agent: Add guest-pull feature for kata-agent

Add "guest-pull" feature option to determine that the related dependencies would be compiled if the feature is enabled. By default, agent would be built with default-pull feature, which would support all pull types, including sharing images by virtio-fs and pulling images in the guest. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2025-09-16 14:28:35 +00:00 · 2023-11-23 22:12:53 +08:00
parent 965da9bc9b
commit c269b9e8c6
8 changed files with 40 additions and 28 deletions
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -1578,19 +1578,6 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"

-[[package]]
-name = "globset"
-version = "0.4.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "759c97c1e17c55525b57192c06a267cda0ac5210b222d6b82189a2338fa1c13d"
-dependencies = [
- "aho-corasick",
- "bstr",
- "fnv",
- "log",
- "regex",
-]
-
 [[package]]
 name = "gloo-timers"
 version = "0.2.6"
@@ -3833,7 +3820,7 @@ dependencies = [
 "regex",
 "relative-path",
 "rustc_version",
- "syn 2.0.50",
+ "syn 2.0.52",
 "unicode-ident",
 ]

--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -95,9 +95,12 @@ members = [
 lto = true

 [features]
+# The default-pull feature would support all pull types, including sharing images by virtio-fs and pulling images in the guest
+default-pull = [ "guest-pull" ]
 seccomp = ["rustjail/seccomp"]
 standard-oci-runtime = ["rustjail/standard-oci-runtime"]
 agent-policy = ["http", "openssl", "reqwest"]
+guest-pull = ["image-rs", "openssl"]

 [[bin]]
 name = "kata-agent"
--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@@ -41,6 +41,16 @@ ifeq ($(AGENT_POLICY),yes)
    override EXTRA_RUSTFEATURES += agent-policy
 endif

+##VAR PULL_TYPE=default|guest-pull define if agent enables the guest pull image feature
+PULL_TYPE ?= default
+ifeq ($(PULL_TYPE),default)
+	override EXTRA_RUSTFEATURES += default-pull
+# Enable guest pull image feature of rust build
+else ifeq ($(PULL_TYPE),guest-pull)
+    override EXTRA_RUSTFEATURES += guest-pull
+endif
+
+
 include ../../utils.mk

 ifeq ($(ARCH), ppc64le)
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -73,7 +73,9 @@ use tokio::{
    task::JoinHandle,
 };

+#[cfg(feature = "guest-pull")]
 mod image;
+
 mod rpc;
 mod tracer;

--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -54,7 +54,6 @@ use rustjail::process::ProcessOperations;

 use crate::device::{add_devices, get_virtio_blk_pci_device_name, update_env_pci};
 use crate::features::get_build_features;
-use crate::image;
 use crate::linux_abi::*;
 use crate::metrics::get_metrics;
 use crate::mount::baremount;
@@ -74,6 +73,9 @@ use crate::tracer::extract_carrier_from_ttrpc;
 #[cfg(feature = "agent-policy")]
 use crate::policy::{do_set_policy, is_allowed};

+#[cfg(feature = "guest-pull")]
+use crate::image;
+
 use opentelemetry::global;
 use tracing::span;
 use tracing_opentelemetry::OpenTelemetrySpanExt;
@@ -202,8 +204,11 @@ impl AgentService {

        // In case of pulling image inside guest, we need to merge the image bundle OCI spec
        // into the container creation request OCI spec.
-        let image_service = image::ImageService::singleton().await?;
-        image_service.merge_bundle_oci(&mut oci).await?;
+        #[cfg(feature = "guest-pull")]
+        {
+            let image_service = image::ImageService::singleton().await?;
+            image_service.merge_bundle_oci(&mut oci).await?;
+        }

        // Some devices need some extra processing (the ones invoked with
        // --device for instance), and that's what this call is doing. It
@@ -1603,9 +1608,11 @@ pub async fn start(
    let health_service = Box::new(HealthService {}) as Box<dyn health_ttrpc::Health + Send + Sync>;
    let hservice = health_ttrpc::create_health(Arc::new(health_service));

