cdh: add secure mount feature in cdh #345
Conversation
There was a problem hiding this comment.
Thank you @LindaYu17 for the contribution! only some nits..
| { "volume-type":"alibaba-cloud-oss", | ||
| "device":"/var/lib/kubelet/pods/xxxx-xxxx-xxxx-xxxx/volumes/kubernetes.io~csi/pv-oss-direct-assigned/mount", | ||
| "fstype":"oss", | ||
| "metadata": | ||
| { | ||
| "akId":"sealed.XXX", | ||
| "akSecret":"sealed.XXX", | ||
| "annotations":"", | ||
| "bucket":"oss", | ||
| "encrypted":"gocryptfs", | ||
| "encPasswd":"sealed.XXX", | ||
| "kmsKeyId":"", | ||
| "otherOpts":"-o max_stat_cache_size=0 -o allow_other", | ||
| "path":"/", | ||
| "readonly":"false", | ||
| "targetPath":"/var/lib/kubelet/pods/xxxx-xxxx-xxxx-xxxx/volumes/kubernetes.io~csi/pv-oss-direct-assigned/mount", | ||
| "url":"oss-cn-hangzhou.aliyuncs.com", | ||
| "volumeId":"pv-oss-direct-assigned" | ||
| }, | ||
| "options":["-o","max_stat_cache_size=0","-o","allow_other"] | ||
| } |
There was a problem hiding this comment.
I think it is better to include this test json in the concrete implementation of fn secure_mount PR, or it would be confusing to other reviewers
| @@ -18,10 +18,22 @@ message GetResourceResponse { | |||
| bytes Resource = 1; | |||
| } | |||
|
|
|||
| message SecureMountRequest { | |||
| bytes mountInfo = 1; | |||
There was a problem hiding this comment.
so it is implied that the concrete mount type (s.t. driver type to be called) would be included inside the mountInfo? Thus do we have a common struct format of the parameter?
| } | ||
|
|
||
| message SecureMountResponse { | ||
| bytes mountPath = 1; |
There was a problem hiding this comment.
only a little question: as path is a string, is it better to use a string rather than a bytes?
confidential-data-hub/hub/src/hub.rs
Outdated
| @@ -66,4 +66,8 @@ impl DataHub for Hub { | |||
| .map_err(|e| Error::GetResource(format!("get rersource failed: {e}")))?; | |||
| Ok(res) | |||
| } | |||
|
|
|||
| async fn secure_mount(&self, mount_info: Vec<u8>) -> Result<Vec<u8>> { | |||
| todo!() | |||
There was a problem hiding this comment.
Do you want to do this feature in multiple parts or should we wait for this to be implemented before merging?
There was a problem hiding this comment.
Do you want to do this feature in multiple parts or should we wait for this to be implemented before merging?
the feature is still under development, and the patches will be submitted within this PR soon, so we can wait for them. Thank you @fitzthum
There was a problem hiding this comment.
You might want to make this PR into a draft for now btw
There was a problem hiding this comment.
the development is done now, and I will update based on the review comments.
LindaYu17
changed the title
|
Please don't add compiled binaries to the repository. If they are needed by this feature then you have to build them into the kata guest image in the kata-containers repo. |
Also, depending on how large dependencies are (including for future storage options, we might need to think about whether we can really support a generic image. |
| .to_string(); | ||
|
|
||
| match volumetype.as_str() { | ||
| "alibaba-cloud-oss" => { |
There was a problem hiding this comment.
Maybe we should have a feature to enable/disable particular storage vendors?
There was a problem hiding this comment.
Can we just call ossfs and gocryptfs directly from Rust and get rid of this script?
There was a problem hiding this comment.
need the oss account to do more test, and then I will update accordingly, thanks
There was a problem hiding this comment.
call ossfs and gocryptfs from rust in latest commit, and the script is removed. Thanks
| .arg("-o") | ||
| .arg(self.other_opts.clone()) | ||
| .arg("-d") | ||
| .arg(source) |
There was a problem hiding this comment.
-d is the mountpoint according to the script. It's a bit confusing to me that it is set to the source here.
