CDH | add image pull API #608
Conversation
|
Do you think we should do this before doing encryped/signed images in Kata? Also, are we going to run into problems here if we don't have init-data supported? I saw you mentioned some problems with provisioning the config file on your encrypted image PR. |
|
@fitzthum Before initdata is implemented, the config for CDH is hard to inject so we might need to wait for that. So logically we might still merge to main with what we are doing, and then initdata, and then this PR and move things to CDH in kata. |
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
4e1d4d3
to
e021335
Compare
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
from
e021335
to
2a5588e
Compare
|
Ok, for image decryption, it does not work because some dead lock happens inside ocicrypt-rs. let me try to refactor some code inside ocicrypt-rs to make it work |
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
4f9c7ca
to
e23effe
Compare
| @@ -37,7 +37,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> { | |||
| .include("src/utils") | |||
| .rust_protobuf() | |||
| .customize(ttrpc_codegen::Customize { | |||
| async_all: true, | |||
| async_all: false, | |||
There was a problem hiding this comment.
Hi @arronwy , I changed the ttrpc client to sync here. Please take a look if it is good to you
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
1017c52
to
1b8e10c
Compare
Xynnn007
requested review from
sameo,
jiangliu,
arronwy,
lumjjb and
jialez0
as code owners
|
Sorry to ping, now it passes! Hi @fitzthum @stevenhorsman I think this is now ready for review. |
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
c808e1d
to
64255ea
Compare
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
from
64255ea
to
3de4344
Compare
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
17710a4
to
c9fbddd
Compare
|
cc @bpradipt |
|
I think an error below for s390x looks legit: Thanks! |
this error is not related to this PR. Probably we could fix it in another pr then |
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
2 times, most recently
from
316ac26
to
3fd0233
Compare
There was a problem hiding this comment.
A few more comments. These are mainly about the config file. I think we can take this opportunity to clarify a lot of our parameter names.
We should also make sure we have really clear documentation of all the parameters either in the source or in the sample config.
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
4 times, most recently
from
6cd213a
to
0c02ec5
Compare
|
@fitzthum I changed the config names, ptal |
There was a problem hiding this comment.
Looking good. I appreciate the changes to the config. I think combining the flags to enable the features with the URIs was a good idea.
I have a few more comments. Let's just try to settle on the names for the parameters. We can tweak the descriptions in a follow-up.
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
from
0c02ec5
to
a83b1f2
Compare
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
from
a83b1f2
to
3190f33
Compare
|
Just did a rebase to resolve conflicts. |
|
|
||
| if let Some(number) = config.image.max_concurrent_layer_downloads_per_image { | ||
| image_client.config.max_concurrent_download = number; | ||
| } |
There was a problem hiding this comment.
Do you think it would make sense to move this logic into the initializer for the image_client (and pass config.image into that) rather than putting all this image-specific stuff in this function?
There was a problem hiding this comment.
There are some barriers because the parameters is different from image-rs's. If you are worrying about the exposion of the args of iamge_client, we can add a Builder logic to ImageClient. If you are worrying about the duplication of settings, we could do a refactoring upon image-rs to have a ClientBuilder logic to make it better.
wdyt?
There was a problem hiding this comment.
I guess the fundamental issue is duplication. We have configs for image-rs but we also have the image config for the CDH. Ideally those might be the same thing, which would simplify this code. That would take some messing around, though, so we can skip it for now.
This commit adds a new API `pull_image()` for Confidential DataHub. This new api will converge all operations related to image pull to one API, hinting that image signature validation, auth file retrievement, security policy enforcement will all be done inside CDH. Related configurations is included in CDH's config.image item. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
actions-rs/toolchain@v1 is now out of data. Also, we need extra permission to run CDH tests. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
The original ttrpc keyprovider client is marked `async`, but we use it as sync version by fork a new thread and create a new tokio runtime. This commit changes the client into sync version, this will match the original usage. Why we need this commit is the original fork-thread-and-tokio-runtime way would create a dead lock for CDH's image-pull API when an encrypted image is pulled. When we bring in a tokio::spawn_blocking in image-rs, the tokio runtime would have possibility to switch context thus a dead lock can be avoided. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
meta_store stores the metadata about the pulled images. Using Mutex would block the concurrent performance when there are few write cases to meta_store, like pulling a lot of pulled images. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
meta store json file records the current state of pulled images and the layers. Before this commit, the json file is not ever written back to local filesystem. For legacy CoCo, everytime a new pull request comes, a new ImageClient would be specified a new workdir, thus there is no re-use of the meta-store and works fine. With this commit, when a ImageClient with same workdir restarts, it still can share the same metadata of pulled images. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Before this commit, different Overlayfs mounts of a same ImageClient would mark its mounts as 1, 2, 3... Thus there will be 0,1,2... under $work_dir/overlayfs. If a ImageClient with same work dir launches, new mounts will fail as the original index cannot be correctly read from the meta store json file. To make it easy, we changed the way to distinguish different mounts, by calculating a hash from (overlay layer paths, mount paths, time). As the three variables should not be the same, thus we could avoid collisions of overlayfs working dir. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
/run is a tmpfs workdir that would live inside guest memory for CoCo, while `/var/lib` is on disk. This would help CDH to avoid setting another default image workdir. As image-rs is able to set any workdir from its config, this patch will not influence the flexibility. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007
force-pushed
the
feat-cdh-image-pull
branch
from
3190f33
to
8480ae9
Compare
This commit adds a new API
pull_image()for Confidential DataHub. This new api will converge all operations related to image pull to one API, hinting that image signature validation, auth file retrievement, security policy enforcement will all be done inside CDH.Related configurations is included in CDH's config.image item.
Although the basic workflow passes due to the unit test, let's keep this PR as draft because some details still needs to promote.
Related to kata-containers/kata-containers#9266