kata-deploy: Configure containerd erofs for dm-verity integrity mode
The deploy will read EROFS_SNAPSHOTTER_MODE and EROFS_DMVERITY from the environment to enable dmverity_mode and enable_dmverity in the containerd erofs snapshotter/differ config. Add validation for the mode value and use an explicit 300s timeout for node-readiness checks during kata-deploy in github CI. Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
@@ -74,6 +74,12 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
|
||||
"[\"erofs\",\"walking\"]",
|
||||
)?;
|
||||
|
||||
// dm-verity is orthogonal to rw-layer backing — it verifies lower (erofs)
|
||||
// layers via device-mapper regardless of whether the upper rw-layer lives on
|
||||
// disk or in memory. When dm-verity is enabled, fsverity and immutable are
|
||||
// disabled on the snapshotter side in favor of dm-verity.
|
||||
let use_dmverity = config.erofs_dmverity;
|
||||
|
||||
toml_utils::set_toml_value(
|
||||
configuration_file,
|
||||
".plugins.\"io.containerd.snapshotter.v1.erofs\".enable_fsverity",
|
||||
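Review bot: The comment added at the top of this hunk says fsverity and immutable are disabled on the snapshotter side when dm-verity is enabled, but across the three hunks of this file `use_dmverity` only gates the added `dmverity_mode` and `enable_dmverity` settings; the value written for `enable_fsverity` sits just past this hunk and the `"true"` value at the start of the next hunk is not visibly conditioned on it. If those writes stay unconditional, either the comment overstates what the code does or the resulting containerd config requests fsverity and dm-verity at the same time. Either pass `if use_dmverity { "false" } else { "true" }` for those keys, or reword the comment to say that containerd itself ignores them once `dmverity_mode` is set (confirm against the snapshotter docs first). The literal `"\"auto\""` chosen for `dmverity_mode` also deserves a one-line comment on why auto rather than an explicit mode; the function continues beyond these hunks.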
@@ -85,6 +91,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
|
||||
"true",
|
||||
)?;
|
||||
|
||||
if use_dmverity {
|
||||
toml_utils::set_toml_value(
|
||||
configuration_file,
|
||||
".plugins.\"io.containerd.snapshotter.v1.erofs\".dmverity_mode",
|
||||
"\"auto\"",
|
||||
)?;
|
||||
}
|
||||
|
||||
// Erofs differ plugin options (requires erofs-utils >= 1.8.2 on the host).
|
||||
toml_utils::set_toml_value(
|
||||
configuration_file,
|
||||
@@ -97,6 +111,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
|
||||
"false",
|
||||
)?;
|
||||
|
||||
if use_dmverity {
|
||||
toml_utils::set_toml_value(
|
||||
configuration_file,
|
||||
".plugins.\"io.containerd.differ.v1.erofs\".enable_dmverity",
|
||||
"true",
|
||||
)?;
|
||||
}
|
||||
|
||||
toml_utils::set_toml_value(
|
||||
configuration_file,
|
||||
".plugins.\"io.containerd.snapshotter.v1.erofs\".default_size",
|
||||
|
||||
@@ -199,6 +199,11 @@ pub struct Config {
|
||||
pub daemonset_name: String,
|
||||
pub custom_runtimes_enabled: bool,
|
||||
pub custom_runtimes: Vec<CustomRuntime>,
|
||||
/// EROFS snapshotter rw-layer backing mode ("disk" or "memory").
|
||||
pub erofs_snapshotter_mode: Option<String>,
|
||||
/// Enable dm-verity integrity for EROFS lower layers.
|
||||
/// Independent of rw-layer backing; works with both disk and memory modes.
|
||||
pub erofs_dmverity: bool,
|
||||
}
|
||||
|
||||
impl Config {
|
||||
@@ -337,6 +342,16 @@ impl Config {
|
||||
Vec::new()
|
||||
};
|
||||
|
||||
let erofs_snapshotter_mode = env::var("EROFS_SNAPSHOTTER_MODE")
|
||||
.ok()
|
||||
.map(|s| s.trim().to_string())
|
||||
.filter(|s| !s.is_empty());
|
||||
|
||||
let erofs_dmverity = env::var("EROFS_DMVERITY")
|
||||
.unwrap_or_default()
|
||||
.trim()
|
||||
.eq_ignore_ascii_case("dmverity");
|
||||
|
||||
let config = Config {
|
||||
node_name,
|
||||
debug,
|
||||
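Review bot: `EROFS_DMVERITY` is parsed with `eq_ignore_ascii_case("dmverity")`, so any other non-empty value (`true`, `1`, a typo) silently yields `false` and the node is deployed without integrity verification, whereas `EROFS_SNAPSHOTTER_MODE` gets an explicit error in the validation hunk below (`@@ -546`). For an integrity switch that fail-open behaviour is the wrong default; parse it the same way as the mode and reject unknown values, as sketched below. The rewrite assumes the enclosing constructor returns `Result`, which the validation step after it suggests but the hunk does not show. The validation hunk also matches `"disk" | "memory"` case-sensitively while this one is case-insensitive; pick one convention for both.
```rust
let raw_dmverity = env::var("EROFS_DMVERITY").unwrap_or_default();
let erofs_dmverity = match raw_dmverity.trim() {
    "" => false,
    v if v.eq_ignore_ascii_case("dmverity") => true,
    v => {
        return Err(anyhow::anyhow!(
            "Unsupported EROFS_DMVERITY: '{}'. Supported values: dmverity (or unset)",
            v
        ))
    }
};
// … unchanged: let config = Config { … } …
```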
@@ -365,6 +380,8 @@ impl Config {
|
||||
daemonset_name,
|
||||
custom_runtimes_enabled,
|
||||
custom_runtimes,
|
||||
erofs_snapshotter_mode,
|
||||
erofs_dmverity,
|
||||
};
|
||||
|
||||
// Validate the configuration
|
||||
@@ -546,6 +563,19 @@ impl Config {
|
||||
}
|
||||
}
|
||||
|
||||
// Validate EROFS_SNAPSHOTTER_MODE.
|
||||
if let Some(mode) = self.erofs_snapshotter_mode.as_ref() {
|
||||
match mode.as_str() {
|
||||
"disk" | "memory" => {}
|
||||
_ => {
|
||||
return Err(anyhow::anyhow!(
|
||||
"Unsupported EROFS_SNAPSHOTTER_MODE: '{}'. Supported values: disk, memory",
|
||||
mode
|
||||
));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
|
||||
@@ -809,7 +809,7 @@ async fn reset(config: &config::Config, runtime: &str) -> Result<()> {
|
||||
if matches!(runtime, "crio" | "containerd") {
|
||||
utils::host_systemctl(&["restart", "kubelet"])?;
|
||||
}
|
||||
runtime::lifecycle::wait_till_node_is_ready(config).await?;
|
||||
runtime::lifecycle::wait_till_node_is_ready_timeout(config, Some(300)).await?;
|
||||
|
||||
info!("Kata Containers reset completed successfully");
|
||||
Ok(())
|
||||
|
||||
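Review bot: The timeout `Some(300)` is a bare literal here and again in `restart_runtime` in the lifecycle hunk (`@@ -83`); with the generic `wait_till_node_is_ready` wrapper removed there is no single place that states the node-readiness budget. Define it once next to `wait_till_node_is_ready_timeout`, e.g. `pub const NODE_READY_TIMEOUT_SECS: u64 = 300;`, and pass `Some(NODE_READY_TIMEOUT_SECS)` at both call sites. The commit description ties the 300s to GitHub CI; if that is the rationale, say so in the constant's doc comment rather than leaving it implicit. `reset` starts outside this hunk.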
@@ -11,10 +11,6 @@ use log::info;
|
||||
use std::time::Duration;
|
||||
use tokio::time::sleep;
|
||||
|
||||
pub async fn wait_till_node_is_ready(config: &Config) -> Result<()> {
|
||||
wait_till_node_is_ready_timeout(config, None).await
|
||||
}
|
||||
|
||||
pub async fn wait_till_node_is_ready_timeout(
|
||||
config: &Config,
|
||||
timeout_secs: Option<u64>,
|
||||
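Review bot: Removing `wait_till_node_is_ready` leaves `wait_till_node_is_ready_timeout` as the only entry point, but its `timeout_secs: Option<u64>` parameter has no doc comment explaining what `None` means, and after this commit no visible caller passes `None` any more. Add a `///` comment above the function stating the unit of `timeout_secs` and the `None` behaviour (presumably an unbounded wait — the body is outside the hunk, so confirm), or, if unbounded waiting is no longer wanted, consider making the timeout mandatory. The function's signature and body continue past this hunk.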
@@ -83,7 +79,7 @@ pub async fn restart_runtime(config: &Config, runtime: &str) -> Result<()> {
|
||||
}
|
||||
|
||||
info!("restart_runtime: Waiting for node to become ready");
|
||||
wait_till_node_is_ready(config).await?;
|
||||
wait_till_node_is_ready_timeout(config, Some(300)).await?;
|
||||
info!("restart_runtime: Node is ready");
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -585,6 +585,10 @@ e.g. `{{- include "kata-deploy.commonEnv" . | nindent 8 }}`.
|
||||
- name: EROFS_SNAPSHOTTER_MODE
|
||||
value: {{ .Values.snapshotter.erofsSnapshotterMode | trim | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.snapshotter.erofsDmverity }}
|
||||
- name: EROFS_DMVERITY
|
||||
value: "dmverity"
|
||||
{{- end }}
|
||||
{{- $forceGuestPullAmd64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "amd64") | trim -}}
|
||||
{{- if $forceGuestPullAmd64 }}
|
||||
- name: EXPERIMENTAL_FORCE_GUEST_PULL_X86_64
|
||||
|
||||
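Review bot: The env value `"dmverity"` is a sentinel the Rust side compares against literally (`eq_ignore_ascii_case("dmverity")` in `Config`), while the chart exposes a boolean `erofsDmverity`; nothing in the template records that coupling, so a later edit to either side can silently disable integrity verification. A short template comment above the new block, e.g. `{{- /* kata-deploy enables dm-verity only when EROFS_DMVERITY equals "dmverity" */ -}}`, would keep the two in step.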
@@ -283,10 +283,12 @@ snapshotter:
|
||||
# erofs snapshotter. When empty, kata-deploy uses its built-in default
|
||||
# (merged).
|
||||
erofsMergeMode: ""
|
||||
# EROFS snapshotter mode. When set to "integrity", dm-verity is enabled
|
||||
# and fsverity/immutable are disabled for erofs layers.
|
||||
# Valid values: "" (default) or "integrity".
|
||||
# EROFS snapshotter mode. Controls the rw-layer backing strategy.
|
||||
# Valid values: "" (default), "disk", or "memory".
|
||||
erofsSnapshotterMode: ""
|
||||
# Enable dm-verity integrity verification for EROFS lower layers.
|
||||
# Independent of erofsSnapshotterMode — works with both disk and memory.
|
||||
erofsDmverity: false
|
||||
|
||||
# Shim configuration
|
||||
# By default (disableAll: false), all shims with enabled: ~ (null) are enabled.
|
||||
|
||||
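Review bot: The removed comment advertised `"integrity"` as a valid `erofsSnapshotterMode`, and after this commit that value is rejected outright by the Rust-side validation (`"disk" | "memory"` only), so an existing values file using it fails deployment instead of quietly keeping dm-verity. The new comment should call that out for upgraders, e.g. `# Note: the former "integrity" value is no longer accepted; set erofsDmverity: true instead.`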