genpolicy: add utility script for containerd pull #213
base: msft-main
Conversation
Useful for debugging. Signed-off-by: Dan Mihai <[email protected]>
Useful for debugging. Signed-off-by: Dan Mihai <[email protected]>
Make sure the hash of an incoming Policy matches the value of the SNP Host Data field. The value of Host Data will be validated through Remote Attestation, outside of this patch. Signed-off-by: Dan Mihai <[email protected]>
There are 10 segments in the ACPI tables, and CLH works better when it uses all of them. Signed-off-by: Dan Mihai <[email protected]>
When a request cannot be evaluated to true, OPA can return an empty response. It doesn't respond with "response = false" unless a default value of false has been defined. Handle empty responses the same way as "response = false", thus allowing users to bypass those responses by using AllowRequestsFailingPolicy := true. Signed-off-by: Dan Mihai <[email protected]>
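The behaviour this commit message describes, as an added illustration that is not the kata agent's own code: OPA's REST data API answers a query whose result is undefined (no rule evaluated to true and no `default` was declared) with an empty JSON object rather than `{"result": false}`, so the decision logic has to treat the missing key as a denial that only `AllowRequestsFailingPolicy` may override. The function name, the sample Rego in the comments and the sample replies are assumptions constructed for this example.

```python
import json


def opa_allows(response_body: str, allow_requests_failing_policy: bool = False) -> bool:
    """Turn an OPA data-API reply into an allow/deny decision.

    Constructed sample policy this models (not evaluated here):
        package agent_policy
        CreateContainerRequest { input.OCI.Process.Terminal == false }
    Without `default CreateContainerRequest := false`, a request whose
    Terminal field is true makes OPA reply `{}` instead of
    `{"result": false}`; both must be treated as "policy failed".
    """
    try:
        body = json.loads(response_body)
    except json.JSONDecodeError:
        body = None  # malformed reply: fail closed, same as a denial

    result = body.get("result") if isinstance(body, dict) else None
    if result is True:
        return True
    # False, absent (empty response) or an unexpected type all fail the
    # policy; only the explicit bypass setting lets the request through.
    return allow_requests_failing_policy


# Constructed sample replies as OPA would send them for the policy above.
SAMPLE_REPLIES = {
    "terminal_false": '{"result": true}',
    "terminal_true_with_default": '{"result": false}',
    "terminal_true_no_default": '{}',
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, "->", opa_allows(reply), "/ with bypass:", opa_allows(reply, True))
```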
This is needed when enabling dm-verity. `udevd` reads kernel uevents that announce the creation of `/dev/dm-XXX` devices, and then creates devices with the actual names under `/dev/mapper/`. Signed-off-by: Wedson Almeida Filho <[email protected]>
This allows us to avoid repeating paths when they're the same. Signed-off-by: Wedson Almeida Filho <[email protected]>
This replicates Wedson's changes in 0935263 in a way that is aligned with the upstream implementation introduced in kata-containers#7200. NOTE: This will require compiling the runtime with DEFSHAREDFS_CLH_SNP_VIRTIOFS=none.
Upstream now uses the new DEFSTATICRESOURCEMGMT_TEE variable to set static resource management for TEEs so we align on that. It's true by default so we don't have to update our build script for this. NOTE: For non-tee CH, upstream now uses DEFSTATICRESOURCEMGMT_CLH (already in our codebase) instead of DEFSTATICRESOURCEMGMT. It's still false by default so we WILL have to update our build script for this one.
The layer string is now base64-encoded, so decode it before inspecting the fields. Signed-off-by: Wedson Almeida Filho <[email protected]>
Newer versions of depmod are failing without the -a option. They get confused with the kernel version and expect it to start with a slash: depmod: FATAL: modules: not absolute path. Signed-off-by: Wedson Almeida Filho <[email protected]>
This allows the agent to ensure the integrity of the device. Signed-off-by: Wedson Almeida Filho <[email protected]>
This allows snapshotters to skip the path to layers. They can, naturally, still specify the full path to other locations when needed. Signed-off-by: Wedson Almeida Filho <[email protected]>
This allows us to tell, from the error, what the agent was attempting to do with the devicemapper. Signed-off-by: Wedson Almeida Filho <[email protected]>
This is so that dependents are removed first, so that dependencies don't have references anymore when they're unmounted. Signed-off-by: Wedson Almeida Filho <[email protected]>
- Add missing systemd command line parameters for initrd images
An upstream change in CBL-Mariner now requires the UVM to have the zstd-libs package as a dependency of systemd
Pick up genpolicy improvements from the main branch. Signed-off-by: Dan Mihai <[email protected]>
Allow genpolicy to process Pod YAML files including topologySpreadConstraints. Signed-off-by: Dan Mihai <[email protected]>
Add Policy doc. Signed-off-by: Dan Mihai <[email protected]>
This partially applies 2b5c84b. Adding SNP template for config, and values to the runtime makefile to generate the output toml. Based on [Joana's SNP Guide](https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md). Signed-Off-By: Alex Carter <[email protected]> Signed-Off-By: Aurelien Bombo <[email protected]>
This is so that file systems don't fail when we pass kata-specific options from the snapshotter to kata. We already had this upstreamed in kata-containers@6163c35, however upstream broke us in kata-containers@8392c71: `parse_mount_flags_and_options()` was replaced with a new function `parse_mount_options()` which didn't take `io.katacontainers.*` options into account.
* WIP almost compiles * Add special fields * remove dependency on /protocol * Remove special fields * renamy my_agent to agent * clean up * update busybox sample * remove unused struct
containerd needs this in some cases when using volume mounts, so implement it to unblock containerd. Signed-off-by: Wedson Almeida Filho <[email protected]>
genpolicy: add persistent storage support for stateful sets
Add common images category Signed-off-by: Saul Paredes <[email protected]>
The two samples define Pod overhead values. When testing these samples on clusters where different podOverhead values are defined by the respective runtime classes, the tests fail as the values need to match, see: /plugin/pkg/admission/runtimeclass/admission.go in the kubernetes GitHub repository. Hence, removing the overhead definitions. Re-ran update_policy_samples.py. No change. Signed-off-by: Manuel Huber <[email protected]>
samples: add common images category
genpolicy: update policy samples
For docker-based builds only install Rust when necessary. Further, execute the detect Rust version check only when intending to install Rust. As of today, this is the case when we intend to build the agent during rootfs build. Signed-off-by: Manuel Huber <[email protected]>
We set the VERSION variable consistently across Makefiles to 'unknown' if the file is empty or not present. We also use git commands consistently for calculating the COMMIT, COMMIT_NO variables, not erroring out when building outside of a git repository. In create_summary_file we also account for a missing/empty VERSION file. This makes e.g. the UVM build process in an environment where we build outside of git with a minimal/reduced set of files smoother. Signed-off-by: Manuel Huber <[email protected]>
Avoid hitting docker.io by using mcr.microsoft.com/acc/samples/acc-perl:1.0. Signed-off-by: Dan Mihai <[email protected]>
samples: change job.yaml to an mcr container image
Add the new category for tests we want to run genpolicy against, but not run them in deployments (as the name suggests, we cannot run those). Signed-off-by: Manuel Huber <[email protected]>
samples: introduce incomplete_init category
Cherry-pick upstream PR kata-containers#9825: osbuilder: allow rootfs builds w/o git or version file deps
- Support for Mariner 3 builds using OS_VERSION variable - Improvements to IGVM build process and flow as described in README - Adoption of using only cloud-hypervisor-cvm on CBL-Mariner Signed-off-by: Manuel Huber <[email protected]>
tools: Improve igvm-builder and node-builder/azure-linux scripting
At the moment, we have circular dependencies between tardev-snapshotter.service and containerd.service. Specifically, containerd.service needs tardev-snapshotter.service to run any CC pods, while tardev-snapshotter.service needs containerd.service to download image layers. This dependency will be eliminated once we switch to using remote-snapshotter. Currently, tardev-snapshotter.service's binding to containerd.service gets delayed, and we won't be able to run any CC pods until the boot process is completed. It doesn't matter which service starts first. Based on the current logic, it makes more sense to use WantedBy=kubelet.service in tardev-snapshotter.service, as we won't be able to start any CC pods without kubelet. In the future, once tardev-snapshotter becomes a remote snapshotter again, it will make more sense to use WantedBy=containerd.service. Signed-off-by: Mitch Zhu <[email protected]>
tardev: update tardev-snapshotter.service
Use container image sources from ACR/MCR. Signed-off-by: Manuel Huber <[email protected]>
samples: reduce dependencies to docker hub
Add script that helps adapt containerd and docker config for containerd pull feature to work as expected. Signed-off-by: Saul Paredes <[email protected]>
Force-pushed the branch from c36d773 to 7f872b1
You may specify `-d` to use existing `containerd` installation as image manager. This method supports a wider set of images (e.g., older images with `v1` manifest). Needs `sudo` permission to access socket - e.g., | ||
# Use containerd to pull and manage images (required for managed identity based authentication) | ||
|
||
Prereq: This features needs to run the following script to adapt your docker and containerd config (needs `sudo` access): |
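Review bot: in the "Prereq:" line, "This features needs to run" should read "This feature needs you to run"; and because the script rewrites containerd and docker configuration with `sudo`, this paragraph should name the files it modifies so that users can back them up and review the resulting changes before running it.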
I think these changes are too intrusive to push average users to use this script.
For average users, I would prefer a list of steps in an MD file - similar to the steps from https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/containerd-kata.md. Also, I would like to update such doc Upstream instead of pushing just MSFT users in this direction.
But let's talk with other folks in our team too - maybe they have different opinions.
I agree it's too much to require them to use this. This might exist for users that don't feel like doing all these steps, but they are also welcome to do them on their own. I'll add better instructions to the MD, and open a PR upstream with all squashed changes
I disagree with:
- Calling this script a prerequisite. We should say something like: "if you need help with your containerd settings, see this doc for related tips".
- Hiding a bunch of details in a script. Users that want to perform these steps should review the doc and perform just those steps that look reasonable to them.
Signed-off-by: Saul Paredes <[email protected]>
Add guide on how to setup containerd and docker for genpolicy containerd pull feature. Signed-off-by: Saul Paredes <[email protected]>
@@ -0,0 +1,96 @@ | |||
# Manual Steps for Setting Up Containerd and Docker for Genpolicy Tool |
The name of this doc should include "genpolicy".
sudo apt-get install -y containerd | ||
``` | ||
|
||
#### Using `tdnf` (for Photon OS-based systems) |
This is not an automated script, so it's OK to keep just the Ubuntu example. That's one advantage of providing a doc instead a script.
## Steps | ||
|
||
### 1. Install Containerd | ||
|
Add the OS version that you used for testing - because other versions might not work, and that's OK.
|
||
The socket file is usually `/run/containerd/containerd.sock` or `/var/run/containerd/containerd.sock` | ||
|
||
### 6. Fix Containerd Socket File Permissions |
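Review bot: the heading "6. Fix Containerd Socket File Permissions" presents the socket's default mode as a defect; whoever can write to `/run/containerd/containerd.sock` can start privileged containers on the host, so the step should prefer adding the genpolicy user to the group that owns the socket over widening its mode, and the doc should state that trade-off next to the command.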
This is not a "fix" - it's just something that might be useful for genpolicy users.
Merge Checklist
- upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
Add script that helps adapt containerd and docker config for containerd pull feature to work as expected.
Test Methodology
Tested locally that I'm able to authenticate to private registry after running the script