agent: add agent.image_pull_timeout parameter

This new parameter for kata-agent is used to control the timeout for a
guest pull request. Note that sometimes an image can be really big, so
we set default timeout to 1200 seconds (20 minutes).

Signed-off-by: Xynnn007 <[email protected]>

Author: Xynnn007

src/agent/README.md

@@ -129,6 +129,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
 | `agent.guest_components_procs` | guest-components processes | Attestation-related processes that should be spawned as children of the guest. Valid values are `none`, `attestation-agent`, `confidential-data-hub` (implies `attestation-agent`), `api-server-rest` (implies `attestation-agent` and `confidential-data-hub`) | string | `api-server-rest` |
 | `agent.hotplug_timeout` | Hotplug timeout | Allow to configure hotplug timeout(seconds) of block devices | integer | `3` |
 | `agent.cdh_api_timeout` | Confidential Data Hub (CDH) API timeout | Allow to configure CDH API timeout(seconds) | integer | `50` |
+| `agent.image_pull_timeout` | Confidential Data Hub (CDH) Image Pull API timeout | Allow to configure CDH API image pull timeout(seconds) | integer | `1200` |
 | `agent.https_proxy` | HTTPS proxy | Allow to configure `https_proxy` in the guest | string | `""` |
 | `agent.image_registry_auth` | Image registry credential URI | The URI to where image-rs can find the credentials for pulling images from private registries e.g. `file:///root/.docker/config.json` to read from a file in the guest image, or `kbs:///default/credentials/test` to get the file from the KBS| string | `""` |
 | `agent.enable_signature_verification` | Image security policy flag | Whether enable image security policy enforcement. If `true`, the resource indexed by URI `agent.image_policy_file` will be got to work as image pulling policy. | string | `""` |
@@ -148,7 +149,7 @@ The kata agent has the ability to configure agent options in guest kernel comman
 >    The agent will fail to start if the configuration file is not present,
 >    or if it can't be parsed properly.
 >  - `agent.devmode`: true | false
->  - `agent.hotplug_timeout` and `agent.cdh_api_timeout`: a whole number of seconds
+>  - `agent.hotplug_timeout`, `agent.image_pull_timeout` and `agent.cdh_api_timeout`: a whole number of seconds
 >  - `agent.log`:   "critical"("fatal" | "panic") | "error" | "warn"("warning") | "info" | "debug"
 >  - `agent.server_addr`: "{VSOCK_ADDR}:{VSOCK_PORT}"
 >  - `agent.trace`: true | false

src/agent/src/confidential_data_hub/mod.rs

@@ -131,7 +131,7 @@ impl CDHClient {
         let _ = self
             .image_pull_client
             .pull_image(
-                ttrpc::context::with_timeout(AGENT_CONFIG.cdh_api_timeout.as_nanos() as i64),
+                ttrpc::context::with_timeout(AGENT_CONFIG.image_pull_timeout.as_nanos() as i64),
                 &req,
             )
             .await?;
@@ -174,7 +174,7 @@ pub async fn unseal_env(env: &str) -> Result<String> {
 /// pull_image is used for call confidential data hub to pull image in the guest.
 /// Image layers will store at [`image::KATA_IMAGE_WORK_DIR`]`,
 /// rootfs and config.json will store under given `bundle_path`.
-/// 
+///
 /// # Parameters
 /// - `image`: Image name (exp: quay.io/prometheus/busybox:latest)
 /// - `bundle_path`: The path to store the image bundle (exp. /run/kata-containers/cb0b47276ea66ee9f44cc53afa94d7980b57a52c3f306f68cb034e58d9fbd3c6/rootfs)
@@ -189,7 +189,7 @@ pub async fn pull_image(image: &str, bundle_path: PathBuf) -> Result<String> {
     cdh_client
         .pull_image(image, bundle_path.to_string_lossy().as_ref())
         .await?;
-    
+
     let image_bundle_path = scoped_join(&bundle_path, "rootfs")?;
     Ok(image_bundle_path.as_path().display().to_string())
 }

