Merge pull request #530 from jiangliu/coco

Support host sharing and guest pulling for Confidential Container image management
containerd · Sep 12, 2023 · 106a9a1 · 106a9a1
2 parents 2f1bfad + 0da2966
commit 106a9a1
Show file tree

Hide file tree

Showing 17 changed files with 1,018 additions and 330 deletions.
diff --git a/config/config.go b/config/config.go
@@ -104,6 +104,7 @@ const (
 	FsDriverFusedev  string = constant.FsDriverFusedev
 	FsDriverFscache  string = constant.FsDriverFscache
 	FsDriverNodev    string = constant.FsDriverNodev
+	FsDriverProxy    string = constant.FsDriverProxy
 )
 
 type Experimental struct {
@@ -114,6 +115,7 @@ type Experimental struct {
 
 type TarfsConfig struct {
 	EnableTarfs       bool   `toml:"enable_tarfs"`
+	MountTarfsOnHost  bool   `toml:"mount_tarfs_on_host"`
 	TarfsHint         bool   `toml:"tarfs_hint"`
 	MaxConcurrentProc int    `toml:"max_concurrent_proc"`
 	ExportMode        string `toml:"export_mode"`
@@ -156,6 +158,7 @@ type ImageConfig struct {
 // requests from containerd
 type SnapshotConfig struct {
 	EnableNydusOverlayFS bool `toml:"enable_nydus_overlayfs"`
+	EnableKataVolume     bool `toml:"enable_kata_volume"`
 	SyncRemove           bool `toml:"sync_remove"`
 }
 
@@ -182,6 +185,7 @@ type AuthConfig struct {
 type RemoteConfig struct {
 	AuthConfig         AuthConfig    `toml:"auth"`
 	ConvertVpcRegistry bool          `toml:"convert_vpc_registry"`
+	SkipSSLVerify      bool          `toml:"skip_ssl_verify"`
 	MirrorsConfig      MirrorsConfig `toml:"mirrors_config"`
 }
 
@@ -272,7 +276,9 @@ func ValidateConfig(c *SnapshotterConfig) error {
 		return errors.New("empty root directory")
 	}
 
-	if c.DaemonConfig.FsDriver != FsDriverFscache && c.DaemonConfig.FsDriver != FsDriverFusedev {
+	if c.DaemonConfig.FsDriver != FsDriverFscache && c.DaemonConfig.FsDriver != FsDriverFusedev &&
+		c.DaemonConfig.FsDriver != FsDriverBlockdev && c.DaemonConfig.FsDriver != FsDriverNodev &&
+		c.DaemonConfig.FsDriver != FsDriverProxy {
 		return errors.Errorf("invalid filesystem driver %q", c.DaemonConfig.FsDriver)
 	}
 	if _, err := ParseRecoverPolicy(c.DaemonConfig.RecoverPolicy); err != nil {

diff --git a/config/global.go b/config/global.go
@@ -112,6 +112,10 @@ func GetDaemonProfileCPUDuration() int64 {
 	return globalConfig.origin.SystemControllerConfig.DebugConfig.ProfileDuration
 }
 
+func GetSkipSSLVerify() bool {
+	return globalConfig.origin.RemoteConfig.SkipSSLVerify
+}
+
 const (
 	TarfsLayerVerityOnly      string = "layer_verity_only"
 	TarfsImageVerityOnly      string = "image_verity_only"
@@ -121,6 +125,10 @@ const (
 	TarfsImageBlockWithVerity string = "image_block_with_verity"
 )
 
+func GetTarfsMountOnHost() bool {
+	return globalConfig.origin.Experimental.TarfsConfig.MountTarfsOnHost
+}
+
 func GetTarfsExportEnabled() bool {
 	switch globalConfig.origin.Experimental.TarfsConfig.ExportMode {
 	case TarfsLayerVerityOnly, TarfsLayerBlockDevice, TarfsLayerBlockWithVerity:

diff --git a/internal/constant/values.go b/internal/constant/values.go
@@ -25,6 +25,8 @@ const (
 	FsDriverFscache string = "fscache"
 	// Only prepare/supply meta/data blobs, do not mount RAFS filesystem.
 	FsDriverNodev string = "nodev"
+	// Relay layer content download operation to other agents.
+	FsDriverProxy string = "proxy"
 )
 
