CDH: add log to configuration

Related to confidential-containers#1324

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

Author: Xynnn007

confidential-data-hub/example.config.json

@@ -65,5 +65,8 @@
             "-----BEGIN CERTIFICATE-----\nMIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA\noRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs\nYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl\nczESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3\nNTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD\nVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk\nIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF\nK4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W\nXM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq\n2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC\nBAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC\nAQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE\nAZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB\nCDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5\ncmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk\nd1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B\nAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm\nituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi\ncUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU\nbvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6\n9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH\nd9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO\nNgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt\ncluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf\nonhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg\nxynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN\nbz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS\noLSG2dLCK9mjjraPjau34Q==\n-----END CERTIFICATE-----"
         ],
         "work_dir": "/run/image-rs"
+    },
+    "log": {
+        "level": "info"
     }
 }

confidential-data-hub/example.config.toml

@@ -245,3 +245,7 @@ http_proxy = "http://127.0.0.1:5432"
 #
 # By default this value is not set.
 no_proxy = "192.168.0.1,localhost"
+
+[log]
+# log level
+level = "info"

confidential-data-hub/hub/src/bin/cdh-oneshot.rs

@@ -9,9 +9,11 @@
 
 use base64::{engine::general_purpose::STANDARD, Engine};
 use clap::{Args, Parser, Subcommand};
-use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, CdhConfig, DataHub};
-use tracing::warn;
+use confidential_data_hub::{hub::Hub, storage::volume_type::Storage, DataHub};
+use tracing::{debug, info, warn};
+use tracing_subscriber::{fmt::Subscriber, EnvFilter};
 
+mod config;
 #[derive(Parser)]
 #[command(name = "cdh_oneshot")]
 #[command(bin_name = "cdh_oneshot")]
@@ -94,14 +96,24 @@ struct PullImageArgs {
 
 #[tokio::main]
 async fn main() {
-    let args = Cli::parse();
-    let config = CdhConfig::new(args.config).expect("failed to initialize cdh config");
-    config.set_configuration_envs();
+    let cli = Cli::parse();
 
+    let (config, config_log) = config::read_config(cli.config).expect("failed to read config");
+
+    let env_filter = match std::env::var_os("RUST_LOG") {
+        Some(_) => EnvFilter::try_from_default_env().expect("RUST_LOG is present but invalid"),
+        None => EnvFilter::try_new(&config.log.level)
+            .unwrap_or_else(|_| panic!("Invalid log level: {}", config.log.level)),
+    };
+
+    Subscriber::builder().with_env_filter(env_filter).init();
+
+    info!("{config_log}");
+    debug!(config = ?config, "Using config");
     let cdh = Hub::new(config).await.expect("failed to start CDH");
 
     let mut tried = 1;
-    match args.operation {
+    match cli.operation {
         Operation::UnsealSecret(op_args) => {
             let secret = tokio::fs::read(op_args.secret_path)
                 .await
@@ -114,7 +126,7 @@ async fn main() {
                         break;
                     }
                     Err(e) => {
-                        if tried > args.retry {
+                        if tried > cli.retry {
                             let error = format!("failed to unseal secret, {e:?}");
                             panic!("{error}");
                         }
@@ -136,7 +148,7 @@ async fn main() {
                         break;
                     }
                     Err(e) => {
-                        if tried > args.retry {
+                        if tried > cli.retry {
                             panic!("failed to unwrap key");
                         }
                         warn!("Tried {tried} times... failed to unwrap key: {e}.");
@@ -153,7 +165,7 @@ async fn main() {
                     break;
                 }
                 Err(e) => {
-                    if tried > args.retry {
+                    if tried > cli.retry {
                         let error = format!("failed to get resource, {e:?}");
                         panic!("{error}");
                     }