src/agent/src/config.rs

@@ -23,6 +23,7 @@ const SERVER_ADDR_OPTION: &str = "agent.server_addr";
 const PASSFD_LISTENER_PORT: &str = "agent.passfd_listener_port";
 const HOTPLUG_TIMOUT_OPTION: &str = "agent.hotplug_timeout";
 const CDH_API_TIMOUT_OPTION: &str = "agent.cdh_api_timeout";
+const CDH_IMAGE_PULL_TIMEOUT_OPTION: &str = "agent.image_pull_timeout";
 const CDI_TIMEOUT_OPTION: &str = "agent.cdi_timeout";
 const DEBUG_CONSOLE_VPORT_OPTION: &str = "agent.debug_console_vport";
 const LOG_VPORT_OPTION: &str = "agent.log_vport";
@@ -63,6 +64,7 @@ const MEM_AGENT_COMPACT_FORCE_TIMES: &str = "agent.mem_agent_compact_force_times
 const DEFAULT_LOG_LEVEL: slog::Level = slog::Level::Info;
 const DEFAULT_HOTPLUG_TIMEOUT: time::Duration = time::Duration::from_secs(3);
 const DEFAULT_CDH_API_TIMEOUT: time::Duration = time::Duration::from_secs(50);
+const DEFAULT_IMAGE_PULL_TIMEOUT: time::Duration = time::Duration::from_secs(1200);
 const DEFAULT_CDI_TIMEOUT: time::Duration = time::Duration::from_secs(100);
 const DEFAULT_CONTAINER_PIPE_SIZE: i32 = 0;
 const VSOCK_ADDR: &str = "vsock://-1";
@@ -126,6 +128,7 @@ pub struct AgentConfig {
     pub log_level: slog::Level,
     pub hotplug_timeout: time::Duration,
     pub cdh_api_timeout: time::Duration,
+    pub image_pull_timeout: time::Duration,
     pub cdi_timeout: time::Duration,
     pub debug_console_vport: i32,
     pub log_vport: i32,
@@ -158,6 +161,7 @@ pub struct AgentConfigBuilder {
     pub log_level: Option<String>,
     pub hotplug_timeout: Option<time::Duration>,
     pub cdh_api_timeout: Option<time::Duration>,
+    pub image_pull_timeout: Option<time::Duration>,
     pub cdi_timeout: Option<time::Duration>,
     pub debug_console_vport: Option<i32>,
     pub log_vport: Option<i32>,
@@ -251,6 +255,7 @@ impl Default for AgentConfig {
             log_level: DEFAULT_LOG_LEVEL,
             hotplug_timeout: DEFAULT_HOTPLUG_TIMEOUT,
             cdh_api_timeout: DEFAULT_CDH_API_TIMEOUT,
+            image_pull_timeout: DEFAULT_IMAGE_PULL_TIMEOUT,
             cdi_timeout: DEFAULT_CDI_TIMEOUT,
             debug_console_vport: 0,
             log_vport: 0,
@@ -291,6 +296,7 @@ impl FromStr for AgentConfig {
         );
         config_override!(agent_config_builder, agent_config, hotplug_timeout);
         config_override!(agent_config_builder, agent_config, cdh_api_timeout);
+        config_override!(agent_config_builder, agent_config, image_pull_timeout);
         config_override!(agent_config_builder, agent_config, cdi_timeout);
         config_override!(agent_config_builder, agent_config, debug_console_vport);
         config_override!(agent_config_builder, agent_config, log_vport);
@@ -457,6 +463,15 @@ impl AgentConfig {
                 |cdh_api_timeout: &time::Duration| cdh_api_timeout.as_secs() > 0
             );
 
+            // ensure the timeout is a positive value
+            parse_cmdline_param!(
+                param,
+                CDH_IMAGE_PULL_TIMEOUT_OPTION,
+                config.image_pull_timeout,
+                get_timeout,
+                |image_pull_timeout: &time::Duration| image_pull_timeout.as_secs() > 0
+            );
+
             // ensure the timeout is a positive value
             parse_cmdline_param!(
                 param,
@@ -723,7 +738,10 @@ fn get_timeout(param: &str) -> Result<time::Duration> {
     ensure!(
         matches!(
             fields[0],
-            HOTPLUG_TIMOUT_OPTION | CDH_API_TIMOUT_OPTION | CDI_TIMEOUT_OPTION
+            HOTPLUG_TIMOUT_OPTION
+                | CDH_API_TIMOUT_OPTION
+                | CDH_IMAGE_PULL_TIMEOUT_OPTION
+                | CDI_TIMEOUT_OPTION
         ),
         ERR_INVALID_TIMEOUT_KEY
     );
@@ -1608,6 +1626,7 @@ Caused by:
     )))]
     #[case("agent.chd_api_timeout=1", Err(anyhow!(ERR_INVALID_TIMEOUT_KEY)))]
     #[case("agent.cdh_api_timeout=600", Ok(time::Duration::from_secs(600)))]
+    #[case("agent.image_pull_timeout=1200", Ok(time::Duration::from_secs(1200)))]
     #[case("agent.cdi_timeout=320", Ok(time::Duration::from_secs(320)))]
     fn test_timeout(#[case] param: &str, #[case] expected: Result<time::Duration>) {
         let result = get_timeout(param);