tools: genpolicy: cbl-mariner: container root path is incorrect #8835

Closed
danmihai1 opened this issue Jan 15, 2024 · 0 comments · Fixed by #8836
Labels
bug Incorrect behaviour needs-review Needs to be assessed by the team.

danmihai1 commented Jan 15, 2024

As a step towards testing genpolicy for CoCo, we should start by testing policies generated by this tool on cbl-mariner Guest VMs. Testing cbl-mariner on AKS might be easier than testing using a different Guest that supports AGENT_POLICY=yes, because my team at Microsoft is already testing on cbl-mariner.

genpolicy expects a container Rootfs path similar to:

/run/kata-containers/shared/containers/d5dff9a64f2e096c0ebbfbc2daab5da2a6975c83e231cf03f33c4561a8cf5e85

That path is incorrect for Kata main branch + cbl-mariner Guest VMs, and that blocks the testing described above. The actual path is similar to:

/run/kata-containers/shared/containers/d5dff9a64f2e096c0ebbfbc2daab5da2a6975c83e231cf03f33c4561a8cf5e85/rootfs

@danmihai1 danmihai1 added bug Incorrect behaviour needs-review Needs to be assessed by the team. labels Jan 15, 2024
danmihai1 added a commit to microsoft/kata-containers that referenced this issue Jan 15, 2024
Adjust genpolicy-settings.json to match the container root path from
the main branch + cbl-mariner Guest VMs.

This configuration might have to be adjusted again when other types of
Guest VMs will be tested during CI using genpolicy, in the future.

Also, improve logging from allow_root_path(), to easier debug these
issues in the future.

Fixes: kata-containers#8835

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
@katacontainersbot katacontainersbot moved this from To do to In progress in Issue backlog Jan 15, 2024
danmihai1 added a commit to microsoft/kata-containers that referenced this issue Jan 16, 2024
danmihai1 added a commit to microsoft/kata-containers that referenced this issue Jan 17, 2024
danmihai1 added a commit to microsoft/kata-containers that referenced this issue Jan 20, 2024
c3d pushed a commit to c3d/kata-containers that referenced this issue Feb 23, 2024