podvm: add scratch-space logic
This adds the configuration for an encrypted scratch space in /dev/sda4
on an mkosi image. If the image has space available, it will create a
"scratch" partition and encrypt it using an ad hoc LUKS key.

An empty `/run/peerpod/mount-scratch` file is being added to the
write-files directive of userdata, if a disk size param has been set. In
this case kata-agent will mount the encrypted scratch space to
`/run/kata-containers` prior to startup.

Signed-off-by: Magnus Kulke <[email protected]>
mkulke committed Dec 17, 2024
1 parent ace8f77 commit 6655aa3
Showing 11 changed files with 10 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@ Release=40

[Content]
CleanPackageMetadata=true
SkeletonTrees=../../resources/binaries-tree
SkeletonTrees=../../mkosi.skeleton-rootfs,../../resources/binaries-tree,
Packages=
kernel
kernel-core
@@ -23,6 +23,7 @@ Packages=
iptables
afterburn
neofetch
e2fsprogs

RemoveFiles=/etc/issue
RemoveFiles=/etc/issue.net
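Review bot: the new SkeletonTrees value ends in a trailing comma (`SkeletonTrees=../../mkosi.skeleton-rootfs,../../resources/binaries-tree,`), which leaves a dangling empty entry in the list; drop it so the line reads `SkeletonTrees=../../mkosi.skeleton-rootfs,../../resources/binaries-tree`. The e2fsprogs addition is consistent with the `Format=ext4` partition definition in this commit, since mkfs.ext4 has to be present in the image for systemd-repart to format the scratch partition at boot.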
@@ -0,0 +1 @@
scratch /dev/disk/by-label/scratch - try-empty-password
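Review bot: this crypttab entry passes `-` as the key file together with `try-empty-password`, so the scratch volume is opened with a zero-length key; that does not match the commit message's "adhoc LUKS key" wording unless the empty key is intended, and it means anyone holding the disk image can unlock the partition. If the scratch space must stay confidential to the pod VM, generate a random key at boot and hand the same key to both systemd-repart (`--key-file=`) and this crypttab entry; if the empty key is by design, say so in the commit message so reviewers do not read "ad hoc key" as a secret one.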
@@ -0,0 +1,2 @@
[Service]
ExecStartPre=sh -c '[[ -f /run/peerpod/mount-scratch ]] && mount /dev/mapper/scratch /run/kata-containers'
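Review bot: the guard makes the service fail whenever the marker file is absent: `[[ -f /run/peerpod/mount-scratch ]] && mount ...` exits 1 when the file does not exist, and a non-zero ExecStartPre aborts startup, so the unit only comes up when a disk size param was set. Either prefix the command with `-` (`ExecStartPre=-sh -c '...'`) or write it as `if [ -f /run/peerpod/mount-scratch ]; then mount /dev/mapper/scratch /run/kata-containers; fi`, which also replaces the bash-only `[[` with POSIX `[` for `sh -c`. The drop-in also declares no ordering against `systemd-cryptsetup@scratch.service`, the unit generated from the `scratch` crypttab line, so `/dev/mapper/scratch` may not exist yet when the mount runs; add a `[Unit]` section with `After=systemd-cryptsetup@scratch.service` (and `Wants=`) for the case where the marker is present.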
@@ -0,0 +1,5 @@
[Partition]
Type=linux-generic
Label=scratch
Encrypt=key-file
Format=ext4
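Review bot: the partition definition sets no `SizeMinBytes=`/`SizeMaxBytes=`, so systemd-repart hands the scratch partition all remaining free space on the disk; that is the behaviour the commit message describes ("if the image has space available"), but it should be stated in a comment in this file so nobody later adds another partition definition behind it. `Encrypt=key-file` with no key file supplied on the repart command line means the volume is set up with an empty key, so keep this definition in sync with whatever key the `scratch` crypttab entry ends up using.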
