eliminate virtiofs, with AGENT_POLICY=yes

Author: miz060

src/runtime/config/configuration-clh-snp.toml.in

@@ -137,7 +137,7 @@ default_maxmemory = @DEFMAXMEMSZ@
 #   - virtio-fs (default)
 #   - virtio-fs-nydus
 #   - none
-shared_fs = "@DEFSHAREDFS_CLH_SNP_VIRTIOFS@"
+shared_fs = "none"
 
 # Path to vhost-user-fs daemon.
 virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"

src/runtime/config/configuration-clh.toml.in

@@ -132,7 +132,7 @@ default_maxmemory = @DEFMAXMEMSZ@
 #   - virtio-fs (default)
 #   - virtio-fs-nydus
 #   - none
-shared_fs = "@DEFSHAREDFS_CLH_VIRTIOFS@"
+shared_fs = "none"
 
 # Path to vhost-user-fs daemon.
 virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@"

tools/osbuilder/node-builder/azure-linux/package_build.sh

@@ -41,29 +41,27 @@ fi
 
 agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}"
 
-if [ "${CONF_PODS}" == "yes" ]; then
-	agent_make_flags+=" AGENT_POLICY=yes"
-fi
+#if [ "${CONF_PODS}" == "yes" ]; then
+#	agent_make_flags+=" AGENT_POLICY=yes"
+#fi
+agent_make_flags+=" AGENT_POLICY=yes"
 
 pushd "${repo_dir}"
 
-if [ "${CONF_PODS}" == "yes" ]; then
-
-	echo "Building utarfs binary"
-	pushd src/utarfs/
-	make all
-	popd
+echo "Building utarfs binary"
+pushd src/utarfs/
+make all
+popd
 
-	echo "Building kata-overlay binary"
-	pushd src/overlay/
-	make all
-	popd
+echo "Building kata-overlay binary"
+pushd src/overlay/
+make all
+popd
 
-	echo "Building tardev-snapshotter service binary"
-	pushd src/tardev-snapshotter/
-	make all
-	popd
-fi
+echo "Building tardev-snapshotter service binary"
+pushd src/tardev-snapshotter/
+make all
+popd
 
 echo "Building shim binary and configuration"
 pushd src/runtime/

tools/osbuilder/node-builder/azure-linux/package_install.sh

@@ -29,16 +29,21 @@ mkdir -p "${PREFIX}/${SHIM_CONFIG_PATH}"
 mkdir -p "${PREFIX}/${DEBUGGING_BINARIES_PATH}"
 mkdir -p "${PREFIX}/${SHIM_BINARIES_PATH}"
 
-if [ "${CONF_PODS}" == "yes" ]; then
-	echo "Installing tardev-snapshotter binaries and service file"
-	mkdir -p ${PREFIX}/usr/sbin
-	cp -a --backup=numbered src/utarfs/target/release/utarfs ${PREFIX}/usr/sbin/mount.tar
-	mkdir -p ${PREFIX}/usr/bin
-	cp -a --backup=numbered src/overlay/target/release/kata-overlay ${PREFIX}/usr/bin/
-	cp -a --backup=numbered src/tardev-snapshotter/target/release/tardev-snapshotter ${PREFIX}/usr/bin/
-	mkdir -p ${PREFIX}/usr/lib/systemd/system/
-	cp -a --backup=numbered src/tardev-snapshotter/tardev-snapshotter.service ${PREFIX}/usr/lib/systemd/system/
+echo "Installing tardev-snapshotter binaries and service file"
+mkdir -p ${PREFIX}/usr/sbin
+cp -a --backup=numbered src/utarfs/target/release/utarfs ${PREFIX}/usr/sbin/mount.tar
+mkdir -p ${PREFIX}/usr/bin
+cp -a --backup=numbered src/overlay/target/release/kata-overlay ${PREFIX}/usr/bin/
+cp -a --backup=numbered src/tardev-snapshotter/target/release/tardev-snapshotter ${PREFIX}/usr/bin/
+mkdir -p ${PREFIX}/usr/lib/systemd/system/
+cp -a --backup=numbered src/tardev-snapshotter/tardev-snapshotter.service ${PREFIX}/usr/lib/systemd/system/
+
+echo "Enabling and starting snapshotter service"
+if [ "${START_SERVICES}" == "yes" ]; then
+	systemctl enable tardev-snapshotter && systemctl daemon-reload && systemctl restart tardev-snapshotter
+fi
 
+if [ "${CONF_PODS}" == "yes" ]; then
 	if [ "${SHIM_REDEPLOY_CONFIG}" == "yes" ]; then
 		echo "Installing SNP shim debug configuration"
 		cp -a --backup=numbered src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}"/"${SHIM_DBG_CONFIG_INST_FILE_NAME}"
@@ -51,11 +56,6 @@ if [ "${CONF_PODS}" == "yes" ]; then
 		# which is probably fine when debugging.
 		ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" 
 	fi
-
-	echo "Enabling and starting snapshotter service"
-	if [ "${START_SERVICES}" == "yes" ]; then
-		systemctl enable tardev-snapshotter && systemctl daemon-reload && systemctl restart tardev-snapshotter
-	fi
 fi
 
 echo "Installing diagnosability binaries (monitor, runtime, collect-data script)"

tools/osbuilder/node-builder/azure-linux/package_tools_install.sh

@@ -27,10 +27,10 @@ mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_OSB}/rootfs-builder/cbl-mariner"
 mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_OSB}/image-builder"
 mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_OSB}/node-builder/azure-linux/agent-install/usr/bin"
 mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_OSB}/node-builder/azure-linux/agent-install/usr/lib/systemd/system"
+mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs"
+mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_SRC}/kata-opa"
 
 if [ "${CONF_PODS}" == "yes" ]; then
-	mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_SRC}/kata-opa"
-	mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs"
 	mkdir -p "${PREFIX}/${UVM_TOOLS_PATH_OSB}/igvm-builder/azure-linux"
 fi
 
