
commit a90c8f5cf8
3 changed files with 11 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/runtime-rs/crates/resource/src/share_fs/mod.rs
View File

@@ -38,7 +38,7 @@ const INLINE_VIRTIO_FS: &str = "inline-virtio-fs";
const KATA_HOST_SHARED_DIR: &str = "/run/kata-containers/shared/sandboxes/"; const KATA_HOST_SHARED_DIR: &str = "/run/kata-containers/shared/sandboxes/";
/// share fs (for example virtio-fs) mount path in the guest /// share fs (for example virtio-fs) mount path in the guest
const KATA_GUEST_SHARE_DIR: &str = "/run/kata-containers/shared/containers/"; pub const KATA_GUEST_SHARE_DIR: &str = "/run/kata-containers/shared/containers/";
pub(crate) const DEFAULT_KATA_GUEST_SANDBOX_DIR: &str = "/run/kata-containers/sandbox/"; pub(crate) const DEFAULT_KATA_GUEST_SANDBOX_DIR: &str = "/run/kata-containers/sandbox/";

4
src/runtime-rs/crates/resource/src/volume/mod.rs
View File

@@ -59,7 +59,7 @@ impl VolumeResource {
pub async fn handler_volumes( pub async fn handler_volumes(
&self, &self,
share_fs: &Option<Arc<dyn ShareFs>>, share_fs: &Option<Arc<dyn ShareFs>>,
cid: &str, _cid: &str,
spec: &oci::Spec, spec: &oci::Spec,
d: &RwLock<DeviceManager>, d: &RwLock<DeviceManager>,
sid: &str, sid: &str,
@@ -108,7 +108,7 @@ impl VolumeResource {
share_fs_volume::ShareFsVolume::new( share_fs_volume::ShareFsVolume::new(
share_fs, share_fs,
m, m,
cid, sid,
spec, spec,
read_only, read_only,
agent.clone(), agent.clone(),

21
src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs
View File

@@ -30,9 +30,7 @@ use tokio::{
use walkdir::WalkDir; use walkdir::WalkDir;
use super::Volume; use super::Volume;
use crate::share_fs::DEFAULT_KATA_GUEST_SANDBOX_DIR; use crate::share_fs::{MountedInfo, ShareFs, ShareFsVolumeConfig, KATA_GUEST_SHARE_DIR};
use crate::share_fs::PASSTHROUGH_FS_DIR;
use crate::share_fs::{MountedInfo, ShareFs, ShareFsVolumeConfig};
use kata_types::{ use kata_types::{
k8s::{is_configmap, is_downward_api, is_projected, is_secret}, k8s::{is_configmap, is_downward_api, is_projected, is_secret},
mount, mount,
@@ -342,7 +340,7 @@ impl VolumeManager {
} }
// Create a new volume // Create a new volume
let guest_path = generate_guest_path(&canonical_source, mount_destination); let guest_path = generate_guest_path(container_id, &canonical_source, mount_destination);
let mut containers = HashSet::new(); let mut containers = HashSet::new();
containers.insert(container_id.to_string()); containers.insert(container_id.to_string());
@@ -436,7 +434,7 @@ impl ShareFsVolume {
pub(crate) async fn new( pub(crate) async fn new(
share_fs: &Option<Arc<dyn ShareFs>>, share_fs: &Option<Arc<dyn ShareFs>>,
m: &oci::Mount, m: &oci::Mount,
cid: &str, sid: &str,
spec: &oci::Spec, spec: &oci::Spec,
readonly: bool, readonly: bool,
agent: Arc<dyn Agent>, agent: Arc<dyn Agent>,
@@ -457,14 +455,14 @@ impl ShareFsVolume {
storages: vec![], storages: vec![],
volume_manager: Some(volume_manager.clone()), volume_manager: Some(volume_manager.clone()),
source_path: Some(source_path.clone()), source_path: Some(source_path.clone()),
container_id: cid.to_string(), container_id: sid.to_string(),
}; };
match share_fs { match share_fs {
None => { None => {
// Get or create the guest path // Get or create the guest path
let (guest_path, need_copy) = volume_manager let (guest_path, need_copy) = volume_manager
.get_or_create_volume(&source_path, cid, m.destination()) .get_or_create_volume(&source_path, sid, m.destination())
.await?; .await?;
let src = std::fs::canonicalize(&source_path)?; let src = std::fs::canonicalize(&source_path)?;
@@ -552,7 +550,7 @@ impl ShareFsVolume {
// The current mount should be upgraded to readwrite permission // The current mount should be upgraded to readwrite permission
info!( info!(
sl!(), sl!(),
"The mount will be upgraded, mount = {:?}, cid = {}", m, cid "The mount will be upgraded, mount = {:?}, sid = {}", m, sid
); );
share_fs_mount share_fs_mount
.upgrade_to_rw( .upgrade_to_rw(
@@ -1019,7 +1017,7 @@ pub(crate) fn is_watchable_volume(source_path: &PathBuf) -> bool {
} }
/// Generates a guest path with hashed source path /// Generates a guest path with hashed source path
fn generate_guest_path(source_path: &str, mount_destination: &Path) -> String { fn generate_guest_path(sid: &str, source_path: &str, mount_destination: &Path) -> String {
// Use a hash of the source path to generate a unique but deterministic identifier // Use a hash of the source path to generate a unique but deterministic identifier
let mut hasher = Sha256::new(); let mut hasher = Sha256::new();
hasher.update(source_path.as_bytes()); hasher.update(source_path.as_bytes());
@@ -1031,10 +1029,7 @@ fn generate_guest_path(source_path: &str, mount_destination: &Path) -> String {
.and_then(|n| n.to_str()) .and_then(|n| n.to_str())
.unwrap_or("volume"); .unwrap_or("volume");
format!( format!("{}{}-{}-{}", KATA_GUEST_SHARE_DIR, sid, hash_str, dest_base)
"{}/{}/shared-{}-{}",
DEFAULT_KATA_GUEST_SANDBOX_DIR, PASSTHROUGH_FS_DIR, hash_str, dest_base
)
} }
#[cfg(test)] #[cfg(test)]