diff --git a/integration/confidential/lib.sh b/integration/confidential/lib.sh
index dd714610b..e47b2a287 100644
--- a/integration/confidential/lib.sh
+++ b/integration/confidential/lib.sh
@@ -13,6 +13,12 @@ source "${BATS_TEST_DIRNAME}/../../../.ci/lib.sh"
 FIXTURES_DIR="${BATS_TEST_DIRNAME}/fixtures"
 SHARED_FIXTURES_DIR="${BATS_TEST_DIRNAME}/../../confidential/fixtures"
+# Nydus related configurations
+NYDUS_SNAPSHOTTER_BINARY="/usr/local/bin/containerd-nydus-grpc"
+NYDUS_SNAPSHOTTER_TARFS_CONFIG="/usr/local/share/nydus-snapshotter/config-coco-host-sharing.toml"
+NYDUS_SNAPSHOTTER_GUEST_CONFIG="/usr/local/share/nydus-snapshotter/config-coco-guest-pulling.toml"
+NYDUS_SNAPSHOTTER_CONFIG="${NYDUS_SNAPSHOTTER_CONFIG:-${NYDUS_SNAPSHOTTER_TARFS_CONFIG}}"
+
 # Toggle between true and false the service_offload configuration of
 # the Kata agent.
 #
@@ -216,11 +222,13 @@ configure_cc_containerd() {
 restart_containerd
 # Ensure the cc CRI handler is set.
- local cri_handler=$(sudo crictl info | \
- jq '.config.containerd.runtimes.kata.cri_handler')
- if [[ ! "$cri_handler" =~ cc ]]; then
- sudo sed -i 's/\([[:blank:]]*\)\(runtime_type = "io.containerd.kata.v2"\)/\1\2\n\1cri_handler = "cc"/' \
- "$containerd_conf_file"
+ if [ "${IMAGE_OFFLOAD_TO_GUEST:-"no"}" == "no" ]; then
+ local cri_handler=$(sudo crictl info | \
+ jq '.config.containerd.runtimes.kata.cri_handler')
+ if [[ ! "$cri_handler" =~ cc ]]; then
+ sudo sed -i 's/\([[:blank:]]*\)\(runtime_type = "io.containerd.kata.v2"\)/\1\2\n\1cri_handler = "cc"/' \
+ "$containerd_conf_file"
+ fi
 fi
 if [ "$(sudo crictl info | jq -r '.config.cni.confDir')" = "null" ]; then
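Review bot: The `${NYDUS_SNAPSHOTTER_CONFIG:-...}` default on the last added variable suggests callers can point the snapshotter at their own config, but `configure_nydus_snapshotter` (added further down in this file) reassigns `NYDUS_SNAPSHOTTER_CONFIG` in both of its branches, so a value taken from the environment is discarded on that path. A comment such as `# Only honoured when restart_nydus_snapshotter is called directly; configure_nydus_snapshotter always resets it` would make that explicit. Because the binary is later started under `sudo` with this path as `--config`, the same comment should say the path is expected to be a trusted, root-owned file.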
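Review bot: The new guard `[ "${IMAGE_OFFLOAD_TO_GUEST:-"no"}" == "no" ]` treats every value other than `no` as guest offload, while `configure_nydus_snapshotter` in this file and `setup()` in `agent_image.bats` treat only `yes` as guest offload, so a value such as `true` or a typo skips the `cri_handler = "cc"` edit and still selects the host-sharing snapshotter config. Comparing against `yes` in all three places, e.g. `if [ "${IMAGE_OFFLOAD_TO_GUEST:-no}" != "yes" ]; then`, keeps a run from silently testing a mixed configuration. The re-indented `local cri_handler=$(sudo crictl info | ...)` also still hides a failing `crictl` or `jq` behind the exit status of `local`; declaring `local cri_handler` on its own line first would surface it. `configure_cc_containerd` starts and ends outside this hunk.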
@@ -448,3 +456,48 @@ EOF
 EOF
 fi
 }
+
+###############################################################################
+
+# remote-snapshotter
+
+configure_containerd_for_nydus_snapshotter() {
+ local containerd_config="$1"
+ snapshotter_socket="/run/containerd-nydus/containerd-nydus-grpc.sock"
+ proxy_config=" [proxy_plugins.$SNAPSHOTTER]\n type = \"snapshot\"\n address = \"${snapshotter_socket}\""
+
+ if grep -q "\[proxy_plugins\]" "$containerd_config"; then
+ sudo sed -i '/\[proxy_plugins\]/a\'"$proxy_config" "$containerd_config"
+ else
+ sudo echo -e "[proxy_plugins]" >>"$containerd_config"
+ sudo echo -e "$proxy_config" >>"$containerd_config"
+ fi
+
+ sudo sed -i 's/disable_snapshot_annotations = .*/disable_snapshot_annotations = false/g' "$containerd_config"
+ sudo sed -i 's/snapshotter = .*/snapshotter = "nydus"/g' "$containerd_config"
+}
+
+kill_nydus_snapshotter_process() {
+ echo "Kill nydus snapshotter"
+ local bin="containerd-nydus-grpc"
+ sudo kill -9 $(pidof $bin) || true
+ sudo rm -rf "/var/lib/containerd-nydus" || true
+}
+
+restart_nydus_snapshotter() {
+ kill_nydus_snapshotter_process || true
+ echo "Restart nydus snapshotter"
+ sudo "$NYDUS_SNAPSHOTTER_BINARY" --config "$NYDUS_SNAPSHOTTER_CONFIG" >/dev/stdout 2>&1 &
+}
+
+configure_nydus_snapshotter() {
+ echo "Configure nydus snapshotter"
+ if [ "${IMAGE_OFFLOAD_TO_GUEST:-"no"}" == "yes" ]; then
+ NYDUS_SNAPSHOTTER_CONFIG="$NYDUS_SNAPSHOTTER_GUEST_CONFIG"
+ else
+ NYDUS_SNAPSHOTTER_CONFIG="$NYDUS_SNAPSHOTTER_TARFS_CONFIG"
+ sudo sed -i "s/export_mode = .*/export_mode = \"$EXPORT_MODE\"/" "$NYDUS_SNAPSHOTTER_CONFIG"
+ fi
+
+ restart_nydus_snapshotter
+}
diff --git a/integration/kubernetes/confidential/agent_image.bats b/integration/kubernetes/confidential/agent_image.bats
index 1b789a981..e72f4978f 100644
--- a/integration/kubernetes/confidential/agent_image.bats
+++ b/integration/kubernetes/confidential/agent_image.bats
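Review bot: In the `else` branch of `configure_containerd_for_nydus_snapshotter`, `sudo echo -e ... >>"$containerd_config"` lets the calling shell open the file, so `sudo` covers only `echo` and the append fails with a permission error unless the tests already run as root; `printf '[proxy_plugins]\n%b\n' "$proxy_config" | sudo tee -a "$containerd_config" >/dev/null` performs the write with privilege. `snapshotter_socket` and `proxy_config` are assigned without `local` and leak into every test that sources this file. `$SNAPSHOTTER` is not set anywhere in this diff, so if it is empty the stanza is written as `[proxy_plugins.]` while the later `sed` hard-codes `snapshotter = "nydus"`. In `kill_nydus_snapshotter_process`, the unquoted `sudo kill -9 $(pidof $bin)` sends SIGKILL first and is followed at once by `sudo rm -rf "/var/lib/containerd-nydus"`, so the daemon cannot release anything it may still hold under that directory before it is removed as root; sending TERM and waiting briefly before the removal would be safer.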
@@ -31,9 +31,17 @@ RUNTIMECLASS="${RUNTIMECLASS:-kata}"
 test_tag="[cc][agent][kubernetes][containerd]"
 setup() {
+ remove_test_image "$image_unsigned_protected" || true
 setup_containerd
+ if [ "${IMAGE_OFFLOAD_TO_GUEST}" == "yes" ]; then
+ configure_containerd_for_nydus_snapshotter "/etc/containerd/config.toml"
+ fi
 restart_containerd
 reconfigure_kata
+ if [ "${IMAGE_OFFLOAD_TO_GUEST}" == "yes" ]; then
+ switch_image_service_offload off
+ EXPORT_MODE="image_guest_pull" RUNTIMECLASS="$RUNTIMECLASS" configure_nydus_snapshotter
+ fi
 }
 @test "$test_tag Test can launch pod with measured boot enabled" {
@@ -154,4 +162,7 @@ setup() {
 teardown() {
 teardown_common
+ remove_test_image "$image_unsigned_protected" || true
+ kill_nydus_snapshotter_process
+ restart_containerd
 }
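Review bot: `EXPORT_MODE="image_guest_pull"` on the `configure_nydus_snapshotter` call has no effect, because that function reads `$EXPORT_MODE` only in its `else` branch, which is not taken when `IMAGE_OFFLOAD_TO_GUEST` is `yes`. On the host-sharing path nothing visible in this diff sets `EXPORT_MODE`, so the function's `sed` would write `export_mode = ""` into the installed snapshotter config; using `"${EXPORT_MODE:?}"` inside the function would fail loudly instead. The two new `if` tests in `setup()` also expand `"${IMAGE_OFFLOAD_TO_GUEST}"` without the default that `lib.sh` applies, which aborts `setup()` if the suite runs with `set -u`; `"${IMAGE_OFFLOAD_TO_GUEST:-no}"` matches the library.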
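Review bot: `teardown()` now calls `kill_nydus_snapshotter_process` and `restart_containerd` unconditionally, although `setup()` only starts the snapshotter when `IMAGE_OFFLOAD_TO_GUEST` is `yes`, so ordinary runs also get the root `rm -rf` of `/var/lib/containerd-nydus` and an extra containerd restart after every test. Nothing in this hunk reverts the `[proxy_plugins]` stanza or the `snapshotter = "nydus"` setting that `configure_containerd_for_nydus_snapshotter` wrote to `/etc/containerd/config.toml`, so containerd is restarted against a snapshotter that was just killed unless `setup_containerd` (not visible here) restores the file. Wrapping the two calls in the same `IMAGE_OFFLOAD_TO_GUEST` check that `setup()` uses, and restoring the config before the restart, would leave the host in a known state for the next test file.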