I'm trying to create a pod with CoCo 0.2.0 on an AMD SEV machine with simple_kbs and offline_sev_kbs. The image was encrypted with skopeo + attestation_agent, and actually image-rs fails to decrypt it:
```
$ kubectl describe pod/coco-fedora-6f8c58859c-5g5cd
Name:         coco-fedora-6f8c58859c-5g5cd
Namespace:    default
Priority:     0
Node:         virtlab1012/10.8.0.194
Start Time:   Wed, 14 Dec 2022 14:02:08 -0500
Labels:       app=coco-fedora
              pod-template-hash=6f8c58859c
Annotations:  <none>
Status:       Pending
IP:           10.244.0.212
IPs:
  IP:           10.244.0.212
Controlled By:  ReplicaSet/coco-fedora-6f8c58859c
Containers:
  coco-fedora:
    Container ID:
    Image:          docker.io/wainersm/coco-fedora_sshd-encrypted:latest
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qff86 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-qff86:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              node-role.kubernetes.io/worker=
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  24s                default-scheduler  Successfully assigned default/coco-fedora-6f8c58859c-5g5cd to virtlab1012
  Normal   BackOff    21s                kubelet            Back-off pulling image "docker.io/wainersm/coco-fedora_sshd-encrypted:latest"
  Warning  Failed     21s                kubelet            Error: ImagePullBackOff
  Normal   Pulling    10s (x2 over 22s)  kubelet            Pulling image "docker.io/wainersm/coco-fedora_sshd-encrypted:latest"
  Warning  Failed     10s (x2 over 21s)  kubelet            Failed to pull image "docker.io/wainersm/coco-fedora_sshd-encrypted:latest": rpc error: code = Internal desc = decrypt failed!
  Warning  Failed     10s (x2 over 21s)  kubelet            Error: ErrImagePull
```
As you can see in the log above, the only message regarding the error is `rpc error: code = Internal desc = decrypt failed!`, which doesn't tell much. I turned on all the debug flags on Kata Containers but I couldn't obtain more information. Therefore, I am opening this issue as a request for enhancement, to improve the log message so that it contains hints about the cause of the error.
The message was raised in https://github.com/confidential-containers/image-rs/blob/main/src/decrypt.rs#L90. Perhaps we could combine it with the error returned by ocicrypt_rs::encryption::decrypt_layer.
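The suggestion above, sketched as an added example that is not image-rs or ocicrypt-rs code: a fixed "decrypt failed!" string beside a wrapper that keeps the underlying error as its `source()` and flattens the chain into the one-line message an RPC status can carry. `KeyProviderError`, `DecryptError`, `decrypt_layer_stub`, the layer placeholder and the failure text are hypothetical stand-ins constructed for illustration.

```rust
use std::{error::Error, fmt};
// Hypothetical stand-in for the error a layer-decryption library returns.
#[derive(Debug)]
struct KeyProviderError(String);
impl fmt::Display for KeyProviderError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "key provider: {}", self.0)
    }
}
impl Error for KeyProviderError {}
// Hypothetical wrapper: names the failing step and keeps the cause as source().
#[derive(Debug)]
struct DecryptError { layer: String, cause: Box<dyn Error> }
impl fmt::Display for DecryptError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "decrypt failed for layer {}", self.layer)
    }
}
impl Error for DecryptError {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&*self.cause) }
}

// Stub for the library call; the failure text is a constructed sample.
fn decrypt_layer_stub(key_available: bool) -> Result<Vec<u8>, KeyProviderError> {
    if key_available { return Ok(b"layer bytes".to_vec()); }
    Err(KeyProviderError("no key returned by KBS (constructed sample)".into()))
}
// Before: the cause is discarded, only the fixed string survives.
fn pull_opaque(key_available: bool) -> Result<Vec<u8>, String> {
    decrypt_layer_stub(key_available).map_err(|_| "decrypt failed!".to_string())
}
// After: the cause travels with the error.
fn pull_with_cause(key_available: bool, layer: &str) -> Result<Vec<u8>, DecryptError> {
    decrypt_layer_stub(key_available)
        .map_err(|e| DecryptError { layer: layer.into(), cause: Box::new(e) })
}
// Flatten the source() chain into the one-line string an RPC status carries.
fn render_chain(err: &dyn Error) -> String {
    let (mut out, mut cur) = (err.to_string(), err.source());
    while let Some(e) = cur {
        out.push_str(&format!(": {}", e));
        cur = e.source();
    }
    out
}
fn main() {
    println!("before: {}", pull_opaque(false).unwrap_err());
    println!("after:  {}", render_chain(&pull_with_cause(false, "sha256:<placeholder>").unwrap_err()));
}
```

In a confidential-containers deployment the rendered string leaves the guest and is shown by the kubelet on the host, so each cause in the chain should name the step that failed and never include key material or decrypted bytes.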