packages/kata-runtime: add guest hook support to genpolicy

This adds a patch that integrates support for setting guest hooks to genpolicy, which is a prerequisite for GPU containers, which require guest hooks.
edgelesssys · Dec 19, 2024 · 9bbaca6 · 9bbaca6
1 parent 6c6fbaf
commit 9bbaca6
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 3 deletions.
diff --git a/packages/by-name/kata/kata-runtime/0020-genpolicy-support-guest-hooks.patch b/packages/by-name/kata/kata-runtime/0020-genpolicy-support-guest-hooks.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Markus Rudy <[email protected]>
+Date: Fri, 6 Dec 2024 17:14:57 +0100
+Subject: [PATCH] genpolicy: support guest hooks
+
+Some custom images come with guest hooks that are required to set up
+VM-level resources for containers, such as GPU support.
+
+This commit adds a new setting, `allowed_guest_hooks`, which controls
+what paths may be set for hooks.
+
+Signed-off-by: Markus Rudy <[email protected]>
+---
+ src/tools/genpolicy/genpolicy-settings.json |  3 ++-
+ src/tools/genpolicy/rules.rego              | 17 ++++++++++++++++-
+ src/tools/genpolicy/src/policy.rs           |  2 ++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index e3b36a6555a646ffefc7733c807d6b0da9967dea..026d5128dfd1ca72367961824de8ea1c1ff7fb44 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -240,7 +240,8 @@
+                 "mount_point": "/run/kata-containers/sandbox/shm",
+                 "fs_group": null
+             }
+-        ]
++        ],
++        "allowed_guest_hooks": ["/usr/share/oci/hooks"]
+     },
+     "common": {
+         "cpath": "/run/kata-containers",
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 823e5e76d55bac47ad9c79d8916f92702efa316d..ed11bb69b49809f48340d60e50ea8c546f19d6ae 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -1220,7 +1220,7 @@ CopyFileRequest {
+
+ CreateSandboxRequest {
+     print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
+-    count(input.guest_hook_path) == 0
++    allow_hook(input.guest_hook_path)
+
+     print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+     count(input.kernel_modules) == 0
+@@ -1231,6 +1231,21 @@ CreateSandboxRequest {
+     allow_sandbox_storages(input.storages)
+ }
+
++allow_hook(i_hook) {
++    print("allow_hook 1: start")
++    count(i_hook) == 0
++    print("allow_hook 1: true")
++}
++
++allow_hook(i_hook) {
++    print("allow_hook 2: start")
++    p_hooks := policy_data.sandbox.allowed_guest_hooks
++    print("allow_hook 2: p_hooks =", p_hooks)
++    print("allow_hook 2: i_hook =", i_hook)
++    i_hook in p_hooks
++    print("allow_hook 2: true")
++}
++
+ ExecProcessRequest {
+     print("ExecProcessRequest 1: input =", input)
+
+diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
+index 9e69126d9008f361e77086018414abc75a8cc092..9f4accaca8c57620f9becd1d10d9606004be3adb 100644
+--- a/src/tools/genpolicy/src/policy.rs
++++ b/src/tools/genpolicy/src/policy.rs
+@@ -408,6 +408,8 @@ pub struct ClusterConfig {
+ pub struct SandboxData {
+     /// Expected value of the CreateSandboxRequest storages field.
+     pub storages: Vec<agent::Storage>,
++    /// Guest hook paths that are allowed to be set in all CreateContainerRequests.
++    pub allowed_guest_hooks: Vec<String>,
+ }
+
+ impl AgentPolicy {
diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
@@ -114,6 +114,12 @@ buildGoModule rec {
       # vanilla Kata setting.
       # Relevant discussion: https://github.com/kata-containers/kata-containers/pull/10614.
       ./0019-genpolicy-allow-non-watchable-ConfigMaps.patch
+
+      # Guest hooks are required for GPU support, but unsupported in
+      # upstream Kata / genpolicy as of now. This patch adds a new
+      # `allowed_guest_hooks` setting , which controls what paths may be set for hooks.
+      # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10633
+      ./0020-genpolicy-support-guest-hooks.patch
     ];
   };
 
@@ -170,9 +176,13 @@ buildGoModule rec {
   # is used when Kata starts a VM.
   # For example, this command should do the job:
   # `journalctl -t kata -l --no-pager | grep launching | tail -1`
-  passthru.cmdline = {
-    default = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none";
-    debug = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none agent.log=debug agent.debug_console agent.debug_console_vport=1026";
+  passthru = {
+    inherit src;
+
+    cmdline = {
+      default = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none";
+      debug = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none agent.log=debug agent.debug_console agent.debug_console_vport=1026";
+    };
   };
 
   meta.mainProgram = "containerd-shim-kata-v2";