Closed huoqifeng closed 5 days ago
Hey @huoqifeng - for the cdh configuration we also need aa_kbc_params set in /run/confidential-containers/cdh.toml (see https://github.com/confidential-containers/cloud-api-adaptor/pull/1748), do you know if that is working okay for libvirt in fedora too?
CDH configure is OK on Fedora.
Right, maybe we should handle agent-config.toml similar to cdh.toml and remove the algorithm for its update in process-user-data.
@stevenhorsman @mkulke @bpradipt @liudalibj We can handle agent-config.toml just like cdh.toml here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go#L258-L282 via cloudConfig rather than update it in process-user-data. wdyt?
in principle yes, if we assume the agent-config will be static and the same for all cases, we can generate it in code and don't attempt to update the file, that would be the cleaner approach.
it will also be useful if we want to provision a registry auth file via user-data, we could set the required kata-agent config option in the same file.
https://github.com/confidential-containers/cloud-api-adaptor/pull/1850#pullrequestreview-2090837084
When creating a libvirt PeerPod based on the fedora image on a s390x machine, which is built from mkosi, the field "aa-kbc-params" in agent-config.toml under /run/peerpod was not customized correctly. This should be caused by process-user-data. Logs look like:
After disabling the "ExecStartPre" https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/etc/systemd/system/process-user-data.service#L12 the error looks like this:
The problem is that on fedora, the failure in ExecStartPre in process-user-data causes ExecStart to be skipped, because the libvirt provider does not implement the provision API.

Option 1
I tried and broke it into 2 services, process-user-data-provision and process-user-data-update, while process-user-data-update depends on cloud-final.service because libvirt and other providers like ibmcloud use cloud-init to provision user-data. It works for the libvirt provider on ubuntu because:
- ExecStartPre in process-user-data won't cause ExecStart to be skipped on ubuntu
- /etc/agent-config.toml is used rather than /run/peerpod/agent-config.toml on ubuntu

Option 2:
We can handle agent-config.toml just like cdh.toml here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go#L258-L282 via cloudConfig rather than update it in process-user-data
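Option 2 above (rendering agent-config.toml on the adaptor side and shipping it through cloud-init, instead of editing it in process-user-data on the podvm) could look like this in Go; this is an added example, not cloud-api-adaptor code. The AgentConfig type, ValidateKBCParams, WriteFilesEntry and the "<kbc>::<kbs-url>" shape of aa_kbc_params are assumptions, and the KBS URL is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AgentConfig holds what the adaptor would render into agent-config.toml
// (type and field names are this example's own, not cloud-api-adaptor's).
type AgentConfig struct {
	AAKBCParams string // e.g. "cc_kbc::http://kbs.example:8080" (constructed)
}

// ValidateKBCParams rejects empty or malformed values; "<kbc>::<kbs-url>" is assumed.
func ValidateKBCParams(p string) error {
	kbc, url, ok := strings.Cut(p, "::")
	if !ok || kbc == "" || url == "" {
		return errors.New("aa_kbc_params must look like <kbc>::<kbs-url>")
	}
	if !strings.HasPrefix(url, "http://") && !strings.HasPrefix(url, "https://") {
		return errors.New("aa_kbc_params KBS URL must be http(s)")
	}
	return nil
}

// RenderAgentConfig renders the TOML; only aa_kbc_params is modelled here.
func RenderAgentConfig(c AgentConfig) (string, error) {
	if err := ValidateKBCParams(c.AAKBCParams); err != nil {
		return "", err
	}
	return fmt.Sprintf("aa_kbc_params = %q\n", c.AAKBCParams), nil
}

// WriteFilesEntry wraps the TOML in a cloud-init write_files entry so the file
// lands at path on first boot, with no post-boot edit step left to fail.
func WriteFilesEntry(path, content string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "write_files:\n- path: %s\n  content: |\n", path)
	for _, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		fmt.Fprintf(&b, "    %s\n", line)
	}
	return b.String()
}

func main() {
	content, err := RenderAgentConfig(AgentConfig{AAKBCParams: "cc_kbc::http://kbs.example:8080"})
	if err != nil {
		panic(err)
	}
	fmt.Print(WriteFilesEntry("/run/peerpod/agent-config.toml", content))
}
```

Because validation happens before the file is written, a missing or malformed aa_kbc_params fails the podvm creation on the adaptor side rather than leaving the guest agent with a default configuration.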