agent: add agent.image_pull_timeout parameter

This new kata-agent parameter controls the timeout for a guest image
pull request. Because an image can sometimes be very large, the default
timeout is set to 1200 seconds (20 minutes).

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007
2025-05-14 00:06:41 +08:00
parent 93826ff90c
commit aae64fa3d6
3 changed files with 23 additions and 3 deletions


@@ -129,6 +129,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
| `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` |
| `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` |
| `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` |
| `agent.image_pull_timeout` | Confidential Data Hub (CDH) Image Pull API timeout | Allow to configure CDH API image pull timeout(seconds) | integer | `1200` |
| `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` |
| `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` |
| `agent.enable_signature_verification` | Image security policy flag | Whether enable image security policy enforcement. If `true`, the resource indexed by URI `agent.image_policy_file` will be got to work as image pulling policy. | string | `""` |
@@ -148,7 +149,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
> The agent will fail to start if the configuration file is not present,
> or if it can't be parsed properly.
> - `agent.devmode`: true | false
> - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds
> - `agent.hotplug_timeout`, `agent.image_pull_timeout` and `agent.cdh_api_timeout`: a whole number of seconds
> - `agent.log`: "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug"
> - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}"
> - `agent.trace`: true | false


@@ -131,7 +131,7 @@ impl CDHClient {
let _ = self
.image_pull_client
.pull_image(
ttrpc::context::with_timeout(AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64),
ttrpc::context::with_timeout(AGENT_CONFIG.image_pull_timeout.as_nanos() as i64),
&req,
)
.await?;
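Review bot: The `as_nanos() as i64` cast in the new `with_timeout` argument truncates silently: `Duration::as_nanos()` returns `u128`, so a large enough `agent.image_pull_timeout` wraps to a small or negative deadline instead of a long one. The validator added for this option in the configuration parser only checks `as_secs() > 0`, so nothing visible caps the value before it reaches this call. A saturating conversion keeps the intent: `ttrpc::context::with_timeout(i64::try_from(AGENT_CONFIG.image_pull_timeout.as_nanos()).unwrap_or(i64::MAX)),`. The enclosing method starts and ends outside the hunk.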


@@ -23,6 +23,7 @@ const SERVER_ADDR_OPTION: &str = "agent.server_addr";
const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port";
const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout";
const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout";
const CDH_IMAGE_PULL_TIMEOUT_OPTION: &str = "agent.image_pull_timeout";
const CDI_TIMEOUT_OPTION: &str = "agent.cdi_timeout";
const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport";
const LOG_VPORT_OPTION: &str = "agent.log_vport";
@@ -63,6 +64,7 @@ const MEM_AGENT_COMPACT_FORCE_TIMES: &str = "agent.mem_agent_compact_force_times
const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50);
const DEFAULT_IMAGE_PULL_TIMEOUT: time::Duration = time::Duration::from_secs(1200);
const DEFAULT_CDI_TIMEOUT: time::Duration = time::Duration::from_secs(100);
const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0;
const VSOCK_ADDR: &str = "vsock://-1";
@@ -126,6 +128,7 @@ pub struct AgentConfig {
pub log_level: slog::Level,
pub hotplug_timeout: time::Duration,
pub cdh_api_timeout: time::Duration,
pub image_pull_timeout: time::Duration,
pub cdi_timeout: time::Duration,
pub debug_console_vport: i32,
pub log_vport: i32,
@@ -158,6 +161,7 @@ pub struct AgentConfigBuilder {
pub log_level: Option<String>,
pub hotplug_timeout: Option<time::Duration>,
pub cdh_api_timeout: Option<time::Duration>,
pub image_pull_timeout: Option<time::Duration>,
pub cdi_timeout: Option<time::Duration>,
pub debug_console_vport: Option<i32>,
pub log_vport: Option<i32>,
@@ -251,6 +255,7 @@ impl Default for AgentConfig {
log_level: DEFAULT_LOG_LEVEL,
hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT,
cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT,
image_pull_timeout: DEFAULT_IMAGE_PULL_TIMEOUT,
cdi_timeout: DEFAULT_CDI_TIMEOUT,
debug_console_vport: 0,
log_vport: 0,
@@ -291,6 +296,7 @@ impl FromStr for AgentConfig {
);
config_override!(agent_config_builder, agent_config, hotplug_timeout);
config_override!(agent_config_builder, agent_config, cdh_api_timeout);
config_override!(agent_config_builder, agent_config, image_pull_timeout);
config_override!(agent_config_builder, agent_config, cdi_timeout);
config_override!(agent_config_builder, agent_config, debug_console_vport);
config_override!(agent_config_builder, agent_config, log_vport);
@@ -457,6 +463,15 @@ impl AgentConfig {
|cdh_api_timeout: &time::Duration| cdh_api_timeout.as_secs() > 0
);
// ensure the timeout is a positive value
parse_cmdline_param!(
param,
CDH_IMAGE_PULL_TIMEOUT_OPTION,
config.image_pull_timeout,
get_timeout,
|image_pull_timeout: &time::Duration| image_pull_timeout.as_secs() > 0
);
// ensure the timeout is a positive value
parse_cmdline_param!(
param,
@@ -723,7 +738,10 @@ fn get_timeout(param: &str) -> Result<time::Duration> {
ensure!(
matches!(
fields[0],
HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION | CDI_TIMEOUT_OPTION
HOTPLUG_TIMOUT_OPTION
| CDH_API_TIMOUT_OPTION
| CDH_IMAGE_PULL_TIMEOUT_OPTION
| CDI_TIMEOUT_OPTION
),
ERR_INVALID_TIMEOUT_KEY
);
@@ -1608,6 +1626,7 @@ Caused by:
)))]
#[case("agent.chd_api_timeout=1", Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)))]
#[case("agent.cdh_api_timeout=600", Ok(time::Duration::from_secs(600)))]
#[case("agent.image_pull_timeout=1200", Ok(time::Duration::from_secs(1200)))]
#[case("agent.cdi_timeout=320", Ok(time::Duration::from_secs(320)))]
fn test_timeout(#[case] param: &str, #[case] expected: Result<time::Duration>) {
let result = get_timeout(param);
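Review bot: The `> 0` check is attached only to the kernel-command-line path, in the `parse_cmdline_param!` call for `CDH_IMAGE_PULL_TIMEOUT_OPTION`. The `config_override!(agent_config_builder, agent_config, image_pull_timeout);` line in `FromStr` passes no validator, so a configuration file appears able to set a zero timeout that the command line would reject. This is inferred from the call shape, since the macro body and the rest of `FromStr` are outside the hunks. If zero is invalid for both sources, add the check after the override, for example `ensure!(agent_config.image_pull_timeout.as_secs() > 0, "image_pull_timeout must be positive");` (message text constructed here). The new `test_timeout` case covers only the accepted value `1200` through `get_timeout`, so the rejection closure is not exercised by it.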