Change the if statement to check if the CWD is set to /
Add unit tests for the correct merging of working directory
in the container and image process
Note: there is an outstanding question about one test case
Format code
Fixes: #5721
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>
Loop through the images enviroment variables, checking if it exists
inside the target. If it does then do not append it.
Add unit tests for correctly merging the env variables of the pod yaml
and image itself in the container and image process
Format code
Fixes: #5730
Signed-off-by: Jordan Jackson <jordan.jackson@ibm.com>
Some rootfs put iptables-save and iptables-restore
under /usr/sbin instead of /sbin. This pr checks both
and returns the one exist.
Fixes: #5608
Signed-off-by: Ji-Xinyou <jerryji0414@outlook.com>
If the attestation-agent is used then enable image_client_auth
to enable the attempt to get registry credentials for the pull
Fixes: #5652
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
test_ip_tables test depends on iptables tools. But we can't
ensure these tools are exist. it's better to skip the test
if there is no such tools.
Fixes: #5697
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This is just to keep the support for s390x without the cosign
verification while looking for a solution for #5582.
Fixes: #5599
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
image-rs tagged its v0.2.0 release, let's bump it here as we're about to
release the payload for the v0.2.0 Confidential Containers release.
Fixes: #5593
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
1. be able to check does hypervisor support use block device, block
device hotplug, multi-queue, and share file
2. be able to set the hypervisor capability of using block device, block
device hotplug, multi-queue, and share file
Fixes: #5569
Signed-off-by: Zhongtao Hu <zhongtaohu.tim@linux.alibaba.com>
Replace hard-coded aa_kbc_param check to set the image_client's
security_validate, with reading the setting from the agent config
Fixes: #4888
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Add a new agent config parameter enable_signature_verification which
defaults to true for security reasons
- Add unit tests to check parsing and defaults
Fixes: #4888
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Allows parameters in the agent config file to be overwritten
by the kernel commandline. Does not change trust model since
the commandline is measured.
Makes sure to set endpoints_allowed correctly.
Fixes: #5173
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
As we discussed in #5178, user need set aa_kbc_params config without
modify kata guest image, since kernel params is also measured in TEE
boot flow, we make aa_kbc_params can be parsed through kernel cmdline.
Fixes: #5178
Signed-off-by: Wang, Arron <arron.wang@intel.com>
To support cosign signature verification.
Fix build warning in signal.rs:
error: unused `tokio::sync::MutexGuard` that must be used
--> src/signal.rs:27:9
|
27 | rustjail::container::WAIT_PID_LOCKER.lock().await;
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: `-D unused-must-use` implied by `-D warnings`
= note: if unused the Mutex will immediately unlock
Fixes: #5541
Signed-off-by: Wang, Arron <arron.wang@intel.com>
1. Implemented a rust module for operating cgroups through systemd with the help of zbus (src/agent/rustjail/src/cgroups/systemd).
2. Add support for optional cgroup configuration through fs and systemd at agent (src/agent/rustjail/src/container.rs).
3. Described the usage and supported properties of the agent systemd cgroup (docs/design/agent-systemd-cgroup.md).
Fixes: #4336
Signed-off-by: Yuan-Zhuo <yuanzhuo0118@outlook.com>
before setting a limit, otherwise paths may not be found.
guest supporting different hugepage size is more likely with peer-pods where
podvm may use different flavor.
Fixes: #5191
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
Prior to this patch, we were missing a call to `verify_cid` when the cid
was derived from the image path, which meant that the host could specify
something like "prefix/..", and we would use ".." as the cid. Paths
derived from this (e.g., `bundle_path`) would not be at the intended
tree.
This patch factors the code out of `pull_image` so that it can be more
easily tested. Tests are added for a number of cases.
Fixes#5421
Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This also slightly improves readability by decluttering the function
declaration and call site.
Fixes#5405
Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
ESRCH usually means the process has exited. In this case,
the execution should continue to kill remaining container processes.
Fixes: #5366
Signed-off-by: Feng Wang <feng.wang@databricks.com>
[Fix up cargo updates]
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The kata agent adds a reference for each storage object before mount
and skip mount again if the storage object is known. We need to
remove the object reference if mount fails.
Fixes: #5364
Signed-off-by: Feng Wang <feng.wang@databricks.com>
before setting a limit, otherwise paths may not be found.
guest supporting different hugepage size is more likely with peer-pods where
podvm may use different flavor.
Fixes: #5191
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
