diff --git a/docs/design/arch-images/guest-image-management-architecture.png b/docs/design/arch-images/guest-image-management-architecture.png deleted file mode 100644 index 83ab0f022..000000000 Binary files a/docs/design/arch-images/guest-image-management-architecture.png and /dev/null differ diff --git a/docs/design/arch-images/guest-image-management-details.png b/docs/design/arch-images/guest-image-management-details.png deleted file mode 100644 index d58afe71a..000000000 Binary files a/docs/design/arch-images/guest-image-management-details.png and /dev/null differ diff --git a/docs/design/kata-guest-image-management-design.md b/docs/design/kata-guest-image-management-design.md index 160cf5321..a68a0db6e 100644 --- a/docs/design/kata-guest-image-management-design.md +++ b/docs/design/kata-guest-image-management-design.md 
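Review bot: Deleting `arch-images/guest-image-management-architecture.png` and `guest-image-management-details.png` outright will break any other page that still links to them; please grep the `docs/` tree for `guest-image-management-` before merging, and note in the PR description that the diagrams now only render where mermaid is supported, so readers of the raw markdown lose the picture.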
@@ -49,13 +49,58 @@ Pull the container image directly from the guest VM using `nydus snapshotter` ba #### Architecture The following diagram provides an overview of the architecture for pulling image in the guest with key components. -![guest-image-management-architecture](arch-images/guest-image-management-architecture.png) +```mermaid +flowchart LR + Kubelet[kubelet]--> |1\. Pull image request & metadata|Containerd + Containerd-->|2\. Pull image metadata| E + Containerd-->Snapshotter[Nydus Snapshotter] + Snapshotter-->|3\. Pack image info| Containerd + Containerd-->Runtime[Kata Runtime] + Runtime-->Hypervisor + Hypervisor-->TEE + Runtime-->|4\. Pass image info to VM| Agent + CDH1-->|6\. Pull image with image info|E[Container Images Registry] + subgraph TEE [Virtual Machine] + Images[Container Images]-->|7\. Prepare container rootfs|H[Container] + + subgraph CDH [Confidential Data Hub] + CDH1[Image Mgmt] + end + + CDH-->Images + Agent[Kata Agent]-->|5\. Call image pull RPC|CDH + end +``` #### Sequence diagrams The following sequence diagram depicted below offers a detailed overview of the messages/calls exchanged to pull an unencrypted unsigned image from an unauthenticated container registry. This involves the kata-runtime, kata-agent, and the guest-components’ image-rs to use the guest pull mechanism. 
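Review bot: In the flowchart the subgraph is declared as `subgraph TEE [Virtual Machine]`, so the node id says TEE while the rendered label says plain "Virtual Machine"; pick one so the source does not suggest the guest pull path is confidential-VM only unless that is intended. A smaller point: the numbered edges are declared as 1, 2, 3, 4, 6, 7, 5 in source order (`CDH1-->|6\. ...|` appears before `Agent[Kata Agent]-->|5\. ...|CDH`), which is harmless for rendering but worth reordering for anyone reading the diagram source.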
-![guest-image-management-details](arch-images/guest-image-management-details.png) +```mermaid +sequenceDiagram + par Hosts Side + Containerd/Kubelet->>runtime.kata_agent: createContainer(ctx,sandbox,c) + runtime.kata_agent->>runtime.fs_share_linux: ShareRootFilesystem(ctx,c) + runtime.fs_share_linux->>runtime.kata_agent: handleVirtualVolumeStorageObject(c,...,KataVolumeType) + runtime.kata_agent->>runtime.kata_agent: handleImageGuestPullBlockVolume(c,virtVolume,vol) + runtime.kata_agent->>runtime.fs_share_linux: ret:storage + runtime.fs_share_linux->>runtime.kata_agent: ret:sharedFile + and Guest Side + runtime.kata_agent->>agent.rpc: CreateContainerRequest(cid,...,storages,...,oci,...) + agent.rpc->>agent.storage: add_storage(storages...) + agent.storage->>agent.storage: StorageHandler.handler(driver) + agent.storage->>agent.storage.StorageHandler.ImagePullHandler: create_device(storage) + agent.storage.StorageHandler.ImagePullHandler->>agent.confidential_data_hub: pull_image(img,cid,img_metadata) + agent.confidential_data_hub->>Confidential Data Hub: pull_image(img,bundle_path) + Confidential Data Hub->>agent.confidential_data_hub: ret + agent.confidential_data_hub->>agent.storage.StorageHandler.ImagePullHandler: ret: bundle_path + agent.storage.StorageHandler.ImagePullHandler->>agent.storage: ret: device + agent.storage->>agent.rpc: ret: mount_list + and Return + agent.rpc->>runtime.kata_agent: ret: ok + runtime.kata_agent->>Containerd/Kubelet: ret: ok + end +``` First and foremost, the guest pull code path is only activated when `nydus snapshotter` requires the handling of a volume which type is `image_guest_pull`, as can be seen on the message below: ```json 
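Review bot: The sequence diagram wraps the three phases in `par Hosts Side ... and Guest Side ... and Return ... end`, but in mermaid `par`/`and` denotes concurrent branches, whereas these messages are strictly sequential (runtime packs the storage, then sends `CreateContainerRequest`, then the reply); use plain ordered messages or `rect`/`Note over` blocks for the phases so the diagram does not misstate the ordering. Also "Hosts Side" should read "Host Side". It would also help to show the alternative branch the notes below describe, where the sandbox annotation is found and `unpack_pause_image()` is called instead of the `pull_image` RPC.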
@@ -108,10 +153,10 @@ Below is an example of storage information packaged in the message sent to the k ``` Next, the kata-agent's RPC module will handle the create container request which, among other things, involves adding storages to the sandbox. The storage module contains implementations of `StorageHandler` interface for various storage types, being the `ImagePullHandler` in charge of handling the storage object for the container image (the storage manager instantiates the handler based on the value of the "driver"). -`ImagePullHandler` delegates the image pulling operation to the `ImageService.pull_image()` that is going to create the image's bundle directory on the guest filesystem and, in turn, class the image-rs to in fact fetch and uncompress the image's bundle. +`ImagePullHandler` delegates the image pulling operation to the `confidential_data_hub.pull_image()` that is going to create the image's bundle directory on the guest filesystem and, in turn, the `ImagePullService` of Confidential Data Hub to fetch, uncompress and mount the image's rootfs. > **Notes:** -> In this flow, `ImageService.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `image-rs.pull_image()` because the pause image is expected to already be inside the guest's filesystem, so instead `ImageService.unpack_pause_image()` is called. +> In this flow, `confidential_data_hub.pull_image()` parses the image metadata, looking for either the `io.kubernetes.cri.container-type: sandbox` or `io.kubernetes.cri-o.ContainerType: sandbox` (CRI-IO case) annotation, then it never calls the `pull_image()` RPC of Confidential Data Hub because the pause image is expected to already be inside the guest's filesystem, so instead `confidential_data_hub.unpack_pause_image()` is called. ## Using guest image pull with `nerdctl` 
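Review bot: The new sentence "`confidential_data_hub.pull_image()` that is going to create the image's bundle directory on the guest filesystem and, in turn, the `ImagePullService` of Confidential Data Hub to fetch, uncompress and mount the image's rootfs" is missing its verb; suggest "and, in turn, calls the `ImagePullService` of Confidential Data Hub to fetch, uncompress and mount the image's rootfs". In the Notes, "CRI-IO case" should be "CRI-O case". Since the `io.kubernetes.cri.container-type: sandbox` annotation arrives from the host and is what decides whether the `pull_image()` RPC is skipped, it would be worth stating explicitly that this short-circuit only unpacks the pause image already bundled in the guest and never substitutes for pulling a host-named image.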
@@ -121,6 +166,6 @@ nerdctl run --runtime io.containerd.kata.v2 --snapshotter nydus --label io.kuber ``` References: -[1] [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137) -[2] https://github.com/containerd/containerd/blob/main/docs/content-flow.md - +1. [[RFC] Image management proposal for hosting sharing and peer pods](https://github.com/confidential-containers/confidential-containers/issues/137) +2. https://github.com/containerd/containerd/blob/main/docs/content-flow.md +3. [Move guest pull ability to a configurable component](https://github.com/kata-containers/kata-containers/issues/9266) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 4ea5dbb5b..c5fe85543 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock 
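Review bot: Entries 1 and 3 of the reference list are titled links while entry 2 is a bare URL; give the containerd content-flow document a title as well for consistency. Switching from `[1]`-style markers to a numbered list is fine, but please check that any in-text citations in the unchanged parts of the document still resolve to the same numbers.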
@@ -17,51 +17,6 @@ version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" -[[package]] -name = "aead" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0" -dependencies = [ - "crypto-common", - "generic-array", -] - -[[package]] -name = "aes" -version = "0.8.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" -dependencies = [ - "cfg-if", - "cipher", - "cpufeatures", - "zeroize", -] - -[[package]] -name = "aes-gcm" -version = "0.10.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1" -dependencies = [ - "aead", - "aes", - "cipher", - "ctr", - "ghash", - "subtle", -] - -[[package]] -name = "aes-kw" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69fa2b352dcefb5f7f3a5fb840e02665d311d878955380515e4fd50095dd3d8c" -dependencies = [ - "aes", -] - [[package]] name = "ahash" version = "0.7.8" 
@@ -181,55 +136,12 @@ version = "1.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457" -[[package]] -name = "argon2" -version = "0.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072" -dependencies = [ - "base64ct", - "blake2", - "cpufeatures", - "password-hash", -] - -[[package]] -name = "arrayref" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb" - [[package]] name = "arrayvec" version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50" -[[package]] -name = "ascii-canvas" -version = "3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6" -dependencies = [ - "term", -] - -[[package]] -name = "astral-tokio-tar" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65152cbda42e8ab5ecff69e8811e8333d69188c7d5c41e3eedb8d127e3f23b27" -dependencies = [ - "filetime", - "futures-core", - "libc", - "portable-atomic", - "rustc-hash 2.1.1", - "tokio", - "tokio-stream", - "xattr 1.5.0", -] - [[package]] name = "async-attributes" version = "1.1.2" @@ -281,12 +193,9 @@ checksum = "b37fc50485c4f3f736a4fb14199f6d5f5ba008d7f28fe710306c92780f004c07" dependencies = [ "flate2", "futures-core", - "futures-io", "memchr", "pin-project-lite", "tokio", - "zstd", - "zstd-safe", ] [[package]] 
@@ -496,26 +405,6 @@ version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" -[[package]] -name = "attester" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "anyhow", - "async-trait", - "base64 0.22.1", - "cfg-if", - "hex", - "kbs-types", - "log", - "serde", - "serde_json", - "serde_with", - "sha2", - "strum 0.27.1", - "thiserror 2.0.12", -] - [[package]] name = "atty" version = "0.2.14" @@ -554,46 +443,18 @@ dependencies = [ "windows-targets 0.52.6", ] -[[package]] -name = "base16ct" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf" - [[package]] name = "base64" version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" -[[package]] -name = "base64" -version = "0.21.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" - [[package]] name = "base64" version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" -[[package]] -name = "base64-serde" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba368df5de76a5bea49aaf0cf1b39ccfbbef176924d1ba5db3e4135216cbe3c7" -dependencies = [ - "base64 0.21.7", - "serde", -] - -[[package]] -name = "base64ct" -version = "1.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" - [[package]] name = "bincode" version = "1.3.3" 
@@ -603,32 +464,6 @@ dependencies = [ "serde", ] -[[package]] -name = "bindgen" -version = "0.63.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36d860121800b2a9a94f9b5604b332d5cffb234ce17609ea479d723dbc9d3885" -dependencies = [ - "bitflags 1.3.2", - "cexpr", - "clang-sys", - "lazy_static", - "lazycell", - "peeking_take_while", - "proc-macro2", - "quote", - "regex", - "rustc-hash 1.1.0", - "shlex", - "syn 1.0.109", -] - -[[package]] -name = "binstring" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a3a3c2603413428303761fae99d4b6d936404208221a44eba47d7c1e6dd03a3" - [[package]] name = "bit-set" version = "0.5.3" @@ -678,26 +513,6 @@ dependencies = [ "wyz", ] -[[package]] -name = "blake2" -version = "0.10.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe" -dependencies = [ - "digest", -] - -[[package]] -name = "blake2b_simd" -version = "1.0.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06e903a20b159e944f91ec8499fe1e55651480c541ea0a584f5d967c49ad9d99" -dependencies = [ - "arrayref", - "arrayvec", - "constant_time_eq", -] - [[package]] name = "block-buffer" version = "0.10.4" @@ -707,15 +522,6 @@ dependencies = [ "generic-array", ] -[[package]] -name = "block-padding" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93" -dependencies = [ - "generic-array", -] - [[package]] name = "blocking" version = "1.6.1" @@ -729,16 +535,6 @@ dependencies = [ "piper", ] -[[package]] -name = "blowfish" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7" -dependencies = [ - "byteorder", - "cipher", -] - [[package]] name = "borsh" version = "1.5.7" 
@@ -762,17 +558,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "buffered-reader" -version = "1.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db26bf1f092fd5e05b5ab3be2f290915aeb6f3f20c4e9f86ce0f07f336c2412f" -dependencies = [ - "bzip2", - "flate2", - "libc", -] - [[package]] name = "bumpalo" version = "3.17.0" @@ -840,35 +625,6 @@ version = "1.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a" -[[package]] -name = "bzip2" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49ecfb22d906f800d4fe833b6282cf4dc1c298f5057ca0b5445e5c209735ca47" -dependencies = [ - "bzip2-sys", -] - -[[package]] -name = "bzip2-sys" -version = "0.1.13+1.0.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "225bff33b2141874fe80d71e07d6eec4f85c5c216453dd96388240f96e1acc14" -dependencies = [ - "cc", - "pkg-config", -] - -[[package]] -name = "camellia" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3264e2574e9ef2b53ce6f536dea83a69ac0bc600b762d1523ff83fe07230ce30" -dependencies = [ - "byteorder", - "cipher", -] - [[package]] name = "capctl" version = "0.2.4" 
@@ -890,32 +646,12 @@ dependencies = [ "thiserror 1.0.69", ] -[[package]] -name = "cast5" -version = "0.11.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b07d673db1ccf000e90f54b819db9e75a8348d6eb056e9b8ab53231b7a9911" -dependencies = [ - "cipher", -] - -[[package]] -name = "cbc" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6" -dependencies = [ - "cipher", -] - [[package]] name = "cc" version = "1.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32db95edf998450acc7881c932f94cd9b05c87b4b2599e8bab064753da4acfd1" dependencies = [ - "jobserver", - "libc", "shlex", ] @@ -932,7 +668,7 @@ dependencies = [ "libc", "nix 0.24.3", "notify", - "oci-spec 0.6.8", + "oci-spec", "once_cell", "path-clean", "regex", @@ -943,30 +679,6 @@ dependencies = [ "serde_yaml", ] -[[package]] -name = "cesu8" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" - -[[package]] -name = "cexpr" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766" -dependencies = [ - "nom 7.1.3", -] - -[[package]] -name = "cfb-mode" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "738b8d467867f80a71351933f70461f5b56f24d5c93e0cf216e59229c968d330" -dependencies = [ - "cipher", -] - [[package]] name = "cfg-if" version = "1.0.0" 
@@ -1001,33 +713,10 @@ dependencies = [ "iana-time-zone", "js-sys", "num-traits", - "serde", "wasm-bindgen", "windows-link", ] -[[package]] -name = "cipher" -version = "0.4.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" -dependencies = [ - "crypto-common", - "inout", - "zeroize", -] - -[[package]] -name = "clang-sys" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" -dependencies = [ - "glob", - "libc", - "libloading", -] - [[package]] name = "clap" version = "3.2.25" 
@@ -1107,59 +796,18 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" -[[package]] -name = "cmac" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8543454e3c3f5126effff9cd44d562af4e31fb8ce1cc0d3dcd8f084515dbc1aa" -dependencies = [ - "cipher", - "dbl", - "digest", -] - -[[package]] -name = "coarsetime" -version = "0.1.36" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91849686042de1b41cd81490edc83afbcb0abe5a9b6f2c4114f23ce8cca1bcf4" -dependencies = [ - "libc", - "wasix", - "wasm-bindgen", -] - [[package]] name = "colorchoice" version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" -[[package]] -name = "combine" -version = "4.6.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd" -dependencies = [ - "bytes 1.10.1", - "memchr", -] - [[package]] name = "common-path" version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101" -[[package]] -name = "concat-kdf" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d72c1252426a83be2092dd5884a5f6e3b8e7180f6891b6263d2c21b92ec8816" -dependencies = [ - "digest", -] - [[package]] name = "concurrent-queue" version = "2.5.0" @@ -1169,12 +817,6 @@ dependencies = [ "crossbeam-utils", ] -[[package]] -name = "const-oid" -version = "0.9.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" - [[package]] name = "const_format" version = "0.2.34" 
@@ -1195,51 +837,6 @@ dependencies = [ "unicode-xid", ] -[[package]] -name = "constant_time_eq" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" - -[[package]] -name = "cookie" -version = "0.18.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747" -dependencies = [ - "percent-encoding", - "time", - "version_check", -] - -[[package]] -name = "cookie_store" -version = "0.21.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2eac901828f88a5241ee0600950ab981148a18f2f756900ffba1b125ca6a3ef9" -dependencies = [ - "cookie", - "document-features", - "idna", - "log", - "publicsuffix", - "serde", - "serde_derive", - "serde_json", - "time", - "url", -] - -[[package]] -name = "core-foundation" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b55271e5c8c478ad3f38ad24ef34923091e0548492a266d19b3c0b4d82574c63" -dependencies = [ - "core-foundation-sys", - "libc", -] - [[package]] name = "core-foundation-sys" version = "0.8.7" 
@@ -1320,47 +917,6 @@ version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" -[[package]] -name = "crunchy" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43da5946c66ffcc7745f48db692ffbb10a83bfe0afd96235c5c2a4fb23994929" - -[[package]] -name = "crypto" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "aes-gcm", - "aes-kw", - "anyhow", - "base64 0.22.1", - "concat-kdf", - "ctr", - "kbs-types", - "p256", - "rand 0.8.5", - "rand 0.9.1", - "rsa", - "serde", - "serde_json", - "sha2", - "strum 0.27.1", - "zeroize", -] - -[[package]] -name = "crypto-bigint" -version = "0.5.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" -dependencies = [ - "generic-array", - "rand_core 0.6.4", - "subtle", - "zeroize", -] - [[package]] name = "crypto-common" version = "0.1.6" 
@@ -1368,67 +924,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" dependencies = [ "generic-array", - "rand_core 0.6.4", "typenum", ] -[[package]] -name = "crypto_secretbox" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9d6cf87adf719ddf43a805e92c6870a531aedda35ff640442cbaf8674e141e1" -dependencies = [ - "aead", - "cipher", - "generic-array", - "poly1305", - "salsa20", - "subtle", - "zeroize", -] - -[[package]] -name = "ct-codecs" -version = "1.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd0d274c65cbc1c34703d2fc2ce0fb892ff68f4516b677671a2f238a30b9b2b2" - -[[package]] -name = "ctr" -version = "0.9.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835" -dependencies = [ - "cipher", -] - -[[package]] -name = "curve25519-dalek" -version = "4.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" -dependencies = [ - "cfg-if", - "cpufeatures", - "curve25519-dalek-derive", - "digest", - "fiat-crypto", - "rustc_version", - "subtle", - "zeroize", -] - -[[package]] -name = "curve25519-dalek-derive" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.101", -] - [[package]] name = "darling" version = "0.14.4" 
@@ -1498,45 +996,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "dbl" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd2735a791158376708f9347fe8faba9667589d82427ef3aed6794a8981de3d9" -dependencies = [ - "generic-array", -] - -[[package]] -name = "decoded-char" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5440d1dc8ea7cae44cda3c64568db29bfa2434aba51ae66a50c00488841a65a3" - -[[package]] -name = "der" -version = "0.7.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" -dependencies = [ - "const-oid", - "der_derive", - "flagset", - "pem-rfc7468", - "zeroize", -] - -[[package]] -name = "der_derive" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.101", -] - [[package]] name = "deranged" version = "0.4.0" @@ -1544,7 +1003,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" dependencies = [ "powerfmt", - "serde", ] [[package]] @@ -1600,15 +1058,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "des" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e" -dependencies = [ - "cipher", -] - [[package]] name = "digest" version = "0.10.7" @@ -1616,9 +1065,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", - "const-oid", "crypto-common", - "subtle", ] [[package]] 
@@ -1653,150 +1100,18 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "document-features" -version = "0.2.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d" -dependencies = [ - "litrs", -] - [[package]] name = "downcast" version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1" -[[package]] -name = "dsa" -version = "0.6.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48bc224a9084ad760195584ce5abb3c2c34a225fa312a128ad245a6b412b7689" -dependencies = [ - "digest", - "num-bigint-dig", - "num-traits", - "pkcs8", - "rfc6979", - "sha2", - "signature", - "zeroize", -] - -[[package]] -name = "dyn-clone" -version = "1.0.19" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c7a8fb8a9fbf66c1f703fe16184d10ca0ee9d23be5b4436400408ba54a95005" - -[[package]] -name = "eax" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9954fabd903b82b9d7a68f65f97dc96dd9ad368e40ccc907a7c19d53e6bfac28" -dependencies = [ - "aead", - "cipher", - "cmac", - "ctr", - "subtle", -] - -[[package]] -name = "ecb" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a8bfa975b1aec2145850fcaa1c6fe269a16578c44705a532ae3edc92b8881c7" -dependencies = [ - "cipher", -] - -[[package]] -name = "ecdsa" -version = "0.16.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" -dependencies = [ - "der", - "digest", - "elliptic-curve", - "rfc6979", - "signature", - "spki", -] - -[[package]] -name = "ed25519" -version = "2.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" 
-dependencies = [ - "pkcs8", - "signature", -] - -[[package]] -name = "ed25519-compact" -version = "2.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9b3460f44bea8cd47f45a0c70892f1eff856d97cd55358b2f73f663789f6190" -dependencies = [ - "ct-codecs", - "getrandom 0.2.16", -] - -[[package]] -name = "ed25519-dalek" -version = "2.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871" -dependencies = [ - "curve25519-dalek", - "ed25519", - "rand_core 0.6.4", - "serde", - "sha2", - "subtle", - "zeroize", -] - [[package]] name = "either" version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" -[[package]] -name = "elliptic-curve" -version = "0.13.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" -dependencies = [ - "base16ct", - "crypto-bigint", - "digest", - "ff", - "generic-array", - "group", - "hkdf", - "pem-rfc7468", - "pkcs8", - "rand_core 0.6.4", - "sec1", - "subtle", - "zeroize", -] - -[[package]] -name = "ena" -version = "0.14.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5" -dependencies = [ - "log", -] - [[package]] name = "enumflags2" version = "0.7.11" @@ -1824,17 +1139,6 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" -[[package]] -name = "errno" -version = "0.2.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1" -dependencies = [ - "errno-dragonfly", - "libc", - "winapi", -] - [[package]] name = "errno" version = "0.3.11" 
@@ -1845,16 +1149,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "errno-dragonfly" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf" -dependencies = [ - "cc", - "libc", -] - [[package]] name = "event-listener" version = "2.5.3" @@ -1901,7 +1195,7 @@ checksum = "fe5e43d0f78a42ad591453aedb1d7ae631ce7ee445c7643691055a9ed8d3b01c" dependencies = [ "log", "once_cell", - "rand 0.8.5", + "rand", ] [[package]] @@ -1930,22 +1224,6 @@ version = "2.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be" -[[package]] -name = "ff" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393" -dependencies = [ - "rand_core 0.6.4", - "subtle", -] - -[[package]] -name = "fiat-crypto" -version = "0.2.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" - [[package]] name = "filetime" version = "0.2.25" @@ -1964,18 +1242,6 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "37ab347416e802de484e4d03c7316c48f1ecb56574dfd4a46a80f173ce1de04d" -[[package]] -name = "fixedbitset" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" - -[[package]] -name = "flagset" -version = "0.4.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b7ac824320a75a52197e8f2d787f6a38b6718bb6897a35142d749af3c0e8f4fe" - [[package]] name = "flate2" version = "1.1.1" 
@@ -2172,7 +1438,6 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", - "zeroize", ] [[package]] @@ -2195,11 +1460,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4" dependencies = [ "cfg-if", - "js-sys", "libc", "r-efi", "wasi 0.14.2+wasi-0.2.4", - "wasm-bindgen", ] [[package]] @@ -2214,16 +1477,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "ghash" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1" -dependencies = [ - "opaque-debug", - "polyval", -] - [[package]] name = "gimli" version = "0.31.1" @@ -2248,17 +1501,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "group" -version = "0.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" -dependencies = [ - "ff", - "rand_core 0.6.4", - "subtle", -] - [[package]] name = "hashbrown" version = "0.12.3" 
@@ -2328,48 +1570,6 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" -[[package]] -name = "hkdf" -version = "0.12.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7" -dependencies = [ - "hmac", -] - -[[package]] -name = "hmac" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" -dependencies = [ - "digest", -] - -[[package]] -name = "hmac-sha1-compact" -version = "1.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18492c9f6f9a560e0d346369b665ad2bdbc89fa9bceca75796584e79042694c3" - -[[package]] -name = "hmac-sha256" -version = "1.1.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a8575493d277c9092b988c780c94737fb9fd8651a1001e16bee3eccfc1baedb" -dependencies = [ - "digest", -] - -[[package]] -name = "hmac-sha512" -version = "1.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0b3a0f572aa8389d325f5852b9e0a333a15b0f86ecccbb3fdb6e97cd86dc67c" -dependencies = [ - "digest", -] - [[package]] name = "home" version = "0.5.9" @@ -2390,15 +1590,6 @@ dependencies = [ "itoa", ] -[[package]] -name = "http-auth" -version = "0.1.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "150fa4a9462ef926824cf4519c84ed652ca8f4fbae34cb8af045b5cbcaf98822" -dependencies = [ - "memchr", -] - [[package]] name = "http-body" version = "1.0.1" 
@@ -2447,25 +1638,6 @@ dependencies = [ "want", ] -[[package]] -name = "hyper-rustls" -version = "0.27.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2" -dependencies = [ - "futures-util", - "http", - "hyper", - "hyper-util", - "rustls", - "rustls-native-certs", - "rustls-pki-types", - "tokio", - "tokio-rustls", - "tower-service", - "webpki-roots 0.26.11", -] - [[package]] name = "hyper-util" version = "0.1.11" @@ -2628,15 +1800,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "idea" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "075557004419d7f2031b8bb7f44bb43e55a83ca7b63076a8fb8fe75753836477" -dependencies = [ - "cipher", -] - [[package]] name = "ident_case" version = "1.0.1" @@ -2664,50 +1827,6 @@ dependencies = [ "icu_properties", ] -[[package]] -name = "image-rs" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "anyhow", - "astral-tokio-tar", - "async-compression", - "async-trait", - "base64 0.22.1", - "cfg-if", - "filetime", - "flate2", - "futures", - "futures-util", - "hex", - "kbc", - "log", - "loopdev", - "nix 0.29.0", - "oci-client", - "oci-spec 0.8.1", - "ocicrypt-rs", - "protobuf 3.7.1", - "reqwest", - "sequoia-openpgp", - "serde", - "serde_json", - "serde_yaml", - "sha2", - "sigstore", - "strum 0.27.1", - "strum_macros 0.27.1", - "tokio", - "tokio-util", - "toml 0.8.22", - "ttrpc", - "ttrpc-codegen", - "url", - "walkdir", - "xattr 1.5.0", - "zstd", -] - [[package]] name = "indexmap" version = "1.9.3" @@ -2716,7 +1835,6 @@ checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" dependencies = [ "autocfg", "hashbrown 0.12.3", - "serde", ] [[package]] 
@@ -2727,7 +1845,6 @@ checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e" dependencies = [ "equivalent", "hashbrown 0.15.3", - "serde", ] [[package]] @@ -2752,16 +1869,6 @@ dependencies = [ "libc", ] -[[package]] -name = "inout" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01" -dependencies = [ - "block-padding", - "generic-array", -] - [[package]] name = "instant" version = "0.1.13" @@ -2841,53 +1948,12 @@ dependencies = [ "either", ] -[[package]] -name = "itertools" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57" -dependencies = [ - "either", -] - [[package]] name = "itoa" version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" -[[package]] -name = "jni" -version = "0.21.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97" -dependencies = [ - "cesu8", - "cfg-if", - "combine", - "jni-sys", - "log", - "thiserror 1.0.69", - "walkdir", - "windows-sys 0.45.0", -] - -[[package]] -name = "jni-sys" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" - -[[package]] -name = "jobserver" -version = "0.1.33" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38f262f097c174adebe41eb73d66ae9c06b2844fb0da69969647bbddd9b0538a" -dependencies = [ - "getrandom 0.3.3", - "libc", -] - [[package]] name = "js-sys" version = "0.3.77" 
@@ -2898,18 +1964,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "json-number" -version = "0.4.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66994b2bac615128d07a1e4527ad29e98b004dd1a1769e7b8fbc1173ccf43006" -dependencies = [ - "lexical", - "ryu-js", - "serde", - "smallvec", -] - [[package]] name = "json-patch" version = "2.0.0" @@ -2922,25 +1976,6 @@ dependencies = [ "thiserror 1.0.69", ] -[[package]] -name = "json-syntax" -version = "0.12.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "044a68aba3f96d712f492b72be25e10f96201eaaca3207a7d6e68d6d5105fda9" -dependencies = [ - "decoded-char", - "hashbrown 0.12.3", - "indexmap 1.9.3", - "json-number", - "locspan", - "locspan-derive", - "ryu-js", - "serde", - "smallstr", - "smallvec", - "utf8-decode", -] - [[package]] name = "jsonptr" version = "0.4.7" 
@@ -2982,61 +2017,6 @@ dependencies = [ "uuid", ] -[[package]] -name = "jwt" -version = "0.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6204285f77fe7d9784db3fdc449ecce1a0114927a51d5a41c4c7a292011c015f" -dependencies = [ - "base64 0.13.1", - "crypto-common", - "digest", - "hmac", - "serde", - "serde_json", - "sha2", -] - -[[package]] -name = "jwt-simple" -version = "0.12.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "731011e9647a71ff4f8474176ff6ce6e0d2de87a0173f15613af3a84c3e3401a" -dependencies = [ - "anyhow", - "binstring", - "blake2b_simd", - "coarsetime", - "ct-codecs", - "ed25519-compact", - "hmac-sha1-compact", - "hmac-sha256", - "hmac-sha512", - "k256", - "p256", - "p384", - "rand 0.8.5", - "serde", - "serde_json", - "superboring", - "thiserror 2.0.12", - "zeroize", -] - -[[package]] -name = "k256" -version = "0.13.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6e3919bbaa2945715f0bb6d3934a173d1e9a59ac23767fbaaef277265a7411b" -dependencies = [ - "cfg-if", - "ecdsa", - "elliptic-curve", - "once_cell", - "sha2", - "signature", -] - [[package]] name = "kata-agent" version = "0.1.0" @@ -3055,7 +2035,6 @@ dependencies = [ "const_format", "derivative", "futures", - "image-rs", "ipnetwork", "kata-agent-policy", "kata-sys-util", @@ -3069,7 +2048,7 @@ dependencies = [ "netlink-packet-route", "netlink-sys 0.7.0", "nix 0.24.3", - "oci-spec 0.6.8", + "oci-spec", "opentelemetry", "procfs 0.12.0", "prometheus", @@ -3092,14 +2071,14 @@ dependencies = [ "slog-scope", "slog-stdlog", "slog-term", - "strum 0.26.3", - "strum_macros 0.26.4", + "strum", + "strum_macros", "tempfile", "test-utils", "thiserror 1.0.69", "tokio", "tokio-vsock 0.3.4", - "toml 0.5.11", + "toml", "tracing", "tracing-opentelemetry", "tracing-subscriber", 
@@ -3138,10 +2117,10 @@ dependencies = [ "libc", "mockall", "nix 0.24.3", - "oci-spec 0.6.8", + "oci-spec", "once_cell", "pci-ids", - "rand 0.8.5", + "rand", "runtime-spec", "safe-path", "serde", @@ -3163,7 +2142,7 @@ dependencies = [ "glob", "lazy_static", "num_cpus", - "oci-spec 0.6.8", + "oci-spec", "regex", "safe-path", "serde", @@ -3173,71 +2152,7 @@ dependencies = [ "slog-scope", "sysinfo", "thiserror 1.0.69", - "toml 0.5.11", -] - -[[package]] -name = "kbc" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "anyhow", - "async-trait", - "base64 0.22.1", - "crypto", - "kbs_protocol", - "log", - "resource_uri", - "serde", - "serde_json", - "strum 0.27.1", - "url", - "zeroize", -] - -[[package]] -name = "kbs-types" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db954f164e19a63a1eb7c04c46511167d68a5eb5025d4a435c1ba297f00dbf4" -dependencies = [ - "base64 0.22.1", - "serde", - "serde_json", - "thiserror 2.0.12", -] - -[[package]] -name = "kbs_protocol" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "anyhow", - "async-trait", - "attester", - "base64 0.22.1", - "crypto", - "jwt-simple", - "kbs-types", - "log", - "reqwest", - "resource_uri", - "serde", - "serde_json", - "sha2", - "thiserror 2.0.12", - "tokio", - "url", - "zeroize", -] - -[[package]] -name = "keccak" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654" -dependencies = [ - "cpufeatures", + "toml", ] [[package]] 
@@ -3269,123 +2184,11 @@ dependencies = [ "log", ] -[[package]] -name = "lalrpop" -version = "0.20.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55cb077ad656299f160924eb2912aa147d7339ea7d69e1b5517326fdcec3c1ca" -dependencies = [ - "ascii-canvas", - "bit-set", - "ena", - "itertools 0.11.0", - "lalrpop-util", - "petgraph 0.6.5", - "regex", - "regex-syntax 0.8.5", - "string_cache", - "term", - "tiny-keccak", - "unicode-xid", - "walkdir", -] - -[[package]] -name = "lalrpop-util" -version = "0.20.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "507460a910eb7b32ee961886ff48539633b788a36b65692b95f225b844c82553" -dependencies = [ - "regex-automata 0.4.9", -] - [[package]] name = "lazy_static" version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" -dependencies = [ - "spin", -] - -[[package]] -name = "lazycell" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" - -[[package]] -name = "lexical" -version = "7.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70ed980ff02623721dc334b9105150b66d0e1f246a92ab5a2eca0335d54c48f6" -dependencies = [ - "lexical-core", -] - -[[package]] -name = "lexical-core" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b765c31809609075565a70b4b71402281283aeda7ecaf4818ac14a7b2ade8958" -dependencies = [ - "lexical-parse-float", - "lexical-parse-integer", - "lexical-util", - "lexical-write-float", - "lexical-write-integer", -] - -[[package]] -name = "lexical-parse-float" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de6f9cb01fb0b08060209a057c048fcbab8717b4c1ecd2eac66ebfe39a65b0f2" -dependencies = [ - "lexical-parse-integer", - 
"lexical-util", - "static_assertions", -] - -[[package]] -name = "lexical-parse-integer" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72207aae22fc0a121ba7b6d479e42cbfea549af1479c3f3a4f12c70dd66df12e" -dependencies = [ - "lexical-util", - "static_assertions", -] - -[[package]] -name = "lexical-util" -version = "1.0.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a82e24bf537fd24c177ffbbdc6ebcc8d54732c35b50a3f28cc3f4e4c949a0b3" -dependencies = [ - "static_assertions", -] - -[[package]] -name = "lexical-write-float" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c5afc668a27f460fb45a81a757b6bf2f43c2d7e30cb5a2dcd3abf294c78d62bd" -dependencies = [ - "lexical-util", - "lexical-write-integer", - "static_assertions", -] - -[[package]] -name = "lexical-write-integer" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "629ddff1a914a836fb245616a7888b62903aae58fa771e1d83943035efa0f978" -dependencies = [ - "lexical-util", - "static_assertions", -] [[package]] name = "libc" @@ -3393,22 +2196,6 @@ version = "0.2.172" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" -[[package]] -name = "libloading" -version = "0.8.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" -dependencies = [ - "cfg-if", - "windows-targets 0.48.5", -] - -[[package]] -name = "libm" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de" - [[package]] name = "libredox" version = "0.1.3" 
@@ -3462,12 +2249,6 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104" -[[package]] -name = "litrs" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5" - [[package]] name = "lock_api" version = "0.4.12" @@ -3478,24 +2259,6 @@ dependencies = [ "scopeguard", ] -[[package]] -name = "locspan" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33890449fcfac88e94352092944bf321f55e5deb4e289a6f51c87c55731200a0" - -[[package]] -name = "locspan-derive" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e88991223b049a3d29ca1f60c05639581336a0f3ee4bf8a659dddecc11c4961a" -dependencies = [ - "proc-macro-error", - "proc-macro2", - "quote", - "syn 1.0.109", -] - [[package]] name = "log" version = "0.4.27" @@ -3519,22 +2282,6 @@ dependencies = [ "slog-term", ] -[[package]] -name = "loopdev" -version = "0.5.0" -source = "git+https://github.com/mdaffin/loopdev?rev=c9f91e8f0326ce8a3364ac911e81eb32328a5f27#c9f91e8f0326ce8a3364ac911e81eb32328a5f27" -dependencies = [ - "bindgen", - "errno 0.2.8", - "libc", -] - -[[package]] -name = "lru-slab" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154" - [[package]] name = "matchers" version = "0.0.1" @@ -3544,16 +2291,6 @@ dependencies = [ "regex-automata 0.1.10", ] -[[package]] -name = "md-5" -version = "0.10.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf" -dependencies = [ - "cfg-if", - "digest", -] - [[package]] name = "mem-agent" version = "0.1.0" 
@@ -3602,12 +2339,6 @@ dependencies = [ "autocfg", ] -[[package]] -name = "memsec" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c797b9d6bb23aab2fc369c65f871be49214f5c759af65bde26ffaaa2b646b492" - [[package]] name = "mime" version = "0.3.17" @@ -3684,12 +2415,6 @@ version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" -[[package]] -name = "ndk-context" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b" - [[package]] name = "netlink-packet-core" version = "0.7.0" @@ -3766,12 +2491,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "new_debug_unreachable" -version = "1.0.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086" - [[package]] name = "nix" version = "0.23.2" @@ -3833,18 +2552,6 @@ dependencies = [ "libc", ] -[[package]] -name = "nix" -version = "0.29.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46" -dependencies = [ - "bitflags 2.9.0", - "cfg-if", - "cfg_aliases", - "libc", -] - [[package]] name = "nom" version = "7.1.3" @@ -3916,23 +2623,6 @@ dependencies = [ "num-traits", ] -[[package]] -name = "num-bigint-dig" -version = "0.8.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151" -dependencies = [ - "byteorder", - "lazy_static", - "libm", - "num-integer", - "num-iter", - "num-traits", - "rand 0.8.5", - "smallvec", - "zeroize", -] - [[package]] name = "num-cmp" version = "0.1.0" 
@@ -3992,7 +2682,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", - "libm", ] [[package]] @@ -4005,15 +2694,6 @@ dependencies = [ "libc", ] -[[package]] -name = "objc2" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88c6597e14493ab2e44ce58f2fdecf095a51f12ca57bec060a11c57332520551" -dependencies = [ - "objc2-encode", -] - [[package]] name = "objc2-core-foundation" version = "0.3.1" @@ -4023,22 +2703,6 @@ dependencies = [ "bitflags 2.9.0", ] -[[package]] -name = "objc2-encode" -version = "4.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef25abbcd74fb2609453eb695bd2f860d389e457f67dc17cafc8b8cbc89d0c33" - -[[package]] -name = "objc2-foundation" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "900831247d2fe1a09a683278e5384cfb8c80c79fe6b166f9d14bfdde0ea1b03c" -dependencies = [ - "bitflags 2.9.0", - "objc2", -] - [[package]] name = "object" version = "0.36.7" @@ -4048,44 +2712,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "ocb3" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c196e0276c471c843dd5777e7543a36a298a4be942a2a688d8111cd43390dedb" -dependencies = [ - "aead", - "cipher", - "ctr", - "subtle", -] - -[[package]] -name = "oci-client" -version = "0.14.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "474675fdc023fbcc9dcf4782e938a3a1ae5fd469c728d8db40599bd25c77e1ba" -dependencies = [ - "bytes 1.10.1", - "chrono", - "futures-util", - "http", - "http-auth", - "jwt", - "lazy_static", - "oci-spec 0.7.1", - "olpc-cjson", - "regex", - "reqwest", - "serde", - "serde_json", - "sha2", - "thiserror 1.0.69", - "tokio", - "tracing", - "unicase", -] - [[package]] name = "oci-spec" version = "0.6.8" 
@@ -4098,97 +2724,17 @@ dependencies = [ "regex", "serde", "serde_json", - "strum 0.26.3", - "strum_macros 0.26.4", + "strum", + "strum_macros", "thiserror 1.0.69", ] -[[package]] -name = "oci-spec" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da406e58efe2eb5986a6139626d611ce426e5324a824133d76367c765cf0b882" -dependencies = [ - "derive_builder", - "getset", - "regex", - "serde", - "serde_json", - "strum 0.26.3", - "strum_macros 0.26.4", - "thiserror 2.0.12", -] - -[[package]] -name = "oci-spec" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33" -dependencies = [ - "const_format", - "derive_builder", - "getset", - "regex", - "serde", - "serde_json", - "strum 0.27.1", - "strum_macros 0.27.1", - "thiserror 2.0.12", -] - -[[package]] -name = "ocicrypt-rs" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "aes", - "anyhow", - "async-trait", - "base64 0.22.1", - "base64-serde", - "cfg-if", - "ctr", - "hmac", - "kbc", - "pin-project-lite", - "protobuf 3.7.1", - "ring", - "serde", - "serde_json", - "sha2", - "tokio", - "ttrpc", -] - -[[package]] -name = "olpc-cjson" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "696183c9b5fe81a7715d074fd632e8bd46f4ccc0231a3ed7fc580a80de5f7083" -dependencies = [ - "serde", - "serde_json", - "unicode-normalization", -] - [[package]] name = "once_cell" version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" -[[package]] -name = "opaque-debug" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" - -[[package]] -name = "openssl-probe" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" - [[package]] name = "opentelemetry" version = "0.14.0" @@ -4202,7 +2748,7 @@ dependencies = [ "lazy_static", "percent-encoding", "pin-project", - "rand 0.8.5", + "rand", "serde", "thiserror 1.0.69", "tokio", @@ -4225,44 +2771,6 @@ version = "6.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1" -[[package]] -name = "p256" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" -dependencies = [ - "ecdsa", - "elliptic-curve", - "primeorder", - "sha2", -] - -[[package]] -name = "p384" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6" -dependencies = [ - "ecdsa", - "elliptic-curve", - "primeorder", - "sha2", -] - -[[package]] -name = "p521" -version = "0.13.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fc9e2161f1f215afdfce23677034ae137bbd45016a880c2eb3ba8eb95f085b2" -dependencies = [ - "base16ct", - "ecdsa", - "elliptic-curve", - "primeorder", - "rand_core 0.6.4", - "sha2", -] - [[package]] name = "page_size" version = "0.6.0" @@ -4327,17 +2835,6 @@ dependencies = [ "windows-targets 0.52.6", ] -[[package]] -name = "password-hash" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" -dependencies = [ - "base64ct", - "rand_core 0.6.4", - "subtle", -] - [[package]] name = "paste" version = "1.0.15" 
@@ -4369,16 +2866,6 @@ dependencies = [ "lazy_static", ] -[[package]] -name = "pbkdf2" -version = "0.12.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" -dependencies = [ - "digest", - "hmac", -] - [[package]] name = "pci-ids" version = "0.2.5" @@ -4392,31 +2879,6 @@ dependencies = [ "quote", ] -[[package]] -name = "peeking_take_while" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099" - -[[package]] -name = "pem" -version = "3.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3" -dependencies = [ - "base64 0.22.1", - "serde", -] - -[[package]] -name = "pem-rfc7468" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" -dependencies = [ - "base64ct", -] - [[package]] name = "percent-encoding" version = "2.3.1" @@ -4429,20 +2891,10 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "467d164a6de56270bd7c4d070df81d07beace25012d5103ced4e9ff08d6afdb7" dependencies = [ - "fixedbitset 0.2.0", + "fixedbitset", "indexmap 1.9.3", ] -[[package]] -name = "petgraph" -version = "0.6.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" -dependencies = [ - "fixedbitset 0.4.2", - "indexmap 2.9.0", -] - [[package]] name = "phf" version = "0.11.3" @@ -4469,7 +2921,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d" dependencies = [ "phf_shared", - "rand 0.8.5", + "rand", ] [[package]] 
@@ -4524,44 +2976,6 @@ dependencies = [ "futures-io", ] -[[package]] -name = "pkcs1" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" -dependencies = [ - "der", - "pkcs8", - "spki", -] - -[[package]] -name = "pkcs5" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6" -dependencies = [ - "aes", - "cbc", - "der", - "pbkdf2", - "scrypt", - "sha2", - "spki", -] - -[[package]] -name = "pkcs8" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" -dependencies = [ - "der", - "pkcs5", - "rand_core 0.6.4", - "spki", -] - [[package]] name = "pkg-config" version = "0.3.32" @@ -4599,35 +3013,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "poly1305" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf" -dependencies = [ - "cpufeatures", - "opaque-debug", - "universal-hash", -] - -[[package]] -name = "polyval" -version = "0.6.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25" -dependencies = [ - "cfg-if", - "cpufeatures", - "opaque-debug", - "universal-hash", -] - -[[package]] -name = "portable-atomic" -version = "1.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" - [[package]] name = "powerfmt" version = "0.2.0" 
@@ -4643,12 +3028,6 @@ dependencies = [ "zerocopy 0.8.25", ] -[[package]] -name = "precomputed-hash" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c" - [[package]] name = "predicates" version = "3.1.3" @@ -4675,15 +3054,6 @@ dependencies = [ "termtree", ] -[[package]] -name = "primeorder" -version = "0.13.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" -dependencies = [ - "elliptic-curve", -] - [[package]] name = "proc-macro-crate" version = "1.3.1" @@ -4831,10 +3201,10 @@ checksum = "355f634b43cdd80724ee7848f95770e7e70eefa6dcf14fea676216573b8fd603" dependencies = [ "bytes 1.10.1", "heck 0.3.3", - "itertools 0.10.5", + "itertools", "log", "multimap", - "petgraph 0.5.1", + "petgraph", "prost", "prost-types", "tempfile", @@ -4848,7 +3218,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "600d2f334aa05acb02a755e217ef1ab6dea4d51b58b7846588b747edec04efba" dependencies = [ "anyhow", - "itertools 0.10.5", + "itertools", "proc-macro2", "quote", "syn 1.0.109", @@ -4935,7 +3305,7 @@ name = "protocols" version = "0.1.0" dependencies = [ "async-trait", - "oci-spec 0.6.8", + "oci-spec", "protobuf 3.7.1", "serde", "serde_json", @@ -4943,12 +3313,6 @@ dependencies = [ "ttrpc-codegen", ] -[[package]] -name = "psl-types" -version = "2.0.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33cb294fe86a74cbcf50d4445b37da762029549ebeea341421c7c70370f86cac" - [[package]] name = "ptr_meta" version = "0.1.4" 
@@ -4969,71 +3333,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "publicsuffix" -version = "2.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f42ea446cab60335f76979ec15e12619a2165b5ae2c12166bef27d283a9fadf" -dependencies = [ - "idna", - "psl-types", -] - -[[package]] -name = "quinn" -version = "0.11.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "626214629cda6781b6dc1d316ba307189c85ba657213ce642d9c77670f8202c8" -dependencies = [ - "bytes 1.10.1", - "cfg_aliases", - "pin-project-lite", - "quinn-proto", - "quinn-udp", - "rustc-hash 2.1.1", - "rustls", - "socket2 0.5.9", - "thiserror 2.0.12", - "tokio", - "tracing", - "web-time", -] - -[[package]] -name = "quinn-proto" -version = "0.11.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e" -dependencies = [ - "bytes 1.10.1", - "getrandom 0.3.3", - "lru-slab", - "rand 0.9.1", - "ring", - "rustc-hash 2.1.1", - "rustls", - "rustls-pki-types", - "slab", - "thiserror 2.0.12", - "tinyvec", - "tracing", - "web-time", -] - -[[package]] -name = "quinn-udp" -version = "0.5.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee4e529991f949c5e25755532370b8af5d114acae52326361d68d47af64aa842" -dependencies = [ - "cfg_aliases", - "libc", - "once_cell", - "socket2 0.5.9", - "tracing", - "windows-sys 0.59.0", -] - [[package]] name = "quote" version = "1.0.40" 
@@ -5062,18 +3361,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "libc", - "rand_chacha 0.3.1", - "rand_core 0.6.4", -] - -[[package]] -name = "rand" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97" -dependencies = [ - "rand_chacha 0.9.0", - "rand_core 0.9.3", + "rand_chacha", + "rand_core", ] [[package]] @@ -5083,17 +3372,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" dependencies = [ "ppv-lite86", - "rand_core 0.6.4", -] - -[[package]] -name = "rand_chacha" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" -dependencies = [ - "ppv-lite86", - "rand_core 0.9.3", + "rand_core", ] [[package]] @@ -5105,15 +3384,6 @@ dependencies = [ "getrandom 0.2.16", ] -[[package]] -name = "rand_core" -version = "0.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" -dependencies = [ - "getrandom 0.3.3", -] - [[package]] name = "redox_syscall" version = "0.2.16" @@ -5195,7 +3465,7 @@ checksum = "843c3d97f07e3b5ac0955d53ad0af4c91fe4a4f8525843ece5bf014f27829b73" dependencies = [ "anyhow", "lazy_static", - "rand 0.8.5", + "rand", "regex", "scientific", "serde", @@ -5225,8 +3495,6 @@ checksum = "d19c46a6fdd48bc4dab94b6103fccc55d34c67cc0ad04653aad4ea2a07cd7bbb" dependencies = [ "base64 0.22.1", "bytes 1.10.1", - "cookie", - "cookie_store", "futures-channel", "futures-core", "futures-util", @@ -5234,7 +3502,6 @@ dependencies = [ "http-body", "http-body-util", "hyper", - "hyper-rustls", "hyper-util", "ipnet", "js-sys", 
@@ -5243,73 +3510,20 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "quinn", - "rustls", - "rustls-native-certs", - "rustls-pemfile", - "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", "sync_wrapper", "tokio", - "tokio-rustls", - "tokio-util", "tower", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", - "wasm-streams", "web-sys", - "webpki-roots 0.26.11", "windows-registry", ] -[[package]] -name = "resource_uri" -version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components?rev=0a06ef241190780840fbb0542e51b198f1f72b0b#0a06ef241190780840fbb0542e51b198f1f72b0b" -dependencies = [ - "anyhow", - "serde", - "serde_json", - "url", -] - -[[package]] -name = "rfc6979" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" -dependencies = [ - "hmac", - "subtle", -] - -[[package]] -name = "ring" -version = "0.17.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" -dependencies = [ - "cc", - "cfg-if", - "getrandom 0.2.16", - "libc", - "untrusted", - "windows-sys 0.52.0", -] - -[[package]] -name = "ripemd" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f" -dependencies = [ - "digest", -] - [[package]] name = "rkyv" version = "0.7.45" 
@@ -5348,27 +3562,6 @@ dependencies = [ "libc", ] -[[package]] -name = "rsa" -version = "0.9.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78928ac1ed176a5ca1d17e578a1825f3d81ca54cf41053a592584b020cfd691b" -dependencies = [ - "const-oid", - "digest", - "num-bigint-dig", - "num-integer", - "num-traits", - "pkcs1", - "pkcs8", - "rand_core 0.6.4", - "sha2", - "signature", - "spki", - "subtle", - "zeroize", -] - [[package]] name = "rstest" version = "0.18.2" @@ -5436,7 +3629,7 @@ dependencies = [ "borsh", "bytes 1.10.1", "num-traits", - "rand 0.8.5", + "rand", "rkyv", "serde", "serde_json", @@ -5448,18 +3641,6 @@ version = "0.1.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" -[[package]] -name = "rustc-hash" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" - -[[package]] -name = "rustc-hash" -version = "2.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d" - [[package]] name = "rustc_version" version = "0.4.1" @@ -5476,7 +3657,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "519165d378b97752ca44bbe15047d5d3409e875f39327546b42ac81d7e18c1b6" dependencies = [ "bitflags 1.3.2", - "errno 0.3.11", + "errno", "io-lifetimes", "libc", "linux-raw-sys 0.3.8", @@ -5490,7 +3671,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154" dependencies = [ "bitflags 2.9.0", - "errno 0.3.11", + "errno", "libc", "linux-raw-sys 0.4.15", "windows-sys 0.59.0", 
@@ -5503,7 +3684,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266" dependencies = [ "bitflags 2.9.0", - "errno 0.3.11", + "errno", "libc", "linux-raw-sys 0.9.4", "windows-sys 0.59.0", @@ -5528,7 +3709,7 @@ dependencies = [ "libc", "libseccomp", "nix 0.24.3", - "oci-spec 0.6.8", + "oci-spec", "path-absolutize", "protobuf 3.7.1", "protocols", 
@@ -5547,77 +3728,10 @@ dependencies = [ "test-utils", "tokio", "tokio-vsock 0.3.4", - "xattr 0.2.3", + "xattr", "zbus", ] -[[package]] -name = "rustls" -version = "0.23.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "730944ca083c1c233a75c09f199e973ca499344a2b7ba9e755c457e86fb4a321" -dependencies = [ - "once_cell", - "ring", - "rustls-pki-types", - "rustls-webpki 0.103.3", - "subtle", - "zeroize", -] - -[[package]] -name = "rustls-native-certs" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3" -dependencies = [ - "openssl-probe", - "rustls-pki-types", - "schannel", - "security-framework", -] - -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", -] - -[[package]] -name = "rustls-pki-types" -version = "1.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79" -dependencies = [ - "web-time", - "zeroize", -] - -[[package]] -name = "rustls-webpki" -version = "0.102.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" -dependencies = [ - "ring", - "rustls-pki-types", - "untrusted", -] - -[[package]] -name = "rustls-webpki" -version = "0.103.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4a72fe2bcf7a6ac6fd7d0b9e5cb68aeb7d4c0a0271730218b3e92d43b4eb435" -dependencies = [ - "ring", - "rustls-pki-types", - "untrusted", -] - [[package]] name = "rustversion" version = "1.0.20" 
@@ -5630,12 +3744,6 @@ version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" -[[package]] -name = "ryu-js" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6518fc26bced4d53678a22d6e423e9d8716377def84545fe328236e3af070e7f" - [[package]] name = "s390_pv_core" version = "0.11.0" @@ -5657,15 +3765,6 @@ dependencies = [ "libc", ] -[[package]] -name = "salsa20" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" -dependencies = [ - "cipher", -] - [[package]] name = "same-file" version = "1.0.6" @@ -5684,15 +3783,6 @@ dependencies = [ "regex", ] -[[package]] -name = "schannel" -version = "0.1.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d" -dependencies = [ - "windows-sys 0.59.0", -] - [[package]] name = "scientific" version = "0.5.3" 
@@ -5719,127 +3809,18 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "scrypt" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" -dependencies = [ - "password-hash", - "pbkdf2", - "salsa20", - "sha2", -] - [[package]] name = "seahash" version = "4.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b" -[[package]] -name = "sec1" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" -dependencies = [ - "base16ct", - "der", - "generic-array", - "pkcs8", - "subtle", - "zeroize", -] - -[[package]] -name = "security-framework" -version = "3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316" -dependencies = [ - "bitflags 2.9.0", - "core-foundation", - "core-foundation-sys", - "libc", - "security-framework-sys", -] - -[[package]] -name = "security-framework-sys" -version = "2.14.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32" -dependencies = [ - "core-foundation-sys", - "libc", -] - [[package]] name = "semver" version = "1.0.26" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0" -[[package]] -name = "sequoia-openpgp" -version = "2.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "015e5fc3d023418b9db98ca9a7f3e90b305872eeafe5ca45c5c32b5eb335c1e8" -dependencies = [ - "aes", - "aes-gcm", - "anyhow", - "argon2", 
- "base64 0.22.1", - "block-padding", - "blowfish", - "buffered-reader", - "bzip2", - "camellia", - "cast5", - "cfb-mode", - "chrono", - "cipher", - "des", - "digest", - "dsa", - "dyn-clone", - "eax", - "ecb", - "ecdsa", - "ed25519", - "ed25519-dalek", - "flate2", - "getrandom 0.2.16", - "hkdf", - "idea", - "idna", - "lalrpop", - "lalrpop-util", - "libc", - "md-5", - "memsec", - "num-bigint-dig", - "ocb3", - "p256", - "p384", - "p521", - "rand 0.8.5", - "rand_core 0.6.4", - "regex", - "regex-syntax 0.8.5", - "ripemd", - "rsa", - "sha1collisiondetection", - "sha2", - "sha3", - "thiserror 2.0.12", - "twofish", - "typenum", - "x25519-dalek", - "xxhash-rust", -] - [[package]] name = "serde" version = "1.0.219" @@ -5913,15 +3894,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "serde_spanned" -version = "0.6.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1" -dependencies = [ - "serde", -] - [[package]] name = "serde_urlencoded" version = "0.7.1" @@ -5934,36 +3906,6 @@ dependencies = [ "serde", ] -[[package]] -name = "serde_with" -version = "3.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6b6f7f2fcb69f747921f79f3926bd1e203fce4fef62c268dd3abfb6d86029aa" -dependencies = [ - "base64 0.22.1", - "chrono", - "hex", - "indexmap 1.9.3", - "indexmap 2.9.0", - "serde", - "serde_derive", - "serde_json", - "serde_with_macros", - "time", -] - -[[package]] -name = "serde_with_macros" -version = "3.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d00caa5193a3c8362ac2b73be6b9e768aa5a4b2f721d8f4b339600c3cb51f8e" -dependencies = [ - "darling 0.20.11", - "proc-macro2", - "quote", - "syn 2.0.101", -] - [[package]] name = "serde_yaml" version = "0.9.34+deprecated" 
@@ -6010,17 +3952,6 @@ dependencies = [ "digest", ] -[[package]] -name = "sha1collisiondetection" -version = "0.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f606421e4a6012877e893c399822a4ed4b089164c5969424e1b9d1e66e6964b" -dependencies = [ - "const-oid", - "digest", - "generic-array", -] - [[package]] name = "sha2" version = "0.10.9" @@ -6032,16 +3963,6 @@ dependencies = [ "digest", ] -[[package]] -name = "sha3" -version = "0.10.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60" -dependencies = [ - "digest", - "keccak", -] - [[package]] name = "sharded-slab" version = "0.1.7" @@ -6066,66 +3987,6 @@ dependencies = [ "libc", ] -[[package]] -name = "signature" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" -dependencies = [ - "digest", - "rand_core 0.6.4", -] - -[[package]] -name = "sigstore" -version = "0.11.0" -source = "git+https://github.com/sigstore/sigstore-rs.git?rev=c39c519#c39c519dd99be23f18e6143dd233b46bf2096e4d" -dependencies = [ - "async-trait", - "base64 0.22.1", - "cfg-if", - "chrono", - "const-oid", - "crypto_secretbox", - "digest", - "ecdsa", - "ed25519", - "ed25519-dalek", - "elliptic-curve", - "futures", - "getrandom 0.2.16", - "hex", - "json-syntax", - "lazy_static", - "oci-client", - "olpc-cjson", - "p256", - "p384", - "pem", - "pkcs1", - "pkcs8", - "rand 0.8.5", - "regex", - "ring", - "rsa", - "rustls-webpki 0.102.8", - "scrypt", - "serde", - "serde_json", - "serde_repr", - "sha2", - "signature", - "thiserror 2.0.12", - "tls_codec", - "tokio", - "tokio-util", - "tracing", - "url", - "webbrowser", - "x509-cert", - "zeroize", -] - [[package]] name = "simdutf8" version = "0.1.5" 
@@ -6218,16 +4079,6 @@ dependencies = [ "time", ] -[[package]] -name = "smallstr" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "63b1aefdf380735ff8ded0b15f31aab05daf1f70216c01c02a12926badd1df9d" -dependencies = [ - "serde", - "smallvec", -] - [[package]] name = "smallvec" version = "1.15.0" @@ -6254,22 +4105,6 @@ dependencies = [ "windows-sys 0.52.0", ] -[[package]] -name = "spin" -version = "0.9.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" - -[[package]] -name = "spki" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" -dependencies = [ - "base64ct", - "der", -] - [[package]] name = "stable_deref_trait" version = "1.2.0" @@ -6282,18 +4117,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" -[[package]] -name = "string_cache" -version = "0.8.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf776ba3fa74f83bf4b63c3dcbbf82173db2632ed8452cb2d891d33f459de70f" -dependencies = [ - "new_debug_unreachable", - "parking_lot 0.12.3", - "phf_shared", - "precomputed-hash", -] - [[package]] name = "strsim" version = "0.10.0" @@ -6312,15 +4135,6 @@ version = "0.26.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06" -[[package]] -name = "strum" -version = "0.27.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32" -dependencies = [ - "strum_macros 0.27.1", -] - [[package]] name = "strum_macros" version = "0.26.4" 
@@ -6334,19 +4148,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "strum_macros" -version = "0.27.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8" -dependencies = [ - "heck 0.5.0", - "proc-macro2", - "quote", - "rustversion", - "syn 2.0.101", -] - [[package]] name = "subprocess" version = "0.2.9" @@ -6357,25 +4158,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - -[[package]] -name = "superboring" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "515cce34a781d7250b8a65706e0f2a5b99236ea605cb235d4baed6685820478f" -dependencies = [ - "getrandom 0.2.16", - "hmac-sha256", - "hmac-sha512", - "rand 0.8.5", - "rsa", -] - [[package]] name = "syn" version = "1.0.109" @@ -6576,15 +4358,6 @@ dependencies = [ "time-core", ] -[[package]] -name = "tiny-keccak" -version = "2.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237" -dependencies = [ - "crunchy", -] - [[package]] name = "tinystr" version = "0.7.6" 
@@ -6610,27 +4383,6 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" -[[package]] -name = "tls_codec" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0de2e01245e2bb89d6f05801c564fa27624dbd7b1846859876c7dad82e90bf6b" -dependencies = [ - "tls_codec_derive", - "zeroize", -] - -[[package]] -name = "tls_codec_derive" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d2e76690929402faae40aebdda620a2c0e25dd6d3b9afe48867dfd95991f4bd" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.101", -] - [[package]] name = "tokio" version = "1.45.0" @@ -6660,16 +4412,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "tokio-rustls" -version = "0.26.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" -dependencies = [ - "rustls", - "tokio", -] - [[package]] name = "tokio-stream" version = "0.1.17" @@ -6681,19 +4423,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-util" -version = "0.7.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66a539a9ad6d5d281510d5bd368c973d636c02dbf8a67300bfb6b950696ad7df" -dependencies = [ - "bytes 1.10.1", - "futures-core", - "futures-sink", - "pin-project-lite", - "tokio", -] - [[package]] name = "tokio-vsock" version = "0.3.4" 
@@ -6729,26 +4458,11 @@ dependencies = [ "serde", ] -[[package]] -name = "toml" -version = "0.8.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05ae329d1f08c4d17a59bed7ff5b5a769d062e64a62d34a3261b219e62cd5aae" -dependencies = [ - "serde", - "serde_spanned", - "toml_datetime", - "toml_edit 0.22.26", -] - [[package]] name = "toml_datetime" version = "0.6.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3da5db5a963e24bc68be8b17b6fa82814bb22ee8660f192bb182771d498f09a3" -dependencies = [ - "serde", -] [[package]] name = "toml_edit" @@ -6768,19 +4482,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "310068873db2c5b3e7659d2cc35d21855dbafa50d1ce336397c666e3cb08137e" dependencies = [ "indexmap 2.9.0", - "serde", - "serde_spanned", "toml_datetime", - "toml_write", "winnow 0.7.10", ] -[[package]] -name = "toml_write" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfb942dfe1d8e29a7ee7fcbde5bd2b9a25fb89aa70caea2eba3bee836ff41076" - [[package]] name = "tower" version = "0.5.2" @@ -6814,7 +4519,6 @@ version = "0.1.41" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" dependencies = [ - "log", "pin-project-lite", "tracing-attributes", "tracing-core", @@ -6954,15 +4658,6 @@ dependencies = [ "tempfile", ] -[[package]] -name = "twofish" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a78e83a30223c757c3947cd144a31014ff04298d8719ae10d03c31c0448c8013" -dependencies = [ - "cipher", -] - [[package]] name = "typenum" version = "1.18.0" 
@@ -6980,27 +4675,12 @@ dependencies = [ "winapi", ] -[[package]] -name = "unicase" -version = "2.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539" - [[package]] name = "unicode-ident" version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" -[[package]] -name = "unicode-normalization" -version = "0.1.24" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956" -dependencies = [ - "tinyvec", -] - [[package]] name = "unicode-segmentation" version = "1.12.0" @@ -7013,28 +4693,12 @@ version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" -[[package]] -name = "universal-hash" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea" -dependencies = [ - "crypto-common", - "subtle", -] - [[package]] name = "unsafe-libyaml" version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" -[[package]] -name = "untrusted" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" - [[package]] name = "url" version = "2.5.4" 
@@ -7052,12 +4716,6 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" -[[package]] -name = "utf8-decode" -version = "1.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca61eb27fa339aa08826a29f03e87b99b4d8f0fc2255306fd266bb1b6a9de498" - [[package]] name = "utf8-width" version = "0.1.7" @@ -7175,15 +4833,6 @@ dependencies = [ "wit-bindgen-rt", ] -[[package]] -name = "wasix" -version = "0.12.21" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1fbb4ef9bbca0c1170e0b00dd28abc9e3b68669821600cad1caaed606583c6d" -dependencies = [ - "wasi 0.11.0+wasi-snapshot-preview1", -] - [[package]] name = "wasm-bindgen" version = "0.2.100" @@ -7255,19 +4904,6 @@ dependencies = [ "unicode-ident", ] -[[package]] -name = "wasm-streams" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65" -dependencies = [ - "futures-util", - "js-sys", - "wasm-bindgen", - "wasm-bindgen-futures", - "web-sys", -] - [[package]] name = "web-sys" version = "0.3.77" 
@@ -7278,51 +4914,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "web-time" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - -[[package]] -name = "webbrowser" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5df295f8451142f1856b1bd86a606dfe9587d439bc036e319c827700dbd555e" -dependencies = [ - "core-foundation", - "home", - "jni", - "log", - "ndk-context", - "objc2", - "objc2-foundation", - "url", - "web-sys", -] - -[[package]] -name = "webpki-roots" -version = "0.26.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9" -dependencies = [ - "webpki-roots 1.0.0", -] - -[[package]] -name = "webpki-roots" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2853738d1cc4f2da3a225c18ec6c3721abb31961096e9dbf5ab35fa88b19cfdb" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "which" version = "4.4.2" @@ -7498,15 +5089,6 @@ dependencies = [ "windows-link", ] -[[package]] -name = "windows-sys" -version = "0.45.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" -dependencies = [ - "windows-targets 0.42.2", -] - [[package]] name = "windows-sys" version = "0.48.0" 
@@ -7534,21 +5116,6 @@ dependencies = [ "windows-targets 0.52.6", ] -[[package]] -name = "windows-targets" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" -dependencies = [ - "windows_aarch64_gnullvm 0.42.2", - "windows_aarch64_msvc 0.42.2", - "windows_i686_gnu 0.42.2", - "windows_i686_msvc 0.42.2", - "windows_x86_64_gnu 0.42.2", - "windows_x86_64_gnullvm 0.42.2", - "windows_x86_64_msvc 0.42.2", -] - [[package]] name = "windows-targets" version = "0.48.5" @@ -7596,12 +5163,6 @@ dependencies = [ "windows_x86_64_msvc 0.53.0", ] -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" - [[package]] name = "windows_aarch64_gnullvm" version = "0.48.5" @@ -7620,12 +5181,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764" -[[package]] -name = "windows_aarch64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" - [[package]] name = "windows_aarch64_msvc" version = "0.48.5" @@ -7644,12 +5199,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" -[[package]] -name = "windows_i686_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" - [[package]] name = "windows_i686_gnu" version = "0.48.5" 
@@ -7680,12 +5229,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11" -[[package]] -name = "windows_i686_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" - [[package]] name = "windows_i686_msvc" version = "0.48.5" @@ -7704,12 +5247,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d" -[[package]] -name = "windows_x86_64_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" - [[package]] name = "windows_x86_64_gnu" version = "0.48.5" @@ -7728,12 +5265,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba" -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" - [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" @@ -7752,12 +5283,6 @@ version = "0.53.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" -[[package]] -name = "windows_x86_64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" - [[package]] name = "windows_x86_64_msvc" version = "0.48.5" 
@@ -7824,31 +5349,6 @@ dependencies = [ "tap", ] -[[package]] -name = "x25519-dalek" -version = "2.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277" -dependencies = [ - "curve25519-dalek", - "rand_core 0.6.4", - "zeroize", -] - -[[package]] -name = "x509-cert" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94" -dependencies = [ - "const-oid", - "der", - "sha1", - "signature", - "spki", - "tls_codec", -] - [[package]] name = "xattr" version = "0.2.3" @@ -7858,16 +5358,6 @@ dependencies = [ "libc", ] -[[package]] -name = "xattr" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d65cbf2f12c15564212d48f4e3dfb87923d25d611f2aed18f4cb23f0413d89e" -dependencies = [ - "libc", - "rustix 1.0.7", -] - [[package]] name = "xdg-home" version = "1.3.0" @@ -7878,12 +5368,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "xxhash-rust" -version = "0.8.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdd20c5420375476fbd4394763288da7eb0cc0b8c11deed431a91562af7335d3" - [[package]] name = "yoke" version = "0.7.5" @@ -7935,7 +5419,7 @@ dependencies = [ "nix 0.26.4", "once_cell", "ordered-stream", - "rand 0.8.5", + "rand", "serde", "serde_repr", "sha1", 
@@ -8036,26 +5520,6 @@ dependencies = [ "synstructure", ] -[[package]] -name = "zeroize" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" -dependencies = [ - "zeroize_derive", -] - -[[package]] -name = "zeroize_derive" -version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.101", -] - [[package]] name = "zerovec" version = "0.10.4" @@ -8078,34 +5542,6 @@ dependencies = [ "syn 2.0.101", ] -[[package]] -name = "zstd" -version = "0.13.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a" -dependencies = [ - "zstd-safe", -] - -[[package]] -name = "zstd-safe" -version = "7.2.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d" -dependencies = [ - "zstd-sys", -] - -[[package]] -name = "zstd-sys" -version = "2.0.15+zstd.1.5.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237" -dependencies = [ - "cc", - "pkg-config", -] - [[package]] name = "zvariant" version = "3.15.2" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 0d16c460b..88c7ac3d6 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml 
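Review bot: the Cargo.lock hunks above remove the agent's entire TLS, signature and OpenPGP dependency tree (`rustls`, `ring`, `rsa`, `sigstore`, `sequoia-openpgp`, `x509-cert`, `zeroize`, `zstd`) and collapse `rand`/`rand_core` back to a single version; that is the expected fallout of dropping `image-rs` from the agent rather than a deliberate change, so the PR description should state that the lock file was regenerated and that the agent no longer links an image-verification crypto stack (the image pull now goes through the Confidential Data Hub API that the README hunk below documents), since a smaller linked surface in the guest agent is a security-relevant outcome reviewers will want to see recorded.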
@@ -162,9 +162,6 @@ clap.workspace = true strum.workspace = true strum_macros.workspace = true -# Image pull/decrypt -image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "0a06ef241190780840fbb0542e51b198f1f72b0b", default-features = false, optional = true } - # Agent Policy cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" } @@ -202,12 +199,9 @@ test-utils.workspace = true lto = true [features] -# The default-pull feature supports all sharing images by virtio-fs, for guest-pull build with the guest-pull feature -default-pull = [] seccomp = ["rustjail/seccomp"] standard-oci-runtime = ["rustjail/standard-oci-runtime"] agent-policy = ["kata-agent-policy"] -guest-pull = ["image-rs/kata-cc-rustls-tls"] [[bin]] name = "kata-agent" diff --git a/src/agent/Makefile b/src/agent/Makefile index 2e51c3a11..0fed742b9 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile @@ -41,16 +41,6 @@ ifeq ($(AGENT_POLICY),yes) override EXTRA_RUSTFEATURES += agent-policy endif -##VAR PULL_TYPE=default|guest-pull define if agent enables the guest pull image feature -PULL_TYPE ?= default -ifeq ($(PULL_TYPE),default) - override EXTRA_RUSTFEATURES += default-pull -# Enable guest pull image feature of rust build -else ifeq ($(PULL_TYPE),guest-pull) - override EXTRA_RUSTFEATURES += guest-pull -endif - - include ../../utils.mk ##VAR STANDARD_OCI_RUNTIME=yes|no define if agent enables standard oci runtime feature diff --git a/src/agent/README.md b/src/agent/README.md index 430967664..2f291321e 100644 --- a/src/agent/README.md +++ b/src/agent/README.md 
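Review bot: removing the `PULL_TYPE` stanza from the Makefile without a guard means `make PULL_TYPE=guest-pull`, which existing build scripts may still pass, now silently produces a build that ignores the variable instead of failing; consider keeping an `ifdef PULL_TYPE` block that ends in `$(error PULL_TYPE is no longer supported)` for one release, or at least calling the removal out in the changelog, and the same applies to the dropped `guest-pull` and `default-pull` Cargo features, which downstream `--features` invocations will now reject.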
@@ -129,6 +129,7 @@ The kata agent has the ability to configure agent options in guest kernel comman | `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` | | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` | | `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` | +| `agent.image_pull_timeout` | Confidential Data Hub (CDH) Image Pull API timeout | Allow to configure CDH API image pull timeout(seconds) | integer | `1200` | | `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` | | `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` | | `agent.enable_signature_verification` | Image security policy flag | Whether enable image security policy enforcement. If `true`, the resource indexed by URI `agent.image_policy_file` will be got to work as image pulling policy. | string | `""` | 
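Review bot: the new `agent.image_pull_timeout` row is fine, but the neighbouring `agent.image_registry_auth` row still says the URI is "where image-rs can find the credentials"; with `image-rs` removed from the agent in this PR that sentence is now wrong and should name the Confidential Data Hub, the component the new row already refers to. It would also help to state explicitly that `agent.image_pull_timeout` (default `1200`) bounds the image pull call instead of `agent.cdh_api_timeout` (default `50`), since a reader could otherwise assume the shorter value still applies to pulls.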
@@ -148,7 +149,7 @@ The kata agent has the ability to configure agent options in guest kernel comman > The agent will fail to start if the configuration file is not present, > or if it can't be parsed properly. > - `agent.devmode`: true | false -> - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds +> - `agent.hotplug_timeout`, `agent.image_pull_timeout` and `agent.cdh_api_timeout`: a whole number of seconds > - `agent.log`: "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug" > - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}" > - `agent.trace`: true | false diff --git a/src/agent/src/confidential_data_hub/image.rs b/src/agent/src/confidential_data_hub/image.rs new file mode 100644 index 000000000..2087b7a37 --- /dev/null +++ b/src/agent/src/confidential_data_hub/image.rs 
@@ -0,0 +1,156 @@ +// Copyright (c) 2021 Alibaba Cloud +// Copyright (c) 2021, 2023 IBM Corporation +// Copyright (c) 2022 Intel Corporation +// +// SPDX-License-Identifier: Apache-2.0 +// + +use safe_path::scoped_join; +use std::collections::HashMap; +use std::fs; +use std::path::Path; + +use anyhow::{anyhow, bail, Context, Result}; +use kata_sys_util::validate::verify_id; +use oci_spec::runtime as oci; + +use crate::rpc::CONTAINER_BASE; + +use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; +use protocols::agent::Storage; + +pub const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; +const CONFIG_JSON: &str = "config.json"; +const KATA_PAUSE_BUNDLE: &str = "/pause_bundle"; + +const K8S_CONTAINER_TYPE_KEYS: [&str; 2] = [ + "io.kubernetes.cri.container-type", + "io.kubernetes.cri-o.ContainerType", +]; + +// Convenience function to obtain the scope logger. +fn sl() -> slog::Logger { + slog_scope::logger().new(o!("subsystem" => "image")) +} + +// Function to copy a file if it does not exist at the destination +// This function creates a dir, writes a file and if necessary, +// overwrites an existing file. +fn copy_if_not_exists(src: &Path, dst: &Path) -> Result<()> { + if let Some(dst_dir) = dst.parent() { + fs::create_dir_all(dst_dir)?; + } + fs::copy(src, dst)?; + Ok(()) +} + +/// get guest pause image process specification +fn get_pause_image_process() -> Result { + let guest_pause_bundle = Path::new(KATA_PAUSE_BUNDLE); + if !guest_pause_bundle.exists() { + bail!("Pause image not present in rootfs"); + } + let guest_pause_config = scoped_join(guest_pause_bundle, CONFIG_JSON)?; + + let image_oci = oci::Spec::load(guest_pause_config.to_str().ok_or_else(|| { + anyhow!( + "Failed to load the guest pause image config from {:?}", + guest_pause_config + ) + })?) + .context("load image config file")?; + + let image_oci_process = image_oci.process().as_ref().ok_or_else(|| { + anyhow!("The guest pause image config does not contain a process specification. 
Please check the pause image.") + })?; + Ok(image_oci_process.clone()) +} + +/// pause image is packaged in rootfs +pub fn unpack_pause_image(cid: &str) -> Result { + verify_id(cid).context("The guest pause image cid contains invalid characters.")?; + + let guest_pause_bundle = Path::new(KATA_PAUSE_BUNDLE); + if !guest_pause_bundle.exists() { + bail!("Pause image not present in rootfs"); + } + let guest_pause_config = scoped_join(guest_pause_bundle, CONFIG_JSON)?; + info!(sl(), "use guest pause image cid {:?}", cid); + + let image_oci = oci::Spec::load(guest_pause_config.to_str().ok_or_else(|| { + anyhow!( + "Failed to load the guest pause image config from {:?}", + guest_pause_config + ) + })?) + .context("load image config file")?; + + let image_oci_process = image_oci.process().as_ref().ok_or_else(|| { + anyhow!("The guest pause image config does not contain a process specification. Please check the pause image.") + })?; + info!( + sl(), + "pause image oci process {:?}", + image_oci_process.clone() + ); + + // Ensure that the args vector is not empty before accessing its elements. + // Check the number of arguments. + let args = if let Some(args_vec) = image_oci_process.args() { + args_vec + } else { + bail!("The number of args should be greater than or equal to one! Please check the pause image."); + }; + + let pause_bundle = scoped_join(CONTAINER_BASE, cid)?; + fs::create_dir_all(&pause_bundle)?; + let pause_rootfs = scoped_join(&pause_bundle, "rootfs")?; + fs::create_dir_all(&pause_rootfs)?; + info!(sl(), "pause_rootfs {:?}", pause_rootfs); + + copy_if_not_exists(&guest_pause_config, &pause_bundle.join(CONFIG_JSON))?; + let arg_path = Path::new(&args[0]).strip_prefix("/")?; + copy_if_not_exists( + &guest_pause_bundle.join("rootfs").join(arg_path), + &pause_rootfs.join(arg_path), + )?; + Ok(pause_rootfs.display().to_string()) +} + +/// check whether the image is for sandbox or for container. 
+pub fn is_sandbox(image_metadata: &HashMap) -> bool { + let mut is_sandbox = false; + for key in K8S_CONTAINER_TYPE_KEYS.iter() { + if let Some(value) = image_metadata.get(key as &str) { + if value == "sandbox" { + is_sandbox = true; + break; + } + } + } + is_sandbox +} + +/// get_process overrides the OCI process spec with pause image process spec if needed +pub fn get_process( + ocip: &oci::Process, + oci: &oci::Spec, + storages: Vec, +) -> Result { + let mut guest_pull = false; + for storage in storages { + if storage.driver == KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL { + guest_pull = true; + break; + } + } + if guest_pull { + if let Some(a) = oci.annotations() { + if is_sandbox(a) { + return get_pause_image_process(); + } + } + } + + Ok(ocip.clone()) +} diff --git a/src/agent/src/cdh.rs b/src/agent/src/confidential_data_hub/mod.rs similarity index 79% rename from src/agent/src/cdh.rs rename to src/agent/src/confidential_data_hub/mod.rs index d34ad2038..7099251d3 100644 --- a/src/agent/src/cdh.rs +++ b/src/agent/src/confidential_data_hub/mod.rs @@ -1,4 +1,5 @@ // Copyright (c) 2023 Intel Corporation +// Copyright (c) 2025 Alibaba Cloud // // SPDX-License-Identifier: Apache-2.0 // 
@@ -15,19 +16,19 @@ use protocols::{ confidential_data_hub::GetResourceRequest, confidential_data_hub_ttrpc_async, confidential_data_hub_ttrpc_async::{ - GetResourceServiceClient, SealedSecretServiceClient, SecureMountServiceClient, + GetResourceServiceClient, ImagePullServiceClient, SealedSecretServiceClient, + SecureMountServiceClient, }, }; +use safe_path::scoped_join; use std::fs; -use std::os::unix::fs::symlink; use std::path::Path; +use std::{os::unix::fs::symlink, path::PathBuf}; use tokio::sync::OnceCell; -// Nanoseconds -lazy_static! { - static ref CDH_API_TIMEOUT: i64 = AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64; - pub static ref CDH_CLIENT: OnceCell = OnceCell::new(); -} +pub mod image; + +pub static CDH_CLIENT: OnceCell = OnceCell::const_new(); const SEALED_SECRET_PREFIX: &str = "sealed."; @@ -45,6 +46,8 @@ pub struct CDHClient { secure_mount_client: SecureMountServiceClient, #[derivative(Debug = "ignore")] get_resource_client: GetResourceServiceClient, + #[derivative(Debug = "ignore")] + image_pull_client: ImagePullServiceClient, } impl CDHClient { @@ -52,6 +55,8 @@ impl CDHClient { let client = ttrpc::asynchronous::Client::connect(cdh_socket_uri)?; let sealed_secret_client = confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone()); + let image_pull_client = + confidential_data_hub_ttrpc_async::ImagePullServiceClient::new(client.clone()); let secure_mount_client = confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client.clone()); let get_resource_client = @@ -60,6 +65,7 @@ impl CDHClient { sealed_secret_client, secure_mount_client, get_resource_client, + image_pull_client, }) } 
@@ -69,12 +75,14 @@ impl CDHClient { let unsealed_secret = self .sealed_secret_client - .unseal_secret(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &input) + .unseal_secret( + ttrpc::context::with_timeout(AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64), + &input, + ) .await?; Ok(unsealed_secret.plaintext) } - #[cfg(feature = "guest-pull")] pub async fn secure_mount( &self, volume_type: &str, @@ -90,7 +98,10 @@ impl CDHClient { ..Default::default() }; self.secure_mount_client - .secure_mount(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req) + .secure_mount( + ttrpc::context::with_timeout(AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64), + &req, + ) .await?; Ok(()) } @@ -102,10 +113,31 @@ impl CDHClient { }; let res = self .get_resource_client - .get_resource(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req) + .get_resource( + ttrpc::context::with_timeout(AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64), + &req, + ) .await?; Ok(res.Resource) } + + pub async fn pull_image(&self, image: &str, bundle_path: &str) -> Result<()> { + let req = confidential_data_hub::ImagePullRequest { + image_url: image.to_string(), + bundle_path: bundle_path.to_string(), + ..Default::default() + }; + + let _ = self + .image_pull_client + .pull_image( + ttrpc::context::with_timeout(AGENT_CONFIG.image_pull_timeout.as_nanos() as i64), + &req, + ) + .await?; + + Ok(()) + } } pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> { @@ -114,11 +146,12 @@ pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> { CDHClient::new(cdh_socket_uri).context("Failed to create CDH Client") }) .await?; + Ok(()) } /// Check if the CDH client is initialized -pub async fn is_cdh_client_initialized() -> bool { +pub fn is_cdh_client_initialized() -> bool { CDH_CLIENT.get().is_some() // Returns true if CDH_CLIENT is initialized, false otherwise } 
@@ -138,6 +171,29 @@ pub async fn unseal_env(env: &str) -> Result { Ok((*env.to_owned()).to_string()) } +/// pull_image is used for call confidential data hub to pull image in the guest. +/// Image layers will store at [`image::KATA_IMAGE_WORK_DIR`]`, +/// rootfs and config.json will store under given `bundle_path`. +/// +/// # Parameters +/// - `image`: Image name (exp: quay.io/prometheus/busybox:latest) +/// - `bundle_path`: The path to store the image bundle (exp. /run/kata-containers/cb0b47276ea66ee9f44cc53afa94d7980b57a52c3f306f68cb034e58d9fbd3c6/rootfs) +pub async fn pull_image(image: &str, bundle_path: PathBuf) -> Result { + fs::create_dir_all(&bundle_path)?; + info!(sl(), "pull image {image:?}, bundle path {bundle_path:?}"); + + let cdh_client = CDH_CLIENT + .get() + .expect("Confidential Data Hub not initialized"); + + cdh_client + .pull_image(image, bundle_path.to_string_lossy().as_ref()) + .await?; + + let image_bundle_path = scoped_join(&bundle_path, "rootfs")?; + Ok(image_bundle_path.as_path().display().to_string()) +} + pub async fn unseal_file(path: &str) -> Result<()> { let cdh_client = CDH_CLIENT .get() @@ -206,7 +262,6 @@ pub async fn unseal_file(path: &str) -> Result<()> { Ok(()) } -#[cfg(feature = "guest-pull")] pub async fn secure_mount( volume_type: &str, options: &std::collections::HashMap, @@ -257,6 +312,18 @@ mod tests { } } + #[async_trait] + impl confidential_data_hub_ttrpc_async::ImagePullService for TestService { + async fn pull_image( + &self, + _ctx: &::ttrpc::asynchronous::TtrpcContext, + _req: confidential_data_hub::ImagePullRequest, + ) -> ttrpc::error::Result { + let output = confidential_data_hub::ImagePullResponse::new(); + Ok(output) + } + } + fn remove_if_sock_exist(sock_addr: &str) -> std::io::Result<()> { let path = sock_addr .strip_prefix("unix://") diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs index c124d6015..6db42ff91 100644 --- a/src/agent/src/config.rs +++ b/src/agent/src/config.rs 
@@ -23,6 +23,7 @@ const SERVER_ADDR_OPTION: &str = "agent.server_addr"; const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port"; const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout"; const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout"; +const CDH_IMAGE_PULL_TIMEOUT_OPTION: &str = "agent.image_pull_timeout"; const CDI_TIMEOUT_OPTION: &str = "agent.cdi_timeout"; const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport"; const LOG_VPORT_OPTION: &str = "agent.log_vport"; @@ -32,16 +33,8 @@ const UNIFIED_CGROUP_HIERARCHY_OPTION: &str = "systemd.unified_cgroup_hierarchy" const CONFIG_FILE: &str = "agent.config_file"; const GUEST_COMPONENTS_REST_API_OPTION: &str = "agent.guest_components_rest_api"; const GUEST_COMPONENTS_PROCS_OPTION: &str = "agent.guest_components_procs"; -#[cfg(feature = "guest-pull")] -const IMAGE_REGISTRY_AUTH_OPTION: &str = "agent.image_registry_auth"; const SECURE_STORAGE_INTEGRITY_OPTION: &str = "agent.secure_storage_integrity"; -#[cfg(feature = "guest-pull")] -const ENABLE_SIGNATURE_VERIFICATION: &str = "agent.enable_signature_verification"; - -#[cfg(feature = "guest-pull")] -const IMAGE_POLICY_FILE: &str = "agent.image_policy_file"; - // Configure the proxy settings for HTTPS requests in the guest, // to solve the problem of not being able to access the specified image in some cases. const HTTPS_PROXY: &str = "agent.https_proxy"; @@ -71,6 +64,7 @@ const MEM_AGENT_COMPACT_FORCE_TIMES: &str = "agent.mem_agent_compact_force_times const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info; const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3); const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50); +const DEFAULT_IMAGE_PULL_TIMEOUT: time::Duration = time::Duration::from_secs(1200); const DEFAULT_CDI_TIMEOUT: time::Duration = time::Duration::from_secs(100); const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0; const VSOCK_ADDR: &str = "vsock://-1"; 
@@ -134,6 +128,7 @@ pub struct AgentConfig { pub log_level: slog::Level, pub hotplug_timeout: time::Duration, pub cdh_api_timeout: time::Duration, + pub image_pull_timeout: time::Duration, pub cdi_timeout: time::Duration, pub debug_console_vport: i32, pub log_vport: i32, @@ -147,13 +142,7 @@ pub struct AgentConfig { pub no_proxy: String, pub guest_components_rest_api: GuestComponentsFeatures, pub guest_components_procs: GuestComponentsProcs, - #[cfg(feature = "guest-pull")] - pub image_registry_auth: String, pub secure_storage_integrity: bool, - #[cfg(feature = "guest-pull")] - pub enable_signature_verification: bool, - #[cfg(feature = "guest-pull")] - pub image_policy_file: String, #[cfg(feature = "agent-policy")] pub policy_file: String, pub mem_agent: Option, @@ -172,6 +161,7 @@ pub struct AgentConfigBuilder { pub log_level: Option, pub hotplug_timeout: Option, pub cdh_api_timeout: Option, + pub image_pull_timeout: Option, pub cdi_timeout: Option, pub debug_console_vport: Option, pub log_vport: Option, @@ -184,13 +174,7 @@ pub struct AgentConfigBuilder { pub no_proxy: Option, pub guest_components_rest_api: Option, pub guest_components_procs: Option, - #[cfg(feature = "guest-pull")] - pub image_registry_auth: Option, pub secure_storage_integrity: Option, - #[cfg(feature = "guest-pull")] - pub enable_signature_verification: Option, - #[cfg(feature = "guest-pull")] - pub image_policy_file: Option, #[cfg(feature = "agent-policy")] pub policy_file: Option, pub mem_agent_enable: Option, @@ -271,6 +255,7 @@ impl Default for AgentConfig { log_level: DEFAULT_LOG_LEVEL, hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT, cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT, + image_pull_timeout: DEFAULT_IMAGE_PULL_TIMEOUT, cdi_timeout: DEFAULT_CDI_TIMEOUT, debug_console_vport: 0, log_vport: 0, 
@@ -284,13 +269,7 @@ impl Default for AgentConfig { no_proxy: String::from(""), guest_components_rest_api: GuestComponentsFeatures::default(), guest_components_procs: GuestComponentsProcs::default(), - #[cfg(feature = "guest-pull")] - image_registry_auth: String::from(""), secure_storage_integrity: false, - #[cfg(feature = "guest-pull")] - enable_signature_verification: false, - #[cfg(feature = "guest-pull")] - image_policy_file: String::from(""), #[cfg(feature = "agent-policy")] policy_file: String::from(""), mem_agent: None, @@ -317,6 +296,7 @@ impl FromStr for AgentConfig { ); config_override!(agent_config_builder, agent_config, hotplug_timeout); config_override!(agent_config_builder, agent_config, cdh_api_timeout); + config_override!(agent_config_builder, agent_config, image_pull_timeout); config_override!(agent_config_builder, agent_config, cdi_timeout); config_override!(agent_config_builder, agent_config, debug_console_vport); config_override!(agent_config_builder, agent_config, log_vport); @@ -333,16 +313,6 @@ impl FromStr for AgentConfig { guest_components_rest_api ); config_override!(agent_config_builder, agent_config, guest_components_procs); - #[cfg(feature = "guest-pull")] - { - config_override!(agent_config_builder, agent_config, image_registry_auth); - config_override!( - agent_config_builder, - agent_config, - enable_signature_verification - ); - config_override!(agent_config_builder, agent_config, image_policy_file); - } config_override!(agent_config_builder, agent_config, secure_storage_integrity); #[cfg(feature = "agent-policy")] @@ -493,6 +463,15 @@ impl AgentConfig { |cdh_api_timeout: &time::Duration| cdh_api_timeout.as_secs() > 0 ); + // ensure the timeout is a positive value + parse_cmdline_param!( + param, + CDH_IMAGE_PULL_TIMEOUT_OPTION, + config.image_pull_timeout, + get_timeout, + |image_pull_timeout: &time::Duration| image_pull_timeout.as_secs() > 0 + ); + // ensure the timeout is a positive value parse_cmdline_param!( param, 
@@ -557,27 +536,6 @@ impl AgentConfig { config.guest_components_procs, get_guest_components_procs_value ); - #[cfg(feature = "guest-pull")] - { - parse_cmdline_param!( - param, - IMAGE_REGISTRY_AUTH_OPTION, - config.image_registry_auth, - get_string_value - ); - parse_cmdline_param!( - param, - ENABLE_SIGNATURE_VERIFICATION, - config.enable_signature_verification, - get_bool_value - ); - parse_cmdline_param!( - param, - IMAGE_POLICY_FILE, - config.image_policy_file, - get_string_value - ); - } parse_cmdline_param!( param, SECURE_STORAGE_INTEGRITY_OPTION, @@ -780,7 +738,10 @@ fn get_timeout(param: &str) -> Result { ensure!( matches!( fields[0], - HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION | CDI_TIMEOUT_OPTION + HOTPLUG_TIMOUT_OPTION + | CDH_API_TIMOUT_OPTION + | CDH_IMAGE_PULL_TIMEOUT_OPTION + | CDI_TIMEOUT_OPTION ), ERR_INVALID_TIMEOUT_KEY ); @@ -901,11 +862,6 @@ mod tests { assert!(!config.dev_mode); assert_eq!(config.log_level, DEFAULT_LOG_LEVEL); assert_eq!(config.hotplug_timeout, DEFAULT_HOTPLUG_TIMEOUT); - #[cfg(feature = "guest-pull")] - { - assert!(!config.enable_signature_verification); - assert_eq!(config.image_policy_file, ""); - } } #[test] @@ -931,13 +887,7 @@ mod tests { no_proxy: &'a str, guest_components_rest_api: GuestComponentsFeatures, guest_components_procs: GuestComponentsProcs, - #[cfg(feature = "guest-pull")] - image_registry_auth: &'a str, secure_storage_integrity: bool, - #[cfg(feature = "guest-pull")] - enable_signature_verification: bool, - #[cfg(feature = "guest-pull")] - image_policy_file: &'a str, #[cfg(feature = "agent-policy")] policy_file: &'a str, mem_agent: Option, 
@@ -961,13 +911,7 @@ mod tests { no_proxy: "", guest_components_rest_api: GuestComponentsFeatures::default(), guest_components_procs: GuestComponentsProcs::default(), - #[cfg(feature = "guest-pull")] - image_registry_auth: "", secure_storage_integrity: false, - #[cfg(feature = "guest-pull")] - enable_signature_verification: false, - #[cfg(feature = "guest-pull")] - image_policy_file: "", #[cfg(feature = "agent-policy")] policy_file: "", mem_agent: None, @@ -1418,18 +1362,6 @@ mod tests { guest_components_procs: GuestComponentsProcs::None, ..Default::default() }, - #[cfg(feature = "guest-pull")] - TestData { - contents: "agent.image_registry_auth=file:///root/.docker/config.json", - image_registry_auth: "file:///root/.docker/config.json", - ..Default::default() - }, - #[cfg(feature = "guest-pull")] - TestData { - contents: "agent.image_registry_auth=kbs:///default/credentials/test", - image_registry_auth: "kbs:///default/credentials/test", - ..Default::default() - }, TestData { contents: "", secure_storage_integrity: false, @@ -1455,24 +1387,6 @@ mod tests { secure_storage_integrity: false, ..Default::default() }, - #[cfg(feature = "guest-pull")] - TestData { - contents: "agent.enable_signature_verification=true", - enable_signature_verification: true, - ..Default::default() - }, - #[cfg(feature = "guest-pull")] - TestData { - contents: "agent.image_policy_file=kbs:///default/image-policy/test", - image_policy_file: "kbs:///default/image-policy/test", - ..Default::default() - }, - #[cfg(feature = "guest-pull")] - TestData { - contents: "agent.image_policy_file=file:///etc/image-policy.json", - image_policy_file: "file:///etc/image-policy.json", - ..Default::default() - }, #[cfg(feature = "agent-policy")] // Test environment TestData { 
@@ -1575,16 +1489,6 @@ mod tests { "{}", msg ); - #[cfg(feature = "guest-pull")] - { - assert_eq!(d.image_registry_auth, config.image_registry_auth, "{}", msg); - assert_eq!( - d.enable_signature_verification, config.enable_signature_verification, - "{}", - msg - ); - assert_eq!(d.image_policy_file, config.image_policy_file, "{}", msg); - } assert_eq!( d.secure_storage_integrity, config.secure_storage_integrity, "{}", @@ -1722,6 +1626,7 @@ Caused by: )))] #[case("agent.chd_api_timeout=1", Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)))] #[case("agent.cdh_api_timeout=600", Ok(time::Duration::from_secs(600)))] + #[case("agent.image_pull_timeout=1200", Ok(time::Duration::from_secs(1200)))] #[case("agent.cdi_timeout=320", Ok(time::Duration::from_secs(320)))] fn test_timeout(#[case] param: &str, #[case] expected: Result) { let result = get_timeout(param); diff --git a/src/agent/src/device/vfio_device_handler.rs b/src/agent/src/device/vfio_device_handler.rs index e0fd4d00d..ec9866688 100644 --- a/src/agent/src/device/vfio_device_handler.rs +++ b/src/agent/src/device/vfio_device_handler.rs @@ -29,7 +29,7 @@ use tracing::instrument; cfg_if! { if #[cfg(target_arch = "s390x")] { use crate::ap; - use crate::cdh::get_cdh_resource; + use crate::confidential_data_hub::get_cdh_resource; use std::convert::TryFrom; use pv_core::ap::{ Apqn, diff --git a/src/agent/src/features.rs b/src/agent/src/features.rs index 3c06d8cef..c5f1b00e2 100644 --- a/src/agent/src/features.rs +++ b/src/agent/src/features.rs @@ -8,8 +8,6 @@ pub fn get_build_features() -> Vec { let features: Vec<&str> = vec![ #[cfg(feature = "agent-policy")] "agent-policy", - #[cfg(feature = "guest-pull")] - "guest-pull", #[cfg(feature = "seccomp")] "seccomp", #[cfg(feature = "standard-oci-runtime")] diff --git a/src/agent/src/image.rs b/src/agent/src/image.rs deleted file mode 100644 index 861ca3a5b..000000000 --- a/src/agent/src/image.rs +++ /dev/null 
@@ -1,296 +0,0 @@ -// Copyright (c) 2021 Alibaba Cloud -// Copyright (c) 2021, 2023 IBM Corporation -// Copyright (c) 2022 Intel Corporation -// -// SPDX-License-Identifier: Apache-2.0 -// - -use safe_path::scoped_join; -use std::collections::HashMap; -use std::env; -use std::fs; -use std::path::Path; -use std::sync::Arc; - -use anyhow::{anyhow, bail, Context, Result}; -use image_rs::builder::ClientBuilder; -use image_rs::image::ImageClient; -use kata_sys_util::validate::verify_id; -use oci_spec::runtime as oci; -use tokio::sync::Mutex; - -use crate::rpc::CONTAINER_BASE; -use crate::AGENT_CONFIG; - -use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; -use protocols::agent::Storage; - -pub const KATA_IMAGE_WORK_DIR: &str = "/run/kata-containers/image/"; -const CONFIG_JSON: &str = "config.json"; -const KATA_PAUSE_BUNDLE: &str = "/pause_bundle"; - -const K8S_CONTAINER_TYPE_KEYS: [&str; 2] = [ - "io.kubernetes.cri.container-type", - "io.kubernetes.cri-o.ContainerType", -]; - -#[rustfmt::skip] -lazy_static! { - pub static ref IMAGE_SERVICE: Arc>> = Arc::new(Mutex::new(None)); -} - -// Convenience function to obtain the scope logger. 
-fn sl() -> slog::Logger { - slog_scope::logger().new(o!("subsystem" => "image")) -} - -// Function to copy a file if it does not exist at the destination -fn copy_if_not_exists(src: &Path, dst: &Path) -> Result<()> { - if let Some(dst_dir) = dst.parent() { - fs::create_dir_all(dst_dir)?; - } - fs::copy(src, dst)?; - Ok(()) -} - -pub struct ImageService { - image_client: ImageClient, -} - -impl ImageService { - pub async fn new() -> Result { - let mut image_client_builder = - ClientBuilder::default().work_dir(KATA_IMAGE_WORK_DIR.into()); - #[cfg(feature = "guest-pull")] - { - if !AGENT_CONFIG.image_registry_auth.is_empty() { - let registry_auth = &AGENT_CONFIG.image_registry_auth; - debug!(sl(), "Set registry auth file {:?}", registry_auth); - image_client_builder = image_client_builder - .authenticated_registry_credentials_uri(registry_auth.into()); - } - - let enable_signature_verification = &AGENT_CONFIG.enable_signature_verification; - debug!( - sl(), - "Enable image signature verification: {:?}", enable_signature_verification - ); - if !AGENT_CONFIG.image_policy_file.is_empty() && *enable_signature_verification { - let image_policy_file = &AGENT_CONFIG.image_policy_file; - debug!(sl(), "Use image policy file {:?}", image_policy_file); - image_client_builder = - image_client_builder.image_security_policy_uri(image_policy_file.into()); - } - } - let image_client = image_client_builder.build().await?; - Ok(Self { image_client }) - } - - /// get guest pause image process specification - fn get_pause_image_process() -> Result { - let guest_pause_bundle = Path::new(KATA_PAUSE_BUNDLE); - if !guest_pause_bundle.exists() { - bail!("Pause image not present in rootfs"); - } - let guest_pause_config = scoped_join(guest_pause_bundle, CONFIG_JSON)?; - - let image_oci = oci::Spec::load(guest_pause_config.to_str().ok_or_else(|| { - anyhow!( - "Failed to load the guest pause image config from {:?}", - guest_pause_config - ) - })?) 
- .context("load image config file")?; - - let image_oci_process = image_oci.process().as_ref().ok_or_else(|| { - anyhow!("The guest pause image config does not contain a process specification. Please check the pause image.") - })?; - Ok(image_oci_process.clone()) - } - - /// pause image is packaged in rootfs - fn unpack_pause_image(cid: &str) -> Result { - verify_id(cid).context("The guest pause image cid contains invalid characters.")?; - - let guest_pause_bundle = Path::new(KATA_PAUSE_BUNDLE); - if !guest_pause_bundle.exists() { - bail!("Pause image not present in rootfs"); - } - let guest_pause_config = scoped_join(guest_pause_bundle, CONFIG_JSON)?; - info!(sl(), "use guest pause image cid {:?}", cid); - - let image_oci = oci::Spec::load(guest_pause_config.to_str().ok_or_else(|| { - anyhow!( - "Failed to load the guest pause image config from {:?}", - guest_pause_config - ) - })?) - .context("load image config file")?; - - let image_oci_process = image_oci.process().as_ref().ok_or_else(|| { - anyhow!("The guest pause image config does not contain a process specification. Please check the pause image.") - })?; - info!( - sl(), - "pause image oci process {:?}", - image_oci_process.clone() - ); - - // Ensure that the args vector is not empty before accessing its elements. - // Check the number of arguments. - let args = if let Some(args_vec) = image_oci_process.args() { - args_vec - } else { - bail!("The number of args should be greater than or equal to one! 
Please check the pause image."); - }; - - let pause_bundle = scoped_join(CONTAINER_BASE, cid)?; - fs::create_dir_all(&pause_bundle)?; - let pause_rootfs = scoped_join(&pause_bundle, "rootfs")?; - fs::create_dir_all(&pause_rootfs)?; - info!(sl(), "pause_rootfs {:?}", pause_rootfs); - - copy_if_not_exists(&guest_pause_config, &pause_bundle.join(CONFIG_JSON))?; - let arg_path = Path::new(&args[0]).strip_prefix("/")?; - copy_if_not_exists( - &guest_pause_bundle.join("rootfs").join(arg_path), - &pause_rootfs.join(arg_path), - )?; - Ok(pause_rootfs.display().to_string()) - } - - /// check whether the image is for sandbox or for container. - fn is_sandbox(image_metadata: &HashMap) -> bool { - let mut is_sandbox = false; - for key in K8S_CONTAINER_TYPE_KEYS.iter() { - if let Some(value) = image_metadata.get(key as &str) { - if value == "sandbox" { - is_sandbox = true; - break; - } - } - } - is_sandbox - } - - /// pull_image is used for call image-rs to pull image in the guest. - /// # Parameters - /// - `image`: Image name (exp: quay.io/prometheus/busybox:latest) - /// - `cid`: Container id - /// - `image_metadata`: Annotations about the image (exp: "containerd.io/snapshot/cri.layer-digest": "sha256:24fb2886d6f6c5d16481dd7608b47e78a8e92a13d6e64d87d57cb16d5f766d63") - /// # Returns - /// - The image rootfs bundle path. (exp. /run/kata-containers/cb0b47276ea66ee9f44cc53afa94d7980b57a52c3f306f68cb034e58d9fbd3c6/rootfs) - pub async fn pull_image( - &mut self, - image: &str, - cid: &str, - image_metadata: &HashMap, - ) -> Result { - info!(sl(), "image metadata: {image_metadata:?}"); - - if Self::is_sandbox(image_metadata) { - let mount_path = Self::unpack_pause_image(cid)?; - return Ok(mount_path); - } - - // Image layers will store at KATA_IMAGE_WORK_DIR, generated bundles - // with rootfs and config.json will store under CONTAINER_BASE/cid/images. 
- let bundle_path = scoped_join(CONTAINER_BASE, cid)?; - fs::create_dir_all(&bundle_path)?; - info!(sl(), "pull image {image:?}, bundle path {bundle_path:?}"); - - let res = self - .image_client - .pull_image(image, &bundle_path, &None, &None) - .await; - match res { - Ok(image) => { - info!( - sl(), - "pull and unpack image {image:?}, cid: {cid:?} succeeded." - ); - } - Err(e) => { - error!( - sl(), - "pull and unpack image {image:?}, cid: {cid:?} failed with {:?}.", - e.to_string() - ); - return Err(e); - } - }; - let image_bundle_path = scoped_join(&bundle_path, "rootfs")?; - Ok(image_bundle_path.as_path().display().to_string()) - } -} - -/// get_process overrides the OCI process spec with pause image process spec if needed -pub fn get_process( - ocip: &oci::Process, - oci: &oci::Spec, - storages: Vec, -) -> Result { - let mut guest_pull = false; - for storage in storages { - if storage.driver == KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL { - guest_pull = true; - break; - } - } - if guest_pull { - if let Some(a) = oci.annotations() { - if ImageService::is_sandbox(a) { - return ImageService::get_pause_image_process(); - } - } - } - Ok(ocip.clone()) -} - -/// Set proxy environment from AGENT_CONFIG -pub async fn set_proxy_env_vars() { - if env::var("HTTPS_PROXY").is_err() { - let https_proxy = &AGENT_CONFIG.https_proxy; - if !https_proxy.is_empty() { - env::set_var("HTTPS_PROXY", https_proxy); - } - } - - match env::var("HTTPS_PROXY") { - Ok(val) => info!(sl(), "https_proxy is set to: {}", val), - Err(e) => info!(sl(), "https_proxy is not set ({})", e), - }; - - if env::var("NO_PROXY").is_err() { - let no_proxy = &AGENT_CONFIG.no_proxy; - if !no_proxy.is_empty() { - env::set_var("NO_PROXY", no_proxy); - } - } - - match env::var("NO_PROXY") { - Ok(val) => info!(sl(), "no_proxy is set to: {}", val), - Err(e) => info!(sl(), "no_proxy is not set ({})", e), - }; -} - -/// Init the image service -pub async fn init_image_service() -> Result<()> { - let image_service = 
ImageService::new().await?; - *IMAGE_SERVICE.lock().await = Some(image_service); - Ok(()) -} - -pub async fn pull_image( - image: &str, - cid: &str, - image_metadata: &HashMap, -) -> Result { - let image_service = IMAGE_SERVICE.clone(); - let mut image_service = image_service.lock().await; - let image_service = image_service - .as_mut() - .expect("Image Service not initialized"); - - image_service.pull_image(image, cid, image_metadata).await -} diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index cc9fa53ad..13c48f410 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -22,7 +22,7 @@ use anyhow::{anyhow, bail, Context, Result}; use base64::Engine; use cfg_if::cfg_if; use clap::{AppSettings, Parser}; -use const_format::{concatcp, formatcp}; +use const_format::concatcp; use initdata::{InitdataReturnValue, AA_CONFIG_PATH, CDH_CONFIG_PATH}; use nix::fcntl::OFlag; use nix::sys::reboot::{reboot, RebootMode}; @@ -38,7 +38,7 @@ use std::process::exit; use std::sync::Arc; use tracing::{instrument, span}; -mod cdh; +mod confidential_data_hub; mod config; mod console; mod device; @@ -79,9 +79,6 @@ use tokio::{ task::JoinHandle, }; -#[cfg(feature = "guest-pull")] -mod image; - mod rpc; mod tracer; @@ -110,19 +107,9 @@ const CDH_SOCKET_URI: &str = concatcp!(UNIX_SOCKET_PREFIX, CDH_SOCKET); const API_SERVER_PATH: &str = "/usr/local/bin/api-server-rest"; -/// Path of ocicrypt config file. This is used by image-rs when decrypting image. -const OCICRYPT_CONFIG_PATH: &str = "/run/confidential-containers/ocicrypt_config.json"; - -const OCICRYPT_CONFIG: &str = formatcp!( - r#"{{ - "key-providers": {{ - "attestation-agent": {{ - "ttrpc": "{}" - }} - }} -}}"#, - CDH_SOCKET_URI -); +/// Path of ocicrypt config file. This is used by CDH when decrypting image. +/// TODO: remove this when we move the launch of CDH out of the kata-agent. +const OCICRYPT_CONFIG_PATH: &str = "/etc/ocicrypt_config.json"; const DEFAULT_LAUNCH_PROCESS_TIMEOUT: i32 = 6; 
@@ -394,9 +381,6 @@ async fn start_sandbox( s.rtnl.handle_localhost().await?; } - #[cfg(feature = "guest-pull")] - image::set_proxy_env_vars().await; - #[cfg(feature = "agent-policy")] if let Err(e) = initialize_policy().await { error!(logger, "Failed to initialize agent policy: {:?}", e); @@ -516,6 +500,7 @@ async fn launch_guest_component_procs( Some(AA_CONFIG_PATH), AA_ATTESTATION_SOCKET, DEFAULT_LAUNCH_PROCESS_TIMEOUT, + &[], ) .await .map_err(|e| anyhow!("launch_process {} failed: {:?}", AA_PATH, e))?; @@ -537,6 +522,7 @@ async fn launch_guest_component_procs( Some(CDH_CONFIG_PATH), CDH_SOCKET, DEFAULT_LAUNCH_PROCESS_TIMEOUT, + &[("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH)], ) .await .map_err(|e| anyhow!("launch_process {} failed: {:?}", CDH_PATH, e))?; @@ -558,6 +544,7 @@ async fn launch_guest_component_procs( None, "", 0, + &[], ) .await .map_err(|e| anyhow!("launch_process {} failed: {:?}", API_SERVER_PATH, e))?; @@ -580,9 +567,7 @@ async fn init_attestation_components( match tokio::fs::metadata(CDH_SOCKET).await { Ok(md) => { if md.file_type().is_socket() { - cdh::init_cdh_client(CDH_SOCKET_URI).await?; - fs::write(OCICRYPT_CONFIG_PATH, OCICRYPT_CONFIG.as_bytes())?; - env::set_var("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH); + confidential_data_hub::init_cdh_client(CDH_SOCKET_URI).await?; } else { debug!(logger, "File {} is not a socket", CDH_SOCKET); } @@ -624,6 +609,7 @@ async fn launch_process( config: Option<&str>, unix_socket_path: &str, timeout_secs: i32, + envs: &[(&str, &str)], ) -> Result<()> { if !Path::new(path).exists() { bail!("path {} does not exist.", path); 
@@ -640,7 +626,12 @@ async fn launch_process( tokio::fs::remove_file(unix_socket_path).await?; } - tokio::process::Command::new(path).args(args).spawn()?; + let mut process = tokio::process::Command::new(path); + process.args(args); + for (k, v) in envs { + process.env(k, v); + } + process.spawn()?; if !unix_socket_path.is_empty() && timeout_secs > 0 { wait_for_path_to_exist(logger, unix_socket_path, timeout_secs).await?; } diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index 3a1a4bd70..3bcdf5442 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -57,7 +57,7 @@ use rustjail::process::ProcessOperations; #[cfg(target_arch = "s390x")] use crate::ccw; -use crate::cdh; +use crate::confidential_data_hub::image::KATA_IMAGE_WORK_DIR; use crate::device::block_device_handler::get_virtio_blk_pci_device_name; #[cfg(target_arch = "s390x")] use crate::device::network_device_handler::wait_for_ccw_net_interface; @@ -65,9 +65,6 @@ use crate::device::network_device_handler::wait_for_ccw_net_interface; use crate::device::network_device_handler::wait_for_pci_net_interface; use crate::device::{add_devices, handle_cdi_devices, update_env_pci}; use crate::features::get_build_features; -#[cfg(feature = "guest-pull")] -use crate::image::KATA_IMAGE_WORK_DIR; -use crate::linux_abi::*; use crate::metrics::get_metrics; use crate::mount::baremount; use crate::namespace::{NSTYPEIPC, NSTYPEPID, NSTYPEUTS}; @@ -80,6 +77,7 @@ use crate::storage::{add_storages, update_ephemeral_mounts, STORAGE_HANDLERS}; use crate::util; use crate::version::{AGENT_VERSION, API_VERSION}; use crate::AGENT_CONFIG; +use crate::{confidential_data_hub, linux_abi::*}; use crate::trace_rpc_call; use crate::tracer::extract_carrier_from_ttrpc; 
@@ -87,9 +85,6 @@ use crate::tracer::extract_carrier_from_ttrpc; #[cfg(feature = "agent-policy")] use crate::policy::{do_set_policy, is_allowed}; -#[cfg(feature = "guest-pull")] -use crate::image; - use opentelemetry::global; use tracing::span; use tracing_opentelemetry::OpenTelemetrySpanExt; @@ -112,7 +107,6 @@ use kata_types::k8s; pub const CONTAINER_BASE: &str = "/run/kata-containers"; const MODPROBE_PATH: &str = "/sbin/modprobe"; -#[cfg(feature = "guest-pull")] const TRUSTED_IMAGE_STORAGE_DEVICE: &str = "/dev/trusted_store"; /// the iptables seriers binaries could appear either in /sbin /// or /usr/sbin, we need to check both of them @@ -242,7 +236,6 @@ impl AgentService { handle_cdi_devices(&sl(), &mut oci, "/var/run/cdi", AGENT_CONFIG.cdi_timeout).await?; // Handle trusted storage configuration before mounting any storage - #[cfg(feature = "guest-pull")] cdh_handler_trusted_storage(&mut oci) .await .map_err(|e| anyhow!("failed to handle trusted storage: {}", e))?; @@ -319,20 +312,14 @@ impl AgentService { let pipe_size = AGENT_CONFIG.container_pipe_size; - let p = if let Some(p) = oci.process() { - #[cfg(feature = "guest-pull")] - { - let new_p = image::get_process(p, &oci, req.storages.clone())?; - Process::new(&sl(), &new_p, cid.as_str(), true, pipe_size, proc_io)? - } - - #[cfg(not(feature = "guest-pull"))] - Process::new(&sl(), p, cid.as_str(), true, pipe_size, proc_io)? - } else { + let Some(p) = oci.process() else { info!(sl(), "no process configurations!"); return Err(anyhow!(nix::Error::EINVAL)); }; + let new_p = confidential_data_hub::image::get_process(p, &oci, req.storages.clone())?; + let p = Process::new(&sl(), &new_p, cid.as_str(), true, pipe_size, proc_io)?; + // if starting container failed, we will do some rollback work // to ensure no resources are leaked. if let Err(err) = ctr.start(p).await { 
@@ -1332,9 +1319,6 @@ impl agent_ttrpc::AgentService for AgentService { } } - #[cfg(feature = "guest-pull")] - image::init_image_service().await.map_ttrpc_err(same)?; - Ok(Empty::new()) } @@ -2274,9 +2258,8 @@ fn is_sealed_secret_path(source_path: &str) -> bool { .any(|suffix| source_path.ends_with(suffix)) } -#[cfg(feature = "guest-pull")] async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> { - if !cdh::is_cdh_client_initialized().await { + if !confidential_data_hub::is_cdh_client_initialized() { return Ok(()); } let linux = oci @@ -2301,7 +2284,13 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> { ("encryptType".to_string(), "LUKS".to_string()), ("dataIntegrity".to_string(), secure_storage_integrity), ]); - cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?; + confidential_data_hub::secure_mount( + "BlockDevice", + &options, + vec![], + KATA_IMAGE_WORK_DIR, + ) + .await?; break; } } @@ -2310,7 +2299,7 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> { } async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> { - if !cdh::is_cdh_client_initialized().await { + if !confidential_data_hub::is_cdh_client_initialized() { return Ok(()); } let process = oci @@ -2319,7 +2308,7 @@ async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> { .ok_or_else(|| anyhow!("Spec didn't contain process field"))?; if let Some(envs) = process.env_mut().as_mut() { for env in envs.iter_mut() { - match cdh::unseal_env(env).await { + match confidential_data_hub::unseal_env(env).await { Ok(unsealed_env) => *env = unsealed_env.to_string(), Err(e) => { warn!(sl(), "Failed to unseal secret: {}", e) 
@@ -2357,7 +2346,7 @@ async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> { // But currently there is no quick way to determine which volume-mount is referring // to a sealed secret without reading the file. // And relying on file naming heuristic is inflexible. So we are going with this approach. - if let Err(e) = cdh::unseal_file(source_path).await { + if let Err(e) = confidential_data_hub::unseal_file(source_path).await { warn!( sl(), "Failed to unseal file: {:?}, Error: {:?}", source_path, e diff --git a/src/agent/src/storage/image_pull_handler.rs b/src/agent/src/storage/image_pull_handler.rs index 4ed011d3d..74686abf4 100644 --- a/src/agent/src/storage/image_pull_handler.rs +++ b/src/agent/src/storage/image_pull_handler.rs @@ -4,12 +4,15 @@ // use super::new_device; -use crate::image; +use crate::confidential_data_hub; +use crate::confidential_data_hub::image::{is_sandbox, unpack_pause_image}; +use crate::rpc::CONTAINER_BASE; use crate::storage::{StorageContext, StorageHandler}; use anyhow::{anyhow, Result}; use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL; use kata_types::mount::{ImagePullVolume, StorageDevice}; use protocols::agent::Storage; +use safe_path::scoped_join; use std::sync::Arc; use tracing::instrument; 
@@ -53,7 +56,35 @@ impl StorageHandler for ImagePullHandler { .cid .clone() .ok_or_else(|| anyhow!("failed to get container id"))?; - let bundle_path = image::pull_image(image_name, &cid, &image_pull_volume.metadata).await?; + + info!( + ctx.logger, + "image metadata: {:?}", image_pull_volume.metadata + ); + if is_sandbox(&image_pull_volume.metadata) { + let mount_path = unpack_pause_image(&cid)?; + return new_device(mount_path); + } + + // generated bundles with rootfs and config.json will store under CONTAINER_BASE/cid/images. + let bundle_path = scoped_join(CONTAINER_BASE, &cid)?; + let bundle_path = match confidential_data_hub::pull_image(image_name, bundle_path).await { + Ok(path) => { + info!( + ctx.logger, + "pull and unpack image {image_name}, cid: {cid} succeeded." + ); + path + } + Err(e) => { + error!( + ctx.logger, + "pull and unpack image {image_name}, cid: {cid} failed with {:?}.", + e.to_string() + ); + return Err(e); + } + }; new_device(bundle_path) } diff --git a/src/agent/src/storage/mod.rs b/src/agent/src/storage/mod.rs index 3b18f345e..237ca4417 100644 --- a/src/agent/src/storage/mod.rs +++ b/src/agent/src/storage/mod.rs @@ -24,7 +24,6 @@ use self::bind_watcher_handler::BindWatcherHandler; use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler}; use self::ephemeral_handler::EphemeralHandler; use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler}; -#[cfg(feature = "guest-pull")] use self::image_pull_handler::ImagePullHandler; use self::local_handler::LocalHandler; use crate::mount::{baremount, is_mounted, remove_mounts}; @@ -36,7 +35,6 @@ mod bind_watcher_handler; mod block_handler; mod ephemeral_handler; mod fs_handler; -#[cfg(feature = "guest-pull")] mod image_pull_handler; mod local_handler; 
@@ -148,7 +146,6 @@ lazy_static! { Arc::new(BindWatcherHandler {}), #[cfg(target_arch = "s390x")] Arc::new(self::block_handler::VirtioBlkCcwHandler {}), - #[cfg(feature = "guest-pull")] Arc::new(ImagePullHandler {}), ]; diff --git a/src/libs/protocols/protos/confidential_data_hub.proto b/src/libs/protocols/protos/confidential_data_hub.proto index f639c94c9..e3d6ff00c 100644 --- a/src/libs/protocols/protos/confidential_data_hub.proto +++ b/src/libs/protocols/protos/confidential_data_hub.proto @@ -28,6 +28,21 @@ message SecureMountResponse { string mount_path = 1; } +message ImagePullRequest { + // - `image_url`: The reference of the image to pull + string image_url = 1; + + // - `bundle_path`: The path to store the OCI bundle. This path + // should be created by client, and initially empty. After the RPC is + // called, a mounted `rootfs` directory under the this path. Note + // that this path is CDH's root filesystem, not the caller's root filesystem. + // However, usually the caller (kata-agent) and the server (CDH) runs on the same + // root, so it's safe to use an absolute path of kata-agent. + string bundle_path = 2; +} + +message ImagePullResponse {} + service SealedSecretService { rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {}; } @@ -46,4 +61,10 @@ message GetResourceResponse { service GetResourceService { rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {}; +} + +// ImagePullService is used to pull images from a remote registry +// and mount the resulting root filesystems. +service ImagePullService { + rpc PullImage(ImagePullRequest) returns (ImagePullResponse) {}; } \ No newline at end of file diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats index 27b71dbdb..3dd2cdbbd 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats 
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats @@ -87,7 +87,7 @@ function setup_kbs_credentials() { echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image" + assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized" } @test "Test that creating a container from an authenticated image, with no credentials fails" { @@ -100,7 +100,7 @@ function setup_kbs_credentials() { echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image" + assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized" } teardown() { diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats index 564769bf3..a39876683 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats @@ -52,8 +52,7 @@ function setup_kbs_decryption_key() { echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed' - assert_logs_contain "${node}" kata "${node_start_time}" 'kms interface when get KEK failed' + assert_logs_contain "${node}" kata "${node_start_time}" 'Failed to decrypt the image layer, please ensure that the decryption key is placed and correct' } @@ -80,7 +79,7 @@ function setup_kbs_decryption_key() { echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed' + assert_logs_contain "${node}" kata "${node_start_time}" 'Failed to decrypt the image layer, please ensure that the decryption key is placed and correct' } teardown() { 
diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats index 5276e8ec7..8741b107e 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats @@ -97,7 +97,7 @@ EOF echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image" + assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" } @test "Create a pod from a signed image, on a 'restricted registry' is successful" { @@ -123,7 +123,7 @@ EOF echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image" + assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" } @test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" { diff --git a/tests/integration/kubernetes/k8s-initdata.bats b/tests/integration/kubernetes/k8s-initdata.bats index d98f20747..1dd801dca 100644 --- a/tests/integration/kubernetes/k8s-initdata.bats +++ b/tests/integration/kubernetes/k8s-initdata.bats @@ -98,10 +98,6 @@ algorithm = "sha256" [data] "aa.toml" = ''' [token_configs] -[token_configs.coco_as] -# TODO: we should fix this on AA side to set this a default value if not set. -url = "${CC_KBS_ADDRESS}" - [token_configs.kbs] url = "${CC_KBS_ADDRESS}" ''' @@ -165,7 +161,7 @@ EOF echo "Pod ${kata_pod}: $(cat ${kata_pod})" assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image" + assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" } @test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" { 
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 0a79c21bf..9331c143e 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -17,8 +17,6 @@ RUST_VERSION="null" AGENT_BIN=${AGENT_BIN:-kata-agent} AGENT_INIT=${AGENT_INIT:-no} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} -# The kata agent enables guest-pull feature. -PULL_TYPE=${PULL_TYPE:-default} KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""} OSBUILDER_VERSION="unknown" DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} @@ -747,7 +745,7 @@ EOF git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!" fi make clean - make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} + make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} if [ "${SECCOMP}" == "yes" ]; then rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index 228b3e1c1..b0f896c7b 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -47,7 +47,6 @@ build_initrd() { AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_INIT="${AGENT_INIT:-no}" \ AGENT_POLICY="${AGENT_POLICY:-}" \ - PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" @@ -77,7 +76,6 @@ build_image() { ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \ AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_POLICY="${AGENT_POLICY:-}" \ - PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 56a1f44d6..fc3e8ca8e 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -100,7 +100,6 @@ TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER:-}" VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" AGENT_INIT="${AGENT_INIT:-no}" MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" -PULL_TYPE="${PULL_TYPE:-guest-pull}" USE_CACHE="${USE_CACHE:-}" BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-} NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" @@ -140,7 +139,6 @@ docker run \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER}" \ --env AGENT_INIT="${AGENT_INIT}" \ --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ - --env PULL_TYPE="${PULL_TYPE}" \ --env USE_CACHE="${USE_CACHE}" \ --env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \ --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index d0c339490..902497481 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -43,7 +43,6 @@ readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se ARCH=${ARCH:-$(uname -m)} BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE:-}" MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} -PULL_TYPE=${PULL_TYPE:-guest-pull} USE_CACHE="${USE_CACHE:-"yes"}" ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}" ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}" @@ -430,7 +429,6 @@ install_image_confidential() { else export MEASURED_ROOTFS=yes fi - export PULL_TYPE=default install_image "confidential" } 
@@ -529,7 +527,6 @@ install_initrd() { #Install guest initrd for confidential guests install_initrd_confidential() { export MEASURED_ROOTFS=no - export PULL_TYPE=default install_initrd "confidential" } @@ -997,7 +994,7 @@ install_agent() { export GPERF_URL="$(get_from_kata_deps ".externals.gperf.url")" info "build static agent" - DESTDIR="${destdir}" AGENT_POLICY="${AGENT_POLICY}" PULL_TYPE=${PULL_TYPE} "${agent_builder}" + DESTDIR="${destdir}" AGENT_POLICY="${AGENT_POLICY}" "${agent_builder}" } install_coco_guest_components() { diff --git a/tools/packaging/static-build/agent/build-static-agent.sh b/tools/packaging/static-build/agent/build-static-agent.sh index e57af1ad6..b2aa45ecb 100755 --- a/tools/packaging/static-build/agent/build-static-agent.sh +++ b/tools/packaging/static-build/agent/build-static-agent.sh @@ -18,8 +18,8 @@ build_agent_from_source() { /usr/bin/install_libseccomp.sh /opt /opt cd src/agent - DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} make - DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE} make install + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install } build_agent_from_source "$@" diff --git a/tools/packaging/static-build/agent/build.sh b/tools/packaging/static-build/agent/build.sh index 6482b9680..c9ea6b83f 100755 --- a/tools/packaging/static-build/agent/build.sh +++ b/tools/packaging/static-build/agent/build.sh @@ -26,7 +26,6 @@ docker pull ${container_image} || \ docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ --env DESTDIR=${DESTDIR} \ --env AGENT_POLICY=${AGENT_POLICY:-no} \ - --env PULL_TYPE=${PULL_TYPE:-default} \ --env LIBSECCOMP_VERSION=${LIBSECCOMP_VERSION} \ --env LIBSECCOMP_URL=${LIBSECCOMP_URL} \ --env GPERF_VERSION=${GPERF_VERSION} \ diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile index a9be1aaec..79ef04bba 100644 
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile +++ b/tools/packaging/static-build/coco-guest-components/Dockerfile @@ -3,7 +3,7 @@ # # SPDX-License-Identifier: Apache-2.0 -FROM ubuntu:22.04 +FROM ubuntu:24.04 ARG RUST_TOOLCHAIN ENV DEBIAN_FRONTEND=noninteractive @@ -28,6 +28,7 @@ RUN apt-get update && \ libssl-dev \ libtss2-dev \ make \ + cmake \ musl-tools \ openssl \ perl \ diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh index 669773a5b..6eaf925ee 100755 --- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh +++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh @@ -35,6 +35,7 @@ build_coco_guest_components_from_source() { DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make install install -D -m0755 "confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage" "${DESTDIR}/usr/local/bin/luks-encrypt-storage" + install -D -m0644 "confidential-data-hub/hub/src/image/ocicrypt_config.json" "${DESTDIR}/etc/ocicrypt_config.json" popd } diff --git a/versions.yaml b/versions.yaml index b27ad5108..a2a150703 100644 --- a/versions.yaml +++ b/versions.yaml @@ -143,7 +143,7 @@ assets: version: "jammy" # 22.04 lTS confidential: name: "ubuntu" - version: "oracular" # 24.10 + version: "noble" # 24.04 LTS mariner: name: "cbl-mariner" version: "3.0" @@ -185,7 +185,7 @@ assets: version: "3.18" confidential: name: "ubuntu" - version: "jammy" # 22.04 LTS + version: "noble" # 24.04 LTS nvidia-gpu: name: "ubuntu" version: "jammy" # 22.04 LTS 
@@ -233,18 +233,18 @@ externals: coco-guest-components: description: "Provides attested key unwrapping for image decryption" url: "https://github.com/confidential-containers/guest-components/" - version: "0a06ef241190780840fbb0542e51b198f1f72b0b" + version: "028978dbaef2510ea92bc5038928f1d70c8aaad6" toolchain: "1.80.0" coco-trustee: description: "Provides attestation and secret delivery components" url: "https://github.com/confidential-containers/trustee" - version: "d9eb5e0cb0aca97abe35b58908e061850ff60a51" + version: "a333fa27a7ce538413bad3b537ffbeacf4a349d1" # image / ita_image and image_tag / ita_image_tag must be in sync image: "ghcr.io/confidential-containers/staged-images/kbs" - image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51" + image_tag: "a333fa27a7ce538413bad3b537ffbeacf4a349d1" ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as" - ita_image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51-x86_64" + ita_image_tag: "a333fa27a7ce538413bad3b537ffbeacf4a349d1-x86_64" toolchain: "1.80.0" crio:
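Review bot: in `src/agent/src/main.rs`, hunk `@@ -394,9 +381,6`, dropping `image::set_proxy_env_vars().await` (and deleting the function with `image.rs`) removes the only place `AGENT_CONFIG.https_proxy` / `AGENT_CONFIG.no_proxy` were exported into the environment, yet the registry fetch now happens inside CDH, which `launch_guest_component_procs` spawns with only `("OCICRYPT_KEYPROVIDER_CONFIG", OCICRYPT_CONFIG_PATH)` in its `envs`. Unless CDH reads the agent config itself, guests that reach the registry through an egress proxy lose image pull. Suggest forwarding `HTTPS_PROXY` / `NO_PROXY` from `AGENT_CONFIG` through the new `envs` parameter of the CDH launch (skipping empty values as the old code did), or stating in the PR why the proxy settings are no longer needed.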
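Review bot: in `src/agent/src/main.rs`, hunk `@@ -640,7 +626,12`, the new `envs` loop layers the extra variables on top of the agent's full inherited environment (`tokio::process::Command` inherits the parent env by default). Since `launch_process` now has an explicit list of what each guest component needs, consider `process.env_clear()` before the loop, or document that inheritance is intended, so the attestation agent and CDH do not pick up agent-only variables by accident.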
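Review bot: in `src/agent/src/main.rs`, hunk `@@ -110,19 +107,9`, the agent used to generate the ocicrypt config itself from `CDH_SOCKET_URI`, so the key-provider address always matched the socket it launches CDH on; it now points at `/etc/ocicrypt_config.json`, a file installed from the pinned guest-components tree by `build-static-coco-guest-components.sh` whose contents are not in this diff. Please confirm that file's ttrpc address equals `concatcp!(UNIX_SOCKET_PREFIX, CDH_SOCKET)`, and add an existence check (a `bail!` or at least a warning) where CDH is launched: `launch_process` only verifies the binary `path`, and a missing or stale config surfaces much later as the generic "Failed to decrypt the image layer" error the tests now assert on.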
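Review bot: in `src/agent/src/storage/image_pull_handler.rs`, hunk `@@ -53,7 +56,35`, the bundle directory is no longer created before the pull: the deleted `image.rs` did `fs::create_dir_all(&bundle_path)?` right after `scoped_join(CONTAINER_BASE, cid)?`, and the new `ImagePullRequest` comment says the path "should be created by client, and initially empty", but this hunk passes `bundle_path` straight to `confidential_data_hub::pull_image`. Either that helper must create it (then say so in a comment) or the `create_dir_all` belongs here. Two smaller points in the same hunk: the comment says bundles "will store under CONTAINER_BASE/cid/images" while the code joins only `CONTAINER_BASE/cid`; and `error!(..., "{:?}", e.to_string())` prints a quoted string, so use `{}` or format `e` directly with `{:?}`. Finally, `is_sandbox` is now keyed on `image_pull_volume.metadata`, whereas the deleted `get_process` decided the same thing from `oci.annotations()`; confirm `confidential_data_hub::image::get_process` and this handler agree, otherwise the pause image can be unpacked for a container whose process spec is not replaced (or vice versa).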
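Review bot: in `src/libs/protocols/protos/confidential_data_hub.proto`, hunk `@@ -28,6 +28,21`, the `bundle_path` comment is garbled ("After the RPC is called, a mounted `rootfs` directory under the this path" has no verb) and, more importantly, it documents that the server interprets an arbitrary absolute path from the client inside its own root while only noting that the two "usually" share a root. The agent confines its own argument with `scoped_join`, but that protects one caller only; the comment should state what CDH itself enforces on `bundle_path` (absolute, non-empty, confined to an expected base) and that the ttrpc socket must be reachable only by the agent. `ImagePullResponse {}` is also empty while `SecureMountResponse` returns `mount_path`; returning the rootfs path would let the caller stop assuming `<bundle_path>/rootfs`. The file also ends without a trailing newline.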
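Review bot: in `tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats`, hunk `@@ -52,8 +52,7`, replacing two assertions (`decrypt image (unwrap key) failed` and `kms interface when get KEK failed`) with the single `Failed to decrypt the image layer, please ensure that the decryption key is placed and correct` drops the check that distinguished "KEK lookup at the KBS failed" from a generic decrypt failure; the second test in the file (`@@ -80,7 +79,7`) now asserts the identical string, so the two cases are no longer told apart. If CDH still logs a distinct KMS/KBS error for the missing-key case, keep an assertion on it.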
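Review bot: in `tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats`, hunk `@@ -87,7 +87,7`, the expected log text changes from the agent-owned `failed to pull image` to `Not authorized`, which is error text emitted by the guest-components code pinned in `versions.yaml`; the same move is made in the signature and initdata tests (`Image policy rejected: Denied by policy`). These strings will break silently on the next `coco-guest-components` bump. Suggest asserting on a stable agent-side message as well, or adding a comment next to each assertion naming the guest-components commit the wording comes from.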
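Review bot: in `tests/integration/kubernetes/k8s-initdata.bats`, hunk `@@ -98,10 +98,6`, removing the `[token_configs.coco_as]` block (and its "fix this on AA side" TODO) only works together with the `coco-guest-components` bump to `028978dbaef2510ea92bc5038928f1d70c8aaad6` in `versions.yaml`; please mention that dependency in the commit so the test change and the version bump are not split or reverted independently.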
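Review bot: in `tools/osbuilder/rootfs-builder/rootfs.sh`, hunk `@@ -747,7 +745,7`, and the matching hunks in `build_image.sh`, `kata-deploy-binaries*.sh`, `build-static-agent.sh` and `build.sh`, `PULL_TYPE` is dropped from every `make` invocation, but the agent `Makefile` that consumed it to enable the `guest-pull` feature is not in this diff, and nor is any documentation of the removed knob. Please confirm the Makefile no longer references `PULL_TYPE`, and note in the PR that `guest-pull` is now always compiled in, since users who set `PULL_TYPE=default` to opt out of it will find the variable silently ignored.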
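Review bot: in `versions.yaml`, hunks `@@ -143,7 +143,7` and `@@ -185,7 +185,7`, the confidential rootfs base moves from `oracular` (24.10) to `noble` (24.04 LTS) and the confidential initrd from `jammy` to `noble`, with the guest-components builder Dockerfile moving to `ubuntu:24.04` and gaining `cmake`. Changing the base distro of confidential guests changes the measured rootfs and is unrelated to the CDH pull refactor; it deserves its own commit with a rationale (LTS alignment, a build dependency of the new guest-components commit, or both) so it can be bisected and reviewed separately.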