CC: Integrate pause image into rootfs #9032
ChengyuZhu6 added the labels enhancement (Improvement to an existing feature) and needs-review (Needs to be assessed by the team.) on Feb 6, 2024
ChengyuZhu6 added a commit to ChengyuZhu6/kata-containers that referenced this issue on Feb 6, 2024:

For the Confidential Containers stack, the pause image is managed by the host side, which may configure a malicious pause image, so we need to package a pause image inside the rootfs and not use the pause image from the host. But the installation of skopeo is not included in the 20.04 release, so we cannot directly install skopeo in the rootfs and pull the pause image. So I plan to make the task a static build, which would not be influenced by the system version in the rootfs. The pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers use case. This commit enables the component to be built both locally and in our CI environment with the command: make pause-image-tarball.

Fixes: kata-containers#9032
Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
I hope there is an option to keep some of these components out of the Guest rootfs. Updating the Guest rootfs is expensive in a Production environment, so ideally the pause container, the Attestation client, etc. should be pulled from a container image repository rather than cramming all of them into the Guest rootfs.
fidencio added a commit to fidencio/kata-containers that referenced this issue on Feb 13, 2024:

It doesn't make sense to ship the pause-image itself as a release artefact. The reason we build it and cache it is in order to use it inside the rootfs, and that's it; there's no need to ship it as part of the release, at all.

Fixes: kata-containers#9032 -- part II
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio added a commit to fidencio/kata-containers that referenced this issue on Feb 28, 2024:

We were never passing the arguments to add the PAUSE_IMAGE to the rootfs, leading to it never being present in the confidential image / initrd.

Fixes: kata-containers#9032 -- part II
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Which feature do you think can be improved?
For the Confidential Containers stack, the pause image is managed by the host side, which may configure a malicious pause image, so we need to package a pause image inside the rootfs and not use the pause image from the host. So the pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers use case.