confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

podvm: launch guest-components as systemd units #1858

Closed mkulke closed 2 weeks ago

mkulke commented 2 weeks ago

Prior to this change the kata-agent was launching the guest-components programmatically as child processes. For CAA it is preferable to launch the processes as systemd units for improved reliability and to remove redundancy (due to the network ns requirement, api-server-rest was spawned in the root ns by kata and via systemd in the podns ns by systemd).

We need to make the "update" functionality aware of the guest_components_procs agent setting, so it will be copied to the destination agent configuration file.

The attestation-agent unit is spawned after process-user-data, because it will consume the templated kata-agent config. The confidential-data-hub and api-server-rest units are activated by the presence of the unix sockets they connect to.

attestation-agent will keep defaulting to the kata agent config for the aa_kbc_params config, that's why we need to configure the agent path in the mkosi image.

The process tree on a podvm will look like this after this change:

$ pstree
systemd-+-agent-protocol----6*[{agent-protocol-}]
        |-api-server-rest---2*[{api-server-rest}]
        |-attestation-age---2*[{attestation-age}]
        |-confidential-da---2*[{confidential-da}]
        |-dbus-broker-lau---dbus-broker
        |-kata-agent-+-nginx---2*[nginx]
        |            |-pause
        |            `-5*[{kata-agent}]
        |-2*[login---bash]
        |-opa---6*[{opa}]
        |-sshd---sshd---sshd---bash---pstree
        |-systemd---(sd-pam)
        |-systemd-homed
        |-systemd-journal
        |-systemd-logind
        |-systemd-network
        |-systemd-oomd
        |-systemd-resolve
        |-systemd-udevd
        `-systemd-userdbd---3*[systemd-userwor]

note: at the moment the kata entry in versions.yaml is pointing at a fork, this will be toggled once the respective PR is merged

note 2: at the moment both kata-agent and attestation-agent start after the process-user-data oneshot unit, we'll have to see whether there will be race conditions with encrypted images and tweak the order of those units.
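An added illustration (not the PR's own unit files) of the two activation patterns described above: the attestation-agent unit is ordered after the process-user-data oneshot that templates the kata-agent config, and api-server-rest is pulled in by a path unit that waits for the Unix socket it connects to. Unit names, binary and config paths, the socket path and the network namespace path are all assumptions.

```ini
# attestation-agent.service (assumed name and paths)
[Unit]
Description=Attestation Agent
# process-user-data writes the templated kata-agent config that AA reads for
# aa_kbc_params, so order AA strictly after that oneshot and refuse to start
# if it failed.
Requires=process-user-data.service
After=process-user-data.service

[Service]
ExecStart=/usr/local/bin/attestation-agent --config /etc/agent-config.toml
Restart=on-failure

[Install]
WantedBy=multi-user.target

# api-server-rest.path (assumed): trigger api-server-rest.service as soon as
# the confidential-data-hub socket it connects to exists, instead of racing it
# with a fixed After= ordering.
[Unit]
Description=Start api-server-rest once the CDH socket exists

[Path]
PathExists=/run/confidential-containers/cdh.sock
Unit=api-server-rest.service

[Install]
WantedBy=multi-user.target

# api-server-rest.service (assumed): started by the path unit above, not
# enabled directly, so it never runs before the socket is there.
[Unit]
Description=API Server REST
After=network.target

[Service]
# Runs inside the pod network namespace (path assumed) so the sidecar is
# reachable from the containers but not spawned twice from the root ns.
NetworkNamespacePath=/run/netns/podns
ExecStart=/usr/local/bin/api-server-rest --features all
Restart=on-failure
```

Enable attestation-agent.service and api-server-rest.path (not the .service) so that systemd, rather than the kata-agent, owns the lifecycle of each guest component.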