From 0c83f87e13f34b7aee3fa685bbd793a1ebe108c0 Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Thu, 20 Jun 2024 21:09:27 +0800 Subject: [PATCH] agent-config: generate and use attestation-agent toml agent-config: generate and use attestation-agent toml - Generate the attestation-agent toml file aa.toml when aaKBCParams provided - Use the cfg file to start attestation agent service when it exists - Start attestation agent service directly when no cfg file exists - remove aa_kbc_params in agent-config so that cdh won't read from it - rename agent to aa to reflect the real config Signed-off-by: Qi Feng Huo --- .../cmd/process-user-data/main.go | 18 +- src/cloud-api-adaptor/go.mod | 1 - src/cloud-api-adaptor/go.sum | 2 - src/cloud-api-adaptor/pkg/aa/config.go | 49 ++++ src/cloud-api-adaptor/pkg/aa/config_test.go | 36 +++ .../pkg/adaptor/cloud/cloud.go | 10 + .../agent/test-data/sample-agent-config.toml | 11 - src/cloud-api-adaptor/pkg/agent/update.go | 193 --------------- .../pkg/agent/update_test.go | 227 ------------------ .../10-override.conf | 4 - src/cloud-api-adaptor/podvm/Makefile.inc | 4 - .../podvm/files/etc/agent-config.toml | 5 - .../systemd/system/attestation-agent.service | 4 +- .../system/confidential-data-hub.service | 2 +- .../etc/systemd/system/kata-agent.service | 2 +- .../systemd/system/process-user-data.service | 3 +- 16 files changed, 102 insertions(+), 469 deletions(-) create mode 100644 src/cloud-api-adaptor/pkg/aa/config.go create mode 100644 src/cloud-api-adaptor/pkg/aa/config_test.go delete mode 100644 src/cloud-api-adaptor/pkg/agent/test-data/sample-agent-config.toml delete mode 100644 src/cloud-api-adaptor/pkg/agent/update.go delete mode 100644 src/cloud-api-adaptor/pkg/agent/update_test.go delete mode 100644 src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/attestation-agent.service.d/10-override.conf 
diff --git a/src/cloud-api-adaptor/cmd/process-user-data/main.go b/src/cloud-api-adaptor/cmd/process-user-data/main.go index 625ef720bb..d5ac81ef3e 100644 --- a/src/cloud-api-adaptor/cmd/process-user-data/main.go +++ b/src/cloud-api-adaptor/cmd/process-user-data/main.go @@ -7,7 +7,6 @@ import ( "os" cmdUtil "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/cmd" - "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/agent" "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh" daemon "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder" "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/userdata" @@ -19,8 +18,7 @@ const ( providerAzure = "azure" providerAws = "aws" - defaultAgentConfigPath = "/etc/agent-config.toml" - defaultAuthJsonPath = "/run/peerpod/auth.json" + defaultAuthJsonPath = "/run/peerpod/auth.json" ) var versionFlag bool @@ -37,7 +35,7 @@ var rootCmd = &cobra.Command{ } func init() { - var agentConfigPath, cdhConfigPath, daemonConfigPath string + var cdhConfigPath, daemonConfigPath string var fetchTimeout int rootCmd.PersistentFlags().BoolVarP(&versionFlag, "version", "v", false, "Print the version") 
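Review bot: `defaultAuthJsonPath` survives in the const block of the second hunk although its only visible consumer, the `agent.NewConfig(agentConfigPath, defaultAuthJsonPath, daemonConfigPath)` call in the `update-agent-config` command removed on the next hunk, is gone; Go does not flag unused package-level constants, so if nothing else in main.go reads it the line should be dropped rather than re-aligned. The removed command was also the only place shown in this diff that materialised `AuthJson` from the daemon config into `/run/peerpod/auth.json` and pointed `image_registry_auth_file` at it; unless `provision-files` (outside this diff) now covers that, pods pulling from private registries lose their credentials with no error at boot. If the constant stays, a comment naming its remaining consumer, `// defaultAuthJsonPath is where registry credentials are placed for the pod VM; read by <remaining consumer>`, would make ownership of that path explicit.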
@@ -55,18 +53,6 @@ func init() { } provisionFilesCmd.Flags().IntVarP(&fetchTimeout, "user-data-fetch-timeout", "t", 180, "Timeout (in secs) for fetching user data") rootCmd.AddCommand(provisionFilesCmd) - - var updateAgentConfigCmd = &cobra.Command{ - Use: "update-agent-config", - Short: "Update the agent configuration file", - RunE: func(_ *cobra.Command, _ []string) error { - cfg := agent.NewConfig(agentConfigPath, defaultAuthJsonPath, daemonConfigPath) - return agent.UpdateConfig(cfg) - }, - SilenceUsage: true, // Silence usage on error - } - updateAgentConfigCmd.Flags().StringVarP(&agentConfigPath, "agent-config-file", "a", defaultAgentConfigPath, "Path to a agent config file") - rootCmd.AddCommand(updateAgentConfigCmd) } func main() { diff --git a/src/cloud-api-adaptor/go.mod b/src/cloud-api-adaptor/go.mod index 99d2638104..aad186f837 100644 --- a/src/cloud-api-adaptor/go.mod +++ b/src/cloud-api-adaptor/go.mod @@ -55,7 +55,6 @@ require ( github.com/pelletier/go-toml/v2 v2.1.0 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.7.0 - github.com/tj/assert v0.0.3 golang.org/x/crypto v0.23.0 golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 google.golang.org/protobuf v1.33.0 diff --git a/src/cloud-api-adaptor/go.sum b/src/cloud-api-adaptor/go.sum index a9619f51d7..7d3aab35e8 100644 --- a/src/cloud-api-adaptor/go.sum +++ b/src/cloud-api-adaptor/go.sum 
@@ -540,8 +540,6 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk= -github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk= github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs= github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= diff --git a/src/cloud-api-adaptor/pkg/aa/config.go b/src/cloud-api-adaptor/pkg/aa/config.go new file mode 100644 index 0000000000..2d6bb52216 --- /dev/null +++ b/src/cloud-api-adaptor/pkg/aa/config.go 
@@ -0,0 +1,49 @@
+package aa
+
+import (
+ "fmt"
+ "strings"
+
+ toml "github.com/pelletier/go-toml/v2"
+)
+
+const (
+ DefaultAaConfigPath = "/run/peerpod/aa.toml"
+)
+
+type AAConfig struct {
+ TokenCfg struct {
+ CocoAs struct {
+ URL string `toml:"url"`
+ } `toml:"coco_as"`
+ Kbs struct {
+ URL string `toml:"url"`
+ } `toml:"kbs"`
+ } `toml:"token_configs"`
+}
+
+func parseAAKBCParams(aaKBCParams string) (string, error) {
+ parts := strings.SplitN(aaKBCParams, "::", 2)
+ if len(parts) != 2 {
+ return "", fmt.Errorf("Invalid aa-kbs-params input: %s", aaKBCParams)
+ }
+ _, url := parts[0], parts[1]
+ return url, nil
+}
+
+func CreateConfigFile(aaKBCParams string) (string, error) {
+ url, err := parseAAKBCParams(aaKBCParams)
+ if err != nil {
+ return "", err
+ }
+
+ config := AAConfig{}
+ config.TokenCfg.CocoAs.URL = ""
+ config.TokenCfg.Kbs.URL = url
+
+ bytes, err := toml.Marshal(config)
+ if err != nil {
+ return "", err
+ }
+ return string(bytes), nil
+}
diff --git a/src/cloud-api-adaptor/pkg/aa/config_test.go b/src/cloud-api-adaptor/pkg/aa/config_test.go
new file mode 100644
index 0000000000..059625364b
--- /dev/null
+++ b/src/cloud-api-adaptor/pkg/aa/config_test.go
@@ -0,0 +1,36 @@
+package aa
+
+import (
+ "testing"
+)
+
+func Test_parseAAKBCParams(t *testing.T) {
+ url, err := parseAAKBCParams("cc_kbc::http://127.0.0.1:8080")
+ if err != nil {
+ t.Error(err)
+ }
+
+ expected := "http://127.0.0.1:8080"
+ if url != expected {
+ t.Errorf("Expected %s, got %s", expected, url)
+ }
+}
+
+func TestConfigFile(t *testing.T) {
+ refcfg := `[token_configs]
+[token_configs.coco_as]
+url = ''
+
+[token_configs.kbs]
+url = 'http://127.0.0.1:8080'
+`
+
+ config, err := CreateConfigFile("cc_kbc::http://127.0.0.1:8080")
+ if err != nil {
+ t.Error(err)
+ }
+
+ if config != refcfg {
+ t.Errorf("Expected: \n%s, got: \n%s", refcfg, config)
+ }
+}
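Review bot: `parseAAKBCParams` accepts any string containing `::` and passes the remainder through unchecked, so `cc_kbc::` yields an empty KBS URL and the old Makefile default `offline_fs_kbc::null` (removed in this same commit) yields `url = 'null'` in aa.toml; both are written into the pod VM and only surface when the attestation agent tries to use them, while the KBC name in `parts[0]` is discarded, so nothing ties the URL to the backend the config assumes. Rejecting an empty remainder, `if parts[1] == "" { return "", fmt.Errorf("aa-kbc-params %q has no URL", aaKBCParams) }`, and parsing it with `net/url` to require a scheme and host would catch this in `CreateVM` instead of at pod VM boot. The existing error message says `aa-kbs-params` where the daemon config key is `aa-kbc-params`, and Go error strings should start lowercase. The exported `DefaultAaConfigPath`, `AAConfig` and `CreateConfigFile` have no doc comments; the last needs one most, since it returns the TOML as a string and does not create a file, e.g. `// CreateConfigFile renders the attestation-agent TOML configuration for the given aa-kbc-params value; the caller writes it to DefaultAaConfigPath on the pod VM.`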
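Review bot: Both tests call `t.Error(err)` on a failed call and then continue, so a parse failure also produces a second, misleading mismatch report against the zero value; `t.Fatal(err)` is the right call at those two sites. Only the happy path is covered — a case for a value without `::` (expecting an error) and for `cc_kbc::` (whatever the intended behaviour is) would pin the parser's contract. `TestConfigFile` compares the rendered TOML byte-for-byte, which ties the test to go-toml's formatting (quote style, blank lines); unmarshalling `config` back into `AAConfig` and comparing the two URL fields is more robust across library upgrades.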
diff --git a/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go b/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go index 4cb2bb874b..c1e0f4596a 100644 --- a/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go +++ b/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go @@ -19,6 +19,7 @@ import ( "github.com/containerd/containerd/pkg/cri/annotations" pb "github.com/kata-containers/kata-containers/src/runtime/protocols/hypervisor" + "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa" "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/k8sops" "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/proxy" "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh" @@ -279,6 +280,15 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r Path: cdh.ConfigFilePath, Content: toml, }) + + toml, err = aa.CreateConfigFile(s.aaKBCParams) + if err != nil { + return nil, fmt.Errorf("creating attestation agent config: %w", err) + } + cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{ + Path: aa.DefaultAaConfigPath, + Content: toml, + }) } sandbox := &sandbox{ diff --git a/src/cloud-api-adaptor/pkg/agent/test-data/sample-agent-config.toml b/src/cloud-api-adaptor/pkg/agent/test-data/sample-agent-config.toml deleted file mode 100644 index 12fb059567..0000000000 --- a/src/cloud-api-adaptor/pkg/agent/test-data/sample-agent-config.toml +++ /dev/null @@ -1,11 +0,0 @@ -server_addr = "unix:///run/kata-containers/agent.sock" - -# This field sets up the KBC that attestation agent uses -# This is replaced in the makefile steps so do not set it manually -aa_kbc_params = "" - -# This field sets up the container registry auth -image_registry_auth_file = "file:///etc/attestation-agent/auth.json" - -# Do not spawn guest components in kata agent -guest_components_procs = "none" 
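Review bot: `aa.CreateConfigFile` returns an error for any `s.aaKBCParams` value that does not contain `::`, and that error now aborts `CreateVM`; previously the value was copied into agent-config.toml verbatim, so an operator with a bare or legacy value goes from a working (if misconfigured) pod VM to a hard failure at pod creation. The enclosing block starts outside the hunk — presumably `if s.aaKBCParams != ""` — and `CreateVM` ends outside it too, so whether the empty case is already excluded cannot be confirmed here; if it is, a comment on the new call, `// aa.toml carries only the KBS URL parsed from aaKBCParams; a value without "::" is rejected here rather than at pod VM boot`, would document the stricter contract. Reusing `toml` for the second render works, but naming the two results `cdhToml` and `aaToml` would keep the `WriteFiles` entries readable.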
diff --git a/src/cloud-api-adaptor/pkg/agent/update.go b/src/cloud-api-adaptor/pkg/agent/update.go
deleted file mode 100644
index 27b740b4e2..0000000000
--- a/src/cloud-api-adaptor/pkg/agent/update.go
+++ /dev/null
@@ -1,193 +0,0 @@
-package agent
-
-import (
- "encoding/json"
- "fmt"
- "log"
- "os"
- "strings"
-
- daemon "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
- toml "github.com/pelletier/go-toml/v2"
-)
-
-var logger = log.New(log.Writer(), "[agent/update] ", log.LstdFlags|log.Lmsgprefix)
-
-type Config struct {
- agentConfigPath string
- authJsonPath string
- daemonConfigPath string
-}
-
-func NewConfig(agentConfigPath, authJsonPath, daemonConfigPath string) *Config {
- return &Config{agentConfigPath, authJsonPath, daemonConfigPath}
-}
-
-type AgentConfig struct {
- ServerAddr string `toml:"server_addr"`
- AaKbcParams string `toml:"aa_kbc_params"`
- ImageRegistryAuthFile string `toml:"image_registry_auth_file"`
- GuestComponentsProcs string `toml:"guest_components_procs"`
-}
-
-// Get daemon.Config from local file
-func getConfigFromLocalFile(daemonConfigPath string) daemon.Config {
-
- // if daemonConfigPath is empty then return
- if daemonConfigPath == "" {
- logger.Printf("daemonConfigPath is empty\n")
- return daemon.Config{}
- }
-
- // Read the daemonConfigPath file
- daemonConfig, err := os.ReadFile(daemonConfigPath)
- if err != nil {
- logger.Printf("failed to read daemon config file: %s\n", err)
- return daemon.Config{}
- }
-
- // UnMarshal the daemonConfig into forwarder (daemon) Config struct
- var config daemon.Config
-
- err = json.Unmarshal(daemonConfig, &config)
- if err != nil {
- logger.Printf("failed to unmarshal daemon config: %s\n", err)
- return daemon.Config{}
- }
-
- return config
-}
-
-// Add method to get the value of aa-kbc-param from userdata and replace the value of aa_kbc_params in the
-// /etc/agent-config.toml file
-func updateAAKBCParams(aaKBCParams string, agentConfigFile string) error {
-
- // if aaKBCParams is empty then return. Nothing to do
- if aaKBCParams == "" {
- logger.Printf("aaKBCParams is empty. Nothing to do\n")
- return nil
- }
-
- if agentConfigFile == "" {
- return fmt.Errorf("agentConfigFile is empty")
- }
-
- // Replace the aa_kbc_params line in agentConfigFile with the aaKBCParams value
- // Read the agentConfigFile
- agentConfig, err := os.ReadFile(agentConfigFile)
- if err != nil {
- return fmt.Errorf("failed to read agent config file: %s", err)
- }
-
- // Split the agentConfigFile into lines
- lines := strings.Split(string(agentConfig), "\n")
-
- // Loop through the lines and replace the line that starts with aa_kbc_params
- for i, line := range lines {
- if strings.Contains(line, "aa_kbc_params") {
- lines[i] = fmt.Sprintf("aa_kbc_params = \"%s\"", aaKBCParams)
- logger.Printf("Updated line: %s\n", lines[i])
- }
- }
-
- // Join the lines back into a string
- newAgentConfig := strings.Join(lines, "\n")
-
- // Write the newAgentConfig to the agentConfigFile
- err = os.WriteFile(agentConfigFile, []byte(newAgentConfig), 0644)
- if err != nil {
- return fmt.Errorf("failed to write agent config file: %s", err)
- }
-
- logger.Printf("Updated agent config file: %s\n", agentConfigFile)
-
- return nil
-}
-
-func UpdateConfig(cfg *Config) error {
-
- // Get the daemon.Config from the daemonConfigPath
- // It's assumed that the local file is already provisioned either via the provision-files command
- // or via some other means
- config := getConfigFromLocalFile(cfg.daemonConfigPath)
- if config == (daemon.Config{}) {
- return fmt.Errorf("failed to get daemon config from local file")
- }
-
- // Parse the agent config file
- agentConfig, err := parseAgentConfig(cfg.agentConfigPath)
- if err != nil {
- return fmt.Errorf("failed to parse agent config file: %s", err)
- }
-
- if config.AAKBCParams != "" {
- logger.Printf("Updating aa_kbc_params in agent config file\n")
- agentConfig.AaKbcParams = config.AAKBCParams
- }
-
- if config.AuthJson != "" {
-
- logger.Printf("Updating image_registry_auth_file in agent config file with value\n")
-
- // Check if authJsonFilePath exists. If it doesn't exists create the file
-
- if _, err := os.Stat(cfg.authJsonPath); err != nil && os.IsNotExist(err) {
- // Write the authJson to the defaultAuthJsonFilePath
- err = os.WriteFile(cfg.authJsonPath, []byte(config.AuthJson), 0644)
- if err != nil {
- return fmt.Errorf("failed to write auth.json file: %s", err)
- }
- }
-
- // Update the file path in the agent config
- agentConfig.ImageRegistryAuthFile = "file://" + cfg.authJsonPath
-
- }
-
- // Write the updated agent config file
- err = writeAgentConfig(*agentConfig, cfg.agentConfigPath)
- if err != nil {
- return fmt.Errorf("failed to write agent config file: %s", err)
- }
-
- return nil
-}
-
-// Kata agent config is a TOML file, parse it and return the AgentConfig struct
-func parseAgentConfig(agentConfigFile string) (agentConfig *AgentConfig, err error) {
-
- agentConfig = &AgentConfig{}
-
- data, err := os.ReadFile(agentConfigFile)
- if err != nil {
- fmt.Println("Error reading file:", err)
- return nil, err
- }
-
- // Parse the agent config file data
- err = toml.Unmarshal(data, agentConfig)
- if err != nil {
- fmt.Println("Error parsing agent config file:", err)
- return nil, err
- }
-
- return agentConfig, nil
-}
-
-// Write the agent config file
-func writeAgentConfig(agentConfig AgentConfig, agentConfigFile string) error {
-
- data, err := toml.Marshal(agentConfig)
- if err != nil {
- return fmt.Errorf("error marshalling agent config: %s", err)
- }
-
- // Write the newAgentConfig to the agentConfigFile
- err = os.WriteFile(agentConfigFile, data, 0644)
- if err != nil {
- return fmt.Errorf("failed to write agent config file: %s", err)
- }
-
- logger.Printf("Updated agent config file: %s\n", agentConfigFile)
- return nil
-}
diff --git a/src/cloud-api-adaptor/pkg/agent/update_test.go b/src/cloud-api-adaptor/pkg/agent/update_test.go
deleted file mode 100644
index 0dfa8bcd54..0000000000
--- a/src/cloud-api-adaptor/pkg/agent/update_test.go
+++ /dev/null
@@ -1,227 +0,0 @@
-package agent
-
-import (
- "fmt"
- "os"
- "strings"
- "testing"
-
- daemon "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
- "github.com/tj/assert"
-)
-
-func TestUpdateAAKBCParams(t *testing.T) {
- // Create a temporary directory for the test
- tmpDir, err := os.MkdirTemp("", "test")
- if err != nil {
- t.Fatalf("failed to create temp dir: %v", err)
- }
- defer os.RemoveAll(tmpDir)
-
- // Create a temporary file for the test
- tmpFile, err := os.CreateTemp(tmpDir, "test")
- if err != nil {
- t.Fatalf("failed to create temp file: %v", err)
- }
-
- defer os.Remove(tmpFile.Name())
-
- // Write a sample agent config data to the file
- testAgentConfigData := `
- server_addr="unix:///run/kata-containers/agent.sock"
-
- # This field sets up the KBC that attestation agent uses
- # This is replaced in the makefile steps so do not set it manually
- aa_kbc_params = "offline_fs_kbc::null"
- guest_components_procs = "none"
- `
- if _, err := tmpFile.WriteString(testAgentConfigData); err != nil {
- t.Fatalf("failed to write test data to file: %v", err)
- }
-
- // Close the file
- if err := tmpFile.Close(); err != nil {
- t.Fatalf("failed to close temp file: %v", err)
- }
-
- testAAKBCParams := "cc_kbc::http://192.168.100.2:8080"
- // Call the updateAAKBCParams function with the test data and file path
- if err := updateAAKBCParams(testAAKBCParams, tmpFile.Name()); err != nil {
- t.Fatalf("updateAAKBCParams failed: %v", err)
- }
-
- // Read the file and check that the aa_kbc_params line has been replaced with the test data
- fileData, err := os.ReadFile(tmpFile.Name())
- if err != nil {
- t.Fatalf("failed to read file: %v", err)
- }
- expectedData := "aa_kbc_params = \"cc_kbc::http://192.168.100.2:8080\"\n"
- if !strings.Contains(string(fileData), expectedData) {
- t.Fatalf("file contents do not match expected data: expected %q, got %q", expectedData, string(fileData))
- }
-}
-
-func TestGetConfigFromLocalFile(t *testing.T) {
- // Create a temporary directory for the test
- tmpDir, err := os.MkdirTemp("", "test")
- if err != nil {
- t.Fatalf("failed to create temp dir: %v", err)
- }
- defer os.RemoveAll(tmpDir)
-
- // Create a temporary file for the test
- tmpFile, err := os.CreateTemp(tmpDir, "test-config.json")
- if err != nil {
- t.Fatalf("failed to create temp file: %v", err)
- }
-
- defer os.Remove(tmpFile.Name())
-
- // Write some test data to the file
- testData := `{
- "aa-kbc-params": "test"
- }`
-
- if _, err := tmpFile.Write([]byte(testData)); err != nil {
- t.Fatal(err)
- }
-
- // Close the file
- if err := tmpFile.Close(); err != nil {
- t.Fatal(err)
- }
-
- // Call the getConfigFromLocalFile function
- config := getConfigFromLocalFile(tmpFile.Name())
-
- fmt.Printf("%v\n", config)
- // Check if the config has been unmarshalled correctly
- expectedConfig := daemon.Config{
- AAKBCParams: "test",
- }
-
- if config != expectedConfig {
- t.Fatalf("Expected %+v, but got %+v", expectedConfig, config)
- }
-}
-
-// Test the writeAgentConfig function
-func TestWriteAgentConfig(t *testing.T) {
- // Create a temporary directory for the test
- tmpDir, err := os.MkdirTemp("", "test")
- if err != nil {
- t.Fatalf("failed to create temp dir: %v", err)
- }
- defer os.RemoveAll(tmpDir)
-
- // Create a temporary file for the test
- tmpFile, err := os.CreateTemp(tmpDir, "agent-config.json")
- if err != nil {
- t.Fatalf("failed to create temp file: %v", err)
- }
-
- defer os.Remove(tmpFile.Name())
-
- // Create an instance of AgentConfig
- agentConfig := AgentConfig{
- // Set the fields of AgentConfig
- ServerAddr: "unix:///run/kata-containers/agent.sock",
- AaKbcParams: "cc_kbc::http://192.168.1.2:8080",
- ImageRegistryAuthFile: "/etc/attestation-agent/auth.json",
- GuestComponentsProcs: "none",
- }
-
- // Call the writeAgentConfig function
- err = writeAgentConfig(agentConfig, tmpFile.Name())
- assert.NoError(t, err)
-
- // Parse the agent config file data
- tmpAgentConfig, err := parseAgentConfig(tmpFile.Name())
- if err != nil {
- t.Fatalf("failed to parse agent config file: %v", err)
- }
-
- // Use deepequal to match agentConfig and tmpAgentConfig
- assert.Equal(t, agentConfig, *tmpAgentConfig)
-
-}
-
-// Test the parseAgentConfig function
-func TestParseAgentConfig(t *testing.T) {
-
- // Parse the agent config file data
- agentConfig, err := parseAgentConfig("test-data/sample-agent-config.toml")
- if err != nil {
- t.Fatalf("failed to parse agent config file: %v", err)
- }
-
- if agentConfig.ServerAddr != "unix:///run/kata-containers/agent.sock" {
- t.Fatalf("agentConfig.ServerAddr does not match test data: expected %v, got %v", "unix:///run/kata-containers/agent.sock", agentConfig.ServerAddr)
- }
-
- if agentConfig.AaKbcParams != "" {
- t.Fatalf("agentConfig.AaKbcParams does not match test data: expected %v, got %v", "", agentConfig.AaKbcParams)
- }
-
- if agentConfig.ImageRegistryAuthFile != "file:///etc/attestation-agent/auth.json" {
- t.Fatalf("agentConfig.ImageRegistryAuthFile does not match test data: expected %v, got %v", "/etc/attestation-agent/auth.json", agentConfig.ImageRegistryAuthFile)
- }
-
- if agentConfig.GuestComponentsProcs != "none" {
- t.Fatalf("agentConfig.GuestComponentsProcs does not match test data: expected %v, got %v", "none", agentConfig.GuestComponentsProcs)
- }
-}
-
-// Test the writeAgentConfig function with non existent toml entry in agent config file
-func TestWriteAgentConfigNonExistentTomlEntry(t *testing.T) {
- // Create a temporary directory for the test
- tmpDir, err := os.MkdirTemp("", "test")
- if err != nil {
- t.Fatalf("failed to create temp dir: %v", err)
- }
- defer os.RemoveAll(tmpDir)
-
- // Create a temporary file for the test
- tmpFile, err := os.CreateTemp(tmpDir, "agent-config.json")
- if err != nil {
- t.Fatalf("failed to create temp file: %v", err)
- }
-
- defer os.Remove(tmpFile.Name())
-
- // Create an instance of AgentConfig
- agentConfig := AgentConfig{
- // Set the fields of AgentConfig
- ServerAddr: "unix:///run/kata-containers/agent.sock",
- AaKbcParams: "cc_kbc::http://192.168.1.2:8080",
- }
-
- // Call the writeAgentConfig function
- err = writeAgentConfig(agentConfig, tmpFile.Name())
- assert.NoError(t, err)
-
- // Parse the agent config file data
- newAgentConfig, err := parseAgentConfig(tmpFile.Name())
- if err != nil {
- t.Fatalf("failed to parse agent config file: %v", err)
- }
-
- // Add the missing field to the agentConfig
- newAgentConfig.ImageRegistryAuthFile = "file:///etc/attestation-agent/auth.json"
-
- // Update existing field
- newAgentConfig.AaKbcParams = "cc_kbc::offline_kbc"
-
- // Call the writeAgentConfig function
- err = writeAgentConfig(*newAgentConfig, tmpFile.Name())
- assert.NoError(t, err)
-
- // Parse the agent config file data
- tmpAgentConfig, err := parseAgentConfig(tmpFile.Name())
- if err != nil {
- t.Fatalf("failed to parse agent config file: %v", err)
- }
-
- // Check if tmpAgentConfig has the new fields
- assert.Equal(t, newAgentConfig, tmpAgentConfig)
-}
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/attestation-agent.service.d/10-override.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/attestation-agent.service.d/10-override.conf
deleted file mode 100644
index 06e2707385..0000000000
--- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/attestation-agent.service.d/10-override.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# On a read-only fs the kata-agent config is created in /run/peerpod, since it contains
-# a parameter that can be set at pod creation time.
-[Service]
-Environment=KATA_AGENT_CONFIG_PATH=/run/peerpod/agent-config.toml
diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc
index d9c48b1b1c..02bbbcc360 100644
--- a/src/cloud-api-adaptor/podvm/Makefile.inc
+++ b/src/cloud-api-adaptor/podvm/Makefile.inc
@@ -23,8 +23,6 @@ ARCH := $(or $(ARCH),$(HOST_ARCH)) # Normalise x86_64 / amd64 for input ARCH ARCH := $(subst amd64,x86_64,$(ARCH)) DEB_ARCH := $(subst x86_64,amd64,$(ARCH)) -AA_KBC ?= offline_fs_kbc -KBC_URI ?= null LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl) RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH)) RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC) @@ -77,8 +75,6 @@ PROCESS_USER_DATA = $(FILES_DIR)/usr/local/bin/process-user-data BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE) $(ATTESTATION_AGENT) $(CONFIDENTIAL_DATA_HUB) $(API_SERVER_REST) $(PROCESS_USER_DATA) -$(shell sed -i "s|\(aa_kbc_params = \)\"[^\"]*\"|\1\"${AA_KBC}::${KBC_URI}\"|g" $(FILES_DIR)/etc/agent-config.toml) - KATA_CONTAINERS_SRC = $(ROOT_DIR)/../kata-containers KATA_AGENT_SRC = $(KATA_CONTAINERS_SRC)/src/agent KATA_AGENT_BUILD_TYPE = release diff --git a/src/cloud-api-adaptor/podvm/files/etc/agent-config.toml b/src/cloud-api-adaptor/podvm/files/etc/agent-config.toml index b96c2ec530..3994551f7c 100644 --- a/src/cloud-api-adaptor/podvm/files/etc/agent-config.toml +++ b/src/cloud-api-adaptor/podvm/files/etc/agent-config.toml @@ -1,8 +1,3 @@ server_addr = "unix:///run/kata-containers/agent.sock" - -# This field sets up the KBC that attestation agent uses -# This is replaced in the makefile steps so do not set it manually -aa_kbc_params = "" - # prevent the agent from launching coco guest-components guest_components_procs = "none" diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/attestation-agent.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/attestation-agent.service index c37b496c91..162d68c739 100644 --- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/attestation-agent.service +++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/attestation-agent.service 
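Review bot: With `AA_KBC`/`KBC_URI` and the `$(shell sed …)` gone (first and second hunks), a build that still passes `AA_KBC=… KBC_URI=…` on the make command line now silently produces an image without them, because make does not complain about unknown variables. A guard next to the remaining defaults, `$(if $(AA_KBC)$(KBC_URI),$(error AA_KBC/KBC_URI are no longer used at build time; set aa-kbc-params at runtime instead))`, turns that into an immediate failure. Dropping the `$(shell sed -i …)` is itself welcome, since it rewrote a tracked file under `$(FILES_DIR)` every time the Makefile was parsed. A comment in agent-config.toml (third hunk) saying that the attestation-agent configuration now arrives at runtime as /run/peerpod/aa.toml would stop someone re-adding `aa_kbc_params` there.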
@@ -1,11 +1,11 @@ [Unit] Description=Attestation Agent TTRPC API Server -After=network.target process-user-data.service +After=network.target cloud-final.service process-user-data.service [Service] Type=simple ExecStartPre=mkdir -p /run/confidential-containers/attestation-agent -ExecStart=/usr/local/bin/attestation-agent +ExecStart=/bin/bash -c 'if [ -f /run/peerpod/aa.toml ]; then /usr/local/bin/attestation-agent -c /run/peerpod/aa.toml; else /usr/local/bin/attestation-agent; fi' RestartSec=1 Restart=always diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/confidential-data-hub.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/confidential-data-hub.service index c2680ada13..57929f9476 100644 --- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/confidential-data-hub.service +++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/confidential-data-hub.service @@ -1,6 +1,6 @@ [Unit] Description=Confidential Data Hub TTRPC API Server -After=network.target process-user-data.service +After=network.target cloud-final.service process-user-data.service [Service] Type=simple diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service index b731659cc9..a31b9f39f3 100644 --- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service +++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service @@ -2,7 +2,7 @@ Description=Kata Agent BindsTo=netns@podns.service Wants=process-user-data.service -After=netns@podns.service process-user-data.service +After=netns@podns.service cloud-final.service process-user-data.service [Service] ExecStartPre=mkdir -p /run/kata-containers diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/process-user-data.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/process-user-data.service index 2a858837f2..26bad136cb 100644 
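Review bot: The new `ExecStart` runs the agent inside `bash -c 'if …; then …; else …; fi'`, and bash does not exec the last command of a compound statement, so the unit's main PID is the shell rather than attestation-agent; `Restart=always` then tracks bash, and an agent crash is only seen through the shell's exit. Prefixing both branches with `exec` — `then exec /usr/local/bin/attestation-agent -c /run/peerpod/aa.toml; else exec /usr/local/bin/attestation-agent; fi` — makes the agent the main process with no other change. `After=cloud-final.service` (also added to confidential-data-hub.service and kata-agent.service in the following hunks) only orders against cloud-final when that unit is in the same transaction and does not pull it in, so if cloud-init is not otherwise enabled the `-f /run/peerpod/aa.toml` test can run before the file exists and the agent silently starts in its unconfigured mode. A `Wants=cloud-final.service` beside the `After=` makes that dependency explicit, and a comment on the `ExecStart` line naming `DefaultAaConfigPath` in pkg/aa/config.go as the other copy of the path would help keep the two in sync. The mkosi skeleton loses its attestation-agent override in this commit but does not appear here to receive the equivalent `-c /run/peerpod/aa.toml` start line; if it ships its own unit, aa.toml would be generated but ignored on that image.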
--- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/process-user-data.service +++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/process-user-data.service @@ -9,8 +9,7 @@ DefaultDependencies=no [Service] Type=oneshot -ExecStartPre=/usr/local/bin/process-user-data provision-files -ExecStart=/usr/local/bin/process-user-data update-agent-config +ExecStart=/usr/local/bin/process-user-data provision-files RemainAfterExit=yes [Install]