config: Whitelist hypervisor annotations by name
Add a field "enable_annotations" to the runtime configuration that can
be used to whitelist annotations using a list of regular expressions,
which are used to match any part of the base annotation name, i.e. the
part after "io.katacontainers.config.hypervisor."

For example, the following configuration will match "virtio_fs_daemon",
"initrd" and "jailer_path", but not "path" nor "firmware":

  enable_annotations = [ "virtio.*", "initrd", "_path" ]

The default is an empty list of enabled annotations, which disables
annotations entirely.

If an annotation is rejected, the message is something like:

  annotation io.katacontainers.config.hypervisor.virtio_fs_daemon is not enabled

Fixes: kata-containers#3004

Suggested-by: Peng Tao <tao.peng@linux.alibaba.com>
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
c3d authored and fidencio committed Nov 11, 2020
1 parent db5fb82 commit 33021ef
Showing 12 changed files with 54 additions and 1 deletion.
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -169,6 +169,7 @@ DEFMEMSZ := 2048
DEFMEMSLOTS := 10
#Default number of bridges
DEFBRIDGES := 1
DEFENABLEANNOTATIONS := []
DEFDISABLEGUESTSECCOMP := true
#Default experimental features enabled
DEFAULTEXPFEATURES := []
Expand Down Expand Up @@ -664,6 +665,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
-e "s|@DEFNETWORKMODEL_CLH@|$(DEFNETWORKMODEL_CLH)|g" \
-e "s|@DEFNETWORKMODEL_FC@|$(DEFNETWORKMODEL_FC)|g" \
-e "s|@DEFNETWORKMODEL_QEMU@|$(DEFNETWORKMODEL_QEMU)|g" \
-e "s|@DEFENABLEANNOTATIONS@|$(DEFENABLEANNOTATIONS)|g" \
-e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
-e "s|@DEFAULTEXPFEATURES@|$(DEFAULTEXPFEATURES)|g" \
-e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
Expand Down
5 changes: 5 additions & 0 deletions cli/config/configuration-acrn.toml.in
Expand Up @@ -16,6 +16,11 @@ ctlpath = "@ACRNCTLPATH@"
kernel = "@KERNELPATH_ACRN@"
image = "@IMAGEPATH@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor (default: empty)
# Each member of the list is a path pattern as described by glob(3).
path_list = @ACRNPATHLIST@
Expand Down
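Review bot: The new comment line `# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"` has an unbalanced double quote, and the block does not tell the operator the two facts from the commit message that matter when writing an allowlist: each expression is matched against any part of the base name (so `"path"` also enables every hypervisor annotation whose name merely contains `path`), and an empty list disables hypervisor annotations entirely. I would replace the three comment lines with `# List of enabled hypervisor annotation names (default: empty, which disables them all)`, `# Each entry is a regular expression matched against any part of the base name, i.e. the part after`, `# "io.katacontainers.config.hypervisor." (e.g. "^path$" enables only io.katacontainers.config.hypervisor.path)`. The same comment block is added in configuration-clh.toml.in, configuration-fc.toml.in, configuration-qemu-virtiofs.toml.in and configuration-qemu.toml.in and should be fixed there as well.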
5 changes: 5 additions & 0 deletions cli/config/configuration-clh.toml.in
Expand Up @@ -15,6 +15,11 @@ path = "@CLHPATH@"
kernel = "@KERNELPATH_CLH@"
image = "@IMAGEPATH@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor (default: empty)
# Each member of the list is a path pattern as described by glob(3).
path_list = @CLHPATHLIST@
Expand Down
5 changes: 5 additions & 0 deletions cli/config/configuration-fc.toml.in
Expand Up @@ -15,6 +15,11 @@ path = "@FCPATH@"
kernel = "@KERNELPATH_FC@"
image = "@IMAGEPATH@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor (default: empty)
# Each member of the list is a path pattern as described by glob(3).
path_list = @FCPATHLIST@
Expand Down
5 changes: 5 additions & 0 deletions cli/config/configuration-qemu-virtiofs.toml.in
Expand Up @@ -16,6 +16,11 @@ kernel = "@KERNELVIRTIOFSPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor (default: empty)
# Each member of the list is a path pattern as described by glob(3).
path_list = @QEMUVIRTIOFSPATHLIST@
Expand Down
5 changes: 5 additions & 0 deletions cli/config/configuration-qemu.toml.in
Expand Up @@ -17,6 +17,11 @@ initrd = "@INITRDPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"

# List of valid annotation names for the hypervisor
# Each member of the list is a regular expression, which is the base name
# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
enable_annotations = @DEFENABLEANNOTATIONS@

# List of valid annotations values for the hypervisor (default: empty)
# Each member of the list is a path pattern as described by glob(3).
path_list = @QEMUPATHLIST@
Expand Down
5 changes: 5 additions & 0 deletions pkg/katautils/config.go
Expand Up @@ -134,6 +134,7 @@ type hypervisor struct {
HotplugVFIOOnRootBus bool `toml:"hotplug_vfio_on_root_bus"`
DisableVhostNet bool `toml:"disable_vhost_net"`
GuestHookPath string `toml:"guest_hook_path"`
EnableAnnotations []string `toml:"enable_annotations"`
}

type proxy struct {
Expand Down Expand Up @@ -565,6 +566,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
DisableVhostNet: true, // vhost-net backend is not supported in Firecracker
UseVSock: true,
GuestHookPath: h.guestHookPath(),
EnableAnnotations: h.EnableAnnotations,
}, nil
}

Expand Down Expand Up @@ -675,6 +677,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
VhostUserStorePath: h.vhostUserStorePath(),
VhostUserStorePathList: h.VhostUserStorePathList,
GuestHookPath: h.guestHookPath(),
EnableAnnotations: h.EnableAnnotations,
}, nil
}

Expand Down Expand Up @@ -738,6 +741,7 @@ func newAcrnHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
BlockDeviceDriver: blockDriver,
DisableVhostNet: h.DisableVhostNet,
GuestHookPath: h.guestHookPath(),
EnableAnnotations: h.EnableAnnotations,
}, nil
}

Expand Down Expand Up @@ -829,6 +833,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
PCIeRootPort: h.PCIeRootPort,
DisableVhostNet: true,
UseVSock: true,
EnableAnnotations: h.EnableAnnotations,
}, nil
}

Expand Down
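Review bot: `EnableAnnotations: h.EnableAnnotations` is copied verbatim into every hypervisor config, but nothing in these hunks checks that each entry is a valid regular expression, so a typo in `enable_annotations` would only surface when a container is created instead of when the configuration is loaded; the config validation code this file may already have lies outside the hunks, so I cannot tell whether that is covered elsewhere. A short loop over `h.EnableAnnotations` that calls `regexp.Compile` and returns a wrapped error next to the other configuration checks would turn a bad pattern into a load-time configuration error, and it could be shared by the four call sites touched here (newFirecrackerHypervisorConfig, newQemuHypervisorConfig, newAcrnHypervisorConfig, newClhHypervisorConfig).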
3 changes: 3 additions & 0 deletions virtcontainers/hypervisor.go
Expand Up @@ -424,6 +424,9 @@ type HypervisorConfig struct {

// SELinux label for the VM
SELinuxProcessLabel string

// Enable annotations by name
EnableAnnotations []string
}

// vcpu mapping from vcpu number to thread number
Expand Down
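Review bot: `// Enable annotations by name` does not say what the strings are or what an empty list means, which is what a reader of HypervisorConfig needs to know before touching this field. I would write `// EnableAnnotations lists regular expressions; a hypervisor annotation is accepted only if the part of its name after the "io.katacontainers.config.hypervisor." prefix matches one of them. An empty list rejects every hypervisor annotation.` The identical comment is added to the persistapi HypervisorConfig in virtcontainers/persist/api/config.go and should be updated the same way there.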
2 changes: 2 additions & 0 deletions virtcontainers/persist.go
Expand Up @@ -262,6 +262,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
VhostUserStorePathList: sconfig.HypervisorConfig.VhostUserStorePathList,
GuestHookPath: sconfig.HypervisorConfig.GuestHookPath,
VMid: sconfig.HypervisorConfig.VMid,
EnableAnnotations: sconfig.HypervisorConfig.EnableAnnotations,
}

if sconfig.AgentType == "kata" {
Expand Down Expand Up @@ -557,6 +558,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
VhostUserStorePathList: hconf.VhostUserStorePathList,
GuestHookPath: hconf.GuestHookPath,
VMid: hconf.VMid,
EnableAnnotations: hconf.EnableAnnotations,
}

if savedConf.AgentType == "kata" {
Expand Down
3 changes: 3 additions & 0 deletions virtcontainers/persist/api/config.go
Expand Up @@ -198,6 +198,9 @@ type HypervisorConfig struct {
// VMid is the id of the VM that create the hypervisor if the VM is created by the factory.
// VMid is "" if the hypervisor is not created by the factory.
VMid string

// Enable annotations by name
EnableAnnotations []string
}

// KataAgentConfig is a structure storing information needed
Expand Down
1 change: 1 addition & 0 deletions virtcontainers/pkg/annotations/annotations.go
Expand Up @@ -28,6 +28,7 @@ const (
//
// Assets
//
KataAnnotationHypervisorPrefix = kataAnnotHypervisorPrefix

// KernelPath is a sandbox annotation for passing a per container path pointing at the kernel needed to boot the container VM.
KernelPath = kataAnnotHypervisorPrefix + "kernel"
Expand Down
14 changes: 13 additions & 1 deletion virtcontainers/pkg/oci/utils.go
Expand Up @@ -224,6 +224,14 @@ func checkPathIsInGlobList(list []string, path string) bool {
return false
}

// Check if an annotation name either belongs to another prefix, matches regexp list
func checkAnnotationNameIsValid(list []string, name string, prefix string) bool {
if strings.HasPrefix(name, prefix) {
return regexpContains(list, strings.TrimPrefix(name, prefix))
}
return true
}

func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
allowedDeviceTypes := []string{"c", "b", "u", "p"}

Expand Down Expand Up @@ -357,11 +365,15 @@ func SandboxID(spec specs.Spec) (string, error) {
}

func addAnnotations(ocispec specs.Spec, config *vc.SandboxConfig, runtime RuntimeConfig) error {
for key := range ocispec.Annotations {
if !checkAnnotationNameIsValid(runtime.HypervisorConfig.EnableAnnotations, key, vcAnnotations.KataAnnotationHypervisorPrefix) {
return fmt.Errorf("annotation %v is not enabled", key)
}
}
err := addAssetAnnotations(ocispec, config)
if err != nil {
return err
}

if err := addHypervisorConfigOverrides(ocispec, config, runtime); err != nil {
return err
}
Expand Down
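Review bot: The allowlist in `checkAnnotationNameIsValid` is weaker than an operator will expect because, per the commit message, each expression matches any part of the base name: an entry of `"path"` intended to enable only `path` also enables `jailer_path`, `guest_hook_path` and every other name containing it, and the real behaviour depends on `regexpContains`, which is outside the hunk. Since this gate decides which hypervisor settings an OCI spec is allowed to override, I would anchor each pattern where it is compiled (wrap it as `^(?:` + pattern + `)$`) or, if substring matching is deliberate, state that explicitly in the function comment and in the configuration templates. The comment `// Check if an annotation name either belongs to another prefix, matches regexp list` is also hard to parse; `// checkAnnotationNameIsValid reports whether name may be honoured: names outside prefix are always accepted, names under prefix must match one of the regular expressions in list.` says the same thing. In addAnnotations, `return fmt.Errorf("annotation %q is not enabled", key)` would quote the spec-supplied key, which is safer than `%v` once the message is logged. addAnnotations continues outside the hunk.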
