Adding Memory Monitor disable test and launch policy tests (#394)

google · Dec 4, 2023 · f7d91b3 · f7d91b3
1 parent 38bab91
commit f7d91b3
Show file tree

Hide file tree

Showing 10 changed files with 180 additions and 41 deletions.
diff --git a/launcher/container_runner.go b/launcher/container_runner.go
@@ -122,6 +122,8 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		return nil, err
 	}
 
+	logger.Printf("Launch Policy              : %+v\n", launchPolicy)
+
 	if imageConfigDescriptor, err := image.Config(ctx); err != nil {
 		logger.Println(err)
 	} else {
@@ -508,22 +510,24 @@ func (r *ContainerRunner) Run(ctx context.Context) error {
 		defer teeServer.Shutdown(ctx)
 	}
 
-	// start node-problem-detector.service to collect memory related metrics.
-	if r.launchSpec.MemoryMonitoringEnabled {
-		r.logger.Println("MemoryMonitoring is enabled")
-		s, err := systemctl.New()
-		if err != nil {
-			return fmt.Errorf("failed to create systemctl client: %v", err)
-		}
-		defer s.Close()
+	if r.launchSpec.Experiments.EnableMemoryMonitoring {
+		// start node-problem-detector.service to collect memory related metrics.
+		if r.launchSpec.MemoryMonitoringEnabled {
+			r.logger.Println("MemoryMonitoring is enabled by the VM operator")
+			s, err := systemctl.New()
+			if err != nil {
+				return fmt.Errorf("failed to create systemctl client: %v", err)
+			}
+			defer s.Close()
 
-		r.logger.Println("Starting a systemctl operation: systemctl start node-problem-detector.service")
-		if err := s.Start("node-problem-detector.service"); err != nil {
-			return fmt.Errorf("failed to start node-problem-detector.service: %v", err)
+			r.logger.Println("Starting a systemctl operation: systemctl start node-problem-detector.service")
+			if err := s.Start("node-problem-detector.service"); err != nil {
+				return fmt.Errorf("failed to start node-problem-detector.service: %v", err)
+			}
+			r.logger.Println("node-problem-detector.service successfully started.")
+		} else {
+			r.logger.Println("MemoryMonitoring is disabled by the VM operator")
 		}
-		r.logger.Println("node-problem-detector.service successfully started.")
-	} else {
-		r.logger.Println("MemoryMonitoring is disabled.")
 	}
 
 	var streamOpt cio.Opt

diff --git a/launcher/image/test/scripts/test_launchpolicy_memory_monitoring.sh b/launcher/image/test/scripts/test_launchpolicy_memory_monitoring.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+source util/read_serial.sh
+
+# Allow VM some time to boot and write to serial console.
+sleep 120
+
+SERIAL_OUTPUT=$(read_serial $1 $2)
+if echo $SERIAL_OUTPUT | grep -q "$3"
+then
+    echo "- Memory monitoring launch policy verified"
+else
+    echo "FAILED: Memory monitoring launch policy verification"
+    echo 'TEST FAILED' > /workspace/status.txt
+    echo $SERIAL_OUTPUT
+fi
diff --git a/launcher/image/test/scripts/test_memory_monitoring.sh b/launcher/image/test/scripts/test_memory_monitoring.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euxo pipefail
+source util/read_serial.sh
+
+# Allow VM some time to boot and write to serial console.
+sleep 120
+
+SERIAL_OUTPUT=$(read_serial $1 $2)
+if echo $SERIAL_OUTPUT | grep -q "$3"
+then
+    echo "- '$3' found in the VM serial output"
+else
+    echo "FAILED: '$3' not found in the VM serial output"
+    echo 'TEST FAILED.' > /workspace/status.txt
+    echo $SERIAL_OUTPUT
+fi
+
diff --git a/launcher/image/test/scripts/test_memory_monitoring_enabled.sh b/launcher/image/test/scripts/test_memory_monitoring_enabled.sh
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -10,6 +10,9 @@ substitutions:
   '_WORKLOAD_IMAGE_LOG_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/launchpolicylogdebug:latest'
   '_WORKLOAD_IMAGE_ENV': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/basic-test:latest'
   '_WORKLOAD_IMAGE_CMD': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/launchpolicycmd:latest'
+  '_WORKLOAD_IMAGE_MEMORY_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringnever:latest'
+  '_WORKLOAD_IMAGE_MEMORY_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringdebug:latest'
+  '_MEMORY_MONITOR_VM_NAME_PREFIX': 'memory-monitor'
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CreateVMLogOverride
@@ -141,6 +144,56 @@ steps:
   args: ['cleanup.sh', '${_VM_NAME_PREFIX}-cmd-${BUILD_ID}', '${_ZONE}']
   waitFor: ['CmdOverrideTest', 'CmdOverrideTestCloudLogging']
 
