From d5f907dcf1b387ab013802b8b8ad23ea47bad9c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 17 Jan 2025 18:12:42 +0100
Subject: [PATCH 1/3] rootfs-confidential: Ensure systemd is used as init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's make sure that we don't use Kata Containers' agent as init for the Confidential related rootfses*, as we don't want to increase the agent's complexity for no reason ... mainly when we can rely on a proper init system. *: - images already used systemd as init - initrds are now using systemd as init
Signed-off-by: Fabiano FidĂȘncio
---
 tools/packaging/guest-image/build_image.sh | 2 +-
 .../kata-deploy/local-build/kata-deploy-binaries-in-docker.sh | 2 ++
 .../packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index c80d6b7abdb3..0b33bd9f0034 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -44,7 +44,7 @@ build_initrd() {
 ROOTFS_BUILD_DEST="${builddir}/initrd-image" \
 USE_DOCKER=1 \
 AGENT_TARBALL="${AGENT_TARBALL}" \
- AGENT_INIT="yes" \
+ AGENT_INIT="${AGENT_INIT:-no}" \
 AGENT_POLICY="${AGENT_POLICY:-}" \
 PULL_TYPE="${PULL_TYPE:-default}" \
 COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 3619a5e06749..36e77fbdb6fb 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
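Review bot: The default for AGENT_INIT in build_initrd flips from `yes` to `no` for every caller of build_image.sh, not only the kata-deploy path, and nothing at the assignment records that agent-as-init must now be requested explicitly. The alpine override is added in kata-deploy-binaries.sh in the same series, so a direct invocation of build_image.sh for an alpine initrd would presumably produce an initrd without a usable init. A one-line comment above the new line would make the contract visible: `# AGENT_INIT defaults to "no": the rootfs is expected to ship its own init; callers building an alpine initrd must export AGENT_INIT=yes`. The value is also forwarded verbatim, so anything other than the literal `yes`/`no` is left to the rootfs builder to interpret. build_initrd continues past the end of the hunk.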
@@ -98,6 +98,7 @@ SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}"
 TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}"
 TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER:-}"
 VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}"
+AGENT_INIT="${AGENT_INIT:-no}"
 MEASURED_ROOTFS="${MEASURED_ROOTFS:-}"
 PULL_TYPE="${PULL_TYPE:-default}"
 USE_CACHE="${USE_CACHE:-}"
@@ -128,6 +129,7 @@ docker run \
 --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER}" \
 --env TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER}" \
 --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER}" \
+ --env AGENT_INIT="${AGENT_INIT}" \
 --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 --env PULL_TYPE="${PULL_TYPE}" \
 --env USE_CACHE="${USE_CACHE}" \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 04fba73ababe..8e81cbfee270 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -454,8 +454,12 @@ install_initrd() {
 export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
 fi
 else
+ # No variant is passed, it means vanilla kata containers
 os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")"
 os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")"
+ if [ "${os_name}" = "alpine" ]; then
+ export AGENT_INIT=yes
+ fi
 fi
 export AGENT_TARBALL=$(get_agent_tarball_path)
From 18137b1583be10394eac7a8c5de7c7bbc4b63fbc Mon Sep 17 00:00:00 2001
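Review bot: The unconditional `export AGENT_INIT=yes` in the install_initrd hunk is load-bearing rather than a convenience, and nothing says so: kata-deploy-binaries-in-docker.sh (the @@ -98 and @@ -128 hunks above) always forwards a defaulted value, so inside the container AGENT_INIT is already `no` and a softer `${AGENT_INIT:-yes}` here would never take effect for alpine. A future cleanup that "fixes" this into the defaulted form would silently break the alpine initrd, so a comment should pin the reason: `# AGENT_INIT is always set by the docker wrapper (default "no"); the alpine initrd keeps the agent as init, so force it here`. It also means a caller cannot opt alpine out via AGENT_INIT, which is fine if intended but worth stating in the same comment. install_initrd continues outside the hunk on both sides.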
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 23 Jan 2025 08:22:05 +0100
Subject: [PATCH 2/3] tests: k8s: confidential: Increase log_buf_len to 4M
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Relying on dmesg is really not ideal, as we may lose important info, mainly those which happen very early in the boot, depending on the size of kernel ring buffer. So, for this specific test, let's increase the kernel ring buffer, by default, to 4M.
Signed-off-by: Fabiano FidĂȘncio
---
 .../runtimeclass_workloads/pod-confidential-unencrypted.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-confidential-unencrypted.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-confidential-unencrypted.yaml
index 591d86de875c..b1f9aedb8cee 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/pod-confidential-unencrypted.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-confidential-unencrypted.yaml
@@ -22,6 +22,8 @@ spec:
 app: "confidential-unencrypted"
 template:
 metadata:
+ annotations:
+ io.katacontainers.config.hypervisor.kernel_params: "log_buf_len=4M"
 labels:
 app: "confidential-unencrypted"
 spec:
From 734ef71cf7d780d6d5738a6bda62640c49b52abe Mon Sep 17 00:00:00 2001
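Review bot: The new `io.katacontainers.config.hypervisor.kernel_params` annotation only takes effect if the runtime configuration behind the confidential runtime classes lists `kernel_params` in `enable_annotations`; as far as I recall the runtime rejects a pod carrying a non-enabled annotation, so the test would start failing on a cluster that does not allow it rather than just running with the default ring buffer. That dependency is invisible from the manifest and deserves a comment on the `annotations:` line, e.g. `# requires kernel_params in the runtime's enable_annotations (test-only: larger ring buffer so early boot messages survive for dmesg)`. kernel_params is gated precisely because it lets a pod author extend the guest kernel command line, so keeping the value as narrow as `log_buf_len=4M` is the right call; the comment should make clear it is not to be widened.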
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 21 Jan 2025 18:28:19 +0100
Subject: [PATCH 3/3] tests: k8s: confidential: Cleanup $HOME/.ssh/known_hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
I've noticed the following error when running the tests with SEV:
```
2025-01-21T17:10:28.7999896Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8000614Z # @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
2025-01-21T17:10:28.8001217Z # @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2025-01-21T17:10:28.8001857Z # IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
2025-01-21T17:10:28.8003009Z # Someone could be eavesdropping on you right now (man-in-the-middle attack)!
2025-01-21T17:10:28.8003348Z # It is also possible that a host key has just been changed.
2025-01-21T17:10:28.8004422Z # The fingerprint for the ED25519 key sent by the remote host is
2025-01-21T17:10:28.8005019Z # SHA256:x7wF8zI+LLyiwphzmUhqY12lrGY4gs5qNCD81f1Cn1E.
2025-01-21T17:10:28.8005459Z # Please contact your system administrator.
2025-01-21T17:10:28.8006734Z # Add correct host key in /home/kata/.ssh/known_hosts to get rid of this message.
2025-01-21T17:10:28.8007031Z # Offending ED25519 key in /home/kata/.ssh/known_hosts:178
2025-01-21T17:10:28.8007254Z # remove with:
2025-01-21T17:10:28.8008172Z # ssh-keygen -f "/home/kata/.ssh/known_hosts" -R "10.244.0.71"
```
And this was causing a failure to ssh into the confidential pod.
Signed-off-by: Fabiano FidĂȘncio
---
 tests/integration/kubernetes/k8s-confidential.bats | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/integration/kubernetes/k8s-confidential.bats b/tests/integration/kubernetes/k8s-confidential.bats
index afb464b04755..84d1201b6f40 100644
--- a/tests/integration/kubernetes/k8s-confidential.bats
+++ b/tests/integration/kubernetes/k8s-confidential.bats
@@ -29,6 +29,7 @@ setup() {
 coco_enabled=""
 for i in {1..6}; do
+ rm -f "${HOME}/.ssh/known_hosts"
 if ! pod_ip=$(kubectl get pod -o wide | grep "confidential-unencrypted" | awk '{print $6;}'); then
 warn "Failed to get pod IP address."
 else
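Review bot: `rm -f "${HOME}/.ssh/known_hosts"` discards every host key the runner has accumulated, not just the stale entry for the reused pod IP, and it runs on each of the six retry iterations before pod_ip is even known. The warning quoted in the commit message already names the targeted form; once pod_ip is obtained a few lines further down, `ssh-keygen -f "${HOME}/.ssh/known_hosts" -R "${pod_ip}"` removes only the offending entry and keeps trust intact for any other host the job reaches over ssh. If wiping the whole file is the intent because the runner is single-purpose, hoist it above the `for` so it happens once and add a comment stating that the runner's known_hosts is treated as disposable. setup() continues beyond the hunk, so the ssh call that trips on the stale key is not visible here.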