From 4a8fb475bebe9d373e5c3e05f8ab7c23ee8c2a9e Mon Sep 17 00:00:00 2001
From: Alex Carter
Date: Wed, 7 Jun 2023 20:21:45 +0000
Subject: [PATCH 1/2] tee: osbuilder: Set /run to use 50% of the image with systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's ensure at least 50% of the memory is used for /run, as systemd by default forces it to be 10%, which is way too small even for very small workloads. This is only done for the rootfs-confidential image.

Fixes: kata-containers#6775

Signed-off-by: Alex Carter
Signed-off-by: Wang, Arron
Signed-off-by: ChengyuZhu6
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index d2e7a4ba5e..f604ec5d0e 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -708,6 +708,20 @@ EOF
 mkdir -p "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
 ln -sf "/usr/lib/systemd/system/dbus.socket" "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants/dbus.socket"
 chmod g+rx,o+x "${ROOTFS_DIR}"
+
+ if [ "${CONFIDENTIAL_GUEST}" == "yes" ]; then
+ info "Tweaking /run to use 50% of the available memory"
+ # Tweak the kata-agent service to have /run using 50% of the memory available
+ # This is needed as, by default, systemd would only allow 10%, which is way
+ # too low, even for very small test images
+ fstab_file="${ROOTFS_DIR}/etc/fstab"
+ [ -e ${fstab_file} ] && sed -i '/\/run/d' ${fstab_file}
+ echo "tmpfs /run tmpfs nodev,nosuid,size=50% 0 0" >> ${fstab_file}
+
+ kata_systemd_target="${ROOTFS_DIR}/usr/lib/systemd/system/kata-containers.target"
+ grep -qE "^Requires=.*systemd-remount-fs.service.*" ${kata_systemd_target} || \
+ echo "Requires=systemd-remount-fs.service" >> ${kata_systemd_target}
+ fi
 fi
 
 if [ "${AGENT_POLICY}" == "yes" ]; then 
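Review bot: The fstab cleanup `sed -i '/\/run/d'` is unanchored, so it deletes every existing entry whose line merely contains `/run` (a `/var/run` or `/run/lock` mount, or a device or options field that happens to mention it) instead of only the `/run` mount point; match the mount-point field instead, e.g. `sed -i -E '/^[^#[:space:]]+[[:space:]]+\/run[[:space:]]/d' "${fstab_file}"`, and quote `${fstab_file}` and `${kata_systemd_target}` on the sed, echo and grep lines since `ROOTFS_DIR` is a caller-supplied path. The appended `Requires=systemd-remount-fs.service` is written at the end of the target file, which is only correct if the file's last section is `[Unit]` — should kata-containers.target carry an `[Install]` section the directive lands there and is ignored, so it is worth checking the shipped unit or inserting under `[Unit]` explicitly. `Requires=` also establishes no ordering on its own; if the remounted `/run` size must be in place before the agent starts, an `After=systemd-remount-fs.service` is presumably wanted as well, though sysinit ordering may already cover it. The enclosing `else` branch of the `AGENT_INIT` check starts before this hunk.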
From 5f146e10a1cc149f355a85ead40dfc818a65d51b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 26 Jul 2024 14:20:45 +0200
Subject: [PATCH 2/2] osbuilder: Add logs for setting up systemd based stuff
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This helps us to debug any kind of changes.

Signed-off-by: Fabiano FidĂȘncio
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index f604ec5d0e..5fd77290dc 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -702,6 +702,7 @@ EOF
 if [ "${AGENT_INIT}" == "yes" ]; then
 setup_agent_init "${AGENT_DEST}" "${init}"
 else
+ info "Setup systemd-base environment for kata-agent"
 # Setup systemd-based environment for kata-agent
 mkdir -p "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants"
 ln -sf "/usr/lib/systemd/system/kata-containers.target" "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants/kata-containers.target"
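Review bot: The new log message says `systemd-base` where the comment directly below it says "systemd-based"; use `info "Setup systemd-based environment for kata-agent"` so the build log and the code agree. With the log line in place the comment on the next line repeats it verbatim and could be dropped, or reworded to say why this branch exists (the non-`AGENT_INIT` path hands agent startup to systemd rather than running the agent as init). The enclosing `if`/`else` block continues past the end of the hunk.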