confidential-data-hub/hub/src/bin/config/mod.rs

@@ -0,0 +1,141 @@
+// Copyright (c) 2026 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use std::env;
+
+use anyhow::{Context, Result};
+use confidential_data_hub::CdhConfig;
+use tracing::info;
+
+const CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS: &str =
+    "CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS";
+
+pub fn read_config(config_path: Option<String>) -> Result<(CdhConfig, String)> {
+    let (mut config, config_log) = match config_path {
+        Some(config_path) => {
+            let config = CdhConfig::from_file(&config_path[..])
+                .with_context(|| format!("failed to read config file {config_path}"))?;
+            let log = format!("Using config file: {config_path}");
+            (config, log)
+        }
+        None => {
+            if let std::result::Result::Ok(env_path) = env::var("CDH_CONFIG_PATH") {
+                let log = format!("Read CDH's config path from env: {env_path}");
+                let config = CdhConfig::from_file(&env_path[..])
+                    .with_context(|| format!("failed to read config file {env_path}"))?;
+                (config, log)
+            } else {
+                let log = "No CDH config path specified. Using default configuration.".to_string();
+                let config = CdhConfig::default_with_kernel_cmdline()
+                    .with_context(|| "failed to read default configuration".to_string())?;
+                (config, log)
+            }
+        }
+    };
+
+    if let std::result::Result::Ok(env) =
+        env::var(CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS)
+    {
+        info!("Read authenticated registry credentials URI from env: {env}");
+        config.image.authenticated_registry_credentials_uri = Some(env);
+    }
+
+    config.extend_credentials_from_kernel_cmdline()?;
+
+    Ok((config, config_log))
+}
+
+#[cfg(test)]
+mod tests {
+    use std::{env, io::Write};
+
+    use anyhow::anyhow;
+    use confidential_data_hub::{CdhConfig, KbsConfig, LogConfig, DEFAULT_CDH_SOCKET_ADDR};
+    use image_rs::config::ImageConfig;
+    use serial_test::serial;
+
+    use crate::config::read_config;
+
+    #[test]
+    #[serial]
+    fn test_config_auth_override_by_env() {
+        let config = r#"
+[kbc]
+name = "offline_fs_kbc"
+
+[image]
+authenticated_registry_credentials_uri = "kbs:///default/auth/1"
+        "#;
+        let mut file = tempfile::Builder::new()
+            .append(true)
+            .suffix(".toml")
+            .tempfile()
+            .unwrap();
+        file.write_all(config.as_bytes()).unwrap();
+
+        // without env and from config file
+        let config_path = file.path().to_str().unwrap().to_string();
+        let (config, _) = read_config(Some(config_path.clone())).expect("Must be successful");
+        assert_eq!(
+            config.image.authenticated_registry_credentials_uri,
+            Some("kbs:///default/auth/1".into())
+        );
+
+        // overrided by env
+        env::set_var(
+            "CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS",
+            "file:///test",
+        );
+        let (config, _) = read_config(Some(config_path.clone())).unwrap();
+        assert_eq!(
+            config.image.authenticated_registry_credentials_uri,
+            Some("file:///test".to_string())
+        );
+        env::remove_var("CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS");
+
+        // no env again
+        let (config, _) = read_config(Some(config_path)).unwrap();
+        assert_eq!(
+            config.image.authenticated_registry_credentials_uri,
+            Some("kbs:///default/auth/1".into())
+        );
+    }
+
+    #[test]
+    #[serial]
+    fn test_config_path() {
+        // --config takes precedence,
+        // then env.CDH_CONFIG_PATH
+
+        let config = CdhConfig::default_with_kernel_cmdline().expect("Must be successful");
+        let expected = CdhConfig {
+            log: LogConfig::default(),
+            kbc: KbsConfig {
+                name: "offline_fs_kbc".into(),
+                url: "".into(),
+                kbs_cert: None,
+            },
+            credentials: Vec::new(),
+            socket: DEFAULT_CDH_SOCKET_ADDR.into(),
+            image: ImageConfig::from_kernel_cmdline(),
+            skip_sealed_secret_verification: false,
+        };
+        assert_eq!(config, expected);
+
+        let config = CdhConfig::from_file("/thing").unwrap_err();
+        let expected = anyhow!("configuration file \"/thing\" not found");
+        assert_eq!(format!("{config}"), format!("{expected}"));
+
+        env::set_var("CDH_CONFIG_PATH", "/byenv");
+        let result = read_config(None).unwrap_err();
+        let expected = anyhow!("failed to read config file /byenv");
+        assert_eq!(format!("{result}"), format!("{expected}"));
+        env::remove_var("CDH_CONFIG_PATH");
+
+        let config = CdhConfig::from_file("/thing").unwrap_err();
+        let expected = anyhow!("configuration file \"/thing\" not found");
+        assert_eq!(format!("{config}"), format!("{expected}"));
+    }
+}

