node-installer: configure and run tardev-snapshotter

Signed-off-by: Paul Meyer <[email protected]>
edgelesssys · Jul 12, 2024 · a249004 · a249004
1 parent c154614
commit a249004
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 26 deletions.
diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go
@@ -36,12 +36,12 @@ type NodeInstallerConfig struct {
 func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstallerConfig, error) {
 	name := "contrast-node-installer"
 
-	var imageURL string
+	var nodeInstallerImageURL string
 	switch platform {
 	case platforms.AKSCloudHypervisorSNP:
-		imageURL = "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest"
+		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest"
 	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
-		imageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
+		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
 	default:
 		return nil, fmt.Errorf("unsupported platform %q", platform)
 	}
@@ -62,7 +62,7 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 					WithHostPID(true).
 					WithInitContainers(Container().
 						WithName("installer").
-						WithImage(imageURL).
+						WithImage(nodeInstallerImageURL).
 						WithResources(ResourceRequirements().
 							WithMemoryLimitAndRequest(100),
 						).
@@ -74,10 +74,27 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 					).
 					WithContainers(
 						Container().
-							WithName("pause").
-							WithImage("k8s.gcr.io/pause").
+							WithName("tardev-snapshotter").
+							WithImage("ghcr.io/edgelesssys/contrast/tardev-snapshotter:latest").
 							WithResources(ResourceRequirements().
-								WithMemoryLimitAndRequest(10),
+								WithMemoryLimitAndRequest(800),
+							).
+							WithVolumeMounts(
+								VolumeMount().
+									WithName("host-mount").
+									WithMountPath("/host"),
+								VolumeMount().
+									WithName("var-lib-containerd").
+									WithMountPath("/var/lib/containerd"),
+							).
+							WithArgs(
+								"tardev-snapshotter",
+								fmt.Sprintf("/var/lib/containerd/io.containerd.snapshotter.v1.tardev-%s", runtimeHandler),
+								fmt.Sprintf("/host/run/containerd/tardev-snapshotter-%s.sock", runtimeHandler),
+								"/host/var/run/containerd/containerd.sock",
+							).
+							WithEnv(
+								NewEnvVar("RUST_LOG", "tardev_snapshotter=trace"),
 							),
 					).
 					WithVolumes(
@@ -87,6 +104,12 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 								WithPath("/").
 								WithType(corev1.HostPathDirectory),
 							),
+						Volume().
+							WithName("var-lib-containerd").
+							WithHostPath(HostPathVolumeSource().
+								WithPath("/var/lib/containerd").
+								WithType(corev1.HostPathDirectory),
+							),
 					),
 				),
 			),

diff --git a/justfile b/justfile
@@ -33,7 +33,7 @@ default_platform := "AKS-CLH-SNP"
 workspace_dir := "workspace"
 
 # Build the node-installer, containerize and push it.
-node-installer platform=default_platform:
+node-installer platform=default_platform: tardev-snapshotter
     #!/usr/bin/env bash
     case {{ platform }} in
         "AKS-CLH-SNP")

diff --git a/node-installer/internal/constants/constants.go b/node-installer/internal/constants/constants.go
@@ -81,7 +81,7 @@ func ContainerdBaseConfig() config.ContainerdConfig {
 }
 
 // ContainerdRuntimeConfigFragment returns the containerd runtime configuration fragment.
-func ContainerdRuntimeConfigFragment(baseDir string, platform platforms.Platform) (*config.Runtime, error) {
+func ContainerdRuntimeConfigFragment(baseDir, snapshotter string, platform platforms.Platform) (*config.Runtime, error) {
 	cfg := config.Runtime{
 		Type:                         "io.containerd.contrast-cc.v2",
 		Path:                         filepath.Join(baseDir, "bin", "containerd-shim-contrast-cc-v2"),
@@ -91,7 +91,7 @@ func ContainerdRuntimeConfigFragment(baseDir string, platform platforms.Platform
 
 	switch platform {
 	case platforms.AKSCloudHypervisorSNP:
-		cfg.Snapshotter = "tardev"
+		cfg.Snapshotter = snapshotter
 		cfg.Options = map[string]any{
 			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-clh-snp.toml"),
 		}
@@ -105,11 +105,3 @@ func ContainerdRuntimeConfigFragment(baseDir string, platform platforms.Platform
 
