node-installer: support bare-metal platforms

This adds support for the K3s- / RKE2-based bare-metal TDX deployment platforms in the node-installer. Depending on which platform is provided to the node-installer command line, different units are restarted, configs are written, etc. This does not yet add support of writing the appropriate commandline in the node-installer deployment, as this will be done in a follow-up PR. Thus, for now, to keep main healthy and deploy-able, we default to AKS-CLH-SNP in the node-installer if no platform is specified.
edgelesssys · Jun 28, 2024 · b324c2f · b324c2f
1 parent 2df2a10
commit b324c2f
Show file tree

Hide file tree

Showing 6 changed files with 500 additions and 150 deletions.
diff --git a/node-installer/internal/constants/configuration-qemu-tdx.toml b/node-installer/internal/constants/configuration-qemu-tdx.toml
@@ -0,0 +1,61 @@
+# Minimized list, inactive options removed.
+# upstream source: https://github.com/kata-containers/kata-containers/blob/0f2a4d202e90b39b50074725b2cfe9c3088a4e20/src/runtime/config/configuration-qemu-tdx.toml.in
+[hypervisor.qemu]
+path = "/usr/bin/qemu-system-x86_64"
+kernel = "/opt/kata/share/kata-containers/vmlinuz-confidential.container"
+image = "/opt/kata/share/kata-containers/kata-containers-confidential.img"
+machine_type = "q35"
+tdx_quote_generation_service_socket_port = 4050
+rootfs_type="erofs"
+confidential_guest = true
+enable_annotations = ["enable_iommu", "virtio_fs_extra_args", "kernel_params", "default_vcpus", "default_memory"]
+valid_hypervisor_paths = ["/usr/bin/qemu-system-x86_64"]
+kernel_params = ""
+firmware = "/usr/share/ovmf/OVMF.fd"
+firmware_volume = ""
+machine_accelerators=""
+cpu_features="-vmx-rdseed-exit,pmu=off"
+default_vcpus = 1
+default_maxvcpus = 0
+default_bridges = 1
+default_memory = 2048
+default_maxmemory = 0
+disable_block_device_use = false
+shared_fs = "virtio-9p"
+virtio_fs_daemon = "/opt/kata/libexec/virtiofsd"
+valid_virtio_fs_daemon_paths = ["/opt/kata/libexec/virtiofsd"]
+virtio_fs_cache_size = 0
+virtio_fs_queue_size = 1024
+virtio_fs_extra_args = ["--thread-pool-size=1", "--announce-submounts"]
+virtio_fs_cache = "auto"
+block_device_driver = "virtio-scsi"
+block_device_aio = "io_uring"
+enable_iothreads = false
+enable_vhost_user_store = false
+vhost_user_store_path = "/var/run/kata-containers/vhost-user"
+valid_vhost_user_store_paths = ["/var/run/kata-containers/vhost-user"]
+vhost_user_reconnect_timeout_sec = 0
+valid_file_mem_backends = [""]
+pflashes = []
+enable_debug = false
+valid_entropy_sources = ["/dev/urandom","/dev/random",""]
+disable_selinux=false
+disable_guest_selinux=true
+
+[agent.kata]
+enable_debug = false
+kernel_modules=[]
+debug_console_enabled = false
+dial_timeout = 60
+
+[runtime]
+enable_debug = false
+internetworking_model="tcfilter"
+disable_guest_seccomp=true
+sandbox_cgroup_only=false
+static_sandbox_resource_mgmt=true
+sandbox_bind_mounts=[]
+vfio_mode="guest-kernel"
+disable_guest_empty_dir=false
+experimental=[]
+create_container_timeout = 60
diff --git a/node-installer/internal/constants/constants.go b/node-installer/internal/constants/constants.go
@@ -5,17 +5,26 @@ package constants
 
 import (
 	_ "embed"
+	"fmt"
 	"path/filepath"
 
 	"github.com/edgelesssys/contrast/node-installer/internal/config"
+	"github.com/edgelesssys/contrast/node-installer/platforms"
 	"github.com/pelletier/go-toml/v2"
 )
 
 var (
-	// containerdRuntimeBaseConfig is the configuration file for the containerd runtime
+	// kataCLHSNPBaseConfig is the configuration file for the Kata runtime on AKS SEV-SNP
+	// with Cloud-Hypervisor.
 	//
 	//go:embed configuration-clh-snp.toml
-	containerdRuntimeBaseConfig string
+	kataCLHSNPBaseConfig string
+
+	// kataBareMetalQEMUTDXBaseConfig is the configuration file for the Kata runtime on bare-metal TDX
+	// with QEMU.
+	//
+	//go:embed configuration-qemu-tdx.toml
+	kataBareMetalQEMUTDXBaseConfig string
 
