Skip to content

Optimize sealed secret scanning to avoid full file reads #11647

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 20, 2025
Merged

Optimize sealed secret scanning to avoid full file reads #11647

merged 1 commit into from
Aug 20, 2025

Conversation

Park-Jiyeonn
Copy link
Contributor

Fixes: #11643

This PR optimizes the sealed secret scanning logic to avoid unnecessary full file reads, which can cause performance and reliability issues in certain environments.

Optimization

Instead of reading the entire file, we now:

  • Open the file and read only the first N bytes (N = SEALED_SECRET_PREFIX.len()).
  • Compare the read bytes with the prefix.
  • Only perform a full read if the prefix matches.

This avoids expensive I/O and reduces memory usage, while still preserving the intended functionality.

@Park-Jiyeonn Park-Jiyeonn force-pushed the opt/sealed-secret-prefix-check branch from bb0eeb9 to ab643d1 Compare August 1, 2025 01:47
@Apokleos
Copy link
Contributor

Apokleos commented Aug 1, 2025

Thx for your contribution to refactor this code. Could you please correct the commit message and commit title following our community guidence and example. Please see patch format and examples

@Park-Jiyeonn Park-Jiyeonn force-pushed the opt/sealed-secret-prefix-check branch from ab643d1 to e4a0319 Compare August 1, 2025 09:04
@Park-Jiyeonn
Copy link
Contributor Author

Thx for your contribution to refactor this code. Could you please correct the commit message and commit title following our community guidence and example. Please see patch format and examples

Commit message updated as per contribution guidelines. PTAL, thanks!

@Park-Jiyeonn
Copy link
Contributor Author

Hi @Apokleos, Could you please add ok-to-test? Thanks in advance!

@Park-Jiyeonn Park-Jiyeonn force-pushed the opt/sealed-secret-prefix-check branch from e4a0319 to c3a89cf Compare August 4, 2025 03:42
@ditingdapeng
Copy link

This optimization looks promising, It definitely seems like it could lead to some performance improvements.

@Park-Jiyeonn
Copy link
Contributor Author

Hi @Apokleos, this PR is ready for review. Could you please help add some reviewers? Thx!

@Apokleos Apokleos requested review from bpradipt and burgerdev August 6, 2025 01:40
Apokleos
Apokleos reviewed Aug 6, 2025
View reviewed changes
src/agent/src/confidential_data_hub/mod.rs Outdated
@@ -262,6 +264,14 @@ pub async fn unseal_file(path: &str) -> Result<()> {
Ok(())
}

fn content_starts_with_prefix(path: &Path, prefix: &str) -> std::io::Result<bool> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not rewite the function with async ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, updated to async now. Thx.

@Park-Jiyeonn Park-Jiyeonn force-pushed the opt/sealed-secret-prefix-check branch from c3a89cf to 5e3baa3 Compare August 6, 2025 02:48
bpradipt
bpradipt approved these changes Aug 6, 2025
View reviewed changes
Copy link
Contributor

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
Thanks @Park-Jiyeonn

burgerdev
burgerdev reviewed Aug 6, 2025
View reviewed changes
@Park-Jiyeonn
Copy link
Contributor Author

Hi @Apokleos, some CI checks are still failing — is there anything else I need to do on my side? Thx!

@Park-Jiyeonn
agent: avoid full file reads when scanning sealed secrets.
2f50c85 
Read only the sealed secret prefix instead of the whole file.
Improves performance and reduces memory usage in I/O-heavy environments.

Fixes: kata-containers#11643

Signed-off-by: Park.Jiyeon <jiyeonnn2@icloud.com>
@Park-Jiyeonn Park-Jiyeonn force-pushed the opt/sealed-secret-prefix-check branch from 5041123 to 2f50c85 Compare August 13, 2025 12:33
@Park-Jiyeonn
Copy link
Contributor Author

Park-Jiyeonn commented Aug 18, 2025
edited
Loading

Hi @Apokleos, some CI checks are still failing — Could you please help me take a look when you have a moment? Your guidance would be really appreciated.

Thx in advance!!

@burgerdev
Copy link
Contributor

The only required test still failing was due to a sporadic I've seen some times already. I believe this is good to merge.

@burgerdev burgerdev merged commit 30aff42 into kata-containers:main Aug 20, 2025
535 of 581 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Apokleos Apokleos Apokleos left review comments

@burgerdev burgerdev burgerdev approved these changes

@bpradipt bpradipt bpradipt approved these changes

Assignees
No one assigned
Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Proposal: Optimize file reading in sealed secret scanning to avoid full file reads
5 participants
@Park-Jiyeonn @Apokleos @ditingdapeng @burgerdev @bpradipt