mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-06-24 06:27:39 +00:00
734ef71cf7
I've noticed the following error when running the tests with SEV: ``` 2025-01-21T17:10:28.7999896Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 2025-01-21T17:10:28.8000614Z # @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ 2025-01-21T17:10:28.8001217Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 2025-01-21T17:10:28.8001857Z # IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! 2025-01-21T17:10:28.8003009Z # Someone could be eavesdropping on you right now (man-in-the-middle attack)! 2025-01-21T17:10:28.8003348Z # It is also possible that a host key has just been changed. 2025-01-21T17:10:28.8004422Z # The fingerprint for the ED25519 key sent by the remote host is 2025-01-21T17:10:28.8005019Z # SHA256:x7wF8zI+LLyiwphzmUhqY12lrGY4gs5qNCD81f1Cn1E. 2025-01-21T17:10:28.8005459Z # Please contact your system administrator. 2025-01-21T17:10:28.8006734Z # Add correct host key in /home/kata/.ssh/known_hosts to get rid of this message. 2025-01-21T17:10:28.8007031Z # Offending ED25519 key in /home/kata/.ssh/known_hosts:178 2025-01-21T17:10:28.8007254Z # remove with: 2025-01-21T17:10:28.8008172Z # ssh-keygen -f "/home/kata/.ssh/known_hosts" -R "10.244.0.71" ``` And this was causing a failure to ssh into the confidential pod. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
54 lines
1.9 KiB
Bash
54 lines
1.9 KiB
Bash
#!/usr/bin/env bats
|
|
# Copyright 2022-2023 Advanced Micro Devices, Inc.
|
|
# Copyright 2023 Intel Corporation
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
load "${BATS_TEST_DIRNAME}/../../common.bash"
|
|
load "${BATS_TEST_DIRNAME}/confidential_common.sh"
|
|
load "${BATS_TEST_DIRNAME}/tests_common.sh"
|
|
|
|
setup() {
|
|
if ! is_confidential_hardware; then
|
|
skip "Test is supported only on confidential hardware (which ${KATA_HYPERVISOR} is not)"
|
|
fi
|
|
setup_unencrypted_confidential_pod
|
|
}
|
|
|
|
@test "Test unencrypted confidential container launch success and verify that we are running in a secure enclave." {
|
|
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}."
|
|
# Start the service/deployment/pod
|
|
kubectl apply -f "${pod_config_dir}/pod-confidential-unencrypted.yaml"
|
|
|
|
# Retrieve pod name, wait for it to come up, retrieve pod ip
|
|
pod_name=$(kubectl get pod -o wide | grep "confidential-unencrypted" | awk '{print $1;}')
|
|
|
|
# Check pod creation
|
|
kubectl wait --for=condition=Ready --timeout=$timeout pod "${pod_name}"
|
|
|
|
coco_enabled=""
|
|
for i in {1..6}; do
|
|
rm -f "${HOME}/.ssh/known_hosts"
|
|
if ! pod_ip=$(kubectl get pod -o wide | grep "confidential-unencrypted" | awk '{print $6;}'); then
|
|
warn "Failed to get pod IP address."
|
|
else
|
|
info "Pod IP address: ${pod_ip}"
|
|
coco_enabled=$(ssh -i ${SSH_KEY_FILE} -o "StrictHostKeyChecking no" -o "PasswordAuthentication=no" root@${pod_ip} "$(get_remote_command_per_hypervisor)" 2> /dev/null) && break
|
|
warn "Failed to connect to pod."
|
|
fi
|
|
sleep 5
|
|
done
|
|
[ -z "$coco_enabled" ] && die "Confidential compute is expected but not enabled."
|
|
info "ssh client output: ${coco_enabled}"
|
|
}
|
|
|
|
teardown() {
|
|
if ! is_confidential_hardware; then
|
|
skip "Test is supported only on confidential hardware (which ${KATA_HYPERVISOR} is not)"
|
|
fi
|
|
|
|
kubectl describe "pod/${pod_name}" || true
|
|
kubectl delete -f "${pod_config_dir}/pod-confidential-unencrypted.yaml" || true
|
|
}
|