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMMemoryMonitorDebugOnly
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_MEMORY_MONITOR_DEBUG},tee-monitoring-memory-enable=true',
+          '-n', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: MemoryMonitorDebugOnlyTest
+  entrypoint: 'bash'
+  args: ['scripts/test_launchpolicy_memory_monitoring.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}', 'memory monitoring only allowed on debug environment by image']
+  waitFor: ['CreateVMMemoryMonitorDebugOnly']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpMemoryMonitorDebugOnly
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['MemoryMonitorDebugOnlyTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMMemoryMonitorNever
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_MEMORY_MONITOR_NEVER},tee-monitoring-memory-enable=true',
+          '-n', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: MemoryMonitorNeverTest
+  entrypoint: 'bash'
+  args: ['scripts/test_launchpolicy_memory_monitoring.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}', 'memory monitoring not allowed by image']
+  waitFor: ['CreateVMMemoryMonitorNever']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpMemoryMonitorNever
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['MemoryMonitorNeverTest']
+
 # Must come after cleanup.
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CheckFailure

diff --git a/launcher/image/test/test_memory_monitoring.yaml b/launcher/image/test/test_memory_monitoring.yaml
@@ -8,27 +8,54 @@ substitutions:
 
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
-  id: CreateVM
+  id: CreateVMMemoryMemonitorEnabled
   entrypoint: 'bash'
   env:
   - 'BUILD_ID=$BUILD_ID'
   args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
           '-p', '${_IMAGE_PROJECT}',
           '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-memory-enable=true',
-          '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}',
+          '-n', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}',
           '-z', '${_ZONE}',
         ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CheckMemoryMonitoringEnabled
   entrypoint: 'bash'
-  args: ['scripts/test_memory_monitoring_enabled.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}', '${_ZONE}']
+  args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}', 'node-problem-detector.service successfully started']
+  waitFor: ['CreateVMMemoryMemonitorEnabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMMemoryMonitorEnabled
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['CheckMemoryMonitoringEnabled']
 
 - name: 'gcr.io/cloud-builders/gcloud'
-  id: CleanUp
+  id: CreateVMMemoryMemonitorDisabled
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-memory-enable=false',
+          '-n', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckMemoryMonitoringDisabled
+  entrypoint: 'bash'
+  args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}', 'MemoryMonitoring is disabled by the VM operator']
+  waitFor: ['CreateVMMemoryMemonitorDisabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMMemoryMonitorDisabled
   entrypoint: 'bash'
   env:
   - 'CLEANUP=$_CLEANUP'
-  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}', '${_ZONE}']
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['CheckMemoryMonitoringDisabled']
 # Must come after cleanup.
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CheckFailure

diff --git a/launcher/image/testworkloads/memorymonitoringdebug/Dockerfile b/launcher/image/testworkloads/memorymonitoringdebug/Dockerfile
@@ -0,0 +1,14 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringdebug:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.monitoring_memory_allow"="debugonly"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
diff --git a/launcher/image/testworkloads/memorymonitoringnever/Dockerfile b/launcher/image/testworkloads/memorymonitoringnever/Dockerfile
@@ -0,0 +1,14 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringnever:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.monitoring_memory_allow"="never"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
diff --git a/launcher/internal/experiments/experiments.go b/launcher/internal/experiments/experiments.go
@@ -14,6 +14,7 @@ type Experiments struct {
 	EnableTestFeatureForImage  bool
 	EnableSignedContainerImage bool
 	EnableOnDemandAttestation  bool
+	EnableMemoryMonitoring     bool
 }
 
 // New takes a filepath, opens the file, and calls ReadJsonInput with the contents

diff --git a/launcher/spec/launch_policy.go b/launcher/spec/launch_policy.go
@@ -23,6 +23,20 @@ const (
 	never
 )
 
+// String returns LaunchPolicy details.
+func (p policy) String() string {
+	switch p {
+	case debugOnly:
+		return "debugonly"
+	case always:
+		return "always"
+	case never:
+		return "never"
+	default:
+		return "unspecified launch policy"
+	}
+}
+
 func toPolicy(policy, s string) (policy, error) {
 	s = strings.ToLower(s)
 	s = strings.TrimSpace(s)
@@ -79,7 +93,7 @@ func GetLaunchPolicy(imageLabels map[string]string) (LaunchPolicy, error) {
 	if v, ok := imageLabels[memoryMonitoring]; ok {
 		launchPolicy.AllowedMemoryMonitoring, err = toPolicy(memoryMonitoring, v)
 		if err != nil {
-			return LaunchPolicy{}, fmt.Errorf("invalid image LABEL '%s'; contact the image author", logRedirect)
+			return LaunchPolicy{}, fmt.Errorf("invalid image LABEL '%s'; contact the image author", memoryMonitoring)
 		}
 	}