kata-deploy: Configure containerd erofs for dm-verity integrity mode

The deploy will read EROFS_SNAPSHOTTER_MODE and EROFS_DMVERITY from
the environment to enable dmverity_mode and enable_dmverity in the
containerd erofs snapshotter/differ config.

Add validation for the mode value and use an explicit 300s timeout
for node-readiness checks during kata-deploy in GitHub CI.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
This commit is contained in:
Alex Lyn
2026-06-16 15:19:37 +08:00
parent 562c9acdb2
commit adcbef0c53
6 changed files with 63 additions and 9 deletions


@@ -74,6 +74,12 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
"[\"erofs\",\"walking\"]",
)?;
// dm-verity is orthogonal to rw-layer backing — it verifies lower (erofs)
// layers via device-mapper regardless of whether the upper rw-layer lives on
// disk or in memory. When dm-verity is enabled, fsverity and immutable are
// disabled on the snapshotter side in favor of dm-verity.
let use_dmverity = config.erofs_dmverity;
toml_utils::set_toml_value(
configuration_file,
".plugins.\"io.containerd.snapshotter.v1.erofs\".enable_fsverity",
@@ -85,6 +91,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
"true",
)?;
if use_dmverity {
toml_utils::set_toml_value(
configuration_file,
".plugins.\"io.containerd.snapshotter.v1.erofs\".dmverity_mode",
"\"auto\"",
)?;
}
// Erofs differ plugin options (requires erofs-utils >= 1.8.2 on the host).
toml_utils::set_toml_value(
configuration_file,
@@ -97,6 +111,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
"false",
)?;
if use_dmverity {
toml_utils::set_toml_value(
configuration_file,
".plugins.\"io.containerd.differ.v1.erofs\".enable_dmverity",
"true",
)?;
}
toml_utils::set_toml_value(
configuration_file,
".plugins.\"io.containerd.snapshotter.v1.erofs\".default_size",


@@ -199,6 +199,11 @@ pub struct Config {
pub daemonset_name: String,
pub custom_runtimes_enabled: bool,
pub custom_runtimes: Vec<CustomRuntime>,
/// EROFS snapshotter rw-layer backing mode ("disk" or "memory").
pub erofs_snapshotter_mode: Option<String>,
/// Enable dm-verity integrity for EROFS lower layers.
/// Independent of rw-layer backing; works with both disk and memory modes.
pub erofs_dmverity: bool,
}
impl Config {
@@ -337,6 +342,16 @@ impl Config {
Vec::new()
};
let erofs_snapshotter_mode = env::var("EROFS_SNAPSHOTTER_MODE")
.ok()
.map(|s| s.trim().to_string())
.filter(|s| !s.is_empty());
let erofs_dmverity = env::var("EROFS_DMVERITY")
.unwrap_or_default()
.trim()
.eq_ignore_ascii_case("dmverity");
let config = Config {
node_name,
debug,
@@ -365,6 +380,8 @@ impl Config {
daemonset_name,
custom_runtimes_enabled,
custom_runtimes,
erofs_snapshotter_mode,
erofs_dmverity,
};
// Validate the configuration
@@ -546,6 +563,19 @@ impl Config {
}
}
// Validate EROFS_SNAPSHOTTER_MODE.
if let Some(mode) = self.erofs_snapshotter_mode.as_ref() {
match mode.as_str() {
"disk" | "memory" => {}
_ => {
return Err(anyhow::anyhow!(
"Unsupported EROFS_SNAPSHOTTER_MODE: '{}'. Supported values: disk, memory",
mode
));
}
}
}
Ok(())
}
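Review bot: The `EROFS_DMVERITY` parse at L78-L81 fails open: any value other than the exact token `dmverity` (for example `true`, `1`, or the typo `dm-verity`) silently yields `erofs_dmverity = false`, so an operator who meant to turn on integrity verification gets an unverified deployment with no diagnostic, whereas a bad mode value in the validation hunk (L96-L107) is rejected with an explicit message. Treating an unrecognised non-empty value as a configuration error, in the same style as the `EROFS_SNAPSHOTTER_MODE` check, keeps a misspelling from weakening the integrity posture; this assumes the constructor returns `Result`, as the `// Validate the configuration` step that follows suggests. The enclosing functions start and end outside these hunks.
```rust
let erofs_dmverity = match env::var("EROFS_DMVERITY").unwrap_or_default().trim() {
    "" => false,
    v if v.eq_ignore_ascii_case("dmverity") => true,
    v => {
        return Err(anyhow::anyhow!(
            "Unsupported EROFS_DMVERITY: '{}'. Supported values: dmverity",
            v
        ))
    }
};
// … unchanged: Config { … } construction …
```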


@@ -809,7 +809,7 @@ async fn reset(config: &config::Config, runtime: &str) -> Result<()> {
if matches!(runtime, "crio" | "containerd") {
utils::host_systemctl(&["restart", "kubelet"])?;
}
runtime::lifecycle::wait_till_node_is_ready(config).await?;
runtime::lifecycle::wait_till_node_is_ready_timeout(config, Some(300)).await?;
info!("Kata Containers reset completed successfully");
Ok(())
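Review bot: The 300-second timeout at L118 is a bare literal that is repeated at L137 in restart_runtime, and it applies to every reset, not only to the GitHub CI runs the commit message describes. A named constant such as `const NODE_READY_TIMEOUT_SECS: u64 = 300;` next to the lifecycle helpers, passed as `Some(NODE_READY_TIMEOUT_SECS)` at both call sites, keeps the two in step; if the ceiling is meant to differ between CI and production clusters, reading it from Config instead would avoid hard-coding it. reset's body starts outside this hunk.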


@@ -11,10 +11,6 @@ use log::info;
use std::time::Duration;
use tokio::time::sleep;
pub async fn wait_till_node_is_ready(config: &Config) -> Result<()> {
wait_till_node_is_ready_timeout(config, None).await
}
pub async fn wait_till_node_is_ready_timeout(
config: &Config,
timeout_secs: Option<u64>,
@@ -83,7 +79,7 @@ pub async fn restart_runtime(config: &Config, runtime: &str) -> Result<()> {
}
info!("restart_runtime: Waiting for node to become ready");
wait_till_node_is_ready(config).await?;
wait_till_node_is_ready_timeout(config, Some(300)).await?;
info!("restart_runtime: Node is ready");
Ok(())
}
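Review bot: With the `wait_till_node_is_ready` wrapper removed (L127-L129), `timeout_secs: None` is now the only way callers express the previous default, and the visible signature at L130-L132 does not say what `None` means — presumably an unbounded wait, but these lines do not confirm that. A doc comment on `wait_till_node_is_ready_timeout` stating the `None` semantics and the error returned when the timeout expires, e.g. `/// Waits for the node to report Ready; timeout_secs bounds the wait, None means <state the default here>.`, would keep callers from guessing. The function body is outside the hunk.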


@@ -585,6 +585,10 @@ e.g. `{{- include "kata-deploy.commonEnv" . | nindent 8 }}`.
- name: EROFS_SNAPSHOTTER_MODE
value: {{ .Values.snapshotter.erofsSnapshotterMode | trim | quote }}
{{- end }}
{{- if .Values.snapshotter.erofsDmverity }}
- name: EROFS_DMVERITY
value: "dmverity"
{{- end }}
{{- $forceGuestPullAmd64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "amd64") | trim -}}
{{- if $forceGuestPullAmd64 }}
- name: EXPERIMENTAL_FORCE_GUEST_PULL_X86_64
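Review bot: `{{- if .Values.snapshotter.erofsDmverity }}` at L148 is a Go-template truthiness test, so a string value such as `"false"` (which a values file or `--set-string` can produce) is non-empty and enables dm-verity, while only the boolean `false` disables it. This is a template-semantics caveat rather than a verified failure; if the chart wants the condition pinned to the literal boolean, `{{- if eq (toString .Values.snapshotter.erofsDmverity) "true" }}` does that. The commonEnv template continues outside the hunk.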


@@ -283,10 +283,12 @@ snapshotter:
# erofs snapshotter. When empty, kata-deploy uses its built-in default
# (merged).
erofsMergeMode: ""
# EROFS snapshotter mode. When set to "integrity", dm-verity is enabled
# and fsverity/immutable are disabled for erofs layers.
# Valid values: "" (default) or "integrity".
# EROFS snapshotter mode. Controls the rw-layer backing strategy.
# Valid values: "" (default), "disk", or "memory".
erofsSnapshotterMode: ""
# Enable dm-verity integrity verification for EROFS lower layers.
# Independent of erofsSnapshotterMode — works with both disk and memory.
erofsDmverity: false
# Shim configuration
# By default (disableAll: false), all shims with enabled: ~ (null) are enabled.