diff --git a/kuasar.spec b/kuasar.spec index ca7ea2ca945857c4c36dc7188f158997c7da950f..6048acad9ac88eaa5f65f486bfb9942b22628f6d 100644 --- a/kuasar.spec +++ b/kuasar.spec @@ -2,7 +2,7 @@ Name: kuasar Version: 1.0.0 -Release: 19 +Release: 22 Summary: Kuasar is an efficient container runtime that supports multiple sandbox techniques. License: Apache License 2.0 URL: https://github.com/kuasar-io/kuasar @@ -10,6 +10,9 @@ Source0: kuasar-openeuler.tar.gz Source1: kernel.tar.gz BuildRequires: automake golang bc glibc-devel glibc-static busybox glib2-devel glib2 ipvsadm conntrack-tools nfs-utils bash gcc cmake gcc-c++ musl-gcc clang-libs BuildRequires: patch elfutils-libelf-devel openssl-devel bison flex rust cargo rust-packaging libgcc dtc-devel runc coreutils procps +%ifarch %{ix86} aarch64 +BuildRequires: secGear-aa +%endif %define _cargo /usr/bin/env CARGO_HOME=.cargo /usr/bin/cargo %define hypervisor qemu @@ -135,13 +138,22 @@ rm -rf %{buildroot} %endif %changelog +* Tue Apr 22 zhongjiawei -1.0.0-21 +- add the dependency packages for qemu command execute bind cpu + +* Tue Apr 22 zhongjiawei -1.0.0-21 +- remove the secGear feature and use the image-service feature to start the agent process + +* Thu Apr 17 zhongjiawei -1.0.0-20 +- start attestation agent when init start in vm + * Tue Mar 4 liuxu -1.0.0-19 - coco: mount certs and image-rs use https -* Thu Feb 27 zhongjiawei -1.0.0-18 +* Mon Mar 3 zhongjiawei -1.0.0-18 - bind one cpu for qemu command -* Fri Feb 21 liuxu -1.0.0-17 +* Fri Feb 21 zhongjiawei -1.0.0-17 - setup loop device * Fri Feb 21 liuxu -1.0.0-16 diff --git a/patch/0018-start-attestation-agent-when-init-start-in-vm.patch b/patch/0018-start-attestation-agent-when-init-start-in-vm.patch new file mode 100644 index 0000000000000000000000000000000000000000..661d78411e275a9c438be3f7728ddc6c0ecaa08d --- /dev/null +++ b/patch/0018-start-attestation-agent-when-init-start-in-vm.patch 
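Review bot: The new `%ifarch %{ix86} aarch64` guard around `BuildRequires: secGear-aa` leaves x86_64 out, because `%{ix86}` expands only to the 32-bit x86 targets; if the attestation agent is meant to be available on 64-bit x86 builds as well, the line should read `%ifarch x86_64 aarch64`, and if the CC image is deliberately aarch64-only a short comment above the `%ifarch` saying so would make that intent visible. This matters because make_kuasar_virtcca_image.sh in the same commit runs ldd on /usr/bin/attestation-agent unconditionally, so any architecture where this BuildRequires is skipped will not have that binary at build time. In the %changelog hunk the two newest entries both carry `-1.0.0-21` while Release is bumped to 22; the first entry should read `* Tue Apr 22 zhongjiawei -1.0.0-22` so the newest changelog entry matches Release.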
@@ -0,0 +1,146 @@ +From 0b6fa915e4b277f8b85624105b16a192d554caab Mon Sep 17 00:00:00 2001 +From: Super User +Date: Thu, 17 Apr 2025 19:38:58 +0800 +Subject: [PATCH] start attestation agent when init start in vm + +--- + vmm/task/Cargo.toml | 1 + + vmm/task/src/config.rs | 33 +++++++++++++++++++++++++++++++++ + vmm/task/src/main.rs | 28 +++++++++++++++++++++++++++- + 3 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/vmm/task/Cargo.toml b/vmm/task/Cargo.toml +index adbb58b0..d0b88723 100644 +--- a/vmm/task/Cargo.toml ++++ b/vmm/task/Cargo.toml +@@ -51,3 +51,4 @@ ttrpc = { git = "https://github.com/kuasar-io/ttrpc-rust.git", branch = "v0.7.1- + + [features] + image-service = ["image-rs"] ++secGear = [] +diff --git a/vmm/task/src/config.rs b/vmm/task/src/config.rs +index ca4f5d56..b1a7d887 100644 +--- a/vmm/task/src/config.rs ++++ b/vmm/task/src/config.rs +@@ -37,6 +37,15 @@ const IMAGE_REGISTRY_AUTH_FILE: &str = "task.image_registry_auth"; + #[cfg(feature = "image-service")] + const SIMPLE_SIGNING_SIGSTORE_CONFIG: &str = "task.simple_signing_sigstore_config"; + ++#[cfg(feature = "secGear")] ++const AA_SER_URL: &str = "task.aa_ser_url"; ++#[cfg(feature = "secGear")] ++const AA_CERT: &str = "task.aa_cert"; ++#[cfg(feature = "secGear")] ++const AA_SOCKET_ADDR: &str = "task.aa_socket_addr"; ++#[cfg(feature = "secGear")] ++const AA_PROTO: &str = "task.aa_proto"; ++ + macro_rules! 
parse_cmdline { + ($param:ident, $key:ident, $field:expr) => { + if $param.len() == 1 && $param[0] == $key { +@@ -64,6 +73,14 @@ pub struct ImageConfig { + pub(crate) simple_signing_sigstore_config: String, + } + ++#[derive(Debug)] ++pub struct SecGearConfig { ++ pub(crate) aa_ser_url: String, ++ pub(crate) aa_cert: String, ++ pub(crate) aa_proto: String, ++ pub(crate) aa_socket_addr: String, ++} ++ + #[derive(Debug)] + pub struct TaskConfig { + pub(crate) sharefs_type: String, +@@ -72,6 +89,8 @@ pub struct TaskConfig { + pub(crate) debug_shell: String, + #[cfg(feature = "image-service")] + pub(crate) image_config: ImageConfig, ++ #[cfg(feature = "secGear")] ++ pub(crate) aa_config: SecGearConfig, + } + + impl Default for TaskConfig { +@@ -90,6 +109,13 @@ impl Default for TaskConfig { + image_policy_file: "".to_string(), + image_registry_auth_file: "".to_string(), + simple_signing_sigstore_config: "".to_string(), ++ }, ++ #[cfg(feature = "secGear")] ++ aa_config: SecGearConfig { ++ aa_ser_url: "http://127.0.0.1:8080".to_string(), ++ aa_cert: "/etc/attestation/attestation-agent/as_cert.pem".to_string(), ++ aa_socket_addr: "127.0.0.1:8081".to_string(), ++ aa_proto: "http".to_string(), + } + } + } +@@ -123,6 +149,13 @@ impl TaskConfig { + // used when simple signing verification is used + parse_cmdline!(param, SIMPLE_SIGNING_SIGSTORE_CONFIG, config.image_config.simple_signing_sigstore_config, String::from); + } ++ #[cfg(feature = "secGear")] ++ { ++ parse_cmdline!(param, AA_SER_URL, config.aa_config.aa_ser_url, String::from); ++ parse_cmdline!(param, AA_CERT, config.aa_config.aa_cert, String::from); ++ parse_cmdline!(param, AA_SOCKET_ADDR, config.aa_config.aa_socket_addr, String::from); ++ parse_cmdline!(param, AA_PROTO, config.aa_config.aa_proto, String::from); ++ } + } + Ok(config) + } +diff --git a/vmm/task/src/main.rs b/vmm/task/src/main.rs +index c833f274..789c3d69 100644 +--- a/vmm/task/src/main.rs ++++ b/vmm/task/src/main.rs +@@ -17,7 +17,7 @@ limitations under 
the License. + #![warn(clippy::expect_fun_call, clippy::expect_used)] + + use std::{ +- collections::HashMap, convert::TryFrom, path::Path, process::exit, str::FromStr, sync::Arc, ++ collections::HashMap, convert::TryFrom, path::Path, process::{exit, Command}, str::FromStr, sync::Arc, + }; + + use containerd_shim::{ +@@ -190,11 +190,37 @@ async fn initialize() -> anyhow::Result<()> { + certs_init(ETC_ANCHORS_CERTS_DIR_SUFFIX, ETC_ANCHORS_CERTS_DIR).await?; + } + ++ #[cfg(feature = "secGear")] ++ { ++ let aa_pid = start_attestation_agent(&config).await?; ++ info!("start attestation_agent, pid is {}", aa_pid); ++ } ++ + late_init_call().await?; + + Ok(()) + } + ++#[cfg(feature = "secGear")] ++async fn start_attestation_agent(task_config: &TaskConfig) -> Result { ++ let child = match Command::new("/usr/bin/attestation-agent") ++ .arg("--socketaddr") ++ .arg(task_config.aa_config.aa_socket_addr.clone()) ++ .arg("--serverurl") ++ .arg(task_config.aa_config.aa_ser_url.clone()) ++ .arg("--protocol") ++ .arg(task_config.aa_config.aa_proto.clone()) ++ .arg("--cert_root") ++ .arg(task_config.aa_config.aa_cert.clone()) ++ .spawn() ++ { ++ Ok(child) => child, ++ Err(err) => return Err(other!("failed to spawn virtiofsd command: {}", err)), ++ }; ++ ++ Ok(child.id()) ++} ++ + #[tokio::main] + async fn main() { + if let Err(e) = initialize().await { +-- +2.48.1 + diff --git a/patch/0019-remove-the-secGear-feature-and-use-the-image-service.patch b/patch/0019-remove-the-secGear-feature-and-use-the-image-service.patch new file mode 100644 index 0000000000000000000000000000000000000000..a6587cf800fa4638216dfa441e944480f45a79f9 --- /dev/null +++ b/patch/0019-remove-the-secGear-feature-and-use-the-image-service.patch 
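Review bot: In `start_attestation_agent` the spawn failure is reported as `failed to spawn virtiofsd command`, which will mislead whoever reads the guest log; it should be `Err(err) => return Err(other!("failed to spawn attestation-agent: {}", err)),`. The `Child` returned by `spawn()` is dropped right after `child.id()` is read, so the agent is never waited on: an agent that exits early goes unnoticed and, unless the task's existing reaper collects it, remains a zombie — keeping the handle (or using `tokio::process::Command` with a spawned wait task that logs the exit status) would make the failure observable. The new kernel-cmdline keys `task.aa_ser_url`, `task.aa_cert`, `task.aa_socket_addr` and `task.aa_proto` default in config.rs to `http://127.0.0.1:8080` and `http`, so without an explicit `task.aa_proto` the agent is presumably pointed at the attestation server over plaintext; a comment on `SecGearConfig` listing those keys and stating the plaintext default would help operators configure it correctly. The same error string and the dropped handle carry over unchanged into patch 0019 below.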
@@ -0,0 +1,123 @@ +From 64247a20d4e32ed607f28daf01ebb07b4061b212 Mon Sep 17 00:00:00 2001 +From: zhong-jiawei-1 +Date: Tue, 22 Apr 2025 15:11:02 +0800 +Subject: [PATCH] remove the secGear feature and use the image-service feature + to start the agent process + +--- + vmm/task/Cargo.toml | 1 - + vmm/task/src/config.rs | 18 +++++------------- + vmm/task/src/main.rs | 14 ++++++-------- + 3 files changed, 11 insertions(+), 22 deletions(-) + +diff --git a/vmm/task/Cargo.toml b/vmm/task/Cargo.toml +index d0b88723..adbb58b0 100644 +--- a/vmm/task/Cargo.toml ++++ b/vmm/task/Cargo.toml +@@ -51,4 +51,3 @@ ttrpc = { git = "https://github.com/kuasar-io/ttrpc-rust.git", branch = "v0.7.1- + + [features] + image-service = ["image-rs"] +-secGear = [] +diff --git a/vmm/task/src/config.rs b/vmm/task/src/config.rs +index b1a7d887..5152e91a 100644 +--- a/vmm/task/src/config.rs ++++ b/vmm/task/src/config.rs +@@ -37,13 +37,11 @@ const IMAGE_REGISTRY_AUTH_FILE: &str = "task.image_registry_auth"; + #[cfg(feature = "image-service")] + const SIMPLE_SIGNING_SIGSTORE_CONFIG: &str = "task.simple_signing_sigstore_config"; + +-#[cfg(feature = "secGear")] ++#[cfg(feature = "image-service")] + const AA_SER_URL: &str = "task.aa_ser_url"; +-#[cfg(feature = "secGear")] ++#[cfg(feature = "image-service")] + const AA_CERT: &str = "task.aa_cert"; +-#[cfg(feature = "secGear")] +-const AA_SOCKET_ADDR: &str = "task.aa_socket_addr"; +-#[cfg(feature = "secGear")] ++#[cfg(feature = "image-service")] + const AA_PROTO: &str = "task.aa_proto"; + + macro_rules! 
parse_cmdline { +@@ -78,7 +76,6 @@ pub struct SecGearConfig { + pub(crate) aa_ser_url: String, + pub(crate) aa_cert: String, + pub(crate) aa_proto: String, +- pub(crate) aa_socket_addr: String, + } + + #[derive(Debug)] +@@ -89,7 +86,7 @@ pub struct TaskConfig { + pub(crate) debug_shell: String, + #[cfg(feature = "image-service")] + pub(crate) image_config: ImageConfig, +- #[cfg(feature = "secGear")] ++ #[cfg(feature = "image-service")] + pub(crate) aa_config: SecGearConfig, + } + +@@ -110,11 +107,10 @@ impl Default for TaskConfig { + image_registry_auth_file: "".to_string(), + simple_signing_sigstore_config: "".to_string(), + }, +- #[cfg(feature = "secGear")] ++ #[cfg(feature = "image-service")] + aa_config: SecGearConfig { + aa_ser_url: "http://127.0.0.1:8080".to_string(), + aa_cert: "/etc/attestation/attestation-agent/as_cert.pem".to_string(), +- aa_socket_addr: "127.0.0.1:8081".to_string(), + aa_proto: "http".to_string(), + } + } +@@ -148,12 +144,8 @@ impl TaskConfig { + // URI of the simple signing sigstore file + // used when simple signing verification is used + parse_cmdline!(param, SIMPLE_SIGNING_SIGSTORE_CONFIG, config.image_config.simple_signing_sigstore_config, String::from); +- } +- #[cfg(feature = "secGear")] +- { + parse_cmdline!(param, AA_SER_URL, config.aa_config.aa_ser_url, String::from); + parse_cmdline!(param, AA_CERT, config.aa_config.aa_cert, String::from); +- parse_cmdline!(param, AA_SOCKET_ADDR, config.aa_config.aa_socket_addr, String::from); + parse_cmdline!(param, AA_PROTO, config.aa_config.aa_proto, String::from); + } + } +diff --git a/vmm/task/src/main.rs b/vmm/task/src/main.rs +index 789c3d69..a28e0db1 100644 +--- a/vmm/task/src/main.rs ++++ b/vmm/task/src/main.rs +@@ -188,12 +188,10 @@ async fn initialize() -> anyhow::Result<()> { + *image_rpc::KUASAR_IMAGE_CLIENT.lock().await = Some(image_client.clone()); + certs_init(ETC_CERTS_DIR_SUFFIX, ETC_CERTS_DIR).await?; + certs_init(ETC_ANCHORS_CERTS_DIR_SUFFIX, ETC_ANCHORS_CERTS_DIR).await?; 
+- } +- +- #[cfg(feature = "secGear")] +- { +- let aa_pid = start_attestation_agent(&config).await?; +- info!("start attestation_agent, pid is {}", aa_pid); ++ if config.image_config.aa_kbc_params != "" { ++ let aa_pid = start_attestation_agent(&config).await?; ++ info!("start attestation_agent, pid is {}", aa_pid); ++ } + } + + late_init_call().await?; +@@ -201,11 +199,11 @@ async fn initialize() -> anyhow::Result<()> { + Ok(()) + } + +-#[cfg(feature = "secGear")] ++#[cfg(feature = "image-service")] + async fn start_attestation_agent(task_config: &TaskConfig) -> Result { + let child = match Command::new("/usr/bin/attestation-agent") + .arg("--socketaddr") +- .arg(task_config.aa_config.aa_socket_addr.clone()) ++ .arg(task_config.image_config.aa_kbc_params.clone()) + .arg("--serverurl") + .arg(task_config.aa_config.aa_ser_url.clone()) + .arg("--protocol") +-- +2.48.1 + diff --git a/rootfs/cc-rpm.list b/rootfs/cc-rpm.list new file mode 100755 index 0000000000000000000000000000000000000000..c67578e25f1812cd1760a54d6f92bee62a89c710 --- /dev/null +++ b/rootfs/cc-rpm.list @@ -0,0 +1,42 @@ +# nfs-utils +nfs-utils +# tcp_wrappers-libs +tcp_wrappers-libs +# rpcbind +rpcbind +# libverto-tevent +libverto-tevent +# libtirpc +libtirpc +# libtevent +libtevent +# libtalloc +libtalloc +# libref_array +libref_array +# libpath_utils +libpath_utils +# libnfsidmap +libnfsidmap +# libini_config +libini_config +# libevent +libevent +# libcom_err +libcom_err +# libcollection +libcollection +# libbasicobjects +libbasicobjects +# keyutils +keyutils +# gssproxy +gssproxy +# e2fsprogs-libs +e2fsprogs-libs +# runc +runc +# bash +bash +#secGear-agent +secGear-aa diff --git a/rootfs/make_kuasar_initrd.sh b/rootfs/make_kuasar_initrd.sh index 2fe0343ecc1a6fe67b441467b5f9596657786e24..0f6c5d71ce8a6bbfb6887e1efd08e40110c91e22 100755 --- a/rootfs/make_kuasar_initrd.sh +++ b/rootfs/make_kuasar_initrd.sh 
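Review bot: The new condition `if config.image_config.aa_kbc_params != ""` in initialize() feeds `aa_kbc_params` straight into the agent's `--socketaddr` flag in place of the removed `aa_socket_addr` field; if that field carries a KBC specification rather than a listen address (the name suggests the former — verify against ImageConfig, which is outside this hunk), the agent is started with a wrong argument and the mistake only surfaces at its first request. Either keep a dedicated address field or document the expected format where the value is consumed, e.g. `// aa_kbc_params doubles as the agent listen address (host:port)`. The test itself should be written `if !config.image_config.aa_kbc_params.is_empty() {` (clippy comparison_to_empty). The struct keeps the name `SecGearConfig` and the field `aa_config` although the secGear feature is removed; a rename or a one-line comment noting it is now part of image-service would avoid confusion.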
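Review bot: The final comment line `#secGear-agent` names a package that is not in the list and lacks the `# ` spacing every other entry uses; it should read `# secGear-aa` to match the line it annotates. Since this list is only consumed by make_kuasar_virtcca_image.sh, a header comment stating that it is the CC-image variant of rpm.list and how it differs would save the next reader a diff between the two files.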
@@ -12,7 +12,7 @@ # Description: make kuasar initrd script_dir="$(dirname $(readlink -f $0))" -rpmlist=${script_dir}/make-initrd-rpm.list +rpmlist=${script_dir}/rpm.list IMAGE_NAME=${IMAGE_NAME:-kuasar.initrd} ROOTFS_DIR=${ROOTFS_DIR:-/tmp/kuasar-rootfs} diff --git a/rootfs/make_kuasar_virtcca_image.sh b/rootfs/make_kuasar_virtcca_image.sh index 6bf53a62ebe9be8672ed1c722b637d3a9dc87437..c0caaefb936ed9d6f8e41063e0d8a06ec7077880 100755 --- a/rootfs/make_kuasar_virtcca_image.sh +++ b/rootfs/make_kuasar_virtcca_image.sh @@ -12,7 +12,7 @@ # Description: make kuasar initrd script_dir="$(dirname $(readlink -f $0))" -rpmlist=${script_dir}/make-initrd-rpm.list +rpmlist=${script_dir}/cc-rpm.list IMAGE_NAME=${IMAGE_NAME:-rootfs.img} ROOTFS_DIR=${ROOTFS_DIR:-/tmp/kuasar-rootfs} @@ -87,7 +87,7 @@ do ln -sf /sbin/busybox ${ROOTFS_DIR}/${bin} done -LDD_BINARIES=(/init /sbin/busybox /usr/bin/bash /usr/bin/runc) +LDD_BINARIES=(/init /sbin/busybox /usr/bin/bash /usr/bin/runc /usr/bin/attestation-agent) for bin in ${LDD_BINARIES[@]} do # 使用ldd命令获取指定二进制所有的共享库,并将共享库解析复制到rootfs中 diff --git a/rootfs/make-initrd-rpm.list b/rootfs/rpm.list similarity index 100% rename from rootfs/make-initrd-rpm.list rename to rootfs/rpm.list diff --git a/series.conf b/series.conf index 6ae58241fd987aa41b4fb07a86311c327d7bce25..ac4fc19d8255810389a6c17a011be722a3ae1194 100644 --- a/series.conf +++ b/series.conf @@ -15,3 +15,5 @@ 0015-auto-restart-when-kuasar-exits-in-failure-state.patch 0016-qemu-bind-one-cpu-for-qemu-command.patch 0017-coco-mount-certs.patch +0018-start-attestation-agent-when-init-start-in-vm.patch +0019-remove-the-secGear-feature-and-use-the-image-service.patch
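Review bot: Adding `/usr/bin/attestation-agent` to LDD_BINARIES makes the image build depend on that binary being present on the build host, but nothing checks for it; whether a missing file aborts the build or silently yields an image without the agent depends on the script's error handling, which is outside this hunk. A guard before the loop, `[ -x /usr/bin/attestation-agent ] || { echo "attestation-agent not found; is secGear-aa installed?" >&2; exit 1; }`, fails fast with a clear message, which also covers the architectures where kuasar.spec does not pull in secGear-aa.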