diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
index 03a3ea2d72..fe02bd72b4 100644
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -1578,19 +1578,6 @@
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
-[[package]]
-name = "globset"
-version = "0.4.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "759c97c1e17c55525b57192c06a267cda0ac5210b222d6b82189a2338fa1c13d"
-dependencies = [
- "aho-corasick",
- "bstr",
- "fnv",
- "log",
- "regex",
-]
-
 [[package]]
 name = "gloo-timers"
 version = "0.2.6"
@@ -3833,7 +3820,7 @@ dependencies = [
 "regex",
 "relative-path",
 "rustc_version",
- "syn 2.0.50",
+ "syn 2.0.52",
 "unicode-ident",
 ]
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
index 3ee6ea8142..31092c0aa4 100644
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -95,9 +95,12 @@ members = [
 lto = true
 [features]
+# The default-pull feature would support all pull types, including sharing images by virtio-fs and pulling images in the guest
+default-pull = [ "guest-pull" ]
 seccomp = ["rustjail/seccomp"]
 standard-oci-runtime = ["rustjail/standard-oci-runtime"]
 agent-policy = ["http", "openssl", "reqwest"]
+guest-pull = ["image-rs", "openssl"]
 [[bin]]
 name = "kata-agent"
diff --git a/src/agent/Makefile b/src/agent/Makefile
index 5b118beb9c..2f36e04852 100644
--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@@ -41,6 +41,16 @@ ifeq ($(AGENT_POLICY),yes)
 override EXTRA_RUSTFEATURES += agent-policy
 endif
+##VAR PULL_TYPE=default|guest-pull define if agent enables the guest pull image feature
+PULL_TYPE ?= default
+ifeq ($(PULL_TYPE),default)
+ override EXTRA_RUSTFEATURES += default-pull
+# Enable guest pull image feature of rust build
+else ifeq ($(PULL_TYPE),guest-pull)
+ override EXTRA_RUSTFEATURES += guest-pull
+endif
+
+
 include ../../utils.mk
 ifeq ($(ARCH), ppc64le)
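Review bot: The comment above `default-pull` in the Cargo.toml hunk says the feature supports all pull types including virtio-fs sharing, but the line under it only forwards to `guest-pull`, so the comment promises more than the feature list expresses. Suggest `# default-pull: the pull-related features built by default; currently just guest-pull`. Note also that `default-pull` is not Cargo's `default` feature (the visible `[features]` table has no `default =` entry), so a plain `cargo build` in this directory still leaves `image-rs` out; that is fine as an attack-surface choice, but worth stating in the comment so nobody assumes the crate defaults match the Makefile default.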
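Review bot: In the Makefile hunk both accepted values of `PULL_TYPE` compile the guest-pull code in — `default` through `default-pull = [ "guest-pull" ]` in Cargo.toml and `guest-pull` directly — so the new variable cannot yet produce an agent without the `image-rs` path, and any other value falls through the `ifeq`/`else ifeq` chain silently and builds with no pull feature at all. A typo in `PULL_TYPE` would then surface only at runtime as a missing storage handler. If the silent fall-through is not intended, add `else` / `$(error Unsupported PULL_TYPE "$(PULL_TYPE)", expected default|guest-pull)` before the `endif`, and say in the `##VAR` line that the two values currently select the same feature set.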
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 7e7979b10c..468efaa226 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -73,7 +73,9 @@ use tokio::{
 task::JoinHandle,
 };
+#[cfg(feature = "guest-pull")]
 mod image;
+
 mod rpc;
 mod tracer;
diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index d919df76d5..0cf1d45d86 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -54,7 +54,6 @@ use rustjail::process::ProcessOperations;
 use crate::device::{add_devices, get_virtio_blk_pci_device_name, update_env_pci};
 use crate::features::get_build_features;
-use crate::image;
 use crate::linux_abi::*;
 use crate::metrics::get_metrics;
 use crate::mount::baremount;
@@ -74,6 +73,9 @@ use crate::tracer::extract_carrier_from_ttrpc;
 #[cfg(feature = "agent-policy")]
 use crate::policy::{do_set_policy, is_allowed};
+#[cfg(feature = "guest-pull")]
+use crate::image;
+
 use opentelemetry::global;
 use tracing::span;
 use tracing_opentelemetry::OpenTelemetrySpanExt;
@@ -202,8 +204,11 @@ impl AgentService {
 // In case of pulling image inside guest, we need to merge the image bundle OCI spec
 // into the container creation request OCI spec.
- let image_service = image::ImageService::singleton().await?;
- image_service.merge_bundle_oci(&mut oci).await?;
+ #[cfg(feature = "guest-pull")]
+ {
+ let image_service = image::ImageService::singleton().await?;
+ image_service.merge_bundle_oci(&mut oci).await?;
+ }
 // Some devices need some extra processing (the ones invoked with
 // --device for instance), and that's what this call is doing. It
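Review bot: In the `@@ -202` hunk of rpc.rs the comment `// In case of pulling image inside guest, we need to merge the image bundle OCI spec` now sits above a block that exists only under `guest-pull`; in a build without the feature the comment describes code that is not compiled, and a container request that expected the bundle merge is simply processed without it. Move the comment inside the `#[cfg(feature = "guest-pull")] { … }` block, or extend it with `// (only when the agent is built with the guest-pull feature; other builds leave the request spec untouched)`. The enclosing method starts before the hunk, so whether an earlier check already rejects guest-pull storages in such builds cannot be seen here; the other rpc.rs and main.rs hunks are import gating only.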
@@ -1603,9 +1608,11 @@ pub async fn start(
 let health_service = Box::new(HealthService {}) as Box;
 let hservice = health_ttrpc::create_health(Arc::new(health_service));
- let image_service = image::ImageService::new();
- *image::IMAGE_SERVICE.lock().await = Some(image_service.clone());
-
+ #[cfg(feature = "guest-pull")]
+ {
+ let image_service = image::ImageService::new();
+ *image::IMAGE_SERVICE.lock().await = Some(image_service.clone());
+ }
 let server = TtrpcServer::new()
 .bind(server_address)?
 .register_service(aservice)
diff --git a/src/agent/src/storage/image_pull_handler.rs b/src/agent/src/storage/image_pull_handler.rs
index 5f5c3d7147..e713198975 100644
--- a/src/agent/src/storage/image_pull_handler.rs
+++ b/src/agent/src/storage/image_pull_handler.rs
@@ -3,6 +3,8 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+use crate::image;
+use crate::storage::{StorageContext, StorageHandler};
 use anyhow::{anyhow, Result};
 use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL;
 use kata_types::mount::{ImagePullVolume, StorageDevice};
@@ -10,9 +12,6 @@ use protocols::agent::Storage;
 use std::sync::Arc;
 use tracing::instrument;
-use crate::image;
-use crate::storage::{StorageContext, StorageHandler};
-
 use super::{common_storage_handler, new_device};
 #[derive(Debug)]
diff --git a/src/agent/src/storage/mod.rs b/src/agent/src/storage/mod.rs
index 42ca1da0d3..93892af9dc 100644
--- a/src/agent/src/storage/mod.rs
+++ b/src/agent/src/storage/mod.rs
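Review bot: Inside the new `#[cfg(feature = "guest-pull")]` block in `start`, `image_service` is used only to be cloned into `image::IMAGE_SERVICE` and the local is dropped at the closing brace, so the `.clone()` that was carried over now buys nothing; `*image::IMAGE_SERVICE.lock().await = Some(image::ImageService::new());` does the same in one line. The hunk also removes the blank line that separated this setup from `let server = TtrpcServer::new()` without adding one after the block; restoring it keeps the section readable. `start` begins before the hunk; the image_pull_handler.rs hunks are an import reorder only.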
@@ -12,10 +12,9 @@ use std::sync::Arc;
 use anyhow::{anyhow, Context, Result};
 use kata_sys_util::mount::{create_mount_destination, parse_mount_options};
-use kata_types::mount::{
- StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG,
- KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL,
-};
+#[cfg(feature = "guest-pull")]
+use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL;
+use kata_types::mount::{StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG};
 use nix::unistd::{Gid, Uid};
 use protocols::agent::Storage;
 use protocols::types::FSGroupChangePolicy;
@@ -27,6 +26,7 @@ use self::bind_watcher_handler::BindWatcherHandler;
 use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler};
 use self::ephemeral_handler::EphemeralHandler;
 use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler};
+#[cfg(feature = "guest-pull")]
 use self::image_pull_handler::ImagePullHandler;
 use self::local_handler::LocalHandler;
 use crate::device::{
@@ -43,6 +43,7 @@ mod bind_watcher_handler;
 mod block_handler;
 mod ephemeral_handler;
 mod fs_handler;
+#[cfg(feature = "guest-pull")]
 mod image_pull_handler;
 mod local_handler;
@@ -150,6 +151,7 @@ lazy_static! {
 manager.add_handler(DRIVER_SCSI_TYPE, Arc::new(ScsiHandler{})).unwrap();
 manager.add_handler(DRIVER_VIRTIOFS_TYPE, Arc::new(VirtioFsHandler{})).unwrap();
 manager.add_handler(DRIVER_WATCHABLE_BIND_TYPE, Arc::new(BindWatcherHandler{})).unwrap();
+ #[cfg(feature = "guest-pull")]
 manager.add_handler(KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, Arc::new(ImagePullHandler{})).unwrap();
 manager
 };
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 8b4df39db5..5fed5a0b7e 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
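Review bot: With `#[cfg(feature = "guest-pull")]` on the `add_handler(KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, …)` line in the `lazy_static!` hunk, a build without the feature registers no handler for that driver, so a storage entry of that type sent by the host goes to whatever `StorageHandlerManager` does for an unknown driver; that lookup path is outside the hunk, so confirm it fails with an explicit error that names the driver rather than falling through to a default handler, since the host-supplied storage list is untrusted input to the agent. A one-line comment on the gated line would spare the next reader the search: `// Only registered when built with guest-pull; other builds have no handler for this driver.` The `lazy_static!` block starts before the hunk; the other three hunks in this file are consistent import/module gating.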
@@ -17,6 +17,8 @@ RUST_VERSION="null"
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+# The kata agent enables guest-pull feature.
+PULL_TYPE=${PULL_TYPE:-default}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@@ -706,7 +708,7 @@ EOF
 git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!"
 fi
 make clean
- make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY}
+ make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE}
 make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
 if [ "${SECCOMP}" == "yes" ]; then
 rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
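Review bot: The comment added above `PULL_TYPE=${PULL_TYPE:-default}` reads `# The kata agent enables guest-pull feature.`, which states a fact about the agent rather than what the variable controls, and it does not mention the accepted values. Suggest `# PULL_TYPE (default|guest-pull): passed to the agent Makefile to select the image pull feature.` so the `make … PULL_TYPE=${PULL_TYPE}` line in the second hunk is self-explaining. If the script has a usage/help block listing the other `${VAR:-default}` settings (outside the hunk), PULL_TYPE should appear there too.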