forked from kata-containers/kata-containers
[Draft] Update instructions for azure-file csi driver #347
Draft: arc9693 wants to merge 195 commits into msft-main from archana1/update-ins
Conversation
Specify --release when BUILD_TYPE was not specified, or when BUILD_TYPE=release. The default "cargo build" behavior is to build in debug mode. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
- post-process to remove box_pointers annotation for generated files
- while this unblocks the build, should look for better solution:
  - request/teach codegen to not add certain linter annotation
  - update ttrpc-codegen or other dependencies
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
- counterpart to upstream a131eec
- unblocks build with rust v1.84
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
- rust linter detects a potential future name collision
- see rustc lint static 'UNSTABLE_NAME_COLLISIONS'
- we can revisit this at a later point
Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Use protobuf = "=3.7.1" for both agent and genpolicy, to fix version mismatches with the protobuf crate. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Fix rebase merge in genpolicy-settings.json. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Enable allow_storages after rule.rego rebase merge. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
$ git rev-parse cc-msft-prototypes
328e440
$ git checkout cc-msft-prototypes src/utarfs
$ git checkout cc-msft-prototypes src/tarfs
$ git checkout cc-msft-prototypes src/overlay
$ git checkout cc-msft-prototypes src/tardev-snapshotter
$ git checkout cc-msft-prototypes Makefile
Add option to use an IGVM image in the UVM Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
Add configuration file configuration-clh-snp.toml with SNP related settings enabled Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
* Remove unused param from CLH SNP config
* Remove extra package definition from cbl-mariner rootfs config
* Enable SNP=on with CH conf-guest enabled and add dummy host_data value
* Add IGVM, HostData, Snp to config markdown doc
* sanitize clh-snp.toml.in and clh.toml.in
* Further changes required for SEV SNP enablement
* Remove unnecessary debug output
* Update outdated comment in config
Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
* Set PCI segments in all cases
* Clean-up
This makes it so that any container has access to /dev/sev-guest out of the box with no privileges required. Since /dev/sev-guest isn't available yet, I've validated this change using /dev/cpu_dma_latency (original chmod 600) by:
1. Verifying that the device is present in the container.
2. Verifying that reading from the device from a container yields the same result as from the VM context.
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Add image build macro to change partition format for kernel's "dm-mod.create" command, and allow for igvm + image usecase in kata shim Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
This is a workaround for kata-containers#7993. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
* rootfs: delete some of the mariner packages Delete some of the mariner packages from the Guest image, for faster TEE memory measurement. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
The shell is useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Make sure the hash of an incoming Policy matches the value of the SNP Host Data field. The value of Host Data will be validated through Remote Attestation, outside of this patch. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
There are 10 segments in the ACPI tables, and CLH works better when it uses all of them. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This is needed when enabling dm-verity. `udevd` reads kernel uevents that announce the creation of `/dev/dm-XXX` devices, and then creates devices with the actual names under `/dev/mapper/`. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This allows us to avoid repeating paths when they're the same. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This replicates Wedson's changes in 0935263 in a way that is aligned with the upstream implementation introduced in kata-containers#7200. NOTE: This will require compiling the runtime with DEFSHAREDFS_CLH_SNP_VIRTIOFS=none.
Upstream now uses the new DEFSTATICRESOURCEMGMT_TEE variable to set static resource management for TEEs so we align on that. It's true by default so we don't have to update our build script for this. NOTE: For non-tee CH, upstream now uses DEFSTATICRESOURCEMGMT_CLH (already in our codebase) instead of DEFSTATICRESOURCEMGMT. It's still false by default so we WILL have to update our build script for this one.
Adjust configuration-clh-snp.toml.in to be more consistent with configuration-qemu-snp.toml.in. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
The layer string is now base64-encoded, so decode it before inspecting the fields. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
JOB_COMPLETION_INDEX might be empty, so the regex should be changed to match the empty string. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
The storage destination is already validated in allow_mount_point(). Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
After validating the storage source and destination, validate that the mount source == storage destination. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Trivial validation. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
PolicyCreateContainerRequest will be a wrapper to CreateContainerRequest and will allow the agent to transform the input such that is easier to validate in the policy. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
- Add environment variable map to the engine on the agent
- Add environment variable map to the policy on genpolicy
- Validate this environment variable map on the rules
- Restrain some environment variable values that we expect to look like a subdomain and use a regex to validate them
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
- Mark old arg validation methods as deprecated
- Mark old arg policy data field as deprecated
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Add a new rule that validates args by substituting env variables received from the input. This new rule ensures that the args received from the input are the same as the args received from the policy. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
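As an added illustration of the args rule described in the commits above (not code from this PR or from genpolicy): policy args are expanded with the env map received in the input and compared with the input args, after restrained env values are checked against a regex, with the JOB_COMPLETION_INDEX pattern also accepting an empty value. The regexes and the $(VAR) expansion behaviour are assumptions modelled on Kubernetes, not genpolicy's own.

```python
import re

# Constructed for this example: values of these variables are expected to look
# like a DNS subdomain / a job index, so they are restrained by a regex.
# genpolicy's own patterns are not shown on the page; these are assumptions.
ENV_VALUE_PATTERNS = {
    "HOSTNAME": re.compile(
        r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"),
    # JOB_COMPLETION_INDEX may be empty, so the pattern must also accept "".
    "JOB_COMPLETION_INDEX": re.compile(r"[0-9]*"),
}

# Kubernetes-style $(VAR) reference inside a container argument.
_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def validate_env(env):
    """Every restrained variable that is present must fully match its pattern."""
    return all(p.fullmatch(env[name]) is not None
               for name, p in ENV_VALUE_PATTERNS.items() if name in env)


def expand(arg, env):
    """Substitute $(VAR) with the input env value; unknown references stay verbatim."""
    return _REF.sub(lambda m: env.get(m.group(1), m.group(0)), arg)


def allow_args(policy_args, input_args, input_env):
    """Allow the request only if the policy args, expanded with the input env,
    are exactly the args the agent received in the request."""
    if not validate_env(input_env):
        return False
    return [expand(a, input_env) for a in policy_args] == list(input_args)


if __name__ == "__main__":
    policy = ["worker", "--index=$(JOB_COMPLETION_INDEX)", "--host=$(HOSTNAME)"]
    env = {"JOB_COMPLETION_INDEX": "3", "HOSTNAME": "job-0.example"}
    print(allow_args(policy, ["worker", "--index=3", "--host=job-0.example"], env))
```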
Using a symlink would create a cycle after calling this script again when copying the final configuration at line 74 so we just use cp instead. Also, I moved this block to the end of the file to properly override the final config file. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Fix regression introduced in https://github.com/microsoft/kata-containers/pull/308/files#diff-456165c5b51c7f523a8f6226bab85a095af361c1430c61141d40361fa0a25892 where we no longer expect the struct of the input to always resemble an OCI CreateContainerRequest (coming from older agent versions). The input may also be a PolicyCreateContainerRequest (coming from new agent versions), which wraps an OCI CreateContainerRequest. Hence get the mounts from i_oci, which we know refers to the input OCI, as opposed to input.OCI, which may be null in inputs coming from new agent versions. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
The policy module augments the policy generated with genpolicy by keeping and providing state to each invocation. Therefore, it is not sufficient anymore to test the passing of requests in the genpolicy crate. Since in Rust, integration tests cannot call functions that are not exposed publicly, this commit factors out the policy module of the agent into its own crate and exposes the necessary functions to be consumed by the agent and an integration test. The integration test itself is implemented in the following commits. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
The generated rego policies for `CreateContainerRequest` are stateful and that state is handled in the policy crate. We use this policy crate in the genpolicy integration test to be able to test if those state changes are handled correctly without spinning up an agent or even a cluster. This also allows easily testing at, e.g., the CreateContainerRequest level instead of relying on changing the yaml that is applied to a cluster. Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
Move PolicyCopyFile request to shared policy crate so we can test it Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Useful for go dependency upgrades, so that we actually commit changes in the vendor folder Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Introduce rule to block routes from source addresses which are the loopback. Block routes added to the lo device. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
Introduce rules for UpdateInterfaceRequest and genpolicy tests for them. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
Add test cases for basic and legacy requests to create pause container Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Validate sandbox name using a regex. If the YAML specifies metadata.name, use a regex that exact matches. If the YAML specifies metadata.generateName, use a regex that matches the prefix of the generated name. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Copy the sample yaml files from the msft-main branch after rebasing to upstream. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Fix the scripts after rebase merge. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Re-generate Cargo.lock for protocols, agent, and genpolicy. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update samples with the latest policy after rebasing to recent upstream code. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This keeps the repo changes clean while running update script and removes the need to remove the test settings at the end of the script Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
sprt requested changes on May 12, 2025
@@ -228,32 +231,22 @@ experience this error. | |||
## Installing the CoCo Azure Files driver |
We should:
- Remove the contents of this section and link to the official AKS Azure Files docs.
- Add the known limitations to the official AKS docs.
Correction: Let's keep the known limitations in this doc for now. First point still stands.
Merge Checklist
- upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
Test Methodology