github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-26 15:32:30 +00:00
Code Issues Projects Releases Wiki Activity

agent:rpc: Refactor CDH-related operations

Browse Source 
Refactor CDH-related operations into the cdh_handler function to make the `create_container` code clearer.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
This commit is contained in:
ChengyuZhu6 2024-09-30 12:07:46 +08:00
parent 31e09058af
commit fe307303c8
1 changed files with 71 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
src/agent/src/rpc.rs
View File

@ -224,76 +224,7 @@ impl AgentService {
// cannot predict everything from the caller. // cannot predict everything from the caller.
add_devices(&sl(), &req.devices, &mut oci, &self.sandbox).await?; add_devices(&sl(), &req.devices, &mut oci, &self.sandbox).await?;
let process = oci cdh_handler(&mut oci).await?;
.process_mut()
.as_mut()
.ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
if cdh::is_cdh_client_initialized().await {
if let Some(envs) = process.env_mut().as_mut() {
for env in envs.iter_mut() {
match cdh::unseal_env(env).await {
Ok(unsealed_env) => *env = unsealed_env.to_string(),
Err(e) => {
warn!(sl(), "Failed to unseal secret: {}", e)
}
}
}
}
}
let mounts = oci
.mounts_mut()
.as_mut()
.ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?;
if cdh::is_cdh_client_initialized().await {
for m in mounts.iter_mut() {
if m.destination().starts_with("/sealed") {
info!(
sl(),
"sealed mount destination: {:?} source: {:?}",
m.destination(),
m.source()
);
if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) {
cdh::unseal_file(source_str).await?;
} else {
warn!(sl(), "Failed to unseal: Mount source is None or invalid");
}
}
}
}
let linux = oci
.linux()
.as_ref()
.ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
if cdh::is_cdh_client_initialized().await {
if let Some(devices) = linux.devices() {
for specdev in devices.iter() {
if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
let secure_storage_integrity =
AGENT_CONFIG.secure_storage_integrity.to_string();
info!(
sl(),
"trusted_store device major:min {}, enable data integrity {}",
dev_major_minor,
secure_storage_integrity
);
let options = std::collections::HashMap::from([
("deviceId".to_string(), dev_major_minor),
("encryptType".to_string(), "LUKS".to_string()),
("dataIntegrity".to_string(), secure_storage_integrity),
]);
cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR)
.await?;
break;
}
}
}
}
// Both rootfs and volumes (invoked with --volume for instance) will // Both rootfs and volumes (invoked with --volume for instance) will
// be processed the same way. The idea is to always mount any provided // be processed the same way. The idea is to always mount any provided
@ -2115,6 +2046,76 @@ fn load_kernel_module(module: &protocols::agent::KernelModule) -> Result<()> {
} }
} }
async fn cdh_handler(oci: &mut Spec) -> Result<()> {
if !cdh::is_cdh_client_initialized().await {
return Ok(());
}
let process = oci
.process_mut()
.as_mut()
.ok_or_else(|| anyhow!("Spec didn't contain process field"))?;
if let Some(envs) = process.env_mut().as_mut() {
for env in envs.iter_mut() {
match cdh::unseal_env(env).await {
Ok(unsealed_env) => *env = unsealed_env.to_string(),
Err(e) => {
warn!(sl(), "Failed to unseal secret: {}", e)
}
}
}
}
let mounts = oci
.mounts_mut()
.as_mut()
.ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?;
for m in mounts.iter_mut() {
if m.destination().starts_with("/sealed") {
info!(
sl(),
"sealed mount destination: {:?} source: {:?}",
m.destination(),
m.source()
);
if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) {
cdh::unseal_file(source_str).await?;
} else {
warn!(sl(), "Failed to unseal: Mount source is None or invalid");
}
}
}
let linux = oci
.linux()
.as_ref()
.ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
if let Some(devices) = linux.devices() {
for specdev in devices.iter() {
if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
info!(
sl(),
"trusted_store device major:min {}, enable data integrity {}",
dev_major_minor,
secure_storage_integrity
);
let options = std::collections::HashMap::from([
("deviceId".to_string(), dev_major_minor),
("encryptType".to_string(), "LUKS".to_string()),
("dataIntegrity".to_string(), secure_storage_integrity),
]);
cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
break;
}
}
}
Ok(())
}
#[cfg(test)] #[cfg(test)]
#[allow(dead_code)] #[allow(dead_code)]
mod tests { mod tests {