 	// containerdBaseConfig is the base configuration file for containerd
 	//
@@ -27,17 +36,40 @@ var (
 const CRIFQDN = "io.containerd.grpc.v1.cri"
 
 // KataRuntimeConfig returns the Kata runtime configuration.
-func KataRuntimeConfig(baseDir string, debug bool) config.KataRuntimeConfig {
+func KataRuntimeConfig(baseDir string, platform platforms.Platform, debug bool) (*config.KataRuntimeConfig, error) {
 	var config config.KataRuntimeConfig
-	if err := toml.Unmarshal([]byte(containerdRuntimeBaseConfig), &config); err != nil {
-		panic(err) // should never happen
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		if err := toml.Unmarshal([]byte(kataCLHSNPBaseConfig), &config); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
+		}
+		config.Hypervisor["clh"]["path"] = filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")
+		config.Hypervisor["clh"]["igvm"] = filepath.Join(baseDir, "share", "kata-containers-igvm.img")
+		config.Hypervisor["clh"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
+		config.Hypervisor["clh"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")}
+		config.Hypervisor["clh"]["enable_debug"] = debug
+		return &config, nil
+	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+		if err := toml.Unmarshal([]byte(kataBareMetalQEMUTDXBaseConfig), &config); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
+		}
+		config.Hypervisor["qemu"]["path"] = filepath.Join(baseDir, "bin", "qemu-system-x86_64")
+		config.Hypervisor["qemu"]["firmware"] = filepath.Join(baseDir, "shae", "OVMF_CODE.fd")
+		config.Hypervisor["qemu"]["firmware_volume"] = filepath.Join(baseDir, "share", "OVMF_VARS.fd")
+		config.Hypervisor["qemu"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
+		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
+		config.Hypervisor["qemu"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "bin", "qemu-system-x86_64")}
+		if debug {
+			config.Hypervisor["qemu"]["enable_debug"] = true
+			config.Hypervisor["qemu"]["kernel_params"] = " agent.log=debug initcall_debug"
+			config.Agent["kata"]["enable_debug"] = true
+			config.Agent["kata"]["debug_console_enabled"] = true
+			config.Runtime["enable_debug"] = true
+		}
+		return &config, nil
+	default:
+		return nil, fmt.Errorf("unsupported platform: %s", platform)
 	}
-	config.Hypervisor["clh"]["path"] = filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")
-	config.Hypervisor["clh"]["igvm"] = filepath.Join(baseDir, "share", "kata-containers-igvm.img")
-	config.Hypervisor["clh"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
-	config.Hypervisor["clh"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")}
-	config.Hypervisor["clh"]["enable_debug"] = debug
-	return config
 }
 
 // ContainerdBaseConfig returns the base containerd configuration.
@@ -50,17 +82,29 @@ func ContainerdBaseConfig() config.ContainerdConfig {
 }
 
 // ContainerdRuntimeConfigFragment returns the containerd runtime configuration fragment.
-func ContainerdRuntimeConfigFragment(baseDir string) config.Runtime {
-	return config.Runtime{
-		Type:           "io.containerd.contrast-cc.v2",
-		Path:           filepath.Join(baseDir, "bin", "containerd-shim-contrast-cc-v2"),
-		PodAnnotations: []string{"io.katacontainers.*"},
-		Options: map[string]any{
-			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-clh-snp.toml"),
-		},
+func ContainerdRuntimeConfigFragment(baseDir string, platform platforms.Platform) (*config.Runtime, error) {
+	cfg := config.Runtime{
+		Type:                         "io.containerd.contrast-cc.v2",
+		Path:                         filepath.Join(baseDir, "bin", "containerd-shim-contrast-cc-v2"),
+		PodAnnotations:               []string{"io.katacontainers.*"},
 		PrivilegedWithoutHostDevices: true,
-		Snapshotter:                  "tardev",
 	}
+
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		cfg.Snapshotter = "tardev"
+		cfg.Options = map[string]any{
+			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-clh-snp.toml"),
+		}
+	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+		cfg.Options = map[string]any{
+			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-qemu-tdx.toml"),
+		}
+	default:
+		return nil, fmt.Errorf("unsupported platform: %s", platform)
+	}
+
+	return &cfg, nil
 }
 
 // TardevSnapshotterConfigFragment returns the tardev snapshotter configuration fragment.