annotations: Improve asset annotation handling

[jodh-intel]

Make asset.go the arbiter of asset annotations by removing all asset
annotations lists from other parts of the codebase.

This makes the code simpler, easier to maintain, and more robust.

Specifically, the previous behaviour was inconsistent as the following
ways:

• createAssets() in sandbox.go was not handling the following asset
  annotations:

  • firmware:

    • io.katacontainers.config.hypervisor.firmware
    • io.katacontainers.config.hypervisor.firmware_hash

  • hypervisor:

    • io.katacontainers.config.hypervisor.path
    • io.katacontainers.config.hypervisor.hypervisor_hash

  • hypervisor control binary:

    • io.katacontainers.config.hypervisor.ctlpath
    • io.katacontainers.config.hypervisor.hypervisorctl_hash

  • jailer:

    • io.katacontainers.config.hypervisor.jailer_path
    • io.katacontainers.config.hypervisor.jailer_hash

• addAssetAnnotations() in the oci package was not handling the
  following asset annotations:

  • hypervisor:

    • io.katacontainers.config.hypervisor.path
    • io.katacontainers.config.hypervisor.hypervisor_hash

  • hypervisor control binary:

    • io.katacontainers.config.hypervisor.ctlpath
    • io.katacontainers.config.hypervisor.hypervisorctl_hash

  • jailer:

    • io.katacontainers.config.hypervisor.jailer_path
    • io.katacontainers.config.hypervisor.jailer_hash

This change fixes the bug where specifying a custom hypervisor path via an
asset annotation was having no effect.

Fixes: #3030.

Signed-off-by: James O. D. Hunt [email protected]

[jodh-intel]

/test

[jodh-intel]

Minimal manual test (based on https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md#running-standalone):

$ bundle="/tmp/bundle"
$ rootfs="$bundle/rootfs"
$ mkdir -p "$rootfs" && (cd "$bundle" && kata-runtime spec)
$ sudo docker export $(sudo docker create busybox) | tar -C "$rootfs" -xvf -
$ (cd $bundle && jq '. |= . + {"annotations": {"io.katacontainers.config.hypervisor.path": "/does/not/exist"}}' < config.json > tmp && mv tmp config.json)
$ sudo kata-runtime --log=/dev/stdout run --bundle "$bundle" foo

The above will work (incorrectly) with current releases, but will fail with this PR (assuming /does/not/exist really doesn't exist ;)

/cc @gkunz

[gkunz]

@jodh-intel thanks for the quick fix! I'll test this PR as well in my lab.

[codecov]

Codecov Report

Merging #3031 into master will increase coverage by 0.05%.
The diff coverage is 60.60%.

@@            Coverage Diff             @@
##           master    #3031      +/-   ##
==========================================
+ Coverage   50.25%   50.30%   +0.05%     
==========================================
  Files         120      120              
  Lines       15844    15840       -4     
==========================================
+ Hits         7963     7969       +6     
+ Misses       6799     6786      -13     
- Partials     1082     1085       +3     

[jodh-intel]

@GabyCT - jenkins-ci-podman-clh-fedora-31 is failing with:

16:08:18 ./scripts/dev_cli.sh: line 122: docker: command not found

[GabyCT]

@jodh-intel kata-containers/ci#340 /cc @likebreath @jcvenegas

[gkunz]

are you not missing vcAnnotations.HypervisorPath here? In my local test of this PR, the hypervisor annotations still gets ignored. Upon including vcAnnotations.HypervisorPath here, it works.

[jodh-intel]

@gkunz - apologies - git stash fail :) I've actually found a way to make the code more robust, so marking as do-not-merge for now. I'll push an update tomorrow...

[gkunz]

@jodh-intel no problem. Thanks again for addressing the issue so quickly!

