snp: added snp unencrypted test#5594
Conversation
katacontainersbot
added
the
size/huge
katacontainersbot
added
size/tiny
| ) | ||
| if [[ -z "${measurement}" ]]; then return 1; fi | ||
| echo ${measurement} | ||
| } No newline at end of file |
There was a problem hiding this comment.
A few comments.
There may be some more code that could be shared with the non-tee tests, but I'm not sure it's worth getting into that given the impending merge and certain organizational issues with the tests.
I'm not very familiar with the stuff in .ci. Hopefully somoene else can help review those changes.
We will also need a new case in tests_runner.sh in the operator repo.
| # Delete all data with 'id = 10' | ||
| mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${kbs_db_host} -D ${KBS_DB} <<EOF | ||
| DELETE FROM secrets WHERE id = 10; | ||
| DELETE FROM keysets WHERE id = 10; |
There was a problem hiding this comment.
We shouldn't really have anything relating to keyses in the code anymore. I guess deleting them is fine as a precaution.
|
|
||
| NAME="${name}" IMAGE="${image}" RUNTIMECLASS="${RUNTIMECLASS}" \ | ||
| KBS_URI="${kbs_ip}:44444" \ | ||
| POLICY="${policy}" \ |
There was a problem hiding this comment.
Setting the policy and kbs_uri via annoation is not supported for SNP. The annotations will just be ignored so it isn't too bad, but this function isn't quite as general as it might seem.
| docker-compose \ | ||
| cpuid | ||
| pip install sev-snp-measure | ||
| "${TESTS_REPO_DIR}/.ci/install_yq.sh" >&2 |
There was a problem hiding this comment.
Not all of these are required currently. I don't think we use cpuid yet, for instance, since we don't calculate launch measurement. On the other hand maybe we should make these deps generic and move them to the common file.
There was a problem hiding this comment.
I like the idea of maintaining the packages to be installed in the script that needs them. I added these packages in anticipation for when attestation tests would be added, but for now I've trimmed them down to what's required.
| # Extract name from the file name | ||
| local name=$(basename "${service_yaml%.*}") | ||
|
|
||
| # Default policy is 3: |
There was a problem hiding this comment.
Only for SEV. SNP policies have different layout, but they don't get set here anyway (see below).
There was a problem hiding this comment.
Resolved by other fix from above.
ryansavino
force-pushed
the
add-snp-test
branch
3 times, most recently
from
6de094d to
b258a59
Compare
fitzthum
left a comment
fitzthum
left a comment
There was a problem hiding this comment.
LGTM with one little note.
Also, I think the lib code is probably in the wrong place, but I'm not sure what the optimal location is.
| local initrd_path="$(esudo /opt/confidential-containers/bin/kata-runtime \ | ||
| --config ${SEV_CONFIG} kata-env --json | jq -r .Initrd.Path)" | ||
| # Set the annotations for the simple-kbs URI and policy in the encrypted service yaml | ||
| encrypted_yaml_set_kbs_annotations() { |
There was a problem hiding this comment.
This can be used for unencrypted images as well. It might be best to just have a yaml generation function for SEV and one for SNP. That is currently the fundamental difference in what annotations are available.
There was a problem hiding this comment.
Are there any annotations we need to apply for the unencrypted?
There was a problem hiding this comment.
The policy annotation is totally separate from whether the image is encrypted or not. The policy enables SEV-ES. It is totally valid to use -ES with an unencrypted image. The KBS URI isn't directly tied to encryption either, actually. You need to set that for signed images as well. So none of the annotations are directly related to whether the image is encrypted. That is determined by the format of the image itself. SEV and SNP do have different annotations as of today, though.
There was a problem hiding this comment.
Updated. Check it out now. I think this way might be better. Created a k8s_yaml_set_annotation method in common.bash and removed the specific method from sev.bats.
ryansavino
force-pushed
the
add-snp-test
branch
from
b258a59 to
4f77038
Compare
katacontainersbot
added
size/huge
ryansavino
force-pushed
the
add-snp-test
branch
from
4f77038 to
af9a990
Compare
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
2 times, most recently
from
ec9ff8b to
a08386a
Compare
|
/test |
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
from
f093a53 to
a77e884
Compare
katacontainersbot
added
size/tiny
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
from
510d263 to
d1ff5fe
Compare
|
/test-sev |
|
/test |
1 similar comment
|
/test |
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
from
df90192 to
86c6947
Compare
katacontainersbot
removed
the
size/huge
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
from
48f397a to
bb9fb6f
Compare
This line is duplicate with line 19 Signed-Off-By: Ryan Savino <ryan.savino@amd.com> Remove duplicate line
containerd config in /etc/containerd/config.toml requires sudo access Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
2 times, most recently
from
e657bc1 to
3b54502
Compare
|
@ryansavino is this on track for 0.7.0 (feature freeze 12th of July) or should we move it to 0.8.0? |
| info "Running Confidential Containers tests for AMD SEV" | ||
| sudo -E PATH="$PATH" CRI_RUNTIME="containerd" bash -c "make cc-sev-kubernetes" | ||
| ;; | ||
| "CC_SNP_CRI_CONTAINERD_K8S") |
There was a problem hiding this comment.