There was a problem hiding this comment.
mount.sh is removed.
removed, thanks |
| .ok_or(anyhow!("split by \"=\" failed")) | ||
| .map_err(|e| Error::SecureMountFailed(format!("split by \"=\" failed: {e}")))?; |
There was a problem hiding this comment.
| .ok_or(anyhow!("split by \"=\" failed")) | |
| .map_err(|e| Error::SecureMountFailed(format!("split by \"=\" failed: {e}")))?; | |
| .ok_or(Error::SecureMountFailed(format!("split by \"=\" failed)))?; |
| &_ => { | ||
| return Err(Error::SecureMountFailed(format!( | ||
| "illegal mount info with unsupported volumetype" | ||
| ))) |
There was a problem hiding this comment.
We'd better mention what volume type is for better debugging
| &_ => { | |
| return Err(Error::SecureMountFailed(format!( | |
| "illegal mount info with unsupported volumetype" | |
| ))) | |
| other => { | |
| return Err(Error::SecureMountFailed(format!( | |
| "illegal mount info with unsupported volumetype: {other}" | |
| ))) |
confidential-data-hub/hub/src/hub.rs
Outdated
| let res = storage | ||
| .mount() | ||
| .await | ||
| .map_err(|e| Error::SecureMount(format!("mount failed: {e}")))?; |
There was a problem hiding this comment.
duplicated error information
| .map_err(|e| Error::SecureMount(format!("mount failed: {e}")))?; | |
| .map_err(|e| Error::SecureMount(e.to_string())))?; |
| #[derive(Error, Debug)] | ||
| pub enum Error { | ||
| #[error("secure mount failed: {0}")] | ||
| SecureMountFailed(String), |
There was a problem hiding this comment.
Nice to see that thiserror crate is used!
I suggest that we have some more fine grained error types. In fact SecureMountFailed applies all the errors returned from the crate.
The storage is somehow similiar with kms. I divided the errors by the plugin type here https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/kms/src/error.rs and I know that is not perfect. Please think about this and refer to this in your preferred way
| .await; | ||
| } | ||
| other => { | ||
| println!("skip mount info with unsupported volumetype: {other}"); |
There was a problem hiding this comment.
shall we use log here instead of println!? s.t. log::info! or log::debug!
There was a problem hiding this comment.
@LindaYu17 is there any description of the feature where I can read about the scope of secure mount, limitations etc. ?
|
Signed-off-by: Linda Yu <linda.yu@intel.com>
Signed-off-by: Linda Yu <linda.yu@intel.com>
|
LGTM |
| impl Storage { | ||
| pub async fn mount(&self) -> Result<String> { | ||
| for driver_option in &self.driver_options { | ||
| let (volumetype, metadata) = |
There was a problem hiding this comment.
nit: volumetype -> volume_type
| } | ||
|
|
||
| message SecureMountResponse { | ||
| string mountPath = 1; |
| const OSSFS_PASSWD_FILE: &str = "/tmp/ossfs_passwd"; | ||
| const GOCRYPTFS_PASSWD_FILE: &str = "/tmp/gocryptfs_passwd"; | ||
| const OSSFS_BIN: &str = "/usr/local/bin/ossfs"; | ||
| const GOCRYPTFS_BIN: &str = "/usr/local/bin/gocryptfs"; |
There was a problem hiding this comment.
I assume there will be changes in Kata to install these in the rootfs? Are we going to add them to every rootfs or just certain runtime classes?
There was a problem hiding this comment.
add the tools to rootfs image like this:
kata-containers/kata-containers@066e042
| Ok(res) | ||
| } | ||
|
|
||
| async fn get_plain(secret: &str) -> Result<String> { |
There was a problem hiding this comment.
Can this function name be a little more descriptive, like get_plaintext_secret?
Signed-off-by: Linda Yu <linda.yu@intel.com>
Signed-off-by: Linda Yu <linda.yu@intel.com>
Signed-off-by: Linda Yu <linda.yu@intel.com>
|
@Xynnn007 @LindaYu17 I don't have the expertise to review this code. Although I wanted to have a document describing the details which @LindaYu17 kindly added. So I'm good with it. Thanks. |
There was a problem hiding this comment.
LGTM. Thanks @LindaYu17
I think the test failure can be fixed by a rebase.
No description provided.