confidential-data-hub/hub/src/bin/grpc-cdh.rs

@@ -3,18 +3,19 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use std::{env, net::SocketAddr};
+use std::net::SocketAddr;
 
 use anyhow::{Context, Result};
 use clap::Parser;
-use confidential_data_hub::{hub::Hub, CdhConfig};
+use confidential_data_hub::hub::Hub;
 use shadow_rs::shadow;
 use tokio::signal::unix::{signal, SignalKind};
-use tracing::info;
+use tracing::{debug, info};
 use tracing_subscriber::{fmt::Subscriber, EnvFilter};
 
 shadow!(build);
 
+mod config;
 mod grpc_server;
 mod message;
 
@@ -32,9 +33,14 @@ struct Cli {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    let cli = Cli::parse();
+
+    let (config, config_log) = config::read_config(cli.config).context("failed to read config")?;
+
     let env_filter = match std::env::var_os("RUST_LOG") {
-        Some(_) => EnvFilter::try_from_default_env().expect("RUST_LOG is present but invalid"),
-        None => EnvFilter::new("info"),
+        Some(_) => EnvFilter::try_from_default_env().context("RUST_LOG is present but invalid")?,
+        None => EnvFilter::try_new(&config.log.level)
+            .context(format!("Invalid log level: {}", config.log.level))?,
     };
 
     let version = format!(
@@ -60,17 +66,11 @@ rpc: grpc
     Subscriber::builder().with_env_filter(env_filter).init();
 
     info!("Welcome to Confidential Containers Confidential Data Hub (gRPC version)!\n\n{version}");
-    let cli = Cli::parse();
-
-    let config = CdhConfig::new(cli.config)?;
+    info!("{config_log}");
+    debug!(config = ?config, "Using config");
 
     let cdh_socket = config.socket.parse::<SocketAddr>()?;
 
-    info!(
-        "[gRPC] Confidential Data Hub starts to listen to request: {}",
-        config.socket
-    );
-
     let cdh = Hub::new(config).await.context("start CDH")?;
 
     let mut interrupt = signal(SignalKind::interrupt())?;

confidential-data-hub/hub/src/bin/ttrpc-cdh.rs

@@ -3,12 +3,11 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use std::{env, path::Path, sync::Arc};
+use std::{path::Path, sync::Arc};
 
 use anyhow::{anyhow, Context, Result};
 use clap::Parser;
-use confidential_data_hub::CdhConfig;
-use tracing::info;
+use tracing::{debug, info};
 
 use protos::ttrpc::cdh::{
     api_ttrpc::{
@@ -28,6 +27,7 @@ use ttrpc_server::Server;
 
 shadow!(build);
 
+mod config;
 mod message;
 mod ttrpc_server;
 
@@ -47,9 +47,14 @@ struct Cli {
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    let cli = Cli::parse();
+
+    let (config, config_log) = config::read_config(cli.config).context("failed to read config")?;
+
     let env_filter = match std::env::var_os("RUST_LOG") {
-        Some(_) => EnvFilter::try_from_default_env().expect("RUST_LOG is present but invalid"),
-        None => EnvFilter::new("info"),
+        Some(_) => EnvFilter::try_from_default_env().context("RUST_LOG is present but invalid")?,
+        None => EnvFilter::try_new(&config.log.level)
+            .context(format!("Invalid log level: {}", config.log.level))?,
     };
 
     let version = format!(
@@ -75,9 +80,8 @@ rpc: ttrpc
     Subscriber::builder().with_env_filter(env_filter).init();
 
     info!("Welcome to Confidential Containers Confidential Data Hub (ttRPC version)!\n\n{version}");
-    let cli = Cli::parse();
-
-    let config = CdhConfig::new(cli.config)?;
+    info!("{config_log}");
+    debug!(config = ?config, "Using config");
 
     let unix_socket_path = config
         .socket