Sorry, just notice this CC_SNP_CRI_CONTAINERD_K8S.... usually we have CC_CRI_CONTAINERD_K8S_SOME_SPECIFIC_CONFIG. So it should be CC_CRI_CONTAINERD_K8S_SNP.
CC_SEV_CRI_CONTAINERD_K8S above seems wrong but better not change it right now.
There was a problem hiding this comment.
@wainersm changing this will need changes to be made in the CI repo as well. So do you think it is safer to do that in a different PR? I can open one as soon as this gets merged. I already have a PR open in ci repo. What do you think?
There was a problem hiding this comment.
@UnmeshDeodhar Indeed it is safer to do that change on a follow up PR.
|
@ariel-adam, @ryansavino and I were on vacation this week so did not get a chance to reply. This is on track and I will incorporate all the feedback and get it ready before the merge. Will post something in the slack if I need someone's help to get it merged. |
UnmeshDeodhar
force-pushed
the
add-snp-test
branch
from
3b54502 to
1bab0a2
Compare
katacontainersbot
added
size/tiny
common methods from sev.bats moved into common.bash service.yaml.in generalized Signed-Off-By: Ryan Savino <ryan.savino@amd.com> Signed-Off-By: Unmesh Deodhar <udeodhar@amd.com>
|
Thanks @wainersm for the review. I have addressed all your comments. Please let me know if this looks good now. |
|
/test |
|
|
||
| echo "Create the test sandbox" | ||
| echo "Pod config is: $pod_config" | ||
| kubernetes_create_cc_pod $pod_config |
There was a problem hiding this comment.
Hi @UnmeshDeodhar , I prefer the other way around: change the name of the functions that you are introducing on this PR to Kubernetes_, and leave the existing non-snp tests untouched. I want to avoid any regressions on the exsiting tests at this point :)
There was a problem hiding this comment.
Changed all the functions back to kubernetes_*
|
|
||
| QEMU_PATH="/opt/kata/bin/qemu-system-x86_64-experimental" | ||
| if [ "${KATA_BUILD_QEMU_TYPE}" == "snp" ]; then | ||
| QEMU_PATH="/opt/confidential-containers/bin/qemu-system-x86_64-snp" |
There was a problem hiding this comment.
In a VM where I ran this script I got the qemu for snp installed with another name:
$ crudini --get /opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-snp.toml hypervisor.qemu path
"/opt/confidential-containers/bin/qemu-system-x86_64-snp-experimental"
$ ls /opt/confidential-containers/bin/
containerd-shim-kata-v2 kata-collect-data.sh kata-monitor kata-runtime qemu-system-x86_64-snp-experimental
Maybe some code on this install_qemu_experimental.sh script is bogus?
There was a problem hiding this comment.
Good catch @wainersm.
I have removed the bogus code in build_qemu_experimental.sh
added makefile target as well Fixes: kata-containers#5593 Signed-Off-By: Ryan Savino <ryan.savino@amd.com> Signed-Off-By: Unmesh Deodhar <udeodhar@amd.com>
Fixes: kata-containers#5593 Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Fixes: kata-containers#5593 Signed-Off-By: Unmesh Deodhar <udeodhar@amd.com>
SNP requires generic OVMF. Thus adding a code that builds generic OVMF. Fixes: kata-containers#5593 Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Using pod annotation instead of changing the config file. Fixes: kata-containers#5593 Signed-Off-By: Unmesh Deodhar <udeodhar@amd.com>
Renaming k8s_* functions to kubernetes_* to match the rest of the functions. Fixes: kata-containers#5593 Signed-Off-By: Unmesh Deodhar <udeodhar@amd.com>
|
/test |
1 similar comment
|
/test |
|
Last week there was some discussion about organizing this PR in a way that is easier to review or possibly splitting it into multiple. At this point I'm not really sure what would be most efficient, but let me make a few notes to help anyone who looks at this.
|
|
I see that in http://jenkins.katacontainers.io/job/tests-CCv0-ubuntu-20.04_snp-x86_64-CC_SNP_CRI_CONTAINERD_K8S-PR/64/consoleFull the SNP test introduced on this PR ran fine: BTW, that job was manually created just to test this PR. It will be automatically created again once we get kata-containers/ci#547 merged (which depends on this PR). One last thing before we merge this.... the TDX job failed. @fidencio could you please tell us the failure is related with this PR (or not)? |
|
/test-tdx |
wainersm
left a comment
wainersm
left a comment
There was a problem hiding this comment.
@UnmeshDeodhar @ryansavino I think it can be merged now. Any improvement and fixes made to follow up PRs. Thanks!
8 participants
Fixes: #5593
added makefile target as well
moved common functions out of sev.bats
few minor fixes in separate commits
Signed-Off-By: Ryan Savino ryan.savino@amd.com