 const (

diff --git a/misc/snapshotter/config-coco-guest-pulling.toml b/misc/snapshotter/config-coco-guest-pulling.toml
@@ -0,0 +1,15 @@
+version = 1
+
+# Snapshotter's own home directory where it stores and creates necessary resources
+root = "/var/lib/containerd-nydus"
+
+# The snapshotter's GRPC server socket, containerd will connect to plugin on this socket
+address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
+
+[daemon]
+# Enable proxy mode
+fs_driver = "proxy"
+
+[snapshot]
+# Insert Kata volume information to `Mount.Options`
+enable_kata_volume = true
diff --git a/misc/snapshotter/config-coco-host-sharing.toml b/misc/snapshotter/config-coco-host-sharing.toml
@@ -0,0 +1,40 @@
+
+version = 1
+# Snapshotter's own home directory where it stores and creates necessary resources
+root = "/var/lib/containerd-nydus"
+# The snapshotter's GRPC server socket, containerd will connect to plugin on this socket
+address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
+# No nydusd daemon needed
+daemon_mode = "none"
+
+[daemon]
+# Use `blockdev` for tarfs
+fs_driver = "blockdev"
+# Path to nydus-image binary
+nydusimage_path = "/usr/local/bin/nydus-image"
+
+[remote]
+skip_ssl_verify = true
+
+[snapshot]
+# Insert Kata volume information to `Mount.Options`
+enable_kata_volume = true
+
+[experimental.tarfs]
+# Whether to enable nydus tarfs mode. Tarfs is supported by:
+# - The EROFS filesystem driver since Linux 6.4
+# - Nydus Image Service release v2.3
+enable_tarfs = true
+
+# Mount rafs on host by loopdev and EROFS
+mount_tarfs_on_host = false
+
+# Mode to export tarfs images:
+# - "none" or "": do not export tarfs
+# - "layer_verity_only": only generate disk verity information for a layer blob
+# - "image_verity_only": only generate disk verity information for all blobs of an image
+# - "layer_block": generate a raw block disk image with tarfs for a layer
+# - "image_block": generate a raw block disk image with tarfs for an image
+# - "layer_block_with_verity": generate a raw block disk image with tarfs for a layer with dm-verity info
+# - "image_block_with_verity": generate a raw block disk image with tarfs for an image with dm-verity info
+export_mode = "image_block_with_verity"
diff --git a/misc/snapshotter/config.toml b/misc/snapshotter/config.toml
@@ -83,6 +83,8 @@ enable_cri_keychain = false
 [snapshot]
 # Let containerd use nydus-overlayfs mount helper
 enable_nydus_overlayfs = false
+# Insert Kata Virtual Volume option to `Mount.Options`
+enable_kata_volume = false
 # Whether to remove resources when a snapshot is removed
 sync_remove = false
 
@@ -109,6 +111,8 @@ enable_referrer_detect = false
 # - The EROFS filesystem driver since Linux 6.4
 # - Nydus Image Service release v2.3
 enable_tarfs = false
+# Mount rafs on host by loopdev and EROFS
+mount_tarfs_on_host = false
 # Only enable nydus tarfs mode for images with `tarfs hint` label when true
 tarfs_hint = false
 # Maximum of concurrence to converting OCIv1 images to tarfs, 0 means default

diff --git a/pkg/filesystem/config.go b/pkg/filesystem/config.go
@@ -8,7 +8,6 @@
 package filesystem
 
 import (
-	"github.com/containerd/nydus-snapshotter/config"
 	"github.com/containerd/nydus-snapshotter/pkg/cache"
 	"github.com/containerd/nydus-snapshotter/pkg/manager"
 	"github.com/containerd/nydus-snapshotter/pkg/referrer"
@@ -27,20 +26,14 @@ func WithNydusImageBinaryPath(p string) NewFSOpt {
 	}
 }
 
-func WithManager(pm *manager.Manager) NewFSOpt {
+func WithManagers(managers []*manager.Manager) NewFSOpt {
 	return func(fs *Filesystem) error {
-		if pm != nil {
-			switch pm.FsDriver {
-			case config.FsDriverBlockdev:
-				fs.blockdevManager = pm
-			case config.FsDriverFscache:
-				fs.fscacheManager = pm
-			case config.FsDriverFusedev:
-				fs.fusedevManager = pm
-			}
-			fs.enabledManagers = append(fs.enabledManagers, pm)
+		if fs.enabledManagers == nil {
+			fs.enabledManagers = map[string]*manager.Manager{}
+		}
+		for _, pm := range managers {
+			fs.enabledManagers[pm.FsDriver] = pm
 		}
-
 		return nil
 	}
 }