From adcbef0c539a2613b4903ccb037fc6f21b733ea9 Mon Sep 17 00:00:00 2001
From: Alex Lyn
Date: Tue, 16 Jun 2026 15:19:37 +0800
Subject: [PATCH] kata-deploy: Configure containerd erofs for dm-verity integrity mode

The deploy will read EROFS_SNAPSHOTTER_MODE and EROFS_DMVERITY from the environment to enable dmverity_mode and enable_dmverity in the containerd erofs snapshotter/differ config. Add validation for the mode value and use an explicit 300s timeout for node-readiness checks during kata-deply in github CI.

Signed-off-by: Alex Lyn
---
 .../binary/src/artifacts/snapshotters.rs | 22 ++++++++++++++
 .../kata-deploy/binary/src/config.rs | 30 +++++++++++++++++++
 .../packaging/kata-deploy/binary/src/main.rs | 2 +-
 .../binary/src/runtime/lifecycle.rs | 6 +---
 .../kata-deploy/templates/_helpers.tpl | 4 +++
 .../helm-chart/kata-deploy/values.yaml | 8 +++--
 6 files changed, 63 insertions(+), 9 deletions(-)

diff --git a/tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs b/tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs
index a2b7599d3e..4015db1b90 100644
--- a/tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs
+++ b/tools/packaging/kata-deploy/binary/src/artifacts/snapshotters.rs
@@ -74,6 +74,12 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
 "[\"erofs\",\"walking\"]",
 )?;
 
+ // dm-verity is orthogonal to rw-layer backing — it verifies lower (erofs)
+ // layers via device-mapper regardless of whether the upper rw-layer lives on
+ // disk or in memory. When dm-verity is enabled, fsverity and immutable are
+ // disabled on the snapshotter side in favor of dm-verity.
+ let use_dmverity = config.erofs_dmverity;
+
 toml_utils::set_toml_value(
 configuration_file,
 ".plugins.\"io.containerd.snapshotter.v1.erofs\".enable_fsverity",
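Review bot: The comment above `let use_dmverity` states that fsverity and immutable are disabled on the snapshotter side when dm-verity is enabled, but no line in this hunk or in the two that follow conditions those keys on `use_dmverity`; the value written for `enable_fsverity` sits just past the end of this hunk, and the next hunk opens with an unconditional `"true",`. Either that gating lives outside the diff, or the comment still describes the old "integrity" behaviour that values.yaml drops in this same commit. Reword it to what the code here does, e.g. `// When enabled, dmverity_mode/enable_dmverity are added below; the fsverity/immutable settings above are written regardless.`, or add the conditional it describes. configure_erofs_snapshotter continues outside the hunk.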
@@ -85,6 +91,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
 "true",
 )?;
 
+ if use_dmverity {
+ toml_utils::set_toml_value(
+ configuration_file,
+ ".plugins.\"io.containerd.snapshotter.v1.erofs\".dmverity_mode",
+ "\"auto\"",
+ )?;
+ }
+
 // Erofs differ plugin options (requires erofs-utils >= 1.8.2 on the host).
 toml_utils::set_toml_value(
 configuration_file,
@@ -97,6 +111,14 @@ pub async fn configure_erofs_snapshotter(config: &Config, configuration_file: &P
 "false",
 )?;
 
+ if use_dmverity {
+ toml_utils::set_toml_value(
+ configuration_file,
+ ".plugins.\"io.containerd.differ.v1.erofs\".enable_dmverity",
+ "true",
+ )?;
+ }
+
 toml_utils::set_toml_value(
 configuration_file,
 ".plugins.\"io.containerd.snapshotter.v1.erofs\".default_size",
diff --git a/tools/packaging/kata-deploy/binary/src/config.rs b/tools/packaging/kata-deploy/binary/src/config.rs
index 4700940740..ee94c8808a 100644
--- a/tools/packaging/kata-deploy/binary/src/config.rs
+++ b/tools/packaging/kata-deploy/binary/src/config.rs
@@ -199,6 +199,11 @@ pub struct Config {
 pub daemonset_name: String,
 pub custom_runtimes_enabled: bool,
 pub custom_runtimes: Vec,
+ /// EROFS snapshotter rw-layer backing mode ("disk" or "memory").
+ pub erofs_snapshotter_mode: Option,
+ /// Enable dm-verity integrity for EROFS lower layers.
+ /// Independent of rw-layer backing; works with both disk and memory modes.
+ pub erofs_dmverity: bool,
 }
 
 impl Config {
@@ -337,6 +342,16 @@ impl Config {
 Vec::new()
 };
 
+ let erofs_snapshotter_mode = env::var("EROFS_SNAPSHOTTER_MODE")
+ .ok()
+ .map(|s| s.trim().to_string())
+ .filter(|s| !s.is_empty());
+
+ let erofs_dmverity = env::var("EROFS_DMVERITY")
+ .unwrap_or_default()
+ .trim()
+ .eq_ignore_ascii_case("dmverity");
+
 let config = Config {
 node_name,
 debug,
@@ -365,6 +380,8 @@ impl Config {
 daemonset_name,
 custom_runtimes_enabled,
 custom_runtimes,
+ erofs_snapshotter_mode,
+ erofs_dmverity,
 };
 
 // Validate the configuration
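Review bot: `dmverity_mode` is only written when `use_dmverity` is true, and the same holds for the differ's `enable_dmverity` in the next hunk; if `configuration_file` is an existing containerd config edited in place (which the surrounding `set_toml_value` calls suggest), a node that once deployed with EROFS_DMVERITY set keeps both keys after the variable is unset, so the effective integrity mode silently drifts from what the chart values declare. The neighbouring keys (`enable_fsverity`, the differ flags) avoid this by being written on both paths. For the differ the off value is the plain bool, so it can be written unconditionally as `if use_dmverity { "true" } else { "false" }`; the off value for `dmverity_mode` is not shown in this diff, so either write it the same way once known or note on the `if` that the key is never cleared. configure_erofs_snapshotter continues outside the hunk.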
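Review bot: `EROFS_DMVERITY` is reduced to a bool by `eq_ignore_ascii_case("dmverity")`, so any other value — `true`, `1`, `yes`, a typo — silently leaves dm-verity off while the operator who set the variable expects integrity verification to be on; that is the opposite of what the EROFS_SNAPSHOTTER_MODE check later in this commit does, where an unknown value fails the deploy. Accept only the empty string and the known token and reject everything else, assuming this constructor returns `Result` as the `// Validate the configuration` step after it suggests. The enclosing function starts and ends outside the hunk.
```rust
        let erofs_dmverity = match env::var("EROFS_DMVERITY")
            .unwrap_or_default()
            .trim()
            .to_ascii_lowercase()
            .as_str()
        {
            "" => false,
            "dmverity" => true,
            other => {
                return Err(anyhow::anyhow!(
                    "Unsupported EROFS_DMVERITY: '{}'. Supported values: dmverity",
                    other
                ))
            }
        };
        // … unchanged: let config = Config { … } …
```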
@@ -546,6 +563,19 @@ impl Config {
 }
 }
 
+ // Validate EROFS_SNAPSHOTTER_MODE.
+ if let Some(mode) = self.erofs_snapshotter_mode.as_ref() {
+ match mode.as_str() {
+ "disk" | "memory" => {}
+ _ => {
+ return Err(anyhow::anyhow!(
+ "Unsupported EROFS_SNAPSHOTTER_MODE: '{}'. Supported values: disk, memory",
+ mode
+ ));
+ }
+ }
+ }
+
 Ok(())
 }
 
diff --git a/tools/packaging/kata-deploy/binary/src/main.rs b/tools/packaging/kata-deploy/binary/src/main.rs
index d015fa05e1..d3cdde3d20 100644
--- a/tools/packaging/kata-deploy/binary/src/main.rs
+++ b/tools/packaging/kata-deploy/binary/src/main.rs
@@ -809,7 +809,7 @@ async fn reset(config: &config::Config, runtime: &str) -> Result<()> {
 if matches!(runtime, "crio" | "containerd") {
 utils::host_systemctl(&["restart", "kubelet"])?;
 }
- runtime::lifecycle::wait_till_node_is_ready(config).await?;
+ runtime::lifecycle::wait_till_node_is_ready_timeout(config, Some(300)).await?;
 info!("Kata Containers reset completed successfully");
 Ok(())
diff --git a/tools/packaging/kata-deploy/binary/src/runtime/lifecycle.rs b/tools/packaging/kata-deploy/binary/src/runtime/lifecycle.rs
index 09c161cd1a..bfedf799c1 100644
--- a/tools/packaging/kata-deploy/binary/src/runtime/lifecycle.rs
+++ b/tools/packaging/kata-deploy/binary/src/runtime/lifecycle.rs
@@ -11,10 +11,6 @@ use log::info;
 use std::time::Duration;
 use tokio::time::sleep;
 
-pub async fn wait_till_node_is_ready(config: &Config) -> Result<()> {
- wait_till_node_is_ready_timeout(config, None).await
- }
-
 pub async fn wait_till_node_is_ready_timeout(
 config: &Config,
 timeout_secs: Option,
@@ -83,7 +79,7 @@ pub async fn restart_runtime(config: &Config, runtime: &str) -> Result<()> {
 }
 info!("restart_runtime: Waiting for node to become ready");
- wait_till_node_is_ready(config).await?;
+ wait_till_node_is_ready_timeout(config, Some(300)).await?;
 info!("restart_runtime: Node is ready");
 Ok(())
 }
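Review bot: The `match mode.as_str()` check is case-sensitive, so `Disk` is rejected, whereas the EROFS_DMVERITY parse earlier in this commit compares with `eq_ignore_ascii_case`; use one convention for both variables, either `match mode.to_ascii_lowercase().as_str() {` here or an exact comparison on the other side. Separately, nothing in the visible hunks reads `erofs_snapshotter_mode` after it passes validation — if the disk/memory selection happens outside this diff, a one-line comment on the field naming that consumer would help; if it does not, the value is validated but unused. The enclosing validate function starts outside the hunk.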
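Review bot: `Some(300)` is a bare literal that now appears twice — here and in `restart_runtime` in lifecycle.rs in the last hunk of this diff — and, per the commit message, was chosen for GitHub CI, yet it bounds every `reset` and `restart_runtime` on real clusters, where a slow node now turns the previous `None` wait (presumably unbounded) into a hard failure. Hoist it to a single named constant next to `wait_till_node_is_ready_timeout`, e.g. `pub const NODE_READY_TIMEOUT_SECS: u64 = 300;` (adjust the type to whatever `timeout_secs: Option<…>` takes; the parameter's type argument is not legible in this extraction), and consider reading it from `Config` so operators can raise it. The `reset` function starts outside the hunk.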
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl
index 08269b4fdd..aa6678df30 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/_helpers.tpl
@@ -585,6 +585,10 @@ e.g. `{{- include "kata-deploy.commonEnv" . | nindent 8 }}`.
 - name: EROFS_SNAPSHOTTER_MODE
 value: {{ .Values.snapshotter.erofsSnapshotterMode | trim | quote }}
 {{- end }}
+{{- if .Values.snapshotter.erofsDmverity }}
+- name: EROFS_DMVERITY
+ value: "dmverity"
+{{- end }}
 {{- $forceGuestPullAmd64 := include "kata-deploy.getForceGuestPullForArch" (dict "root" . "arch" "amd64") | trim -}}
 {{- if $forceGuestPullAmd64 }}
 - name: EXPERIMENTAL_FORCE_GUEST_PULL_X86_64
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
index e786bbfffc..4bbeb2341f 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
@@ -283,10 +283,12 @@ snapshotter:
 # erofs snapshotter. When empty, kata-deploy uses its built-in default
 # (merged).
 erofsMergeMode: ""
- # EROFS snapshotter mode. When set to "integrity", dm-verity is enabled
- # and fsverity/immutable are disabled for erofs layers.
- # Valid values: "" (default) or "integrity".
+ # EROFS snapshotter mode. Controls the rw-layer backing strategy.
+ # Valid values: "" (default), "disk", or "memory".
 erofsSnapshotterMode: ""
+ # Enable dm-verity integrity verification for EROFS lower layers.
+ # Independent of erofsSnapshotterMode — works with both disk and memory.
+ erofsDmverity: false
 
 # Shim configuration
 # By default (disableAll: false), all shims with enabled: ~ (null) are enabled.
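Review bot: The literal `"dmverity"` emitted for `EROFS_DMVERITY` is the exact token config.rs compares against with `eq_ignore_ascii_case`, and the binary treats every other string as off, so a later edit of this value (to `"true"`, say) would disable integrity verification without any error. A template comment pinning the contract guards against that: `{{/* Must stay exactly "dmverity": the kata-deploy binary enables dm-verity only for this token (config.rs, EROFS_DMVERITY). */}}`. The `commonEnv` template this sits in starts and ends outside the hunk.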
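Review bot: The removed comment documented `"integrity"` as a valid `erofsSnapshotterMode`, and the chart already passes that value through as `EROFS_SNAPSHOTTER_MODE` (context line in _helpers.tpl), which the binary now rejects with "Unsupported EROFS_SNAPSHOTTER_MODE", so existing overrides fail on upgrade with no hint of the replacement. Add a migration note beside the new key, e.g. `# Note: the former erofsSnapshotterMode value "integrity" has been replaced by erofsDmverity: true.`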