podman
570 строк · 19.1 Кб
1package mkcw2import (4"archive/tar"5"bytes"6"compress/gzip"7"encoding/binary"8"encoding/json"9"errors"10"fmt"11"io"12"io/fs"13"os"14"os/exec"15"path/filepath"16"strconv"17"strings"18"time"19"github.com/containers/buildah/internal/tmpdir"21"github.com/containers/buildah/pkg/overlay"22"github.com/containers/luksy"23"github.com/containers/storage/pkg/idtools"24"github.com/containers/storage/pkg/mount"25"github.com/containers/storage/pkg/system"26"github.com/docker/docker/pkg/ioutils"27"github.com/docker/go-units"28digest "github.com/opencontainers/go-digest"29v1 "github.com/opencontainers/image-spec/specs-go/v1"30"github.com/sirupsen/logrus"31)32const minimumImageSize = 10 * 1024 * 102434// ArchiveOptions includes optional settings for generating an archive.36type ArchiveOptions struct {37// If supplied, we'll register the workload with this server.38// Practically necessary if DiskEncryptionPassphrase is not set, in39// which case we'll generate one and throw it away after.40AttestationURL string41// Used to measure the environment. If left unset (0, ""), defaults will be applied.43CPUs int44Memory int45// Can be manually set. If left unset ("", false, nil), reasonable values will be used.47TempDir string48TeeType TeeType49IgnoreAttestationErrors bool50ImageSize int6451WorkloadID string52Slop string53DiskEncryptionPassphrase string54FirmwareLibrary string55Logger *logrus.Logger56GraphOptions []string // passed in from a storage Store, probably57ExtraImageContent map[string]string58}59type chainRetrievalError struct {61stderr string62err error63}64func (c chainRetrievalError) Error() string {66if trimmed := strings.TrimSpace(c.stderr); trimmed != "" {67return fmt.Sprintf("retrieving SEV certificate chain: sevctl: %v: %v", strings.TrimSpace(c.stderr), c.err)68}69return fmt.Sprintf("retrieving SEV certificate chain: sevctl: %v", c.err)70}71// Archive generates a WorkloadConfig for a specified directory and produces a73// tar archive of a container image's rootfs with the expected contents.74func Archive(rootfsPath string, ociConfig *v1.Image, options ArchiveOptions) (io.ReadCloser, WorkloadConfig, error) {75const (76teeDefaultCPUs = 277teeDefaultMemory = 51278teeDefaultFilesystem = "ext4"79teeDefaultTeeType = SNP80)81if rootfsPath == "" {83return nil, WorkloadConfig{}, fmt.Errorf("required path not specified")84}85logger := options.Logger86if logger == nil {87logger = logrus.StandardLogger()88}89teeType := options.TeeType91if teeType == "" {92teeType = teeDefaultTeeType93}94cpus := options.CPUs95if cpus == 0 {96cpus = teeDefaultCPUs97}98memory := options.Memory99if memory == 0 {100memory = teeDefaultMemory101}102filesystem := teeDefaultFilesystem103workloadID := options.WorkloadID104if workloadID == "" {105digestInput := rootfsPath + filesystem + time.Now().String()106workloadID = digest.Canonical.FromString(digestInput).Encoded()107}108workloadConfig := WorkloadConfig{109Type: teeType,110WorkloadID: workloadID,111CPUs: cpus,112Memory: memory,113AttestationURL: options.AttestationURL,114}115if options.TempDir == "" {116options.TempDir = tmpdir.GetTempDir()117}118// Do things which are specific to the type of TEE we're building for.120var chainBytes []byte121var chainBytesFile string122var chainInfo fs.FileInfo123switch teeType {124default:125return nil, WorkloadConfig{}, fmt.Errorf("don't know how to generate TeeData for TEE type %q", teeType)126case SEV, SEV_NO_ES:127// If we need a certificate chain, get it.128chain, err := os.CreateTemp(options.TempDir, "chain")129if err != nil {130return nil, WorkloadConfig{}, err131}132chain.Close()133defer func() {134if err := os.Remove(chain.Name()); err != nil {135logger.Warnf("error removing temporary file %q: %v", chain.Name(), err)136}137}()138logrus.Debugf("sevctl export -f %s", chain.Name())139cmd := exec.Command("sevctl", "export", "-f", chain.Name())140var stdout, stderr bytes.Buffer141cmd.Stdout, cmd.Stderr = &stdout, &stderr142if err := cmd.Run(); err != nil {143if !options.IgnoreAttestationErrors {144return nil, WorkloadConfig{}, chainRetrievalError{stderr.String(), err}145}146logger.Warn(chainRetrievalError{stderr.String(), err}.Error())147}148if chainBytes, err = os.ReadFile(chain.Name()); err != nil {149chainBytes = []byte{}150}151var teeData SevWorkloadData152if len(chainBytes) > 0 {153chainBytesFile = "sev.chain"154chainInfo, err = os.Stat(chain.Name())155if err != nil {156return nil, WorkloadConfig{}, err157}158teeData.VendorChain = "/" + chainBytesFile159}160encodedTeeData, err := json.Marshal(teeData)161if err != nil {162return nil, WorkloadConfig{}, fmt.Errorf("encoding tee data: %w", err)163}164workloadConfig.TeeData = string(encodedTeeData)165case SNP:166teeData := SnpWorkloadData{167Generation: "milan",168}169encodedTeeData, err := json.Marshal(teeData)170if err != nil {171return nil, WorkloadConfig{}, fmt.Errorf("encoding tee data: %w", err)172}173workloadConfig.TeeData = string(encodedTeeData)174}175// We're going to want to add some content to the rootfs, so set up an177// overlay that uses it as a lower layer so that we can write to it.178st, err := system.Stat(rootfsPath)179if err != nil {180return nil, WorkloadConfig{}, fmt.Errorf("reading information about the container root filesystem: %w", err)181}182// Create a temporary directory to hold all of this. Use tmpdir.GetTempDir()183// instead of the passed-in location, which a crafty caller might have put in an184// overlay filesystem in storage because there tends to be more room there than185// in, say, /var/tmp, and the plaintext disk image, which we put in the passed-in186// location, can get quite large.187rootfsParentDir, err := os.MkdirTemp(tmpdir.GetTempDir(), "buildah-rootfs")188if err != nil {189return nil, WorkloadConfig{}, fmt.Errorf("setting up parent for container root filesystem: %w", err)190}191defer func() {192if err := os.RemoveAll(rootfsParentDir); err != nil {193logger.Warnf("cleaning up parent for container root filesystem: %v", err)194}195}()196// Create a mountpoint for the new overlay, which we'll use as the rootfs.197rootfsDir := filepath.Join(rootfsParentDir, "rootfs")198if err := idtools.MkdirAndChown(rootfsDir, fs.FileMode(st.Mode()), idtools.IDPair{UID: int(st.UID()), GID: int(st.GID())}); err != nil {199return nil, WorkloadConfig{}, fmt.Errorf("creating mount target for container root filesystem: %w", err)200}201defer func() {202if err := os.Remove(rootfsDir); err != nil {203logger.Warnf("removing mount target for container root filesystem: %v", err)204}205}()206// Create a directory to hold all of the overlay package's working state.207tempDir := filepath.Join(rootfsParentDir, "tmp")208if err = os.Mkdir(tempDir, 0o700); err != nil {209return nil, WorkloadConfig{}, err210}211// Create some working state in there.212overlayTempDir, err := overlay.TempDir(tempDir, int(st.UID()), int(st.GID()))213if err != nil {214return nil, WorkloadConfig{}, fmt.Errorf("setting up mount of container root filesystem: %w", err)215}216defer func() {217if err := overlay.RemoveTemp(overlayTempDir); err != nil {218logger.Warnf("cleaning up mount of container root filesystem: %v", err)219}220}()221// Create a mount point using that working state.222rootfsMount, err := overlay.Mount(overlayTempDir, rootfsPath, rootfsDir, 0, 0, options.GraphOptions)223if err != nil {224return nil, WorkloadConfig{}, fmt.Errorf("setting up support for overlay of container root filesystem: %w", err)225}226defer func() {227if err := overlay.Unmount(overlayTempDir); err != nil {228logger.Warnf("unmounting support for overlay of container root filesystem: %v", err)229}230}()231// Follow through on the overlay or bind mount, whatever the overlay package