node-installer: configure executability in config

Signed-off-by: Paul Meyer <[email protected]>

nodeinstaller/internal/config/config.go

@@ -37,6 +37,8 @@ type File struct {
 	URL string `json:"url"`
 	// Path is the absolute path (on the host) to save the file to.
 	Path string `json:"path"`
+	// Executable is true if the file should be executable.
+	Executable bool `json:"executable"`
 	// Integrity is the content subresource integrity (expected hash) of the file. Required if the file is downloaded.
 	// The format of a subresource integrity string is defined here:
 	// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

nodeinstaller/node-installer.go

@@ -91,33 +91,15 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 		if fetchErr != nil {
 			return fmt.Errorf("fetching file from %q to %q: %w", file.URL, targetPath, fetchErr)
 		}
-	}
 
-	// Fix-up the permissions of executables
-	runtimeBase := filepath.Join("/opt", "edgeless", runtimeHandlerName)
-	binDirs := []string{filepath.Join(hostMount, runtimeBase, "bin")}
-	switch platform {
-	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
-		binDirs = append(binDirs, filepath.Join(hostMount, runtimeBase, "tdx", "bin"))
-	case platforms.K3sQEMUSNP:
-		binDirs = append(binDirs, filepath.Join(hostMount, runtimeBase, "snp", "bin"))
-	}
-	for _, binDir := range binDirs {
-		items, err := os.ReadDir(binDir)
-		if err != nil {
-			return fmt.Errorf("reading bin directory %q: %w", binDir, err)
-		}
-
-		for _, item := range items {
-			if !item.Type().IsRegular() {
-				continue
-			}
-			if err := os.Chmod(filepath.Join(binDir, item.Name()), 0o755); err != nil {
-				return fmt.Errorf("chmod %q: %w", item.Name(), err)
+		if file.Executable {
+			if err := os.Chmod(filepath.Join(hostMount, targetPath), 0o755); err != nil {
+				return fmt.Errorf("chmod %q: %w", targetPath, err)
 			}
 		}
 	}
 
+	runtimeBase := filepath.Join("/opt", "edgeless", runtimeHandlerName)
 	kataConfigPath := filepath.Join(hostMount, runtimeBase, "etc")
 	if err := os.MkdirAll(kataConfigPath, os.ModePerm); err != nil {
 		return fmt.Errorf("creating directory %q: %w", kataConfigPath, err)

packages/by-name/kata/contrast-node-installer-image/package.nix

@@ -41,10 +41,12 @@ let
             {
               url = "file:///opt/edgeless/snp/bin/qemu-system-x86_64";
               path = "/opt/edgeless/@@runtimeName@@/snp/bin/qemu-system-x86_64";
+              executable = true;
             }
             {
               url = "file:///opt/edgeless/tdx/bin/qemu-system-x86_64";
               path = "/opt/edgeless/@@runtimeName@@/tdx/bin/qemu-system-x86_64";
+              executable = true;
             }
             {
               url = "file:///opt/edgeless/snp/share/OVMF.fd";
@@ -57,10 +59,12 @@ let
             {
               url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
               path = "/opt/edgeless/@@runtimeName@@/bin/containerd-shim-contrast-cc-v2";
+              executable = true;
             }
             {
               url = "file:///opt/edgeless/bin/kata-runtime";
               path = "/opt/edgeless/@@runtimeName@@/bin/kata-runtime";
+              executable = true;
             }
             {
               url = "file:///opt/edgeless/snp/share/qemu/kvmvapic.bin";

packages/by-name/microsoft/contrast-node-installer-image/package.nix

@@ -41,10 +41,12 @@ let
             {
               url = "file:///opt/edgeless/bin/cloud-hypervisor-snp";
               path = "/opt/edgeless/@@runtimeName@@/bin/cloud-hypervisor-snp";
+              executable = true;
             }
             {
               url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
               path = "/opt/edgeless/@@runtimeName@@/bin/containerd-shim-contrast-cc-v2";
+              executable = true;
             }
           ];
           inherit (microsoft.runtime-class-files) debugRuntime;