From a18c7ca307f09d596e254786c3fe5928c987ff26 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Fri, 22 Sep 2023 12:55:38 -0400
Subject: [PATCH 1/3] runtime: remove unimplemented CoCo configurations

These experimental options were added 2 years ago in anticipation of features that would be added in CoCo. These do not match the features that were eventually added and will soon be ported to main.
Fixes: #8047
Signed-off-by: Tobin Feldman-Fitzthum
---
 .../how-to-run-kata-containers-with-SE-VMs.md | 4 ---
 .../config/configuration-qemu.toml.in | 27 ------------------
 src/runtime/Makefile | 4 ---
 src/runtime/config/configuration-clh.toml.in | 27 ------------------
 .../configuration-qemu-nvidia-gpu.toml.in | 27 ------------------
 src/runtime/config/configuration-qemu-se.toml.in | 27 ------------------
 src/runtime/config/configuration-qemu-sev.toml.in | 27 ------------------
 src/runtime/config/configuration-qemu-snp.toml.in | 27 ------------------
 src/runtime/config/configuration-qemu-tdx.toml.in | 27 ------------------
 src/runtime/config/configuration-qemu.toml.in | 27 ------------------
 .../config/configuration-remote.toml.in | 28 -------------------
 11 files changed, 252 deletions(-)
diff --git a/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md b/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
index 799668f4f..41dcf8e35 100644
--- a/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
@@ -224,10 +224,6 @@ $ diff ${runtime_config_path}.old ${runtime_config_path}
 < dial_timeout = 45
 ---
 > dial_timeout = 90
-679c679
-< #service_offload = true
----
-> service_offload = true
 ```
 ### Verification
diff --git a/src/runtime-rs/config/configuration-qemu.toml.in b/src/runtime-rs/config/configuration-qemu.toml.in
index 933960b82..12d0c7888 100644
--- a/src/runtime-rs/config/configuration-qemu.toml.in
+++ b/src/runtime-rs/config/configuration-qemu.toml.in
@@ -700,30 +700,3 @@ experimental=@DEFAULTEXPFEATURES@
 # If enabled, user can run pprof tools with shim v2 process through kata-monitor.
 # (default: false)
 # enable_pprof = true
-
-# WARNING: All the options in the following section have not been implemented yet.
-# This section was added as a placeholder. DO NOT USE IT!
-[image]
-# Container image service.
-#
-# Offload the CRI image management service to the Kata agent.
-# (default: false)
-#service_offload = true
-
-# Container image decryption keys provisioning.
-# Applies only if service_offload is true.
-# Keys can be provisioned locally (e.g. through a special command or
-# a local file) or remotely (usually after the guest is remotely attested).
-# The provision setting is a complete URL that lets the Kata agent decide
-# which method to use in order to fetch the keys.
-#
-# Keys can be stored in a local file, in a measured and attested initrd:
-#provision=data:///local/key/file
-#
-# Keys could be fetched through a special command or binary from the
-# initrd (guest) image, e.g. a firmware call:
-#provision=file:///path/to/bin/fetcher/in/guest
-#
-# Keys can be remotely provisioned. The Kata agent fetches them from e.g.
-# a HTTPS URL:
-#provision=https://my-key-broker.foo/tenant/
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index b2386feea..c3847dc05 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -262,9 +262,6 @@ DEFSTATICRESOURCEMGMT_TEE = true
 DEFBINDMOUNTS := []
-# Image Service Offload
-DEFSERVICEOFFLOAD ?= false
-
 # Create Container Timeout in seconds
 DEFCREATECONTAINERTIMEOUT ?= 60
@@ -681,7 +678,6 @@ USER_VARS += DEFSTATICRESOURCEMGMT_FC
 USER_VARS += DEFSTATICRESOURCEMGMT_STRATOVIRT
 USER_VARS += DEFSTATICRESOURCEMGMT_TEE
 USER_VARS += DEFBINDMOUNTS
-USER_VARS += DEFSERVICEOFFLOAD
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFVFIOMODE
 USER_VARS += BUILDFLAGS
diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index 7f037ad1d..b006d6fb6 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -456,30 +456,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
index f20ba3d53..1fac77b34 100644
--- a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
@@ -687,30 +687,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu-se.toml.in b/src/runtime/config/configuration-qemu-se.toml.in
index 35516f9b0..919391608 100644
--- a/src/runtime/config/configuration-qemu-se.toml.in
+++ b/src/runtime/config/configuration-qemu-se.toml.in
@@ -652,30 +652,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu-sev.toml.in b/src/runtime/config/configuration-qemu-sev.toml.in
index 4b47ca1bb..91f5e100a 100644
--- a/src/runtime/config/configuration-qemu-sev.toml.in
+++ b/src/runtime/config/configuration-qemu-sev.toml.in
@@ -630,30 +630,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in
index 08b204691..38bec359d 100644
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@@ -670,30 +670,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
index e41f6e63c..34b34eb55 100644
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
@@ -666,30 +666,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in
index 134e7f6fd..e32473933 100644
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@@ -699,30 +699,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
diff --git a/src/runtime/config/configuration-remote.toml.in b/src/runtime/config/configuration-remote.toml.in
index 1fdf8e72c..786ed5821 100644
--- a/src/runtime/config/configuration-remote.toml.in
+++ b/src/runtime/config/configuration-remote.toml.in
@@ -296,31 +296,3 @@ experimental=@DEFAULTEXPFEATURES@
 # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=runtime%2Drequest%2Dtimeout) and create_container_timeout.
 # In essence, the timeout used for guest pull=runtime-request-timeout
From 9856fe5beaae55bb4cb544c1aee43ea6777871e5 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Fri, 22 Mar 2024 13:02:09 -0500
Subject: [PATCH 2/3] runtime: remove ServiceOffload parameter

Since we no longer use the service_offload configuration, remove the ServiceOffload field from the image struct.
Signed-off-by: Tobin Feldman-Fitzthum
---
 src/runtime/pkg/katautils/config.go | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 997b83ed2..695002eaa 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -64,16 +64,10 @@ const (
 type tomlConfig struct {
 Hypervisor map[string]hypervisor
 Agent map[string]agent
- Image image
 Factory factory
 Runtime runtime
 }
-type image struct {
- Provision string `toml:"provision"`
- ServiceOffload bool `toml:"service_offload"`
-}
-
 type factory struct {
 TemplatePath string `toml:"template_path"`
 VMCacheEndpoint string `toml:"vm_cache_endpoint"`
From 04d021bd12f9133e1e400c47480544bdd60ab4a4 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Fri, 22 Mar 2024 13:04:05 -0500
Subject: [PATCH 3/3] packaging: remove SERVICEOFFLOAD option

Since we're removing the unused service_offload parameter, don't set it in any of the packaging scripts.
Signed-off-by: Tobin Feldman-Fitzthum
---
 tools/packaging/static-build/shim-v2/build.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh
index f37cb91f4..77303d0e7 100755
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@@ -26,7 +26,6 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
 [ "${CROSS_BUILD}" == "true" ] && container_image_bk="${container_image}" && container_image="${container_image}-cross-build"
 if [ "${MEASURED_ROOTFS}" == "yes" ]; then
- EXTRA_OPTS+=" DEFSERVICEOFFLOAD=true"
 info "Enable rootfs measurement config"
 root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"