Skip to content

Commit

Permalink
podvm: Start Attestation Agent as Systemd Unit
Browse files Browse the repository at this point in the history
fixes #773

- Add Attestation Agent process in podns namespace
- Move netns mgmt into its own unit
- Add docs for secure key release at runtime

Signed-off-by: Magnus Kulke <[email protected]>
  • Loading branch information
mkulke authored and bpradipt committed May 17, 2023
1 parent 10e6c93 commit cb02742
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 7 deletions.
21 changes: 21 additions & 0 deletions docs/runtime-key-release.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Secure Key Release at Runtime

To request a key at runtime a Pod can invoke a local Key Broker Client (KBC) implemented in [Attestation Agent](https://github.com/confidential-containers/attestation-agent) (AA). An instance of AA is available as gRPC endpoint in the Pod's network namespace on port `50001`. Depending on the KBC implementation this might trigger a remote attestation exchange with an external [Key Broker Service](https://github.com/confidential-containers/kbs) (KBS).


## Example

The following code is supposed to run in a Peer Pod. It downloads a grpcurl binary, the respective proto files for the gRPC service, and triggers a request to retrieve a key. The example below is using an external KBS via the `cc_kbc` KBC implementation.

```bash
wget https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz -O grpcurl.tar.gz
tar -xvf grpcurl.tar.gz
wget https://raw.githubusercontent.com/confidential-containers/attestation-agent/main/protos/getresource.proto -O aa.proto
./grpcurl -proto aa.proto -plaintext -d @ localhost:50001 getresource.GetResourceService.GetResource <<EOM
{
"ResourcePath": "/my_repo/resource_type/123abc",
"KbcName":"cc_kbc",
"KbsUri": "https://some-kbs.com"
}
EOM
```
5 changes: 2 additions & 3 deletions podvm/Makefile.inc
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ ARCH := $(subst amd64,x86_64,$(ARCH))
DEB_ARCH := $(subst x86_64,amd64,$(ARCH))
LIBC ?= $(if $(findstring s390x,$(ARCH)),gnu,musl)
RUST_TARGET := $(ARCH)-unknown-linux-$(LIBC)
AA_KBC ?= offline_fs_kbc
KBC_URI ?= null

ifneq ($(HOST_ARCH),$(ARCH))
ifeq ($(CC),cc)
Expand Down Expand Up @@ -55,11 +57,8 @@ ATTESTATION_AGENT = $(FILES_DIR)/usr/local/bin/attestation-agent
# Allow BINARIES to be overriden externally
BINARIES ?= $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(PAUSE)

KBC_URI ?= "null"
ifdef AA_KBC
BINARIES += $(ATTESTATION_AGENT)
$(shell sed -i "s/\(aa_kbc_params = \)\"[^\"]*\"/\1\"${AA_KBC}::${KBC_URI}\"/g" $(FILES_DIR)/etc/agent-config.toml)
endif

AGENT_PROTOCOL_FORWARDER_SRC = ../..

Expand Down
13 changes: 13 additions & 0 deletions podvm/files/etc/systemd/system/attestation-agent.service
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
[Unit]
Description=Attestation Agent Service
BindsTo[email protected]
After=network.target kata-agent.service [email protected]

[Service]
Type=simple
NetworkNamespacePath=/run/netns/podns
ExecStart=/usr/local/bin/attestation-agent --getresource_sock 127.0.0.1:50001
Restart=always

[Install]
WantedBy=multi-user.target
6 changes: 2 additions & 4 deletions podvm/files/etc/systemd/system/kata-agent.service
Original file line number Diff line number Diff line change
@@ -1,13 +1,11 @@
[Unit]
Description=Kata Agent
After=network.target
BindsTo[email protected]
After=network.target [email protected]

[Service]
ExecStart=/usr/local/bin/kata-agent --config /etc/agent-config.toml
ExecStartPre=-umount /sys/fs/cgroup/misc
ExecStartPre=ip netns add podns
ExecStartPre=ip netns exec podns ip link set lo up
ExecStopPost=ip netns delete podns
ExecStopPost=/usr/local/bin/kata-agent-clean --config /etc/agent-config.toml
# Now specified in the agent-config.toml Environment="KATA_AGENT_SERVER_ADDR=unix:///run/kata-containers/agent.sock"
SyslogIdentifier=kata-agent
Expand Down
6 changes: 6 additions & 0 deletions podvm/files/etc/systemd/system/[email protected]
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=ip netns add %I
ExecStart=ip netns exec %I ip link set lo up
ExecStop=ip netns del %I

0 comments on commit cb02742

Please sign in to comment.