-    let image_service = image::ImageService::new();
-    *image::IMAGE_SERVICE.lock().await = Some(image_service.clone());
-
+    #[cfg(feature = "guest-pull")]
+    {
+        let image_service = image::ImageService::new();
+        *image::IMAGE_SERVICE.lock().await = Some(image_service.clone());
+    }
    let server = TtrpcServer::new()
        .bind(server_address)?
        .register_service(aservice)
--- a/src/agent/src/storage/image_pull_handler.rs
+++ b/src/agent/src/storage/image_pull_handler.rs
@@ -3,6 +3,8 @@
 // SPDX-License-Identifier: Apache-2.0
 //

+use crate::image;
+use crate::storage::{StorageContext, StorageHandler};
 use anyhow::{anyhow, Result};
 use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL;
 use kata_types::mount::{ImagePullVolume, StorageDevice};
@@ -10,9 +12,6 @@ use protocols::agent::Storage;
 use std::sync::Arc;
 use tracing::instrument;

-use crate::image;
-use crate::storage::{StorageContext, StorageHandler};
-
 use super::{common_storage_handler, new_device};

 #[derive(Debug)]
--- a/src/agent/src/storage/mod.rs
+++ b/src/agent/src/storage/mod.rs
@@ -12,10 +12,9 @@ use std::sync::Arc;

 use anyhow::{anyhow, Context, Result};
 use kata_sys_util::mount::{create_mount_destination, parse_mount_options};
-use kata_types::mount::{
-    StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG,
-    KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL,
-};
+#[cfg(feature = "guest-pull")]
+use kata_types::mount::KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL;
+use kata_types::mount::{StorageDevice, StorageHandlerManager, KATA_SHAREDFS_GUEST_PREMOUNT_TAG};
 use nix::unistd::{Gid, Uid};
 use protocols::agent::Storage;
 use protocols::types::FSGroupChangePolicy;
@@ -27,6 +26,7 @@ use self::bind_watcher_handler::BindWatcherHandler;
 use self::block_handler::{PmemHandler, ScsiHandler, VirtioBlkMmioHandler, VirtioBlkPciHandler};
 use self::ephemeral_handler::EphemeralHandler;
 use self::fs_handler::{OverlayfsHandler, Virtio9pHandler, VirtioFsHandler};
+#[cfg(feature = "guest-pull")]
 use self::image_pull_handler::ImagePullHandler;
 use self::local_handler::LocalHandler;
 use crate::device::{
@@ -43,6 +43,7 @@ mod bind_watcher_handler;
 mod block_handler;
 mod ephemeral_handler;
 mod fs_handler;
+#[cfg(feature = "guest-pull")]
 mod image_pull_handler;
 mod local_handler;

@@ -150,6 +151,7 @@ lazy_static! {
        manager.add_handler(DRIVER_SCSI_TYPE, Arc::new(ScsiHandler{})).unwrap();
        manager.add_handler(DRIVER_VIRTIOFS_TYPE, Arc::new(VirtioFsHandler{})).unwrap();
        manager.add_handler(DRIVER_WATCHABLE_BIND_TYPE, Arc::new(BindWatcherHandler{})).unwrap();
+        #[cfg(feature = "guest-pull")]
        manager.add_handler(KATA_VIRTUAL_VOLUME_IMAGE_GUEST_PULL, Arc::new(ImagePullHandler{})).unwrap();
        manager
    };
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -17,6 +17,8 @@ RUST_VERSION="null"
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+# The kata agent enables guest-pull feature.
+PULL_TYPE=${PULL_TYPE:-default}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@@ -706,7 +708,7 @@ EOF
 			git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!"
 		fi
 		make clean
-		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY}
+		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} PULL_TYPE=${PULL_TYPE}
 		make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
 		if [ "${SECCOMP}" == "yes" ]; then
 			rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"