Remove mount points #438

Merged
merged 2 commits into from
Jul 29, 2024
47 changes: 42 additions & 5 deletions config/peerpods/podvm/lib.sh
Expand Up @@ -208,20 +208,27 @@ function prepare_source_code() {
# links must be relative
if [[ "${AGENT_POLICY}" ]]; then
echo "Custom agent policy is being set through the AGENT_POLICY value"
echo ${AGENT_POLICY} | base64 -d > "${podvm_dir}"/files/etc/kata-opa/custom.rego
if [[ $? == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
ln -sf custom.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
echo "${AGENT_POLICY}" | base64 -d >"${podvm_dir}"/files/etc/kata-opa/custom.rego
return_code=$?
if [[ "$return_code" == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
ln -sf custom.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
else
error_exit "Invalid AGENT_POLICY value set, expected base64 encoded valid agent policy, got: \"${AGENT_POLICY}\""
fi
fi
elif [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
echo "Setting custom agent policy to CoCo's recommended policy"
sed 's/default ReadStreamRequest := true/default ReadStreamRequest := false/;
s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
"${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
"${podvm_dir}"/files/etc/kata-opa/default-policy.rego >"${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
ln -sf coco-default-policy.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
fi
echo "~~~ Current Agent Policy ~~~" && cat "${podvm_dir}"/files/etc/kata-opa/default-policy.rego

# Fix disk mounts for CoCo
if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
create_overlay_mount_unit
fi

}

# Download and extract pause container image
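Review bot: the validity check `grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego` only confirms that the substring appears somewhere in the decoded file, so a blob that decodes cleanly but is not a usable Rego policy (for example a `package agent_policy` header followed by garbage, or the string inside a comment) passes the build unnoticed and the `# checks policy validity` comment overstates what is verified. Consider tightening it to `grep -q '^package agent_policy' ...` and, when `opa` is available on the build host, running `opa check` on the file before symlinking it to `default-policy.rego`. Two smaller points in the same region: `return_code=$?` after the pipeline reflects only `base64 -d` (there is no `set -o pipefail`), which is acceptable because that is the command that rejects malformed input, but a failed decode still leaves a partial `custom.rego` in the image tree before `error_exit` runs, so removing it in the `else` branch avoids shipping a stray file; and the `error_exit` message echoes the full `AGENT_POLICY` value into build logs, which is fine for a policy but worth a note if these logs are retained.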
Expand Down Expand Up @@ -267,6 +274,36 @@ function download_and_extract_pause_image() {

}

# Function to create overlay mount unit in the podvm files
# this ensures rw (overlay) layer for the container images are in memory (encrypted)
function create_overlay_mount_unit() {
# The actual mount point is /run/kata-containers/image/overlay
local unit_name="run-kata\\x2dcontainers-image-overlay.mount"
local unit_path="${podvm_dir}/files/etc/systemd/system/${unit_name}"

cat <<EOF >"${unit_path}"
[Unit]
Description=Mount unit for /run/kata-containers/image/overlay
Before=kata-agent.service

[Mount]
What=tmpfs
Where=/run/kata-containers/image/overlay
Type=tmpfs

[Install]
WantedBy=multi-user.target
EOF

echo "Mount unit created at ${unit_name}"

# Enable the mount unit by creating a symlink
# This syntax works to create the symlink to the unit file in ${podvm_dir}/files/etc/systemd/system
ln -sf ../"${unit_name}" "${podvm_dir}/files/etc/systemd/system/multi-user.target.wants/${unit_name}" ||
error_exit "Failed to enable the overlay mount unit"

}

# Global variables

# Set global variable for the source code directory
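Review bot: `Before=kata-agent.service` in the `[Unit]` section only orders the tmpfs mount ahead of the agent; it does not make the agent depend on it, so if the mount fails the agent still starts and `/run/kata-containers/image/overlay` falls back to whatever backs that path on the pod VM image, silently defeating the stated goal of keeping the container rw layer in memory. To fail closed, add `RequiredBy=kata-agent.service` under `[Install]` (and create the matching `kata-agent.service.requires/${unit_name}` symlink alongside the `multi-user.target.wants` one), or add a `Requires=` for this mount in a kata-agent drop-in. The `[Mount]` section also sets no `Options=`, so the tmpfs gets kernel defaults (mode 1777 on the root and a size cap of half of RAM); an explicit `Options=mode=0755,size=...` documents the intent and bounds memory use. If `/run` on the image is already a tmpfs, a sentence in the function comment explaining why a nested mount is still wanted would help future readers. Minor: the log line `echo "Mount unit created at ${unit_name}"` prints the unit name where `${unit_path}` was presumably intended.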