Add new ctrdtaskapi package for shim task API support. #1485
@KenGordon this is how fragments will be eventually presented in GCS. FYI @SeanTAllen @matajoh
short for ContainerD 😄
The actual InjectFragment implementation is coming soon, I imagine?
yup
We already have the
We need to pass in a new resource type when sending a container update request. This package is meant to have those additional resource definitions. Adding new rpc call to
pkg/ctrdtaskapi/update.go
Outdated
Fragment string `json:"fragment,omitempty"` | ||
// Annotations hold arbitrary additional information that can be used to | ||
// (e.g.) provide more context about Fragment. | ||
Annotations map[string]string `json:"annotations,omitempty"` |
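Review bot: `Annotations map[string]string` at the end of this hunk is an open-ended map whose comment says only that it holds "arbitrary additional information", so a reader cannot tell which keys are expected or how a consumer should treat unknown ones. Either document the keys that are actually used or leave the field out until there is one. `Fragment string` also says nothing in its name or JSON tag about the encoding of its contents; a one-line comment stating the expected format would help.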
Do we have an expectation of what this will be used for? Pretty sure the overall update request already takes annotations, so I'd rather we not just add it onto everything for future proofing.
We briefly discussed with @KenGordon about potentially sending a "media-type", so that the guest would be able to process different content, e.g., tar, raw bytes, etc. But I agree that we can add it later if we ever have a need to extend supported fragment formats.
Is the fragment format today a raw string of Rego? Do we know of cases where that will need to change in the future?
As far as I know, yes, it's a raw string of Rego. @KenGordon or @matajoh can we get your input here?
At this level the payload is a COSE_Sign1 document base64 encoded so we can check the signatures inside the UVM.
oh, right. I should've known this 🤦♂️
Would it be better to rename this field to reflect this? Or at least add a comment stating it's a COSE_Sign1 doc with base64 encoding?
Left a few comments
LGTM
I did a little jig when I saw this was merged.

Add new typeurl registered data structure to represent additional security policy constraint fragments, which can be passed as part of shim's task Update request.

Rename `UpdateContainerConstraints` to `Update` and change the behavior to return an error when an invalid resource is passed.

Make sure hcsshim can consume the new resource as part of task Update request handling and new GCS protocol message can be properly accepted by the guest.

Signed-off-by: Maksim An <maksiman@microsoft.com>
Add new typeurl registered data structure to represent
additional security policy constraint fragments, which
can be passed as part of shim's task Update request.

Change behavior of UpdateContainerConstraints to return
an error when an invalid resource is passed.

Make sure hcsshim can consume the new resource as part
of task Update request handling and new GCS protocol
message can be properly accepted by the guest.

Signed-off-by: Maksim An <maksiman@microsoft.com>
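
The review thread establishes that the fragment payload is a base64-encoded COSE_Sign1 document, and the commit message says an invalid resource in an update request now produces an error. The sketch below is an added example, not hcsshim code: `PolicyFragment`, `validateUpdate`, `looksLikeCOSESign1` and `errInvalidResource` are hypothetical names, and the check covers only the CBOR framing (optional tag 18, then a four-element array), leaving signature verification to the guest as the thread describes.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// PolicyFragment is a hypothetical stand-in for the resource in the thread;
// Fragment holds a base64-encoded COSE_Sign1 document.
type PolicyFragment struct {
	Fragment string `json:"fragment,omitempty"`
}

var errInvalidResource = errors.New("invalid resource")

// looksLikeCOSESign1 checks CBOR framing only: an optional tag 18 (0xd2), then
// a four-element array header (0x84). It does not verify any signature.
func looksLikeCOSESign1(raw []byte) bool {
	if len(raw) > 0 && raw[0] == 0xd2 {
		raw = raw[1:]
	}
	return len(raw) > 1 && raw[0] == 0x84
}

// validateUpdate (hypothetical) rejects unknown or malformed resources with an error.
func validateUpdate(resource interface{}) error {
	switch r := resource.(type) {
	case *PolicyFragment:
		raw, err := base64.StdEncoding.DecodeString(r.Fragment)
		if err != nil {
			return fmt.Errorf("%w: fragment is not base64: %v", errInvalidResource, err)
		}
		if !looksLikeCOSESign1(raw) {
			return fmt.Errorf("%w: fragment is not a COSE_Sign1 envelope", errInvalidResource)
		}
		return nil
	default:
		return fmt.Errorf("%w: unsupported type %T", errInvalidResource, resource)
	}
}

func main() {
	// Constructed sample: tag 18, array(4), empty bstr, empty map, bstr "x", empty bstr.
	sample := base64.StdEncoding.EncodeToString([]byte{0xd2, 0x84, 0x40, 0xa0, 0x41, 'x', 0x40})
	fmt.Println(validateUpdate(&PolicyFragment{Fragment: sample}))
	fmt.Println(validateUpdate(&PolicyFragment{Fragment: "cGFja2FnZSBmcmFnbWVudA=="})) // base64 of plain text
	fmt.Println(validateUpdate("not a resource"))
}
```

Rejecting plain base64 text on the host side gives an early, clear error when a caller passes raw policy text instead of a signed envelope; it is a sanity check only and does not replace verification in the UVM.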