confidential-containers · Xynnn007 · May 9, 2024 · May 9, 2024 · May 9, 2024 · May 9, 2024
@@ -31,6 +31,7 @@ pub trait ApiHandler: Send {
     }
 
     // Build json response.
+    #[allow(dead_code)]
     fn json_response(&self, json: String) -> Result<Response<Body>> {
         Ok(Response::builder()
             .status(StatusCode::OK)

@@ -12,7 +12,7 @@ use attester::{detect_tee_type, BoxedAttester};
 pub use attester::InitdataResult;
 
 pub mod config;
-mod token;
+pub mod token;
 
 use log::{info, warn};
 use token::*;

@@ -158,7 +158,7 @@ impl KeyProviderService for Server {
         })?;
 
         reply.KeyProviderKeyWrapProtocolOutput = lek;
-        debug!("[ttRPC CDH] send back the resource");
+        debug!("[ttRPC CDH] unwrap key succeeded.");
         Ok(reply)
     }
 }
@@ -170,7 +170,7 @@ impl SecureMountService for Server {
         _ctx: &TtrpcContext,
         req: SecureMountRequest,
     ) -> ::ttrpc::Result<SecureMountResponse> {
-        debug!("[ttRPC CDH] get new Secure mount request");
+        debug!("[ttRPC CDH] get new secure mount request");
         let reader = HUB.read().await;
         let reader = reader.as_ref().expect("must be initialized");
         let storage = Storage {
@@ -190,7 +190,7 @@ impl SecureMountService for Server {
 
         let mut reply = SecureMountResponse::new();
         reply.mount_path = resource;
-        debug!("[ttRPC CDH] send back the resource");
+        debug!("[ttRPC CDH] secure mount succeeded.");
         Ok(reply)
     }
 }
@@ -10,6 +10,7 @@ anyhow.workspace = true
 async-trait.workspace = true
 base64.workspace = true
 log.workspace = true
+rand = { workspace = true, optional = true }
 secret = { path = "../secret" }
 serde.workspace = true
 serde_json.workspace = true
@@ -27,4 +28,4 @@ anyhow.workspace = true
 
 [features]
 default = ["aliyun"]
-aliyun = [ "tempfile", "tokio/fs", "tokio/process", "tokio/io-util", "tokio/time" ]
+aliyun = [ "rand", "tempfile", "tokio/fs", "tokio/process", "tokio/io-util", "tokio/time" ]
@@ -10,9 +10,14 @@ use std::{collections::HashMap, os::unix::fs::PermissionsExt};
 
 use anyhow::Context;
 use async_trait::async_trait;
-use log::debug;
+use log::{debug, error};
+use rand::{distributions::Alphanumeric, Rng};
 use serde::{Deserialize, Serialize};
-use tokio::{fs, io::AsyncWriteExt, process::Command};
+use tokio::{
+    fs,
+    io::{AsyncReadExt, AsyncWriteExt},
+    process::Command,
+};
 
 use error::{AliyunError, Result};
 
@@ -69,6 +74,22 @@ async fn get_plaintext_secret(secret: &str) -> anyhow::Result<String> {
     }
 }
 
+async fn create_random_dir() -> anyhow::Result<String> {
+    const NAME_LENGTH: usize = 10;
+
+    let name: String = rand::thread_rng()
+        .sample_iter(&Alphanumeric)
+        .take(NAME_LENGTH)
+        .map(char::from)
+        .collect();
+
+    let path_name = format!("/tmp/{name}");
+    fs::create_dir_all(&path_name)
+        .await
+        .context("create /tmp dir")?;
+    Ok(path_name)
+}
+
 impl Oss {
     async fn real_mount(
         &self,
@@ -85,7 +106,7 @@ impl Oss {
         let plain_ak_id = get_plaintext_secret(&oss_parameter.ak_id).await?;
         let plain_ak_secret = get_plaintext_secret(&oss_parameter.ak_secret).await?;
 
-        // create temp directory to storage metadata for this mount operation
+        // create temp directory to store metadata for this mount operation
         let tempdir = tempfile::tempdir()?;
 
         // create ossfs passwd file
@@ -105,7 +126,8 @@ impl Oss {
                 .as_bytes(),
             )
             .await?;
-        ossfs_passwd.flush().await?;
+        ossfs_passwd.sync_all().await?;
+        drop(ossfs_passwd);
 
