Skip to content

agent: fix startup when guest_components_procs is set to none #10583

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 27, 2024
Merged

agent: fix startup when guest_components_procs is set to none #10583

merged 1 commit into from
Nov 27, 2024

Conversation

squarti
Copy link
Contributor

@squarti squarti commented Nov 25, 2024

This PR ensures that OCICRYPT_CONFIG_PATH file is initialized only when CDH socket exists. This prevents startup error if attestation binaries are not installed in PodVM.

Fixes: #10568

@katacontainersbot katacontainersbot added the size/tiny Smallest and simplest task label Nov 25, 2024
@fidencio
Copy link
Member

Although this is a valid approach, I wonder if we shouldn't move the check from https://github.com/kata-containers/kata-containers/pull/10583/files#diff-ed2edc9fa74154f8f6bbe195c07e456a861f1c9e20e0b07a1c66d2aed49a3f0cL460 to be the first thing done as part of the init_attestation_components(), and then simply return from there. Otherwise we get a useless warning when not using the CoCo guest components.

@mkulke, thoughts?

@mkulke
Copy link
Contributor

mkulke commented Nov 26, 2024

Although this is a valid approach, I wonder if we shouldn't move the check from https://github.com/kata-containers/kata-containers/pull/10583/files#diff-ed2edc9fa74154f8f6bbe195c07e456a861f1c9e20e0b07a1c66d2aed49a3f0cL460 to be the first thing done as part of the init_attestation_components(), and then simply return from there. Otherwise we get a useless warning when not using the CoCo guest components.

@mkulke, thoughts?

If we do this, there would be no initialization for attestation-related things (specifically: no cdh-client & no ocicrypt config) if guest_component_procs == None. we don't want this, right?

@fidencio
Copy link
Member

If we do this, there would be no initialization for attestation-related things (specifically: no cdh-client & no ocicrypt config) if guest_component_procs == None. we don't want this, right?

You tell me. :-)
My understanding is that if someone does not use the guest components, they don' t use anything from the guest components.
Is there a case where someone would still like to have cdh-client / ocicrypt if guest_components_procs == None?

@mkulke
Copy link
Contributor

mkulke commented Nov 26, 2024

You tell me. :-) My understanding is that if someone does not use the guest components, they don' t use anything from the guest components. Is there a case where someone would still like to have cdh-client / ocicrypt if guest_components_procs == None?

well, the param doesn't specify whether you use guest_components, it specifies whether kata should start those guest-components processes. I guess the intention of that param was originally to have a single rootfs with all guest-component binaries, but the option to e.g. not start CDH (but only AA). GuestComponentProcs::None was just added to not start any GC process (not even AA) as kata child-process (because all, including that one are managed by systemd in peerpod).

I think, now with a hard dependency on CDH, this gets more questionable. We could just have 2 options:

SpawnGuestComponentProcesses=true/false
InitAttestationComponents=true/false

I think the granularity of the GuestComponentProcs enum is not required anymore. maybe there is a usecase for not launching ASR, but then we could have this in a discrete flag.

@fidencio
Copy link
Member

I think the granularity of the GuestComponentProcs enum is not required anymore. maybe there is a usecase for not launching ASR, but then we could have this in a discrete flag.

Okay, so, what I'd suggest then is to take this discussion outside of the context of this PR and, if you're fine with this PR as it is, we can get it merged, and continue the discussion on the flags / enum on Slack / on a different issue.

Sounds fair? And sorry for adding a comment that triggered this whole discussion. :-)

@mkulke
Copy link
Contributor

mkulke commented Nov 26, 2024

regarding the fix in this PR. you will only see this warning in the case that someone sets GuestComponentProcs::None and has no gc-binaries on the rootfs. That's would be the case for a non-coco peerpod deployment. and in this context, this would be just a bugfix, because if you don't do coco stuff, there is no /run/confidential-containers folder.

@mkulke
Copy link
Contributor

mkulke commented Nov 26, 2024

I think the granularity of the GuestComponentProcs enum is not required anymore. maybe there is a usecase for not launching ASR, but then we could have this in a discrete flag.

Okay, so, what I'd suggest then is to take this discussion outside of the context of this PR and, if you're fine with this PR as it is, we can get it merged, and continue the discussion on the flags / enum on Slack / on a different issue.

Sounds fair? And sorry for adding a comment that triggered this whole discussion. :-)

yes. I think this make sense to bundle this with final picture of the initdata design. This will drive the requirements and then we can revisit this.

@mkulke
Copy link
Contributor

mkulke commented Nov 26, 2024

@squarti there seems to be formatting error, can you run cargo fmt the file you touched?

also, can you open an issue on the CAA repo describing your non-coco scenario, so we can accommodate this? the attestation components will be more and more integrated with the evolving initdata design and it's likely that there will be future breakage if guest-components are not available and running.

@squarti
agent: fix startup when guest_components_procs is set to none
1230bc7 
This PR ensures that OCICRYPT_CONFIG_PATH file is initialized only
when CDH socket exists. This prevents startup error if attestation
binaries are not installed in PodVM.

Fixes: kata-containers#10568

Signed-off-by: Silenio Quarti <silenio_quarti@ca.ibm.com>
@squarti squarti force-pushed the agent-startup-cdh-client branch from 768d57b to 1230bc7 Compare November 26, 2024 14:57
stevenhorsman
stevenhorsman approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@stevenhorsman stevenhorsman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @squarti!

@stevenhorsman
Copy link
Member

Based on @fidencio's above comments to separate the discussion on the longer term need/re-working of the config to a separate issue, I think we are good to merge this now.

@stevenhorsman stevenhorsman merged commit 6bb00d9 into kata-containers:main Nov 27, 2024
287 of 295 checks passed
@renovate renovate bot mentioned this pull request Mar 7, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevenhorsman stevenhorsman stevenhorsman approved these changes

+1 more reviewer

@mkulke mkulke mkulke approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
ok-to-test size/tiny Smallest and simplest task
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

agent: Exception starting agent with GuestComponentsProcs=none
5 participants
@squarti @fidencio @mkulke @stevenhorsman @katacontainersbot