decided232// to leave to us to do.233rootfsMountOptions := strings.Join(rootfsMount.Options, ",")234logrus.Debugf("mounting %q to %q as %q with options %v", rootfsMount.Source, rootfsMount.Destination, rootfsMount.Type, rootfsMountOptions)235if err := mount.Mount(rootfsMount.Source, rootfsMount.Destination, rootfsMount.Type, rootfsMountOptions); err != nil {236return nil, WorkloadConfig{}, fmt.Errorf("mounting overlay of container root filesystem: %w", err)237}238defer func() {239logrus.Debugf("unmounting %q", rootfsMount.Destination)240if err := mount.Unmount(rootfsMount.Destination); err != nil {241logger.Warnf("unmounting overlay of container root filesystem: %v", err)242}243}()244// Pretend that we didn't have to do any of the preceding.245rootfsPath = rootfsDir246// Write extra content to the rootfs, creating intermediate directories if necessary.248for location, content := range options.ExtraImageContent {249err := func() error {250if err := idtools.MkdirAllAndChownNew(filepath.Dir(filepath.Join(rootfsPath, location)), 0o755, idtools.IDPair{UID: int(st.UID()), GID: int(st.GID())}); err != nil {251return fmt.Errorf("ensuring %q is present in container root filesystem: %w", filepath.Dir(location), err)252}253output, err := os.OpenFile(filepath.Join(rootfsPath, location), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)254if err != nil {255return fmt.Errorf("preparing to write %q to container root filesystem: %w", location, err)256}257defer output.Close()258input, err := os.Open(content)259if err != nil {260return err261}262defer input.Close()263if _, err := io.Copy(output, input); err != nil {264return fmt.Errorf("copying contents of %q to %q in container root filesystem: %w", content, location, err)265}266if err := output.Chown(int(st.UID()), int(st.GID())); err != nil {267return fmt.Errorf("setting owner of %q in the container root filesystem: %w", location, err)268}269if err := output.Chmod(0o644); err != nil {270return fmt.Errorf("setting permissions on %q in the container root filesystem: %w", location, err)271}272return nil273}()274if err != nil {275return nil, WorkloadConfig{}, err276}277}278// Write part of the config blob where the krun init process will be280// looking for it. The oci2cw tool used `buildah inspect` output, but281// init is just looking for fields that have the right names in any282// object, and the image's config will have that, so let's try encoding283// it directly.284krunConfigPath := filepath.Join(rootfsPath, ".krun_config.json")285krunConfigBytes, err := json.Marshal(ociConfig)286if err != nil {287return nil, WorkloadConfig{}, fmt.Errorf("creating .krun_config from image configuration: %w", err)288}289if err := ioutils.AtomicWriteFile(krunConfigPath, krunConfigBytes, 0o600); err != nil {290return nil, WorkloadConfig{}, fmt.Errorf("saving krun config: %w", err)291}292// Encode the workload config, in case it fails for any reason.294cleanedUpWorkloadConfig := workloadConfig295switch cleanedUpWorkloadConfig.Type {296default:297return nil, WorkloadConfig{}, fmt.Errorf("don't know how to canonicalize TEE type %q", cleanedUpWorkloadConfig.Type)298case SEV, SEV_NO_ES:299cleanedUpWorkloadConfig.Type = SEV300case SNP:301cleanedUpWorkloadConfig.Type = SNP302}303workloadConfigBytes, err := json.Marshal(cleanedUpWorkloadConfig)304if err != nil {305return nil, WorkloadConfig{}, err306}307// Make sure we have the passphrase to use for encrypting the disk image.309diskEncryptionPassphrase := options.DiskEncryptionPassphrase310if diskEncryptionPassphrase == "" {311diskEncryptionPassphrase, err = GenerateDiskEncryptionPassphrase()312if err != nil {313return nil, WorkloadConfig{}, err314}315}316// If we weren't told how big the image should be, get a rough estimate318// of the input data size, then add a hedge to it.319imageSize := slop(options.ImageSize, options.Slop)320if imageSize == 0 {321var sourceSize int64322if err := filepath.WalkDir(rootfsPath, func(path string, d fs.DirEntry, err error) error {323if err != nil && !