         // generate parameters for ossfs command
         let mut opts = oss_parameter
@@ -115,12 +137,11 @@ impl Oss {
             .collect();
 
         if oss_parameter.encrypted == "gocryptfs" {
-            let gocryptfs_dir = tempfile::tempdir()?;
+            let gocryptfs_dir = create_random_dir().await?;
 
-            let gocryptfs_dir_path = gocryptfs_dir.path().to_string_lossy().to_string();
             let mut parameters = vec![
                 format!("{}:{}", oss_parameter.bucket, oss_parameter.path),
-                gocryptfs_dir_path.clone(),
+                gocryptfs_dir.clone(),
                 format!("-ourl={}", oss_parameter.url),
                 format!("-opasswd_file={ossfs_passwd_path}"),
             ];
@@ -129,10 +150,21 @@ impl Oss {
             let mut oss = Command::new(OSSFS_BIN)
                 .args(parameters)
                 .spawn()
-                .map_err(|_| AliyunError::OssfsMountFailed)?;
+                .map_err(|e| {
+                    error!("oss cmd fork failed: {e}");
+                    AliyunError::OssfsMountFailed
+                })?;
             let oss_res = oss.wait().await?;
             if !oss_res.success() {
                 {
+                    let mut stderr = String::new();
+                    if let Some(mut err) = oss.stderr {
+                        err.read_to_string(&mut stderr).await?;
+                        error!("OSS mount failed with stderr: {stderr}");
+                    } else {
+                        error!("OSS mount failed");
+                    }
+
                     return Err(AliyunError::OssfsMountFailed);
                 }
             }
@@ -147,11 +179,12 @@ impl Oss {
             let mut gocryptfs_passwd = fs::File::create(&gocryptfs_passwd_path).await?;
 
             gocryptfs_passwd.write_all(plain_passwd.as_bytes()).await?;
-            gocryptfs_passwd.flush().await?;
+            gocryptfs_passwd.sync_all().await?;
+            drop(gocryptfs_passwd);
 
             // generate parameters for gocryptfs, and execute
             let parameters = vec![
-                gocryptfs_dir_path,
+                gocryptfs_dir,
                 mount_point.to_string(),
                 "-passfile".to_string(),
                 gocryptfs_passwd_path,
@@ -165,6 +198,14 @@ impl Oss {
             let gocryptfs_res = gocryptfs.wait().await?;
             if !gocryptfs_res.success() {
                 {
+                    let mut stderr = String::new();
+
+                    if let Some(mut err) = gocryptfs.stderr {
+                        err.read_to_string(&mut stderr).await?;
+                        error!("gocryptfs failed with stderr: {stderr}");
+                    } else {
+                        error!("gocryptfs failed");
+                    }
                     return Err(AliyunError::GocryptfsMountFailed);
                 }
             }
@@ -180,10 +221,20 @@ impl Oss {
             let mut oss = Command::new(OSSFS_BIN)
                 .args(parameters)
                 .spawn()
-                .map_err(|_| AliyunError::OssfsMountFailed)?;
+                .map_err(|e| {
+                    error!("oss cmd fork failed: {e}");
+                    AliyunError::OssfsMountFailed
+                })?;
             let oss_res = oss.wait().await?;
             if !oss_res.success() {
                 {
+                    let mut stderr = String::new();
+                    if let Some(mut err) = oss.stderr {
+                        err.read_to_string(&mut stderr).await?;
+                        error!("oss mount failed with stderr: {stderr}");
+                    } else {
+                        error!("oss mount failed");
+                    }
                     return Err(AliyunError::OssfsMountFailed);
                 }
             }

@@ -95,7 +95,7 @@ pub fn create_runtime_config(
         // - Config.Labels
         if let Some(labels2) = config.labels() {
             annotations.extend(labels2.clone());
-            labels = labels2.clone();
+            labels.clone_from(labels2);
         }
         if !labels.contains_key(ANNOTATION_STOP_SIGNAL) {
             if let Some(stop_signal) = config.stop_signal() {

@@ -47,7 +47,7 @@ impl EncLayerFinalizer {
             let mut b64_annotations = String::new();
             let anno = annotations.unwrap_or(&DEFAULT_ANNOTATION_MAP);
             if let Some(key_annotations) = anno.get(annotations_id) {
-                b64_annotations = key_annotations.clone();
+                b64_annotations.clone_from(key_annotations);
             }
 
             let key_wrapper = get_key_wrapper(scheme)?;