CDH | Refactor secure mount module #539
Conversation
The old secure mount API aligns with kata-agent's Storage object, thus brings more parameters of no use, like `source`, `fstype`, etc. This new definition organizes parameters into options(k-v pairs) and flags (purely strings), also a `volume_type` field to specify the concrete secure mount type, and last a `mount_point` to specify the target mount point. The change makes it easier to write requests when we directly use CDH inside a non-CoCo scenario. Signed-off-by: Xynnn007 <[email protected]>
This commit refactored the secure mount module according to the new API defnition. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Before this PR, it is possible that CDH will read a file that is still not flushed onto the local filesystem. The similiar problem is the gocryptfs mount is based on oss mount. We should make sure that the oss mount succeeds and then do gocryptfs mount. Signed-off-by: Xynnn007 <[email protected]>
| { | ||
| "driver": "", | ||
| "driver_options": [ | ||
| "alibaba-cloud-oss={\"akId\":\"XXX\",\"akSecret\":\"XXX\",\"annotations\":\"\",\"bucket\":\"<bucket-id>\",\"encrypted\":\"gocryptfs\",\"encPasswd\":\"<PASSWORD>\",\"kmsKeyId\":\"\",\"otherOpts\":\"-o max_stat_cache_size=0 -o allow_other\",\"path\":\"<bucket-path>\",\"readonly\":\"\",\"targetPath\":\"/mnt/aliyun-oss\",\"url\":\"https://oss-cn-beijing.aliyuncs.com\",\"volumeId\":\"\"}" | ||
| ], | ||
| "source": "", | ||
| "fstype": "", | ||
| "options": [], | ||
| "volume_type": "alibaba-cloud-oss", | ||
| "options": { | ||
| "akId": "XXX", | ||
| "akSecret": "XXX", | ||
| "annotations": "", | ||
| "bucket": "<bucket-id>", | ||
| "encrypted": "gocryptfs", | ||
| "encPasswd": "<PASSWORD>", | ||
| "kmsKeyId": "", | ||
| "otherOpts": "-o max_stat_cache_size=0 -o allow_other", | ||
| "path": "<bucket-path>", | ||
| "readonly": "", | ||
| "targetPath": "/mnt/aliyun-oss", | ||
| "url": "https://oss-cn-beijing.aliyuncs.com", | ||
| "volumeId": "" | ||
| }, | ||
| "flags": [], | ||
| "mount_point": "/mnt/target-path" | ||
| } |
There was a problem hiding this comment.
@Xynnn007 indeed :-)
A related question, can I use the secure mount functionality today to mount S3 or Azure blob volumes inside the container today ? Or code changes will be needed to support different object storages ?
There was a problem hiding this comment.
Take aliyun oss for example, we might need
- CDH to impl the plugin. If 1 is achieved, a confidential VM support is ok. The following points are for confidential containers.
- kata-runtime & kata-agent deliver
secure-mountmetadata to CDH. This is what https://github.com/kata-containers/kata-containers/pull/7965/files did. - The CSI driver of S3/Azure blob/other kinds of storages should support deliver mount info to kata as aliyun-oss does
There was a problem hiding this comment.
Thanks @Xynnn007. This makes sense
There was a problem hiding this comment.
Looks pretty good overall.
I guess you're removing the source parameter (at least from the top level). I think that's fine, but I wonder if it could be useful in cases where the encrypted dir is already inside the guest i.e. mounted from the host by the kata agent.
confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/error.rs
Outdated
Show resolved
Hide resolved
|
|
||
| #[derive(Error, Debug)] | ||
| pub enum Error { | ||
| #[error("Error when getting plaintext of OSS parameters")] |
There was a problem hiding this comment.
Might want to add {0} to the error message somewhere. I'm not sure the source error gets printed otherwise.
There was a problem hiding this comment.
This seems like a high level issue. I'd suggest that we resolve this in another separate issue? Probably #541 can cover this.
Oh. I once thought from the CDH point of view, such a parameter could be included inside |
Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
fix-secure-mount
branch
from
848cc5b to
e1a207d
Compare
yeah, should be fine to us an option for it, but that might mean we do a bit more juggling in the kata agent. i guess it might actually be better to have an option for it since the source probably won't be used in most cases |
Well. I am still thinking about the scenarios outside CoCo, like in confidential VM.
So, maybe we can leave this as-is? |
That's fine. We can always change it in the future once we start implementing more storage backends. |
The old secure mount API aligns with kata-agent's Storage object, thus brings more parameters of no use, like
source,fstype, etc.This new definition organizes parameters into options(k-v pairs) and flags (purely strings), also a
volume_typefield to specify the concrete secure mount type, and last amount_pointto specify the target mount point.The change makes it much easier and straightforward to write requests when we directly use CDH inside a non-CoCo scenario.
This PR would break PR https://github.com/kata-containers/kata-containers/pull/7965/files. But as it is not merged now, we can make a new PR based on that when doing secure mount feature merge-to-main.
cc @ChengyuZhu6