From 0bfaebdbb2e1d8d01290ebbc448d8102afdd133a Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Wed, 16 Oct 2024 21:31:03 +0000
Subject: [PATCH 01/12] add cloudbuild test files for health monitoring
---
 .../test/scripts/test_health_monitoring.sh | 21 ++++
 .../image/test/test_health_monitoring.yaml | 97 +++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 launcher/image/test/scripts/test_health_monitoring.sh
 create mode 100644 launcher/image/test/test_health_monitoring.yaml
diff --git a/launcher/image/test/scripts/test_health_monitoring.sh b/launcher/image/test/scripts/test_health_monitoring.sh
new file mode 100644
index 000000000..3f2535fa9
--- /dev/null
+++ b/launcher/image/test/scripts/test_health_monitoring.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euxo pipefail
+source util/read_serial.sh
+
+# This test requires the workload to run and printing
+# corresponding messages to the serial console.
+SERIAL_OUTPUT=$(read_serial $1 $2)
+print_serial=false
+
+if echo $SERIAL_OUTPUT | grep -q 'node-problem-detector.service successfully started'
+then
+ echo "- memory monitoring enabled"
+else
+ echo "FAILED: memory monitoring disabled"
+ echo 'TEST FAILED.' > /workspace/status.txt
+ print_serial=true
+fi
+
+if $print_serial; then
+ echo $SERIAL_OUTPUT
+fi
\ No newline at end of file
diff --git a/launcher/image/test/test_health_monitoring.yaml b/launcher/image/test/test_health_monitoring.yaml
new file mode 100644
index 000000000..745dd9166
--- /dev/null
+++ b/launcher/image/test/test_health_monitoring.yaml
@@ -0,0 +1,97 @@
+substitutions:
+ '_IMAGE_NAME': ''
+ '_IMAGE_PROJECT': ''
+ '_CLEANUP': 'true'
+ '_VM_NAME_PREFIX': 'health-monitoring'
+ '_ZONE': 'us-west1-a'
+ '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/healthmonitoring:latest'
+
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMAllMonitoringEnabled
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=all',
+ '-n', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckAllMonitoringEnabled
+ entrypoint: 'bash'
+ # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
+ args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*All health monitoring metrics enabled']
+ waitFor: ['CreateVMAllMonitoringEnabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpVMAllMonitoringEnabled
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['CheckAllMonitoringEnabled']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMMemoryOnlyMonitoringEnabled
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=memoryonly',
+ '-n', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckMemoryOnlyMonitoringEnabled
+ entrypoint: 'bash'
+ # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
+ args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*memory/bytes_used enabled']
+ waitFor: ['CreateVMMemoryOnlyMonitoringEnabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpVMMemoryOnlyMonitoringEnabled
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['CheckMemoryOnlyMonitoringEnabled']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMMonitoringDisabled
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=none',
+ '-n', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckMonitoringDisabled
+ entrypoint: 'bash'
+ # Search a regex pattern that ensures monitoring is disabled and measured into COS event logs.
+ args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is disabled']
+ waitFor: ['CreateVMMonitoringDisabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpVMMonitoringDisabled
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['CheckMonitoringDisabled']
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckFailure
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['check_failure.sh']
+
+options:
+ pool:
+ name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'
From d61124d2ffe9cc744fba0e06b9508f336b630a1e Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Wed, 16 Oct 2024 23:43:58 +0000
Subject: [PATCH 02/12] add dockerfiles
---
 launcher/image/test/test_health_monitoring.yaml | 2 +-
 .../image/testworkloads/allmonitoring/Dockerfile | 15 +++++++++++++++
 .../testworkloads/allmonitoringdebug/Dockerfile | 15 +++++++++++++++
 .../testworkloads/allmonitoringnone/Dockerfile | 15 +++++++++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 launcher/image/testworkloads/allmonitoring/Dockerfile
 create mode 100644 launcher/image/testworkloads/allmonitoringdebug/Dockerfile
 create mode 100644 launcher/image/testworkloads/allmonitoringnone/Dockerfile
diff --git a/launcher/image/test/test_health_monitoring.yaml b/launcher/image/test/test_health_monitoring.yaml
index 745dd9166..02c07e9ce 100644
--- a/launcher/image/test/test_health_monitoring.yaml
+++ b/launcher/image/test/test_health_monitoring.yaml
@@ -4,7 +4,7 @@ substitutions:
 '_CLEANUP': 'true'
 '_VM_NAME_PREFIX': 'health-monitoring'
 '_ZONE': 'us-west1-a'
- '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/healthmonitoring:latest'
+ '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoring:latest'

 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
diff --git a/launcher/image/testworkloads/allmonitoring/Dockerfile b/launcher/image/testworkloads/allmonitoring/Dockerfile
new file mode 100644
index 000000000..aeec52556
--- /dev/null
+++ b/launcher/image/testworkloads/allmonitoring/Dockerfile
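Review bot: The `CheckMemoryOnlyMonitoringEnabled` step carries the copy-pasted comment `# Search a regex pattern that ensures all monitoring is enabled ...` although its pattern asserts the memory metric only; suggest `# Search a regex pattern that ensures memory-only monitoring is enabled and measured into COS event logs.` In the same hunk the memory-only VM is created as `${_VM_NAME_PREFIX}-enable-${BUILD_ID}`, the same name as the all-monitoring VM started in parallel, while its check step targets `${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}`, which no step creates. All three check steps invoke `scripts/test_memory_monitoring.sh`, so the `scripts/test_health_monitoring.sh` added in this commit is never run.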
@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoring:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="ALL"
+LABEL "tee.launch_policy.debug_monitoring"="ALL"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
\ No newline at end of file
diff --git a/launcher/image/testworkloads/allmonitoringdebug/Dockerfile b/launcher/image/testworkloads/allmonitoringdebug/Dockerfile
new file mode 100644
index 000000000..34d2c0d3d
--- /dev/null
+++ b/launcher/image/testworkloads/allmonitoringdebug/Dockerfile
@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringdebug:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="NONE"
+LABEL "tee.launch_policy.debug_monitoring"="ALL"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
\ No newline at end of file
diff --git a/launcher/image/testworkloads/allmonitoringnone/Dockerfile b/launcher/image/testworkloads/allmonitoringnone/Dockerfile
new file mode 100644
index 000000000..eaa48d701
--- /dev/null
+++ b/launcher/image/testworkloads/allmonitoringnone/Dockerfile
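Review bot: `FROM alpine` in the new `allmonitoring` Dockerfile pulls a floating tag, so the fixture image that the launch-policy tests measure changes whenever upstream moves the tag; the `allmonitoringdebug` Dockerfile in this hunk and `allmonitoringnone` in the next have the same base line. For fixtures whose only purpose is to carry `tee.launch_policy.*` labels, pinning the base (`FROM alpine@sha256:<DIGEST placeholder>` or at least a versioned tag) keeps a failure attributable to the launcher rather than to a base-image change. A one-line comment above the labels naming what the test expects, e.g. `# Launch policy under test: ALL monitoring allowed on both hardened and debug.`, would also tie each fixture to the assertion it feeds.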
@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnone:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="NONE"
+LABEL "tee.launch_policy.debug_monitoring"="NONE"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
\ No newline at end of file
From 15936e8205da97be7b1573e080b607dee43fab60 Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Wed, 16 Oct 2024 23:52:54 +0000
Subject: [PATCH 03/12] remove unneeded script
---
 .../test/scripts/test_health_monitoring.sh | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 launcher/image/test/scripts/test_health_monitoring.sh
diff --git a/launcher/image/test/scripts/test_health_monitoring.sh b/launcher/image/test/scripts/test_health_monitoring.sh
deleted file mode 100644
index 3f2535fa9..000000000
--- a/launcher/image/test/scripts/test_health_monitoring.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-set -euxo pipefail
-source util/read_serial.sh
-
-# This test requires the workload to run and printing
-# corresponding messages to the serial console.
-SERIAL_OUTPUT=$(read_serial $1 $2)
-print_serial=false
-
-if echo $SERIAL_OUTPUT | grep -q 'node-problem-detector.service successfully started'
-then
- echo "- memory monitoring enabled"
-else
- echo "FAILED: memory monitoring disabled"
- echo 'TEST FAILED.' > /workspace/status.txt
- print_serial=true
-fi
-
-if $print_serial; then
- echo $SERIAL_OUTPUT
-fi
\ No newline at end of file
From 720bbeec74ed5bb54177e7ba5f9e985bc272782a Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Sat, 19 Oct 2024 00:41:03 +0000
Subject: [PATCH 04/12] update cloudbuild.yaml
---
 launcher/cloudbuild.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/launcher/cloudbuild.yaml b/launcher/cloudbuild.yaml
index ed9b2378d..4e5c81d43 100644
--- a/launcher/cloudbuild.yaml
+++ b/launcher/cloudbuild.yaml
@@ -228,6 +228,20 @@ steps:
 gcloud builds submit --config=test_memory_monitoring.yaml --region us-west1 \
 --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
 exit
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: HealthMonitoringTests
+ waitFor: ['HardenedImageBuild']
+ env:
+ - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+ - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+ - 'PROJECT_ID=$PROJECT_ID'
+ script: |
+ #!/usr/bin/env bash
+ cd launcher/image/test
+ echo "running health monitoring tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"
+ gcloud builds submit --config=test_health_monitoring.yaml --region us-west1 \
+ --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+ exit
 - name: 'gcr.io/cloud-builders/gcloud'
 id: ODAWithSignedContainerTest
 waitFor: ['HardenedImageBuild']
From c30a6e8cd8b4857e38dffa569901afecc3272613 Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Mon, 21 Oct 2024 21:57:02 +0000
Subject: [PATCH 05/12] change repeated VM name
---
 launcher/image/test/test_health_monitoring.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/launcher/image/test/test_health_monitoring.yaml b/launcher/image/test/test_health_monitoring.yaml
index 02c07e9ce..17a5b1cef 100644
--- a/launcher/image/test/test_health_monitoring.yaml
+++ b/launcher/image/test/test_health_monitoring.yaml
@@ -41,7 +41,7 @@ steps:
 args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
 '-p', '${_IMAGE_PROJECT}',
 '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=memoryonly',
- '-n', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}',
+ '-n', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}',
 '-z', '${_ZONE}',
 ]
 waitFor: ['-'] # The '-' indicates that this step begins immediately.
@@ -56,7 +56,7 @@ steps:
 entrypoint: 'bash'
 env:
 - 'CLEANUP=$_CLEANUP'
- args: ['cleanup.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}']
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}', '${_ZONE}']
 waitFor: ['CheckMemoryOnlyMonitoringEnabled']

 - name: 'gcr.io/cloud-builders/gcloud'
From fe99655fa53ec24f76fad00e92bfcd307fe6f4fa Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Tue, 22 Oct 2024 01:46:43 +0000
Subject: [PATCH 06/12] shorten memoryonly VM name
---
 launcher/image/test/test_health_monitoring.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/launcher/image/test/test_health_monitoring.yaml b/launcher/image/test/test_health_monitoring.yaml
index 17a5b1cef..8786eff80 100644
--- a/launcher/image/test/test_health_monitoring.yaml
+++ b/launcher/image/test/test_health_monitoring.yaml
@@ -41,7 +41,7 @@ steps:
 args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
 '-p', '${_IMAGE_PROJECT}',
 '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=memoryonly',
- '-n', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}',
+ '-n', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}',
 '-z', '${_ZONE}',
 ]
 waitFor: ['-'] # The '-' indicates that this step begins immediately.
@@ -49,14 +49,14 @@ steps:
 id: CheckMemoryOnlyMonitoringEnabled
 entrypoint: 'bash'
 # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
- args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*memory/bytes_used enabled']
+ args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*memory/bytes_used enabled']
 waitFor: ['CreateVMMemoryOnlyMonitoringEnabled']
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CleanUpVMMemoryOnlyMonitoringEnabled
 entrypoint: 'bash'
 env:
 - 'CLEANUP=$_CLEANUP'
- args: ['cleanup.sh', '${_VM_NAME_PREFIX}-memoryonly-${BUILD_ID}', '${_ZONE}']
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}']
 waitFor: ['CheckMemoryOnlyMonitoringEnabled']

 - name: 'gcr.io/cloud-builders/gcloud'
From ea08c94df291a555f3e014d33833613ac5b058de Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Tue, 22 Oct 2024 17:53:54 +0000
Subject: [PATCH 07/12] add launchpolicy tests
---
 .../test_launchpolicy_health_monitoring.sh | 16 ++++
 .../test/test_launchpolicy_cloudbuild.yaml | 79 +++++++++++++++++++
 .../allmonitoringmemoryonly/Dockerfile | 15 ++++
 launcher/spec/launch_policy.go | 2 +
 4 files changed, 112 insertions(+)
 create mode 100644 launcher/image/test/scripts/test_launchpolicy_health_monitoring.sh
 create mode 100644 launcher/image/testworkloads/allmonitoringmemoryonly/Dockerfile
diff --git a/launcher/image/test/scripts/test_launchpolicy_health_monitoring.sh b/launcher/image/test/scripts/test_launchpolicy_health_monitoring.sh
new file mode 100644
index 000000000..046b350cc
--- /dev/null
+++ b/launcher/image/test/scripts/test_launchpolicy_health_monitoring.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+source util/read_serial.sh
+
+# Allow VM some time to boot and write to serial console.
+sleep 120
+
+SERIAL_OUTPUT=$(read_serial $1 $2)
+if echo $SERIAL_OUTPUT | grep -q "$3"
+then
+ echo "- Health monitoring launch policy verified"
+else
+ echo "FAILED: Health monitoring launch policy verification"
+ echo 'TEST FAILED' > /workspace/status.txt
+ echo $SERIAL_OUTPUT
+fi
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
index 9baed5816..7f5fc3f5e 100644
--- a/launcher/image/test/test_launchpolicy_cloudbuild.yaml
+++ b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -12,7 +12,11 @@ substitutions:
 '_WORKLOAD_IMAGE_CMD': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/launchpolicycmd:latest'
 '_WORKLOAD_IMAGE_MEMORY_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringnever:latest'
 '_WORKLOAD_IMAGE_MEMORY_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringdebug:latest'
+ '_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnever:latest'
+ '_WORKLOAD_IMAGE_HEALTH_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringdebug:latest'
+ '_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringmemory:latest'
 '_MEMORY_MONITOR_VM_NAME_PREFIX': 'memory-monitor'
+ '_HEALTH_MONITOR_VM_NAME_PREFIX': 'health-monitor'
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CreateVMLogOverride
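Review bot: `if echo $SERIAL_OUTPUT | grep -q "$3"` under `set -o pipefail` can report a genuine match as a failure: `grep -q` exits at the first match, and when the serial output exceeds the pipe buffer the `echo` side receives SIGPIPE, so the pipeline status becomes 141 and the `else` branch runs. A here-string avoids the pipe while keeping the newline flattening that the multi-line `.*` patterns in test_launchpolicy_cloudbuild.yaml appear to rely on: `if grep -q "$3" <<<"${SERIAL_OUTPUT//$'\n'/ }"`. The unquoted `$SERIAL_OUTPUT` is also subject to glob expansion, which the quoted form avoids. The fixed `sleep 120` is a flakiness risk; polling `read_serial` for the pattern up to a deadline would be more robust, and the positional parameters deserve a header comment such as `# Usage: $1 VM name, $2 zone, $3 regex the serial console must match once the launch policy is applied.`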
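Review bot: `_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER` points at `allmonitoringnever:latest`, but the fixture added for this case builds and pushes `allmonitoringnone:latest` (see the `allmonitoringnone/Dockerfile` header), so the never test would pull an image that is never published. Likewise `_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY` uses `allmonitoringmemory` while the fixture directory is `allmonitoringmemoryonly`; keeping tag and directory names identical, as the other fixtures do, avoids this class of slip.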
@@ -194,6 +198,81 @@ steps:
 args: ['cleanup.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
 waitFor: ['MemoryMonitorNeverTest']

+ - name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMHealthMonitorDebugOnly
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_DEBUG},tee-monitoring-enable=all',
+ '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: HealthMonitorDebugOnlyTest
+ entrypoint: 'bash'
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}', '\'none\' monitoring allowed on hardened environment.*\'all\' monitoring allowed on debug environment']
+ waitFor: ['CreateVMHealthMonitorDebugOnly']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpHealthMonitorDebugOnly
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['HealthMonitorDebugOnlyTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMHealthMonitorNever
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER},tee-monitoring-enable=all',
+ '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: HealthMonitorNeverTest
+ entrypoint: 'bash'
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}', '\'none\' monitoring allowed on hardened environment.*\'none\' monitoring allowed on debug environment']
+ waitFor: ['CreateVMHealthMonitorNever']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpHealthMonitorNever
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['HealthMonitorNeverTest']
+
+ - name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMHealthMonitorMemory
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY},tee-monitoring-enable=all',
+ '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-'] # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: HealthMonitorMemoryTest
+ entrypoint: 'bash'
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', '\'memoryonly\' monitoring allowed on hardened environment.*\'memoryonly\' monitoring allowed on debug environment']
+ waitFor: ['CreateVMHealthMonitorMemory']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpHealthMonitorMemory
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}']
+ waitFor: ['HealthMonitorMemoryTest']
+
 # Must come after cleanup.
 - name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckFailure
diff --git a/launcher/image/testworkloads/allmonitoringmemoryonly/Dockerfile b/launcher/image/testworkloads/allmonitoringmemoryonly/Dockerfile
new file mode 100644
index 000000000..fb7ef3311
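Review bot: The three new test steps assert only the launch-policy log lines (`'none' monitoring allowed on hardened environment...`), not the enforcement outcome, so `HealthMonitorNeverTest` would still pass if monitoring stayed on after the policy was applied. Since every VM here is created with `tee-monitoring-enable=all`, a second assertion on the resulting state would close that gap, e.g. passing `Health Monitoring is disabled` for the never case and the corresponding enabled message for the others. Separately, `CreateVMHealthMonitorDebugOnly` and `CreateVMHealthMonitorMemory` are written as `  - name:` with extra leading spaces, unlike the other list items, and the patterns use `\'none\'` inside single-quoted YAML scalars, where the only valid escape is `''`; both should make the file fail to parse.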
--- /dev/null
+++ b/launcher/image/testworkloads/allmonitoringmemoryonly/Dockerfile
@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringmemory:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="MEMORYONLY"
+LABEL "tee.launch_policy.debug_monitoring"="MEMORYONLY"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]
\ No newline at end of file
diff --git a/launcher/spec/launch_policy.go b/launcher/spec/launch_policy.go
index 8a21afe0d..0db61decf 100644
--- a/launcher/spec/launch_policy.go
+++ b/launcher/spec/launch_policy.go
@@ -155,6 +155,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 if err != nil {
 return fmt.Errorf("invalid monitoring type for hardened image: %v", err)
 }
+ logger.Printf("'%s' monitoring allowed on hardened environment", launchPolicy.HardenedImageMonitoring)
 } else {
 launchPolicy.HardenedImageMonitoring = None
 }
@@ -164,6 +165,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 if err != nil {
 return fmt.Errorf("invalid monitoring type for debug image: %v", err)
 }
+ logger.Printf("'%s' monitoring allowed on debug environment", launchPolicy.DebugImageMonitoring)
 } else {
 launchPolicy.DebugImageMonitoring = MemoryOnly
 }
From 6303d968c6f3f85eb31fcb804ebc857bb3e26e2a Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Tue, 22 Oct 2024 20:02:14 +0000
Subject: [PATCH 08/12] fix indentation error
---
 launcher/image/test/test_launchpolicy_cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
index 7f5fc3f5e..674b76412 100644
--- a/launcher/image/test/test_launchpolicy_cloudbuild.yaml
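Review bot: The image tag in the header comment, `allmonitoringmemory:latest`, differs from the directory name `allmonitoringmemoryonly`, whereas the other three fixtures use the directory name as the tag; this is the value `_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY` must match, so using one name for both removes a mismatch risk. As with the sibling fixtures, `FROM alpine` is an unpinned base. A comment above the labels stating the expectation, e.g. `# Both environments restrict the operator to MEMORYONLY; the test expects 'memoryonly' in both policy log lines.`, would tie the fixture to the assertion it feeds.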
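Review bot: The new `logger.Printf` call runs only in the branch where the image supplies the label; the `else` branch still sets the default (`None` for hardened, `MemoryOnly` for debug in the second hunk) silently, so the serial console cannot distinguish an explicit policy from a defaulted one, which is what an operator auditing the VM would want recorded. Moving the log after the closing `}` of each if/else, e.g. `logger.Printf("'%s' monitoring allowed on hardened environment", launchPolicy.HardenedImageMonitoring)` placed after the default assignment, records the effective policy on both paths; the `debug environment` hunk has the same shape. The `%s` verb assumes the monitoring type formats as the lowercase name the test patterns expect, which is not visible here. `configureMonitoringPolicy` begins and ends outside these hunks.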
+++ b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -248,7 +248,7 @@ steps:
 args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
 waitFor: ['HealthMonitorNeverTest']

- - name: 'gcr.io/cloud-builders/gcloud'
+- name: 'gcr.io/cloud-builders/gcloud'
 id: CreateVMHealthMonitorMemory
 entrypoint: 'bash'
 env:
From faca732d53f6f39c0011975b1e52907127a2d7cf Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Wed, 23 Oct 2024 00:39:53 +0000
Subject: [PATCH 09/12] remove indent
---
 launcher/image/test/test_launchpolicy_cloudbuild.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
index 674b76412..ab8dede27 100644
--- a/launcher/image/test/test_launchpolicy_cloudbuild.yaml
+++ b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -198,7 +198,7 @@ steps:
 args: ['cleanup.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
 waitFor: ['MemoryMonitorNeverTest']

- - name: 'gcr.io/cloud-builders/gcloud'
+- name: 'gcr.io/cloud-builders/gcloud'
 id: CreateVMHealthMonitorDebugOnly
 entrypoint: 'bash'
 env:
From 79a83022cf7ea2582a5c64a4822ef3d8c8db6bdf Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Wed, 23 Oct 2024 01:14:14 +0000
Subject: [PATCH 10/12] use double quotes for expected logs
---
 launcher/image/test/test_launchpolicy_cloudbuild.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
index ab8dede27..3826662fe 100644
--- a/launcher/image/test/test_launchpolicy_cloudbuild.yaml
+++ b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -213,7 +213,7 @@ steps:
 - name: 'gcr.io/cloud-builders/gcloud'
 id: HealthMonitorDebugOnlyTest
 entrypoint: 'bash'
- args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}', '\'none\' monitoring allowed on hardened environment.*\'all\' monitoring allowed on debug environment']
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}', "'none' monitoring allowed on hardened environment.*'all' monitoring allowed on debug environment"]
 waitFor: ['CreateVMHealthMonitorDebugOnly']
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CleanUpHealthMonitorDebugOnly
@@ -238,7 +238,7 @@ steps:
 - name: 'gcr.io/cloud-builders/gcloud'
 id: HealthMonitorNeverTest
 entrypoint: 'bash'
- args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}', '\'none\' monitoring allowed on hardened environment.*\'none\' monitoring allowed on debug environment']
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}', "'none' monitoring allowed on hardened environment.*'none' monitoring allowed on debug environment"]
 waitFor: ['CreateVMHealthMonitorNever']
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CleanUpHealthMonitorNever
@@ -263,7 +263,7 @@ steps:
 - name: 'gcr.io/cloud-builders/gcloud'
 id: HealthMonitorMemoryTest
 entrypoint: 'bash'
- args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', '\'memoryonly\' monitoring allowed on hardened environment.*\'memoryonly\' monitoring allowed on debug environment']
+ args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', "'memoryonly' monitoring allowed on hardened environment.*'memoryonly' monitoring allowed on debug environment"]
 waitFor: ['CreateVMHealthMonitorMemory']
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CleanUpHealthMonitorMemory
From 18fda0cbe41ea6cc6d7e7cf764881864240fc6b0 Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Fri, 25 Oct 2024 00:13:16 +0000
Subject: [PATCH 11/12] update logging methods
---
 launcher/image/test/test_launchpolicy_cloudbuild.yaml | 2 +-
 launcher/spec/launch_policy.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/launcher/image/test/test_launchpolicy_cloudbuild.yaml b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
index 3826662fe..8613fea7e 100644
--- a/launcher/image/test/test_launchpolicy_cloudbuild.yaml
+++ b/launcher/image/test/test_launchpolicy_cloudbuild.yaml
@@ -12,7 +12,7 @@ substitutions:
 '_WORKLOAD_IMAGE_CMD': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/launchpolicycmd:latest'
 '_WORKLOAD_IMAGE_MEMORY_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringnever:latest'
 '_WORKLOAD_IMAGE_MEMORY_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringdebug:latest'
- '_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnever:latest'
+ '_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnone:latest'
 '_WORKLOAD_IMAGE_HEALTH_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringdebug:latest'
 '_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringmemory:latest'
 '_MEMORY_MONITOR_VM_NAME_PREFIX': 'memory-monitor'
diff --git a/launcher/spec/launch_policy.go b/launcher/spec/launch_policy.go
index 0db61decf..003282237 100644
--- a/launcher/spec/launch_policy.go
+++ b/launcher/spec/launch_policy.go
@@ -155,7 +155,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 if err != nil {
 return fmt.Errorf("invalid monitoring type for hardened image: %v", err)
 }
- logger.Printf("'%s' monitoring allowed on hardened environment", launchPolicy.HardenedImageMonitoring)
+ logger.Info(fmt.Sprintf("'%s' monitoring allowed on hardened environment", launchPolicy.HardenedImageMonitoring))
 } else {
 launchPolicy.HardenedImageMonitoring = None
 }
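Review bot: `logger.Info(fmt.Sprintf(...))` pre-formats the message; if `logger` is a slog-style logger whose `Info` takes a message plus attributes, the idiomatic form is `logger.Info("monitoring allowed on hardened environment", "monitoring", launchPolicy.HardenedImageMonitoring)`, which keeps the policy value queryable rather than embedded in text. The serial-console patterns in test_launchpolicy_cloudbuild.yaml match the exact wording, so the test strings would have to change in the same commit. The second hunk in this file (`debug environment`) has the same shape. `configureMonitoringPolicy` begins and ends outside the hunk.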
@@ -165,7 +165,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 if err != nil {
 return fmt.Errorf("invalid monitoring type for debug image: %v", err)
 }
- logger.Printf("'%s' monitoring allowed on debug environment", launchPolicy.DebugImageMonitoring)
+ logger.Info(fmt.Sprintf("'%s' monitoring allowed on debug environment", launchPolicy.DebugImageMonitoring))
 } else {
 launchPolicy.DebugImageMonitoring = MemoryOnly
 }
From 5d3eff429420c68f1fee1049c40a1d9168ea228b Mon Sep 17 00:00:00 2001
From: Jessie Liu
Date: Fri, 25 Oct 2024 00:48:09 +0000
Subject: [PATCH 12/12] fix tests
---
 launcher/image/test/test_health_monitoring.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/launcher/image/test/test_health_monitoring.yaml b/launcher/image/test/test_health_monitoring.yaml
index 8786eff80..5e69b3dc9 100644
--- a/launcher/image/test/test_health_monitoring.yaml
+++ b/launcher/image/test/test_health_monitoring.yaml
@@ -49,7 +49,7 @@ steps:
 id: CheckMemoryOnlyMonitoringEnabled
 entrypoint: 'bash'
 # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
- args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*memory/bytes_used enabled']
+ args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', 'memory/bytes_used enabled']
 waitFor: ['CreateVMMemoryOnlyMonitoringEnabled']
 - name: 'gcr.io/cloud-builders/gcloud'
 id: CleanUpVMMemoryOnlyMonitoringEnabled
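Review bot: The pattern for `CheckMemoryOnlyMonitoringEnabled` is relaxed to `memory/bytes_used enabled` alone, but the step comment above it still reads `# Search a regex pattern that ensures all monitoring is enabled ...`; suggest `# Search a regex pattern that ensures the memory/bytes_used metric is reported as enabled in COS event logs.` Dropping the `Health Monitoring is enabled by the VM operator` prefix also means this step no longer confirms that monitoring was operator-enabled, and if the all-metrics path logs the same `memory/bytes_used enabled` line, memory-only and all are no longer distinguishable here. A short comment recording why the prefix was removed would save the next reader from re-deriving it.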