Adds support for enabling integrity protection for LCOW layers #6000
Conversation
Hi @anmaxvl. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Build succeeded.
/ok-to-test
We're trying to finalize a new hcsshim release (0.9.0); that's why this is still in draft.
hcsshim has been re-vendored in #6099, can anyone take a look?
@kevpar @katiewasnothere @dcantah PTAL 😃

katiewasnothere left a comment
couple questions, but otherwise LGTM
Are the extra bits just ignored (like the VHD footer; virtstack's the only thing that cares about it) if the kernel's not built with dm-verity?
dcantah left a comment
lgtm also, minor suggestion and a question
Yeah, if the Linux guest doesn't read the dm-verity footer, like we do in opengcs, the extra bits will just be ignored. The ext4 file system isn't even aware of the footer, since we don't update the superblock at all.
Merge Failed. This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
/retest

@kevpar PTAL 😄

@mikebrow any thoughts on Labels vs Annotations and PR in general? thanks 😄

gentle ping

katiewasnothere left a comment
lgtm
A new feature has been added to hcsshim where read-only LCOW layers can be mounted with integrity protection. This is done by reading the hash device information from layer VHD and passing it to the LCOW UVM, where device mapper checks the integrity via dm-verity Linux kernel feature. Layout on disk is expected to be:

```
|Byte 0   |Byte size(ext4)      |Byte size(ext4)+size(hash device)|
|ext4 data|dm-verity hash device|VHD footer                       |
```

This PR adds ability to append hash device data during LCOW image extraction. The additional metadata to tar2ext4 converter is passed via diff.ApplyConfig.ProcessorPayloads.

Signed-off-by: Maksim An <[email protected]>
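As an added illustration of the on-disk layout in the PR description (this is not containerd or hcsshim code), the Go program below constructs a sample image with the three regions and checks the ext4 data against the dm-verity hash device the way a guest would. It assumes the standard veritysetup superblock layout, 4 KiB blocks, SHA-256, hash_type 1 and a single-level hash tree; the data blocks, salt and VHD footer are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
const blockSize = 4096 // assumed data and hash block size (4 KiB)
// hashBlock is dm-verity hash_type 1: H(salt || block).
func hashBlock(salt, block []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), block...))
	return sum[:]
}

// BuildImage constructs a sample |ext4 data|dm-verity hash device|VHD footer| image: filler data
// blocks, a veritysetup-style superblock padded to one block, one hash block and the VHD footer.
func BuildImage(nData int, salt []byte) []byte {
	data := bytes.Repeat([]byte("lcow-ext4-block!"), nData*blockSize/16)
	sb := make([]byte, blockSize)
	copy(sb, "verity\x00\x00")
	binary.LittleEndian.PutUint64(sb[72:], uint64(nData))
	binary.LittleEndian.PutUint16(sb[80:], uint16(len(salt)))
	copy(sb[88:], salt)
	hashes := make([]byte, blockSize) // one level covers up to 128 data blocks
	for i := 0; i < nData; i++ {
		copy(hashes[i*32:], hashBlock(salt, data[i*blockSize:(i+1)*blockSize]))
	}
	footer := append([]byte("conectix"), make([]byte, 504)...) // VHD footer cookie, ignored by the guest
	return bytes.Join([][]byte{data, sb, hashes, footer}, nil)
}

// VerifyLayout finds the hash device at offset ext4Size, checks every data block and returns the root digest.
func VerifyLayout(img []byte, ext4Size int) ([]byte, error) {
	if len(img) < ext4Size+2*blockSize+512 || string(img[len(img)-512:][:8]) != "conectix" {
		return nil, fmt.Errorf("image too short or VHD footer cookie missing")
	}
	sb, hashes := img[ext4Size:ext4Size+512], img[ext4Size+blockSize:ext4Size+2*blockSize]
	n, saltSize := binary.LittleEndian.Uint64(sb[72:80]), int(binary.LittleEndian.Uint16(sb[80:82]))
	if string(sb[:8]) != "verity\x00\x00" || saltSize > 256 || n > blockSize/32 || int(n)*blockSize > ext4Size {
		return nil, fmt.Errorf("no usable dm-verity superblock at byte %d", ext4Size)
	}
	salt := sb[88 : 88+saltSize]
	for i := 0; i < int(n); i++ {
		if !bytes.Equal(hashBlock(salt, img[i*blockSize:(i+1)*blockSize]), hashes[i*32:(i+1)*32]) {
			return nil, fmt.Errorf("data block %d does not match the hash device", i)
		}
	}
	return hashBlock(salt, hashes), nil // root digest H(salt || hash block)
}
```

The root digest returned is the value the UVM would be given to configure dm-verity; a single flipped byte in the ext4 region or a wrong ext4 size offset makes verification fail.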
client_opts.go (Outdated)

```go
// WithContainerLayerIntegrity enables integrity protection of WCOW/LCOW layers by
// setting appropriate RemoteContext label
func WithContainerLayerIntegrity() RemoteOpt {
```
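Review bot: the doc comment on WithContainerLayerIntegrity says it enables integrity protection for WCOW/LCOW layers, while the PR description only adds hash-device support for LCOW layers; either narrow the comment to LCOW or say what the option does for WCOW. The comment should also end with a period ("// setting the appropriate RemoteContext label.").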
Makes me wonder whether we should have this option, I don't see any RemoteOpts before this that only work for a specific platform. I don't think supplying the WithPullLabel bit would be too cumbersome and would leave all of the options freely usable on *nix and Windows
yeah, makes sense. maybe I'll just limit the change to our fork.