[devimc]

thanks @jodh-intel

[jodh-intel]

/test

[jodh-intel]

/test

[jodh-intel]

This is incorrect as it changes the function to return the asset annotation name, not the config value. I'm about to push a fix and a new TestAssetPath() test to assert the expected behaviour. However, I'm going to have to revert this change meaning we will still have a "list of asset annotations" outside of asset.go. This is annoying as I'd like to totally encapsulate that list in asset.go.

One possible improvement would be to annotate HypervisorConfig with custom struct tags like this:

type HypervisorConfig struct {
    FirmwarePath      string `annotation:"io.katacontainers.config.hypervisor.firmware"`
    HypervisorCtlPath string `annotation:"io.katacontainers.config.hypervisor.ctlpath"`
    HypervisorPath    string `annotation:"io.katacontainers.config.hypervisor.path"`
    ImagePath         string `annotation:"io.katacontainers.config.hypervisor.image"`
    InitrdPath        string `annotation:"io.katacontainers.config.hypervisor.initrd"`
    JailerPath        string `annotation:"io.katacontainers.config.hypervisor.jailer_path"`
    KernelPath        string `annotation:"io.katacontainers.config.hypervisor.kernel"`
}

That may make the code clearer and less error prone. However, there would be a runtime impact as we'd need to use reflect to map the struct tag (annotation) back to the config value.

[amshinde]

@jodh-intel I like the idea of encapsulating all the assets constants and logic in assets.go, feel that it is all over the place right now. Maybe using reflection is not such a bad idea if we can cleanup the code and make sure that we do this once in the CreateSandbox code path.
We can address that in a separate PR.

What I did see is that the hypervisor.go has a lot of functions CustomFirmwareAsset, CustomJailerAsset etc which are not being called at all.
We need to assess if these functions should be called from getHypervisorDetails or we can just get rid of them.

[jodh-intel]

/test

[jodh-intel]

HI @gkunz - I've updated the branch now if you'd like to give the latest a try?

[gkunz]

@jodh-intel works nicely for me!

[jodh-intel]

Thanks for confirming @gkunz !

[jodh-intel]

Added dnm label to allow for a few more eyes to review before this lands.

[jodh-intel]

@amshinde - any further thoughts on this? I've updated since you approved I think.

[amshinde]

We dont need to address this in this PR.
But raising my concern about value of supporting this. Maybe we should just support sha512 hash and document it so, rather than providing this.

[jodh-intel]

Fixed.

[amshinde]

Nit: Suggestion to move all the consts for FirmwareAsset, HypervisorAsset etc to the top of the file for better readability.

[jodh-intel]

Fixed.

[amshinde]

In terms of cleanup, there is another function called Valid() which could make use of this list instead of comparing against individual values.

[jodh-intel]

Fixed.

[amshinde]

@jodh-intel I like the idea of encapsulating all the assets constants and logic in assets.go, feel that it is all over the place right now. Maybe using reflection is not such a bad idea if we can cleanup the code and make sure that we do this once in the CreateSandbox code path.
We can address that in a separate PR.

What I did see is that the hypervisor.go has a lot of functions CustomFirmwareAsset, CustomJailerAsset etc which are not being called at all.
We need to assess if these functions should be called from getHypervisorDetails or we can just get rid of them.

[jodh-intel]

@amshinde - I've removed the unused functions. On reflection (:smile:), I'm not totally convinced about my reflection idea: there
is another problem of using that technique - we can't use variables in the struct tags so we'd end up with another maintenance issue as it would be easy to rename an annotation variable value, but forget to update the corresponding static struct tag annotation string. Sigh.

Let's ponder this some more and make further improvements if possible on a follow-up PR.

For now, I'd like to get this landed so it can be ported to 2.x.

[jodh-intel]

/test

[amshinde]

Let's ponder this some more and make further improvements if possible on a follow-up PR.

For now, I'd like to get this landed so it can be ported to 2.x.

Agree. SGTM.

[jodh-intel]

/test

[jodh-intel]

forward port PR: kata-containers/kata-containers#1086