Implement fsverity functionality
Implement calls to the fsverity kernel interface, allowing containerd to enable fsverity on blob data in the content store. This causes the kernel to verify the integrity of blob data whenever the blob is read. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
@@ -29,6 +29,7 @@ import (
|
||||
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/pkg/filters"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/containerd/log"
|
||||
|
||||
@@ -62,8 +63,9 @@ type LabelStore interface {
|
||||
// Store can generally support multi-reader, single-writer ingest of data,
|
||||
// including resumable ingest.
|
||||
type store struct {
|
||||
root string
|
||||
ls LabelStore
|
||||
root string
|
||||
ls LabelStore
|
||||
integritySupported bool
|
||||
}
|
||||
|
||||
// NewStore returns a local content store
|
||||
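Review bot: The new `integritySupported` field on `store` carries no comment, yet it is the single switch that decides whether a committed blob gets fsverity protection, so a reader should not have to find the constructor to learn how it is set. I would add `// integritySupported records whether fsverity could be enabled on files under root; it is probed once when the store is created, so a later remount or kernel change is not reflected.` — the "probed once" wording rests on the assignment visible in NewLabeledStore being the only writer, which this page does not prove. The struct is shown in full, but the field list is printed twice (old then new) with the markers lost, so which lines are context is inferred.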
@@ -81,9 +83,12 @@ func NewLabeledStore(root string, ls LabelStore) (content.Store, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
supported, _ := fsverity.IsSupported(root)
|
||||
|
||||
return &store{
|
||||
root: root,
|
||||
ls: ls,
|
||||
root: root,
|
||||
ls: ls,
|
||||
integritySupported: supported,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
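Review bot: `supported, _ := fsverity.IsSupported(root)` discards the probe error, so a store that silently runs without integrity protection is indistinguishable from one on a filesystem that genuinely lacks fsverity. The constructor has no context to log through, but the file's import hunk shows `github.com/containerd/log`, so the package-level logger should do: `supported, err := fsverity.IsSupported(root)` followed by `if err != nil { log.L.WithError(err).Warnf("fsverity probe on %s failed; blob integrity will not be enabled", root) }`. An operator who deploys with fsverity as a requirement would also want a way to fail closed here instead of degrading; the commit leaves that as best-effort, which is worth stating in the NewStore/NewLabeledStore doc comment.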
@@ -35,6 +35,7 @@ import (
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/core/content/testsuite"
|
||||
"github.com/containerd/containerd/v2/internal/randutil"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/containerd/v2/pkg/testutil"
|
||||
"github.com/containerd/errdefs"
|
||||
|
||||
@@ -193,6 +194,18 @@ func TestContentWriter(t *testing.T) {
|
||||
t.Fatal("mismatched data written to disk")
|
||||
}
|
||||
|
||||
// ensure fsverity is enabled on blob if fsverity is supported
|
||||
ok, err := fsverity.IsSupported(tmpdir)
|
||||
if !ok || err != nil {
|
||||
t.Log("fsverity not supported, skipping fsverity check")
|
||||
return
|
||||
}
|
||||
|
||||
ok, err = fsverity.IsEnabled(path)
|
||||
if !ok || err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestWalkBlobs(t *testing.T) {
|
||||
|
||||
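Review bot: At the `fsverity.IsEnabled(path)` check, `if !ok || err != nil { t.Fatal(err) }` fails with a bare `<nil>` when fsverity is supported but simply was not enabled on the blob, which is precisely the case this assertion exists to catch. `t.Fatalf("fsverity not enabled on %s: %v", path, err)` names the blob and keeps the error when there is one. The earlier support probe uses `t.Log` plus `return`, which makes the test pass vacuously on hosts without fsverity; `t.Skip("fsverity not supported on tmpdir")` records it as skipped so a CI run where protection never got exercised is visible. TestContentWriter begins outside the hunk.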
@@ -27,6 +27,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/containerd/containerd/v2/core/content"
|
||||
"github.com/containerd/containerd/v2/pkg/fsverity"
|
||||
"github.com/containerd/errdefs"
|
||||
"github.com/containerd/log"
|
||||
"github.com/opencontainers/go-digest"
|
||||
@@ -137,6 +138,14 @@ func (w *writer) Commit(ctx context.Context, size int64, expected digest.Digest,
|
||||
return err
|
||||
}
|
||||
|
||||
// Enable content blob integrity verification if supported
|
||||
|
||||
if w.s.integritySupported {
|
||||
if err := fsverity.Enable(target); err != nil {
|
||||
log.G(ctx).Warnf("failed to enable integrity for blob %v: %s", target, err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
// Ingest has now been made available in the content store, attempt to complete
|
||||
// setting metadata but errors should only be logged and not returned since
|
||||
// the content store cannot be cleanly rolled back.
|
||||
|
||||
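Review bot: A failed `fsverity.Enable(target)` is only warned about, so a blob can be committed and later served without the integrity protection the store believes it provides, and since `integritySupported` is probed once on root (see NewLabeledStore on this page) this per-file warning is the only signal an operator gets. If integrity is meant as a guarantee rather than best-effort, this is where a fail-closed option belongs; at minimum the log should carry the error structurally, `log.G(ctx).WithError(err).Warnf("failed to enable integrity for blob %v", target)`, with a comment such as `// Best-effort: on failure the blob remains readable without fsverity verification.` Judging by the following "Ingest has now been made available" comment, enabling appears to happen after the blob is already visible under target, so there is a brief window in which it is readable without verity — worth noting in a comment if that ordering is required (the enable ioctl needs the file closed for writing). Commit's body starts and ends outside the hunk.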