 	return &cfg, nil
 }
-
-// TardevSnapshotterConfigFragment returns the tardev snapshotter configuration fragment.
-func TardevSnapshotterConfigFragment() config.ProxyPlugin {
-	return config.ProxyPlugin{
-		Type:    "snapshot",
-		Address: "/run/containerd/tardev-snapshotter.sock",
-	}
-}
diff --git a/node-installer/node-installer.go b/node-installer/node-installer.go
@@ -199,19 +199,23 @@ func patchContainerdConfig(runtimeName, basePath, configPath string, platform pl
 		existing = constants.ContainerdBaseConfig()
 	}
 
+	snapshotterName := "no-snapshotter"
 	// Add tardev snapshotter, only required for AKS
 	if platform == platforms.AKSCloudHypervisorSNP {
 		if existing.ProxyPlugins == nil {
 			existing.ProxyPlugins = make(map[string]config.ProxyPlugin)
 		}
-		if _, ok := existing.ProxyPlugins["tardev"]; !ok {
-			existing.ProxyPlugins["tardev"] = constants.TardevSnapshotterConfigFragment()
+		snapshotterName = fmt.Sprintf("tardev-%s", runtimeName)
+		socketName := fmt.Sprintf("/run/containerd/tardev-snapshotter-%s.sock", runtimeName)
+		existing.ProxyPlugins[snapshotterName] = config.ProxyPlugin{
+			Type:    "snapshot",
+			Address: socketName,
 		}
 	}
 
 	// Add contrast-cc runtime
 	runtimes := ensureMapPath(&existing.Plugins, constants.CRIFQDN, "containerd", "runtimes")
-	containerdRuntimeConfig, err := constants.ContainerdRuntimeConfigFragment(basePath, platform)
+	containerdRuntimeConfig, err := constants.ContainerdRuntimeConfigFragment(basePath, snapshotterName, platform)
 	if err != nil {
 		return fmt.Errorf("generating containerd runtime config: %w", err)
 	}
@@ -240,7 +244,7 @@ func patchContainerdConfigTemplate(runtimeName, basePath, configTemplatePath str
 	// Extend a scratchpad config with the new plugin configuration. (including the new contrast-cc runtime)
 	var newConfigFragment config.ContainerdConfig
 	runtimes := ensureMapPath(&newConfigFragment.Plugins, constants.CRIFQDN, "containerd", "runtimes")
-	containerdRuntimeConfig, err := constants.ContainerdRuntimeConfigFragment(basePath, platform)
+	containerdRuntimeConfig, err := constants.ContainerdRuntimeConfigFragment(basePath, "no-snapshotter", platform)
 	if err != nil {
 		return fmt.Errorf("generating containerd runtime config: %w", err)
 	}

diff --git a/node-installer/node-installer_test.go b/node-installer/node-installer_test.go
@@ -64,7 +64,7 @@ func TestPatchContainerdConfig(t *testing.T) {
 
 			configData, err := os.ReadFile(configPath)
 			require.NoError(err)
-			assert.Equal(tc.expected, configData)
+			assert.Equal(string(tc.expected), string(configData))
 		})
 	}
 }
diff --git a/node-installer/testdata/expected-aks-clh-snp.toml b/node-installer/testdata/expected-aks-clh-snp.toml
@@ -56,7 +56,7 @@ runtime_type = 'io.containerd.contrast-cc.v2'
 runtime_path = '/opt/edgeless/my-runtime/bin/containerd-shim-contrast-cc-v2'
 pod_annotations = ['io.katacontainers.*']
 privileged_without_host_devices = true
-snapshotter = 'tardev'
+snapshotter = 'tardev-my-runtime'
 
 [plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime.options]
 ConfigPath = '/opt/edgeless/my-runtime/etc/configuration-clh-snp.toml'
@@ -80,6 +80,6 @@ config_path = '/etc/containerd/certs.d'
 X-Meta-Source-Client = ['azure/aks']
 
 [proxy_plugins]
-[proxy_plugins.tardev]
+[proxy_plugins.tardev-my-runtime]
 type = 'snapshot'
-address = '/run/containerd/tardev-snapshotter.sock'
+address = '/run/containerd/tardev-snapshotter-my-runtime.sock'