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {324return err325}326info, err := d.Info()327if err != nil && !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {328return err329}330sourceSize += info.Size()331return nil332}); err != nil {333return nil, WorkloadConfig{}, err334}335imageSize = slop(sourceSize, options.Slop)336}337if imageSize%4096 != 0 {338imageSize += (4096 - (imageSize % 4096))339}340if imageSize < minimumImageSize {341imageSize = minimumImageSize342}343// Create a file to use as the unencrypted version of the disk image.345plain, err := os.CreateTemp(options.TempDir, "plain.img")346if err != nil {347return nil, WorkloadConfig{}, err348}349removePlain := true350defer func() {351if removePlain {352if err := os.Remove(plain.Name()); err != nil {353logger.Warnf("removing temporary file %q: %v", plain.Name(), err)354}355}356}()357// Lengthen the plaintext disk image file.359if err := plain.Truncate(imageSize); err != nil {360plain.Close()361return nil, WorkloadConfig{}, err362}363plainInfo, err := plain.Stat()364plain.Close()365if err != nil {366return nil, WorkloadConfig{}, err367}368// Format the disk image with the filesystem contents.370if _, stderr, err := MakeFS(rootfsPath, plain.Name(), filesystem); err != nil {371if strings.TrimSpace(stderr) != "" {372return nil, WorkloadConfig{}, fmt.Errorf("%s: %w", strings.TrimSpace(stderr), err)373}374return nil, WorkloadConfig{}, err375}376// If we're registering the workload, we can do that now.378if workloadConfig.AttestationURL != "" {379if err := SendRegistrationRequest(workloadConfig, diskEncryptionPassphrase, options.FirmwareLibrary, options.IgnoreAttestationErrors, logger); err != nil {380return nil, WorkloadConfig{}, err381}382}383// Try to encrypt on the fly.385pipeReader, pipeWriter := io.Pipe()386removePlain = false387go func() {388var err error389defer func() {390if err := os.Remove(plain.Name()); err != nil {391logger.Warnf("removing temporary file %q: %v", plain.Name(), err)392}393if err != nil {394pipeWriter.CloseWithError(err)395} else {396pipeWriter.Close()397}398}()399plain, err := os.Open(plain.Name())400if err != nil {401logrus.Errorf("opening unencrypted disk image %q: %v", plain.Name(), err)402return403}404defer plain.Close()405tw := tar.NewWriter(pipeWriter)406defer tw.Flush()407// Write /entrypoint409var decompressedEntrypoint bytes.Buffer410decompressor, err := gzip.NewReader(bytes.NewReader(entrypointCompressedBytes))411if err != nil {412logrus.Errorf("decompressing copy of entrypoint: %v", err)413return414}415defer decompressor.Close()416if _, err = io.Copy(&decompressedEntrypoint, decompressor); err != nil {417logrus.Errorf("decompressing copy of entrypoint: %v", err)418return419}420entrypointHeader, err := tar.FileInfoHeader(plainInfo, "")421if err != nil {422logrus.Errorf("building header for entrypoint: %v", err)423return424}425entrypointHeader.Name = "entrypoint"426entrypointHeader.Mode = 0o755427entrypointHeader.Uname, entrypointHeader.Gname = "", ""428entrypointHeader.Uid, entrypointHeader.Gid = 0, 0429entrypointHeader.Size = int64(decompressedEntrypoint.Len())430if err = tw.WriteHeader(entrypointHeader); err != nil {431logrus.Errorf("writing header for %q: %v", entrypointHeader.Name, err)432return433}434if _, err = io.Copy(tw, &decompressedEntrypoint); err != nil {435logrus.Errorf("writing %q: %v", entrypointHeader.Name, err)436return437}438// Write /sev.chain440if chainInfo != nil {441chainHeader, err := tar.FileInfoHeader(chainInfo, "")442if err != nil {443logrus.Errorf("building header for %q: %v", chainInfo.Name(), err)444return445}446chainHeader.Name = chainBytesFile447chainHeader.Mode = 0o600448chainHeader.Uname, chainHeader.Gname = "", ""449chainHeader.Uid, chainHeader.Gid = 0, 0450chainHeader.Size = int64(len(chainBytes))451if err = tw.WriteHeader(chainHeader); err != nil {452logrus.Errorf("writing header for %q: %v", chainHeader.Name, err)453return454}455if _, err = tw.Write(chainBytes); err != nil {456logrus.Errorf("writing %q: %v", chainHeader.Name, err)457return458}459}460// Write /krun-sev.json.462workloadConfigHeader, err := tar.FileInfoHeader(plainInfo, "")463if err != nil {464logrus.Errorf("building header for %q: %v", plainInfo.Name(), err)465return466}467workloadConfigHeader.Name = "krun-sev.json"468workloadConfigHeader.Mode = 0o600469workloadConfigHeader.Uname, workloadConfigHeader.Gname = "", ""470workloadConfigHeader.Uid, workloadConfigHeader.Gid = 0, 0471workloadConfigHeader.Size = int64(len(workloadConfigBytes))472if err = tw.WriteHeader(workloadConfigHeader); err != nil {473logrus.Errorf("writing header for %q: %v", workloadConfigHeader.Name, err)474return475}476if _, err = tw.Write(workloadConfigBytes); err != nil {477logrus.Errorf("writing %q: %v", workloadConfigHeader.Name, err)478return479}480// Write /tmp.482tmpHeader, err := tar.FileInfoHeader(plainInfo, "")483if err != nil {484logrus.Errorf("building header for %q: %v", plainInfo.Name(), err)485return486}487tmpHeader.Name = "tmp/"488tmpHeader.Typeflag = tar.TypeDir489tmpHeader.Mode = 0o1777490tmpHeader.Uname, tmpHeader.Gname = "", ""491tmpHeader.Uid, tmpHeader.Gid = 0, 0492tmpHeader.Size = 0493if err = tw.WriteHeader(tmpHeader); err != nil {494logrus.Errorf("writing header for %q: %v", tmpHeader.Name, err)495return496}497// Now figure out the footer that we'll append to the encrypted disk.499var footer bytes.Buffer500lengthBuffer := make([]byte, 8)501footer.Write(workloadConfigBytes)502footer.WriteString("KRUN")503binary.LittleEndian.PutUint64(lengthBuffer, uint64(len(workloadConfigBytes)))504footer.Write(lengthBuffer)505// Start encrypting and write /disk.img.507header, encrypt, blockSize, err := luksy.EncryptV1([]string{diskEncryptionPassphrase}, "")508paddingBoundary := int64(4096)509paddingNeeded := (paddingBoundary - ((int64(len(header)) + imageSize + int64(footer.Len())) % paddingBoundary)) % paddingBoundary510diskHeader := workloadConfigHeader511diskHeader.Name = "disk.img"512diskHeader.Mode = 0o600513diskHeader.Size = int64(len(header)) + imageSize + paddingNeeded + int64(footer.Len())514if err = tw.WriteHeader(diskHeader); err != nil {515logrus.Errorf("writing archive header for disk.img: %v", err)516return517}518if _, err = io.Copy(tw, bytes.NewReader(header)); err != nil {519logrus.Errorf("writing encryption header for disk.img: %v", err)520return521}522encryptWrapper := luksy.EncryptWriter(encrypt, tw, blockSize)523if _, err = io.Copy(encryptWrapper, plain); err != nil {524logrus.Errorf("encrypting disk.img: %v", err)525return526}527encryptWrapper.Close()528if _, err = tw.Write(make([]byte, paddingNeeded)); err != nil {529logrus.Errorf("writing padding for disk.img: %v", err)530return531}532if _, err = io.Copy(tw, &footer); err != nil {533logrus.Errorf("writing footer for disk.img: %v", err)534return535}536tw.Close()537}()538return pipeReader, workloadConfig, nil540}541func slop(size int64, slop string) int64 {543if slop == "" {544return size * 5 / 4545}546for _, factor := range strings.Split(slop, "+") {547factor = strings.TrimSpace(factor)548if factor == "" {549continue550}551if strings.HasSuffix(factor, "%") {552percentage := strings.TrimSuffix(factor, "%")553percent, err := strconv.ParseInt(percentage, 10, 8)554if err != nil {555logrus.Warnf("parsing percentage %q: %v", factor, err)556} else {557size *= (percent + 100)558size /= 100559}560} else {561more, err := units.RAMInBytes(factor)562if err != nil {563logrus.Warnf("parsing %q as a size: %v", factor, err)564} else {565size += more566}567}568}569return size570}571