@@ -52,11 +52,13 @@ cp -a --backup=numbered tools/osbuilder/node-builder/azure-linux/agent-install/u
 cp -a --backup=numbered tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-containers.target "${PREFIX}/${UVM_TOOLS_PATH_OSB}/node-builder/azure-linux/agent-install/usr/lib/systemd/system/"
 cp -a --backup=numbered tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service "${PREFIX}/${UVM_TOOLS_PATH_OSB}/node-builder/azure-linux/agent-install/usr/lib/systemd/system/"
 
+cp -a --backup=numbered src/tarfs/Makefile "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs/"
+cp -a --backup=numbered src/tarfs/tarfs.c "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs/"
+
+cp -a --backup=numbered src/kata-opa/allow-all.rego "${PREFIX}/${UVM_TOOLS_PATH_SRC}/kata-opa/"
+
 if [ "${CONF_PODS}" == "yes" ]; then
-	cp -a --backup=numbered src/kata-opa/allow-all.rego "${PREFIX}/${UVM_TOOLS_PATH_SRC}/kata-opa/"
 	cp -a --backup=numbered src/kata-opa/allow-set-policy.rego "${PREFIX}/${UVM_TOOLS_PATH_SRC}/kata-opa/"
-	cp -a --backup=numbered src/tarfs/Makefile "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs/"
-	cp -a --backup=numbered src/tarfs/tarfs.c "${PREFIX}/${UVM_TOOLS_PATH_SRC}/tarfs/"
 	cp -a --backup=numbered tools/osbuilder/igvm-builder/igvm_builder.sh "${PREFIX}/${UVM_TOOLS_PATH_OSB}/igvm-builder/"
 	cp -a --backup=numbered tools/osbuilder/igvm-builder/azure-linux/config.sh "${PREFIX}/${UVM_TOOLS_PATH_OSB}/igvm-builder/azure-linux/"
 	cp -a --backup=numbered tools/osbuilder/igvm-builder/azure-linux/igvm_lib.sh "${PREFIX}/${UVM_TOOLS_PATH_OSB}/igvm-builder/azure-linux/"

tools/osbuilder/node-builder/azure-linux/uvm_build.sh

@@ -26,14 +26,15 @@ source "${common_file}"
 rootfs_make_flags="AGENT_SOURCE_BIN=${AGENT_INSTALL_DIR}/usr/bin/kata-agent OS_VERSION=${OS_VERSION}"
 
 if [ "${CONF_PODS}" == "yes" ]; then
-	rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=${agent_policy_file_abs}"
+	rootfs_make_flags+=" CONF_GUEST=yes AGENT_POLICY=yes AGENT_POLICY_FILE=${agent_policy_file_abs}"
+else
+	agent_policy_allow_all="${repo_dir}/src/kata-opa/allow-all.rego"
+	rootfs_make_flags+=" AGENT_POLICY=yes AGENT_POLICY_FILE=${agent_policy_file_allow_all}"
 fi
 
-if [ "${CONF_PODS}" == "yes" ]; then
-	set_uvm_kernel_vars
-	if [ -z "${UVM_KERNEL_HEADER_DIR}}" ]; then
-		exit 1
-	fi
+set_uvm_kernel_vars
+if [ -z "${UVM_KERNEL_HEADER_DIR}}" ]; then
+	exit 1
 fi
 
 pushd "${repo_dir}"
@@ -49,13 +50,13 @@ echo "Installing agent service files into rootfs"
 sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-containers.target ${ROOTFS_PATH}/usr/lib/systemd/system/kata-containers.target
 sudo cp ${AGENT_INSTALL_DIR}/usr/lib/systemd/system/kata-agent.service ${ROOTFS_PATH}/usr/lib/systemd/system/kata-agent.service
 
-if [ "${CONF_PODS}" == "yes" ]; then
-	echo "Building tarfs kernel driver and installing into rootfs"
+echo "Building tarfs kernel driver and installing into rootfs"
 	pushd src/tarfs
 	make KDIR=${UVM_KERNEL_HEADER_DIR}
 	sudo make KDIR=${UVM_KERNEL_HEADER_DIR} KVER=${UVM_KERNEL_VERSION} INSTALL_MOD_PATH=${ROOTFS_PATH} install
 	popd
 
+if [ "${CONF_PODS}" == "yes" ]; then
 	echo "Building dm-verity protected image based on rootfs"
 	pushd tools/osbuilder
 	sudo -E PATH=$PATH make DISTRO=cbl-mariner MEASURED_ROOTFS=yes DM_VERITY_FORMAT=kernelinit image

tools/osbuilder/rootfs-builder/cbl-mariner/config.sh

@@ -6,6 +6,5 @@ OS_NAME=cbl-mariner
 OS_VERSION=${OS_VERSION:-3.0}
 LIBC="gnu"
 PACKAGES="kata-packages-uvm"
-[ "$CONF_GUEST" = yes ] && PACKAGES+=" kata-packages-uvm-coco"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"