Add new ctrdtaskapi package for shim task API support.
#1485
Conversation
|
@KenGordon this is how fragments will be eventually presented in GCS. FYI @SeanTAllen @matajoh |
|
short for ContainerD 😄 |
anmaxvl
force-pushed
the
ctrdtaskapi-fragment
branch
from
32563e2
to
af25645
Compare
yup |
|
We already have the |
We need to pass in a new resource type when sending a container update request. This package is meant to have those additional resource definitions. Adding new rpc call to |
anmaxvl
force-pushed
the
ctrdtaskapi-fragment
branch
from
af25645
to
b9a5a55
Compare
anmaxvl
force-pushed
the
ctrdtaskapi-fragment
branch
from
b9a5a55
to
0857829
Compare
pkg/ctrdtaskapi/update.go
Outdated
| Fragment string `json:"fragment,omitempty"` | ||
| // Annotations hold arbitrary additional information that can be used to | ||
| // (e.g.) provide more context about Fragment. | ||
| Annotations map[string]string `json:"annotations,omitempty"` |
There was a problem hiding this comment.
Do we have an expectation of what this will be used for? Pretty sure the overall update request already takes annotations, so rather we not just add it onto everything for future proofing.
There was a problem hiding this comment.
We briefly discussed with @KenGordon about potentially sending a "media-type", so that the guest would be able to process different content, e.g., tar, raw bytes etc. But I agree that we can add it later if we ever have a need to extend supported fragment formats
There was a problem hiding this comment.
Is the fragment format today a raw string of Rego? Do we know of cases where that will need to change in the future?
There was a problem hiding this comment.
as far as I know yes, it's a raw string of Rego. @KenGordon or @matajoh can we get your input here?
There was a problem hiding this comment.
At this level the payload is a COSE_Sign1 document base64 encoded so we can check the signatures inside the UVM.
There was a problem hiding this comment.
oh, right. I should've known this 🤦♂️
There was a problem hiding this comment.
Would it be better to rename this field to reflect this? Or at least add a comment stating it's a COSE_Sign1 doc with base64 encoding?
anmaxvl
force-pushed
the
ctrdtaskapi-fragment
branch
2 times, most recently
from
7434f36
to
5d9408d
Compare
Add new typeurl registered data structure to represent additional security policy constraint fragments, which can be passed as part of shim's task Update request. Change behavior of UpdateContainerConstraints to return an error when an invalid resource is passed. Make sure hcsshim can consume the new resource as part of task Update request handling and new GCS protocol message can be properly accepted by the guest. Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
ctrdtaskapi-fragment
branch
from
5d9408d
to
bb1a14d
Compare
|
I did a little jig when I saw this was merged. |
) Add new typeurl registered data structure to represent additional security policy constraint fragments, which can be passed as part of shim's task Update request. Rename `UpdateContainerConstraints` to `Update` and change the behavior to return an error when an invalid resource is passed. Make sure hcsshim can consume the new resource as part of task Update request handling and new GCS protocol message can be properly accepted by the guest. Signed-off-by: Maksim An <maksiman@microsoft.com>
Add new typeurl registered data structure to represent
additional security policy constraint fragments, which
can be passed as part of shim's task Update request.
Change behavior of UpdateContainerConstraints to return
an error when an invalid resource is passed.
Make sure hcsshim can consume the new resource as part
of task Update request handling and new GCS protocol
message can be properly accepted by the guest.
Signed-off-by: Maksim An maksiman@microsoft.com