search

intel / confidential-cloud-native-primitives

The project has been moved to CC-API organization. For more information:
https://github.com/cc-api/confidential-cloud-native-primitives
Apache License 2.0
24 stars 13 forks source link

cvm-image-rewriter issues #164

Closed jyizheng closed 9 months ago

jyizheng commented 9 months ago

What happened?

I have tried to run tools/cvm-image-rewriter/run.sh.

using non-root account image

using root account

image

What did you expect to happen?

Expect to generate an modified output image

How can we reproduce it (as minimally and precisely as possible)?

Not sure.

Anything else we need to know?

No response

Kubernetes version

No kubernetes

Cloud provider or bare metal

Bare metal

OS version

PRETTY_NAME="Ubuntu 22.04.3 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.3 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy

HaokunX-intel commented 9 months ago

Thanks for your reply.

  1. The first problem is caused by the virt-customize embedded in the tool. The virt-customize will use the /usr/bin/supermin to copy the current kernel used by the host to some place. If current user can not read the kernel, the tool will exit with failure.

Export the env variables export LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 and rerun the command as non-root again, it will print detail message, which may looks like this.

...
supermin: kernel: kernel_version 6.2.16-v5.0.mvp40-generic
supermin: kernel: modpath /lib/modules/6.2.16-v5.0.mvp40-generic
cp: cannot open '/boot/vmlinuz-6.2.16-v5.0.mvp40-generic' for reading: Permission denied
supermin: cp -p '/boot/vmlinuz-6.2.16-v5.0.mvp40-generic' '/var/tmp/.guestfs-1015/appliance.d.ms09i2q9/kernel': command failed, see earlier errors
libguestfs: trace: launch = -1 (error)
virt-customize: error: libguestfs error: /usr/bin/supermin exited with
error status 1, see debug messages above

If reporting bugs, run virt-customize with debugging enabled and include
the complete output:

  virt-customize -v -x [...]
libguestfs: trace: close
libguestfs: closing guestfs handle 0x55560f7bcea0 (state 0)
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfs4kCdat

That is to say, the current user can not read the kernel image so that the supermin fails to copy the kernel. These are two options to avoid the failure.

The first one is to run the tool as root.

The second one is to grant read permission to the tool user. In technical, this tool can change the access privilege of the kernel image automatically, but it seems too dangerous and is outside the area of its responsibility.

  1. The second problem maybe is caused by the access privilege on the directory /tmp.

We reproduce the problem by creating a tarball file in a non-writable directory. It fails and prints the log as you show.

tar cpzf /opt/sm.tar.gz .
tar (child): /opt/sm.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now

In theory, the root user can access every file in the system, but in some case it does not work. Can you check the directory /tmp and give the root user more right? If it fails again, please attach more info about the access control.

kenplusplus commented 9 months ago

Let close this issue firstly, please try the recent 0.3 release