Nitro reformatting + rootfs writing update #521
"nitro" on its own may be a bit confusing. Change the module names to "aws-nitro" to better explain their purposes. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
It was my understanding that we used "nitro", "tdx", and "cca" as the CC feature names to avoid verbosity introduced by SNP ("amd-snp"). Has this changed? In other words, should CCA and TDX get renamed as well? I think that we need to come to a consensus on the naming scheme that we want to use here.

Those acronyms have specific meanings more than "nitro" does. I think they can remain the same.
jakecorrenti left a comment
| const KRUN_NITRO_EIF_PATH_ENV_VAR: &str = "KRUN_NITRO_EIF_PATH"; | ||
| const KRUN_NITRO_EIF_PATH_DEFAULT: &str = "/usr/share/krun-nitro/krun-nitro.eif"; | ||
| const KRUN_NITRO_EIF_PATH_DEFAULT: &str = "/krun-awsnitro/krun-awsnitro.eif"; |
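Review bot: The new default moves the cached EIF to a root-level directory named "awsnitro" while the override variable on the line above keeps the name KRUN_NITRO_EIF_PATH, so the module name, the path and the env var now disagree on "nitro" vs "awsnitro"; if the env var name is kept on purpose for compatibility, a comment on `KRUN_NITRO_EIF_PATH_ENV_VAR` should say so. The constant `KRUN_NITRO_EIF_PATH_DEFAULT` also deserves a comment recording that this location is only meant for a volume shared with a container image, that it is overridden by the env var on a host EC2 instance, and that it must never be copied into the enclave rootfs, since none of that is visible from the path string alone.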
We shouldn't be putting anything in the root directory. The XDG standard says cached/non-essential data for a user application should go in $HOME/.cache/krun-awsnitro/
It's only within the root directory for container images, and even then it is only used to access the cached EIF, not writing to the application itself. If a user wants to store it elsewhere, they can specify the path with KRUN_NITRO_EIF_PATH=...
Putting it in the root directory makes writing the rootfs much simpler when running inside of a container environment.
I'm not sure I understand. I thought, in this PR's state, either the nitro-cli or krun-awsnitro-eif-ctl needs to create an EIF file and either put it at /krun-awsnitro or have the user put it there in order for libkrun to find it by default so that we can run the enclave.
In that case we'd still be putting application-specific data in the root directory of the parent EC2 instance, or at least making the assumption that something could be there.
That is the default location, which should only be used when sharing a volume with a container. For running on a host EC2 instance, you can specify KRUN_NITRO_EIF_PATH=... and it will instead use that path.
You aren't required to actually put anything in the EC2 host instance's root directory, but for container images you can share the volume at that directory and ensure it is not written within the enclave itself.
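The two rules discussed in this thread, the KRUN_NITRO_EIF_PATH override falling back to the shared-volume default and the cached EIF directory being kept out of the enclave rootfs, as an added Rust example that is not libkrun's own code. Only the two constant names and their values come from the diff; the resolve/filter functions and the sample rootfs listing are assumptions constructed here.

```rust
use std::env;
use std::path::{Path, PathBuf};

// Names and values as shown in the PR diff; everything below them is illustrative.
const KRUN_NITRO_EIF_PATH_ENV_VAR: &str = "KRUN_NITRO_EIF_PATH";
const KRUN_NITRO_EIF_PATH_DEFAULT: &str = "/krun-awsnitro/krun-awsnitro.eif";

/// Pick the cached EIF location: an explicit KRUN_NITRO_EIF_PATH value wins,
/// otherwise fall back to the shared-volume default. The value is passed in
/// rather than read here so the rule can be tested without touching the
/// process environment (assumed helper, not libkrun's API).
fn resolve_eif_path(override_val: Option<&str>) -> PathBuf {
    match override_val {
        Some(p) if !p.is_empty() => PathBuf::from(p),
        _ => PathBuf::from(KRUN_NITRO_EIF_PATH_DEFAULT),
    }
}

/// Read the override from the real environment, if any.
fn eif_path_from_env() -> PathBuf {
    resolve_eif_path(env::var(KRUN_NITRO_EIF_PATH_ENV_VAR).ok().as_deref())
}

/// Return whether a container rootfs entry (path relative to the container root)
/// may be copied into the enclave rootfs. The directory holding the cached EIF
/// is skipped so the EIF itself never ends up inside the enclave image.
fn include_in_rootfs(rel: &Path, eif_path: &Path) -> bool {
    let abs = Path::new("/").join(rel); // relative entry -> absolute container path
    let eif_dir = eif_path.parent().unwrap_or(Path::new("/"));
    if eif_dir == Path::new("/") {
        // EIF sits directly in "/": exclude only that file, not the whole tree.
        abs != eif_path
    } else {
        // Component-wise prefix check, so "/krun-awsnitro-data" is not caught.
        !abs.starts_with(eif_dir)
    }
}

/// Filter a rootfs listing down to the entries that may be written to the enclave.
fn rootfs_entries<'a>(entries: &[&'a str], eif_path: &Path) -> Vec<&'a str> {
    entries
        .iter()
        .copied()
        .filter(|e| include_in_rootfs(Path::new(*e), eif_path))
        .collect()
}

fn main() {
    let eif = eif_path_from_env();
    // Constructed sample listing of a container image that shares the EIF volume.
    let entries = ["bin/app", "etc/hosts", "krun-awsnitro/krun-awsnitro.eif", "krun-awsnitro"];
    for e in rootfs_entries(&entries, &eif) {
        println!("copy {e}");
    }
}
```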
This directory can be used in the container image to launch an enclave by making the cached EIF file available through a shared volume. However, it should not be written to the enclave with the rootfs. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Forward the application return code to the caller of krun_start_enter to gauge application exit status. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>