From e698f49ef87ad73854f897b9931432eb4d2c8ee9 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Wed, 4 Dec 2024 14:18:21 +0100 Subject: [PATCH 1/4] platforms: introduce generic bare-metal platform Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- cli/genpolicy/config.go | 2 +- cli/main.go | 2 +- e2e/internal/contrasttest/contrasttest.go | 6 ++--- internal/kuberesource/parts.go | 22 ++++++++++++++----- internal/platforms/platforms.go | 14 +++++++++++- justfile | 10 ++++----- nodeinstaller/internal/constants/constants.go | 8 +++---- nodeinstaller/node-installer.go | 10 +++++++-- packages/by-name/contrast/package.nix | 4 ++++ 9 files changed, 55 insertions(+), 23 deletions(-) diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go index 19a5c07611..5b479580ea 100644 --- a/cli/genpolicy/config.go +++ b/cli/genpolicy/config.go @@ -43,7 +43,7 @@ func NewConfig(platform platforms.Platform) *Config { Settings: aksSettings, Bin: aksGenpolicyBin, } - case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: return &Config{ Rules: kataRules, Settings: kataSettings, diff --git a/cli/main.go b/cli/main.go index 54e3889e13..63cc5671b5 100644 --- a/cli/main.go +++ b/cli/main.go @@ -105,7 +105,7 @@ func buildVersionString() (string, error) { switch platform { case platforms.AKSCloudHypervisorSNP: fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.MicrosoftGenpolicyVersion) - case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.KataGenpolicyVersion) } } 
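Review bot: The case list `platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX` in NewConfig is hand-copied into buildVersionString in this same patch and again into contrasttest.go, constants.go, node-installer.go and the justfile, so the next platform has to be added at every site and a missed one silently takes the `default` branch (no genpolicy version line in buildVersionString, `unsupported platform` in NodeInstaller). Where the grouping really is the same, a predicate on the type in internal/platforms, e.g. `func (p Platform) UsesKataGenpolicy() bool`, would let these switches say what they mean and be maintained in one place; the node-installer restart switch groups Metal with AKS instead, so it would stay explicit. At minimum a comment above the case, `// Metal, K3s and RKE2 all use the kata genpolicy rules and settings`, tells the next maintainer why these five belong together. NewConfig starts outside the hunk.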
diff --git a/e2e/internal/contrasttest/contrasttest.go b/e2e/internal/contrasttest/contrasttest.go index 8b79e1547d..f169933f8c 100644 --- a/e2e/internal/contrasttest/contrasttest.go +++ b/e2e/internal/contrasttest/contrasttest.go @@ -196,7 +196,7 @@ func (ct *ContrastTest) patchReferenceValues(t *testing.T, platform platforms.Pl SNPVersion: toPtr(manifest.SVN(255)), MicrocodeVersion: toPtr(manifest.SVN(255)), } - case platforms.K3sQEMUSNP: + case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP: // The generate command doesn't fill in all required fields when // generating a manifest for baremetal SNP. Do that now. for i, snp := range m.ReferenceValues.SNP { @@ -206,7 +206,7 @@ func (ct *ContrastTest) patchReferenceValues(t *testing.T, platform platforms.Pl snp.MinimumTCB.MicrocodeVersion = toPtr(manifest.SVN(0)) m.ReferenceValues.SNP[i] = snp } - case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: // The generate command doesn't fill in all required fields when // generating a manifest for baremetal TDX. Do that now. for i, tdx := range m.ReferenceValues.TDX { @@ -366,7 +366,7 @@ func (ct *ContrastTest) FactorPlatformTimeout(timeout time.Duration) time.Durati switch ct.Platform { case platforms.AKSCloudHypervisorSNP: // AKS defined is the baseline return timeout - case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: return 2 * timeout default: return timeout diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go index 056aadb958..ee8c9ec210 100644 --- a/internal/kuberesource/parts.go +++ b/internal/kuberesource/parts.go 
@@ -110,12 +110,6 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle fmt.Sprintf("--nydus-overlayfs-path=/opt/edgeless/%s/bin/nydus-overlayfs", runtimeHandler), ) nydusSnapshotterVolumes := []*applycorev1.VolumeApplyConfiguration{ - Volume(). - WithName("var-lib-containerd"). - WithHostPath(HostPathVolumeSource(). - WithPath("/var/lib/rancher/k3s/agent/containerd"). - WithType(corev1.HostPathDirectory), - ), Volume(). WithName("var-lib-nydus-snapshotter"). WithHostPath(HostPathVolumeSource(). @@ -132,9 +126,25 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest" snapshotter = tardevSnapshotter snapshotterVolumes = tardevSnapshotterVolumes + case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX: + nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest" + snapshotter = nydusSnapshotter + nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume(). + WithName("var-lib-containerd"). + WithHostPath(HostPathVolumeSource(). + WithPath("/var/lib/containerd"). + WithType(corev1.HostPathDirectory), + )) + snapshotterVolumes = nydusSnapshotterVolumes case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX: nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest" snapshotter = nydusSnapshotter + nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume(). + WithName("var-lib-containerd"). + WithHostPath(HostPathVolumeSource(). + WithPath("/var/lib/rancher/k3s/agent/containerd"). + WithType(corev1.HostPathDirectory), + )) snapshotterVolumes = nydusSnapshotterVolumes default: return nil, fmt.Errorf("unsupported platform %q", platform) diff --git a/internal/platforms/platforms.go b/internal/platforms/platforms.go index 92966870c0..106f6f7330 100644 --- a/internal/platforms/platforms.go +++ b/internal/platforms/platforms.go 
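Review bot: The two `nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume()...` blocks in the Metal and K3s/RKE2 cases of the second hunk are identical except for the host path, and `/var/lib/containerd` is only containerd's default root; a bare-metal node whose containerd config sets a different root would presumably (the consumer of the volume is not visible here) get the wrong directory mounted without any error at install time. A small helper keeps the hostPath wiring in one place and leaves room to document the assumption next to each path; NodeInstaller starts outside the hunk.
```go
	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX:
		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
		snapshotter = nydusSnapshotter
		// Stock containerd: default root dir, must match the host's containerd config.
		nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, containerdRootVolume("/var/lib/containerd"))
		snapshotterVolumes = nydusSnapshotterVolumes
	case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX:
		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
		snapshotter = nydusSnapshotter
		// k3s-embedded containerd keeps its root under the agent directory.
		nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, containerdRootVolume("/var/lib/rancher/k3s/agent/containerd"))
		snapshotterVolumes = nydusSnapshotterVolumes
	// … unchanged: default case …

// containerdRootVolume returns the "var-lib-containerd" hostPath volume for the
// containerd root directory at path, as used by the nydus snapshotter volumes.
func containerdRootVolume(path string) *applycorev1.VolumeApplyConfiguration {
	return Volume().
		WithName("var-lib-containerd").
		WithHostPath(HostPathVolumeSource().
			WithPath(path).
			WithType(corev1.HostPathDirectory),
		)
}
```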
@@ -24,11 +24,15 @@ const ( K3sQEMUSNP // RKE2QEMUTDX represents a deployment with QEMU on bare-metal TDX RKE2. RKE2QEMUTDX + // MetalQEMUSNP is the generic platform for bare-metal SNP deployments. + MetalQEMUSNP + // MetalQEMUTDX is the generic platform for bare-metal TDX deployments. + MetalQEMUTDX ) // All returns a list of all available platforms. func All() []Platform { - return []Platform{AKSCloudHypervisorSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX} + return []Platform{AKSCloudHypervisorSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX, MetalQEMUSNP, MetalQEMUTDX} } // AllStrings returns a list of all available platforms as strings. @@ -51,6 +55,10 @@ func (p Platform) String() string { return "K3s-QEMU-SNP" case RKE2QEMUTDX: return "RKE2-QEMU-TDX" + case MetalQEMUSNP: + return "Metal-QEMU-SNP" + case MetalQEMUTDX: + return "Metal-QEMU-TDX" default: return "Unknown" } @@ -67,6 +75,10 @@ func FromString(s string) (Platform, error) { return K3sQEMUSNP, nil case "rke2-qemu-tdx": return RKE2QEMUTDX, nil + case "metal-qemu-snp": + return MetalQEMUSNP, nil + case "metal-qemu-tdx": + return MetalQEMUTDX, nil default: return Unknown, fmt.Errorf("unknown platform: %s", s) } diff --git a/justfile b/justfile index 58e10e9030..2aa4544397 100644 --- a/justfile +++ b/justfile @@ -47,7 +47,7 @@ node-installer platform=default_platform: just push "tardev-snapshotter" just push "node-installer-microsoft" ;; - "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") + "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") just push "nydus-snapshotter" just push "node-installer-kata" ;; 
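Review bot: The doc comments on the new constants, `// MetalQEMUSNP is the generic platform for bare-metal SNP deployments.`, do not say what distinguishes them from K3sQEMUSNP and RKE2QEMUTDX, which is the one thing a reader of this file needs; from the node-installer and kuberesource hunks of this patch the difference is a stock containerd (config under `/etc/containerd`, root under `/var/lib/containerd`, `containerd` host service) instead of the k3s/RKE2-embedded one, so `// MetalQEMUSNP is the generic bare-metal SNP platform: a stock containerd install rather than the k3s/RKE2-embedded containerd.` would pin that down. The const block, All(), String() and FromString() are four hand-maintained lists that this hunk extends separately; if there is not one already, a test asserting that every `p` in `All()` round-trips through `FromString(strings.ToLower(p.String()))` would catch the next time one list is missed (I cannot see whether FromString lower-cases its input; the existing cases are lowercase while String() returns mixed case, so match whatever it does).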
@@ -117,12 +117,12 @@ generate cli=default_cli platform=default_platform: # On baremetal SNP, we don't have default values for MinimumTCB, so we need to set some here. case {{ platform }} in - "K3s-QEMU-SNP") + "Metal-QEMU-SNP"|"K3s-QEMU-SNP") yq --inplace \ '.ReferenceValues.snp.[].MinimumTCB = {"BootloaderVersion":0,"TEEVersion":0,"SNPVersion":0,"MicrocodeVersion":0}' \ {{ workspace_dir }}/manifest.json ;; - "K3s-QEMU-TDX" | "RKE2-QEMU-TDX") + "Metal-QEMU-TDX"|"K3s-QEMU-TDX" | "RKE2-QEMU-TDX") yq --inplace \ '.ReferenceValues.tdx.[].MinimumTeeTcbSvn = "04010200000000000000000000000000" | .ReferenceValues.tdx.[].MrSeam = "1cc6a17ab799e9a693fac7536be61c12ee1e0fabada82d0c999e08ccee2aa86de77b0870f558c570e7ffe55d6d47fa04"' \ {{ workspace_dir }}/manifest.json @@ -186,7 +186,7 @@ create-pre platform=default_platform: # TODO(burgerdev): this should create the resource group for consistency : ;; - "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") + "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") : ;; "AKS-PEER-SNP") @@ -215,7 +215,7 @@ create platform=default_platform: "AKS-CLH-SNP") nix run -L .#scripts.create-coco-aks -- --name="$azure_resource_group" --location="$azure_location" ;; - "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") + "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX") : ;; "AKS-PEER-SNP") diff --git a/nodeinstaller/internal/constants/constants.go b/nodeinstaller/internal/constants/constants.go index be75b60c20..106bc70655 100644 --- a/nodeinstaller/internal/constants/constants.go +++ b/nodeinstaller/internal/constants/constants.go 
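Review bot: The pattern in the generate recipe mixes separators, `"Metal-QEMU-TDX"|"K3s-QEMU-TDX" | "RKE2-QEMU-TDX"`, while every other case in the file writes them without spaces; `"Metal-QEMU-TDX"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")` keeps it greppable alongside the other three lists in this file. The generate recipe continues outside the hunk.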
@@ -57,7 +57,7 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer config.Hypervisor["clh"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img") config.Hypervisor["clh"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")} config.Hypervisor["clh"]["enable_debug"] = debug - case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: if err := toml.Unmarshal([]byte(kataBareMetalQEMUTDXBaseConfig), &config); err != nil { return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err) } @@ -75,7 +75,7 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer if debug { config.Hypervisor["qemu"]["enable_debug"] = true } - case platforms.K3sQEMUSNP: + case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP: if err := toml.Unmarshal([]byte(kataBareMetalQEMUSNPBaseConfig), &config); err != nil { return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err) } @@ -129,11 +129,11 @@ func ContainerdRuntimeConfigFragment(baseDir, snapshotter string, platform platf cfg.Options = map[string]any{ "ConfigPath": filepath.Join(baseDir, "etc", "configuration-clh-snp.toml"), } - case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: cfg.Options = map[string]any{ "ConfigPath": filepath.Join(baseDir, "etc", "configuration-qemu-tdx.toml"), } - case platforms.K3sQEMUSNP: + case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP: cfg.Options = map[string]any{ "ConfigPath": filepath.Join(baseDir, "etc", "configuration-qemu-snp.toml"), } diff --git a/nodeinstaller/node-installer.go b/nodeinstaller/node-installer.go index 623813623a..158bbbca98 100644 --- a/nodeinstaller/node-installer.go +++ b/nodeinstaller/node-installer.go 
@@ -107,6 +107,12 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform, case platforms.AKSCloudHypervisorSNP: kataConfigPath = filepath.Join(kataConfigPath, "configuration-clh-snp.toml") containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml") + case platforms.MetalQEMUSNP: + kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-snp.toml") + containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml") + case platforms.MetalQEMUTDX: + kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-tdx.toml") + containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml") case platforms.K3sQEMUSNP: kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-snp.toml") containerdConfigPath = filepath.Join(hostMount, "var", "lib", "rancher", "k3s", "agent", "etc", "containerd", "config.toml.tmpl") @@ -139,7 +145,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform, } switch platform { - case platforms.AKSCloudHypervisorSNP: + case platforms.AKSCloudHypervisorSNP, platforms.MetalQEMUSNP, platforms.MetalQEMUTDX: return restartHostContainerd(containerdConfigPath, "containerd") case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP: if hostServiceExists("k3s") { @@ -206,7 +212,7 @@ func patchContainerdConfig(runtimeHandler, basePath, configPath string, platform case platforms.AKSCloudHypervisorSNP: snapshotterName = fmt.Sprintf("tardev-%s", runtimeHandler) socketName = fmt.Sprintf("/run/containerd/tardev-snapshotter-%s.sock", runtimeHandler) - case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX: + case platforms.MetalQEMUTDX, platforms.MetalQEMUSNP, platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX: snapshotterName = fmt.Sprintf("nydus-%s", runtimeHandler) socketName = fmt.Sprintf("/run/containerd/containerd-nydus-grpc-%s.sock", runtimeHandler) 
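Review bot: In the restart switch the Metal platforms are folded into the AKS case, `return restartHostContainerd(containerdConfigPath, "containerd")`, which assumes a host service literally named `containerd`; the K3s branch right below guards its assumption with `hostServiceExists("k3s")`, and on a generic bare-metal node that assumption is the one most likely to be wrong. Unless restartHostContainerd already checks for the unit (it is outside the hunk), give Metal its own case with the same guard so a misnamed or missing service fails with a clear error instead of a restart of nothing. In the first hunk the two Metal cases also repeat `containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml")`, which is AKS's value too; a comment `// stock containerd config, unlike the k3s/RKE2 template below` would explain the split from the `.tmpl` paths. run starts and ends outside the hunk.
```go
	switch platform {
	case platforms.AKSCloudHypervisorSNP:
		return restartHostContainerd(containerdConfigPath, "containerd")
	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX:
		// Generic bare metal: the installer assumes a host containerd service it can restart.
		if !hostServiceExists("containerd") {
			return fmt.Errorf("platform %q needs a host containerd service to restart", platform)
		}
		return restartHostContainerd(containerdConfigPath, "containerd")
	// … unchanged: K3s and RKE2 cases …
```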
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index cd426b2e27..463822aab2 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -52,8 +52,10 @@ let "contrast-cc-${platform}-${builtins.substring 0 8 (builtins.readFile hashFile)}"; aks-clh-snp-handler = runtimeHandler "aks-clh-snp" microsoft.contrast-node-installer-image.runtimeHash; + metal-qemu-tdx-handler = runtimeHandler "metal-qemu-tdx" kata.contrast-node-installer-image.runtimeHash; k3s-qemu-tdx-handler = runtimeHandler "k3s-qemu-tdx" kata.contrast-node-installer-image.runtimeHash; rke2-qemu-tdx-handler = runtimeHandler "rke2-qemu-tdx" kata.contrast-node-installer-image.runtimeHash; + metal-qemu-snp-handler = runtimeHandler "metal-qemu-snp" kata.contrast-node-installer-image.runtimeHash; k3s-qemu-snp-handler = runtimeHandler "k3s-qemu-snp" kata.contrast-node-installer-image.runtimeHash; aksRefVals = { @@ -128,8 +130,10 @@ let builtins.toFile "reference-values.json" ( builtins.toJSON { "${aks-clh-snp-handler}" = aksRefVals; + "${metal-qemu-tdx-handler}" = tdxRefVals; "${k3s-qemu-tdx-handler}" = tdxRefVals; "${rke2-qemu-tdx-handler}" = tdxRefVals; + "${metal-qemu-snp-handler}" = snpRefVals; "${k3s-qemu-snp-handler}" = snpRefVals; } ); From 161418d2352ec271b0ed82a317175e2b09982ffa Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:30:45 +0100 Subject: [PATCH 2/4] kata.kata-runtime: drop OCI version check from policy 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- ...y-rules-remove-check-for-OCI-version.patch | 24 +++++++++++++++ ...-genpolicy-settings-bump-OCI-version.patch | 30 ------------------- ...gs-change-cpath-for-Nydus-guest-pull.patch | 2 +- ...009-genpolicy-allow-image_guest_pull.patch | 14 ++++----- ...port-mount-propagation-and-ro-mounts.patch | 4 +-- .../by-name/kata/kata-runtime/package.nix | 11 ++++--- 6 files changed, 41 insertions(+), 44 deletions(-) create mode 100644 packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch delete mode 100644 packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch new file mode 100644 index 0000000000..b7052cda3a --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch 
@@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paul Meyer <49727155+katexochen@users.noreply.github.com> +Date: Fri, 6 Dec 2024 15:16:45 +0100 +Subject: [PATCH] genpolicy/rules: remove check for OCI version + +Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> +--- + src/tools/genpolicy/rules.rego | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego +index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..c8de30897a01a0de49b99587c7e12ef534c353bc 100644 +--- a/src/tools/genpolicy/rules.rego ++++ b/src/tools/genpolicy/rules.rego +@@ -71,9 +71,6 @@ CreateContainerRequest { + + p_oci := p_container.OCI + +- print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) +- p_oci.Version == i_oci.Version +- + print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) + p_oci.Root.Readonly == i_oci.Root.Readonly + diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch deleted file mode 100644 index b1dbf4c31c..0000000000 --- a/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch +++ /dev/null 
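Review bot: Dropping `p_oci.Version == i_oci.Version` from CreateContainerRequest means the policy no longer pins which OCI spec revision the incoming spec claims to follow, so the remaining rules must be complete for every spec field the agent accepts, including fields a newer revision adds that `rules.rego` does not enumerate; the package.nix comment in this same commit records that as a TODO, but nothing here adds a compensating check. The replaced patch existed because, per its description, K3s ships OCI 1.2.0 against Kata's hard-coded 1.1.0, so the patch description should state which rule (`allow_create_container_input`, touched by 0012, appears to be where the input spec is constrained, but I cannot see its full body) is relied on to reject unknown input, so the coverage claim can be reviewed. The removed `print` line also takes the version out of the agent's policy log; if it is useful for forensics, `print("CreateContainerRequest: i Version =", i_oci.Version)` keeps the evidence without the brittle equality.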
@@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Markus Rudy -Date: Wed, 24 Jul 2024 11:16:37 +0200 -Subject: [PATCH] genpolicy-settings: bump OCI version - -Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. ---- - src/tools/genpolicy/genpolicy-settings.json | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index e50d5e545e3fe42db486771345310d4c2157be2f..fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e 100644 ---- a/src/tools/genpolicy/genpolicy-settings.json -+++ b/src/tools/genpolicy/genpolicy-settings.json -@@ -312,7 +312,7 @@ - }, - "kata_config": { - "confidential_guest": false, -- "oci_version": "1.1.0" -+ "oci_version": "1.2.0" - }, - "cluster_config": { - "default_namespace": "default", -@@ -348,4 +348,4 @@ - "UpdateEphemeralMountsRequest": false, - "WriteStreamRequest": false - } --} -\ No newline at end of file -+} diff --git a/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch index 1b2a2f104f..e0176763d1 100644 --- a/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch +++ b/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch @@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e..4e9f6481d649fc45716f182c394f38059792eb91 100644 +index e50d5e545e3fe42db486771345310d4c2157be2f..d2d1511ae75d56c4f39915515343b2cd20d9d65a 100644 --- a/src/tools/genpolicy/genpolicy-settings.json 
+++ b/src/tools/genpolicy/genpolicy-settings.json @@ -243,7 +243,7 @@ diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch index 5060d3259c..c3536db09b 100644 --- a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch +++ b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch @@ -26,7 +26,7 @@ don't even bother handling that case. create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0da9967dea 100644 +index d2d1511ae75d56c4f39915515343b2cd20d9d65a..ef20413eacc029d4fcb0b1d2f538a13314a25670 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -148,7 +148,7 @@ @@ -39,10 +39,10 @@ index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0d "source": "local", "fstype": "local", diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b29fdcfbdb 100644 +index c8de30897a01a0de49b99587c7e12ef534c353bc..b9cf357508e632b2d64a5332a3c4e7a6442852de 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego -@@ -80,7 +80,7 @@ CreateContainerRequest { +@@ -77,7 +77,7 @@ CreateContainerRequest { allow_anno(p_oci, i_oci) p_storages := p_container.storages 
@@ -51,7 +51,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 p_devices := p_container.devices allow_devices(p_devices, i_devices) -@@ -160,47 +160,48 @@ allow_anno_key(i_key, p_oci) { +@@ -157,47 +157,48 @@ allow_anno_key(i_key, p_oci) { # Get the value of the "io.kubernetes.cri.sandbox-name" annotation and # correlate it with other annotations and process fields. @@ -108,7 +108,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 allow_process(p_oci, i_oci, s_name) print("allow_by_sandbox_name: true") -@@ -506,11 +507,12 @@ allow_linux_sysctl(p_linux, i_linux) { +@@ -503,11 +504,12 @@ allow_linux_sysctl(p_linux, i_linux) { # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" # and io.kubernetes.cri.sandbox-id" values with other fields. @@ -122,7 +122,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 p_regex := p_oci.Annotations[key] sandbox_id := i_oci.Annotations[key] -@@ -530,8 +532,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { +@@ -527,8 +529,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { allow_mount(p_oci, i_mount, bundle_id, sandbox_id) } @@ -132,7 +132,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 print("allow_by_bundle_or_sandbox_id: true") } -@@ -829,30 +830,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { +@@ -826,30 +827,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { ###################################################################### # Create container Storages diff --git a/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch b/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch index 85efbd904d..094e8e4f8b 100644 
--- a/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch +++ b/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch @@ -9,10 +9,10 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 44af45437f550877652c33019f42b0b29fdcfbdb..823e5e76d55bac47ad9c79d8916f92702efa316d 100644 +index b9cf357508e632b2d64a5332a3c4e7a6442852de..6cabea53a52c2e0b9b52a086d166613d3440d5c4 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego -@@ -105,7 +105,8 @@ allow_create_container_input { +@@ -102,7 +102,8 @@ allow_create_container_input { count(i_linux.GIDMappings) == 0 count(i_linux.MountLabel) == 0 count(i_linux.Resources.Devices) == 0 diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix index 404a0d528c..c7e0c521af 100644 --- a/packages/by-name/kata/kata-runtime/package.nix +++ b/packages/by-name/kata/kata-runtime/package.nix 
@@ -53,10 +53,13 @@ buildGoModule rec { # Contrast specific layer-src-prefix, also applied to microsoft.kata-runtime. # TODO(burgerdev): discuss relaxing the checks for host paths with Kata maintainers. ./0006-genpolicy-regex-check-contrast-specific-layer-src-pr.patch - # Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. - # TODO(burgerdev): discuss relaxing the OCI version checks with Kata maintainers. - # TODO(burgerdev): move to genpolicy-settings patches - ./0007-genpolicy-settings-bump-OCI-version.patch + # An attacker can set any OCI version they like, so we can't rely on it. + # The policy must be secure no matter what OCI version is communicated. + # TODO(kateoxchen): upstream. See https://github.com/kata-containers/kata-containers/issues/10632. + # TODO(katexochen): Additional security measures should be taken to ensure the OCI + # version is the same well use to create the container and the policy covers all the + # fields of the spec. + ./0007-genpolicy-rules-remove-check-for-OCI-version.patch # Nydus uses a different base dir for container rootfs, # see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139. # TODO(burgerdev): discuss the discrepancy and path forward with Kata maintainers. From adc1afcf23bab1a3040e18336c84ff5ca8478aa3 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:31:48 +0100 Subject: [PATCH 3/4] coordinator: decrease log level on unset manifest Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- coordinator/internal/authority/credentials.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coordinator/internal/authority/credentials.go b/coordinator/internal/authority/credentials.go index 80107f4304..08a64d7dad 100644 --- a/coordinator/internal/authority/credentials.go +++ b/coordinator/internal/authority/credentials.go 
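Review bot: The new comment spells the TODO owner two ways, `TODO(kateoxchen)` on one line and `TODO(katexochen)` on the next (the commit author is katexochen); TODO owners get grepped, so the misspelled one is effectively orphaned. `the same well use` should read `the same we'll use`. The rationale could also name the residual risk directly: `# The agent accepts whatever OCI version the host writes into the spec, so the policy must not depend on it; the rules have to cover every spec field regardless of version.` The enclosing patch list starts and ends outside the hunk.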
@@ -69,7 +69,7 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A log := c.logger.With("peer", rawConn.RemoteAddr()) state, err := c.getState() if err != nil { - log.Error("Could not get manifest state to validate peer", "error", err) + log.Warn("Could not get manifest state to validate peer", "error", err) return nil, nil, fmt.Errorf("getting state: %w", err) } From 2e123741e8a83f96a989918ade6cbcbbf836ef5a Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:34:41 +0100 Subject: [PATCH 4/4] attestation/snp: use context with timeout on THIM request Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- internal/attestation/snp/issuer/issuer.go | 4 ++-- internal/attestation/snp/issuer/thim.go | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/internal/attestation/snp/issuer/issuer.go b/internal/attestation/snp/issuer/issuer.go index e4f4b45211..532fc445eb 100644 --- a/internal/attestation/snp/issuer/issuer.go +++ b/internal/attestation/snp/issuer/issuer.go @@ -44,7 +44,7 @@ func (i *Issuer) OID() asn1.ObjectIdentifier { } // Issue the attestation document. -func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (res []byte, err error) { +func (i *Issuer) Issue(ctx context.Context, ownPublicKey []byte, nonce []byte) (res []byte, err error) { i.logger.Info("Issue called") defer func() { if err != nil { @@ -71,7 +71,7 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re // Get cert chain from THIM var certChain *spb.CertificateChain - thimRaw, err := i.thimGetter.GetCertification() + thimRaw, err := i.thimGetter.GetCertification(ctx) if err != nil { i.logger.Info("Could not retrieve THIM certification", "error", err) } else { diff --git a/internal/attestation/snp/issuer/thim.go b/internal/attestation/snp/issuer/thim.go index 94b4ca8b91..6564f24c92 100644 
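Review bot: `log.Warn` now applies to every error from `c.getState()`, not only the unset-manifest case the commit title names, so a genuine failure to read coordinator state (whatever getState can fail with; it is outside the hunk) is logged at the same level as the expected pre-manifest handshakes and may drop below alerting thresholds. If getState returns a sentinel for the unset case, branch on it, e.g. `if errors.Is(err, <unset-manifest sentinel>) { log.Warn(...) } else { log.Error(...) }`; otherwise a comment above the log call should say why Warn is right for all of them. The handshake is still rejected either way, which is the correct fail-closed behavior; ServerHandshake starts and ends outside the hunk.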
--- a/internal/attestation/snp/issuer/thim.go +++ b/internal/attestation/snp/issuer/thim.go @@ -4,6 +4,7 @@ package issuer import ( + "context" "encoding/json" "encoding/pem" "fmt" @@ -78,7 +79,7 @@ func NewTHIMGetter(httpClient httpClient) *THIMGetter { } // GetCertification returns the THIM certification. -func (t *THIMGetter) GetCertification() (THIMSNPCertification, error) { +func (t *THIMGetter) GetCertification(ctx context.Context) (THIMSNPCertification, error) { // Return cached response if it is still valid. if cached := t.getCached(); cached != nil { var certification THIMSNPCertification @@ -102,7 +103,9 @@ func (t *THIMGetter) GetCertification() (THIMSNPCertification, error) { "Metadata": {"true"}, }, } - resp, err := t.httpClient.Do(req) + reqCtx, cancel := context.WithTimeout(ctx, 3*time.Second) + defer cancel() + resp, err := t.httpClient.Do(req.WithContext(reqCtx)) if err != nil { return THIMSNPCertification{}, fmt.Errorf("getting THIM certification: %w", err) }
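Review bot: The `3*time.Second` in `context.WithTimeout(ctx, 3*time.Second)` is a tuning knob buried in the request path; lift it to a package constant, `const thimRequestTimeout = 3 * time.Second // bound the THIM round trip so a stuck request cannot stall attestation`, and pass that. `req.WithContext(reqCtx)` shallow-copies a request that was already built; if `req` comes from `http.NewRequest` (its construction is above the hunk), `http.NewRequestWithContext(reqCtx, ...)` avoids the copy and puts the deadline where the request is assembled. Because `cancel` is deferred to function return, the deadline also covers reading the response body, which is what you want here and is worth a one-line comment so nobody moves `cancel()` up. `time` is not added in the import hunk, so it must already be imported for the cache-validity check; GetCertification ends outside the hunk.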