Add launch policy for cmd and env vars #195
Conversation
jkl73
force-pushed
the
launchpolicy
branch
2 times, most recently
from
0f599c2 to
f2b6847
Compare
jkl73
force-pushed
the
launchpolicy
branch
3 times, most recently
from
fc7a3e4 to
11da8cc
Compare
jkl73
changed the title
| @@ -6,7 +6,8 @@ After=network-online.target gcr-online.target containerd.service | |||
| [Service] | |||
| ExecStart=/var/lib/google/cc_container_launcher --addr=${ATTEST_ENDPOINT} | |||
| # Shutdown the host after the launcher exits | |||
| ExecStopPost=systemctl poweroff | |||
| ExecStopPost=/bin/sleep 60 | |||
There was a problem hiding this comment.
I tried looking through the documentation (https://www.freedesktop.org/software/systemd/man/systemd.service.html) but couldn't find anything about ordering. Does systemd guarantee execution in order or declaration?
There was a problem hiding this comment.
Good point, I can't find documentation either. From my testing, it is in order. I think this fine for now, later we should create an exit script.
| @@ -345,10 +345,8 @@ func (r *ContainerRunner) Run(ctx context.Context) error { | |||
| return fmt.Errorf("failed to fetch and write OIDC token: %v", err) | |||
| } | |||
|
|
|||
| loggerAndStdout := io.MultiWriter(os.Stdout, r.logger.Writer()) | |||
| loggerAndStderr := io.MultiWriter(os.Stderr, r.logger.Writer()) | |||
There was a problem hiding this comment.
do we no longer want the ability to distinguish b/w stdout/err?
There was a problem hiding this comment.
I moved this step to the beginning, so all log generated by the launcher will have these two destination, better debug.
| } | ||
|
|
||
| if v, ok := imageLabels[cmdOverride]; ok { | ||
| if launchPolicy.AllowedCmdOverride, err = strconv.ParseBool(v); err != nil { |
There was a problem hiding this comment.
because ParseBool (https://pkg.go.dev/strconv#ParseBool) accepts so many different bool-like values, we should clearly document that this is the current interface. Alternatively, we can consider only allowing a string "true" and a string "false" and maybe different capitalizations
There was a problem hiding this comment.
I agree we should emphasis this in the codelab/doc for image authors, recommend using (true/false), but other value are also accept but may not work later.
I just don't want/too lazy to implement our own logic for checking bool val...
Signed-off-by: Jiankun Lu <jiankun@google.com>
Launcher logger will be published to stdout and Cloud Logging Signed-off-by: Jiankun Lu <jiankun@google.com>
Signed-off-by: Jiankun Lu <jiankun@google.com>
Add the launch policy implementation for env vars and cmd
Update logger so it output everything from launcher to stdout and cloud logging (for better debug)
Update service file so it will sleep for 60 seconds before shutting down the machine.
Update cloudbuild.yaml with the new image name.