podvm: Mount overlay as tmpfs for CoCo

For CoCo, we don't want root disk to be used without encryption or integrity protection. However till we have root disk encryption or integrity protection support, let's at least ensure that overlay (rw) directory for container image is in memory. The container image layers will still be downloaded to disk, however the writeable layer will be in memory when CONFIDENTIAL_COMPUTE_ENABLED=yes. Note that this means you'll need to have sufficient VM memory depending on the amount of writes you expect your workload to perform Fixes: #KATA-3229 Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
openshift · Jul 26, 2024 · 06fde57 · 06fde57
1 parent a5328ae
commit 06fde57
Showing 1 changed file with 57 additions and 4 deletions.
diff --git a/config/peerpods/podvm/lib.sh b/config/peerpods/podvm/lib.sh
@@ -208,18 +208,23 @@ function prepare_source_code() {
     # links must be relative
     if [[ "${AGENT_POLICY}" ]]; then
         echo "Custom agent policy is being set through the AGENT_POLICY value"
-        echo ${AGENT_POLICY} | base64 -d > "${podvm_dir}"/files/etc/kata-opa/custom.rego
+        echo ${AGENT_POLICY} | base64 -d >"${podvm_dir}"/files/etc/kata-opa/custom.rego
         if [[ $? == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
-            ln -sf custom.rego  "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+            ln -sf custom.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
         else
             error_exit "Invalid AGENT_POLICY value set, expected base64 encoded valid agent policy, got: \"${AGENT_POLICY}\""
-	fi
+        fi
     elif [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
         echo "Setting custom agent policy to CoCo's recommended policy"
         sed 's/default ReadStreamRequest := true/default ReadStreamRequest := false/;
             s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
-            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
+            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego >"${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
         ln -sf coco-default-policy.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+
+        # Fix disk mounts for CoCo
+        remove_mount_units
+        create_overlay_mount_unit
+
     fi
     echo "~~~ Current Agent Policy ~~~" && cat "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
 }
@@ -265,6 +270,54 @@ function download_and_extract_pause_image() {
     umoci unpack --rootless --image "${pause_src}:${pause_image_tag}" "${pause_bundle}" ||
         error_exit "Failed to extract the pause image"
 
+}
+# Function to remove mount points in the podvm files
+function remove_mount_units() {
+    local podvm_dir="${CAA_SRC_DIR}/podvm"
+    # Let's use an array to store the mount points that need to be removed
+    # Currently we only have one mount point to remove
+    local mount_units=(
+        "run-image.mount"
+    )
+
+    for unit_name in "${mount_units[@]}"; do
+        echo "Removing mount unit ${unit_name}"
+
+        rm -f "${podvm_dir}/files/etc/systemd/system/${unit_name}"
+        rm -f "${podvm_dir}/files/etc/systemd/system/multi-user.target.wants/${unit_name}"
+
+        echo "Removed mount unit ${unit_name}"
+    done
+
+    echo "Mount unit removed at ${unit_path}"
+}
+
+# Function to create overlay mount unit in the podvm files
+function create_overlay_mount_unit() {
+    # The actual mount point is /run/kata-containers/image/overlay
+    local unit_name="run-kata\\x2dcontainers-image-overlay.mount"
+    local unit_path="${podvm_dir}/files/etc/systemd/system/${unit_name}"
+
+    cat <<EOF >"${unit_path}"
+[Unit]
+Description=Mount unit for /run/kata-containers/image/overlay
+Before=kata-agent.service
+
+[Mount]
+What=tmpfs
+Where=/run/kata-containers/image/overlay
+Type=tmpfs
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    echo "Mount unit created at ${unit_path}"
+
+    # Enable the mount unit by creating a symlink
+    ln -sf "${unit_path}" "${podvm_dir}/files/etc/systemd/system/multi-user.target.wants/${unit_name}" ||
+        error_exit "Failed to enable the overlay mount unit"
+
 }
 
 # Global variables