github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-17 08:53:26 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #10078 from fidencio/topic/increase-rootfs-confidential-slash-run-to-50-percent

Browse Source 
tee: osbuilder: Set /run to use 50% of the image with systemd
This commit is contained in:
Fabiano Fidêncio 2024-07-26 18:37:41 +02:00 committed by GitHub
commit b0b04bd2f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@ -702,12 +702,27 @@ EOF
if [ "${AGENT_INIT}" == "yes" ]; then if [ "${AGENT_INIT}" == "yes" ]; then
setup_agent_init "${AGENT_DEST}" "${init}" setup_agent_init "${AGENT_DEST}" "${init}"
else else
info "Setup systemd-base environment for kata-agent"
# Setup systemd-based environment for kata-agent # Setup systemd-based environment for kata-agent
mkdir -p "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants" mkdir -p "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants"
ln -sf "/usr/lib/systemd/system/kata-containers.target" "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants/kata-containers.target" ln -sf "/usr/lib/systemd/system/kata-containers.target" "${ROOTFS_DIR}/etc/systemd/system/basic.target.wants/kata-containers.target"
mkdir -p "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants" mkdir -p "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
ln -sf "/usr/lib/systemd/system/dbus.socket" "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants/dbus.socket" ln -sf "/usr/lib/systemd/system/dbus.socket" "${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants/dbus.socket"
chmod g+rx,o+x "${ROOTFS_DIR}" chmod g+rx,o+x "${ROOTFS_DIR}"
if [ "${CONFIDENTIAL_GUEST}" == "yes" ]; then
info "Tweaking /run to use 50% of the available memory"
# Tweak the kata-agent service to have /run using 50% of the memory available
# This is needed as, by default, systemd would only allow 10%, which is way
# too low, even for very small test images
fstab_file="${ROOTFS_DIR}/etc/fstab"
[ -e ${fstab_file} ] && sed -i '/\/run/d' ${fstab_file}
echo "tmpfs /run tmpfs nodev,nosuid,size=50% 0 0" >> ${fstab_file}
kata_systemd_target="${ROOTFS_DIR}/usr/lib/systemd/system/kata-containers.target"
grep -qE "^Requires=.*systemd-remount-fs.service.*" ${kata_systemd_target} || \
echo "Requires=systemd-remount-fs.service" >> ${kata_systemd_target}
fi
fi fi
if [ "${AGENT_POLICY}" == "yes" ]; then if [ "${AGENT_POLICY}" == "yes" ]; then