confidential-data-hub: Enable Guest components be exposed on sockets #1080
Conversation
This commit introduces a new binary, `guest-services`, which acts as a generic launcher for TTRPC services within the Confidential Data Hub (CDH). This change allows various services (ImagePull, SealedSecrets, etc.) to be run as separate TTRPC servers on individual Unix domain sockets. This design: - Improves service modularity and decoupling. - Enables individual services to be managed and configured independently. - Includes robust server startup logic, such as cleaning up stale sockets, setting permissions, and handling graceful shutdown signals (SIGINT/SIGTERM). The launcher uses `clap` for command-line parsing to easily select and configure the desired service, aligning with a more robust, microservice-oriented architecture. Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
|
A generic question: do you think we should merge this logic into CDH than adding a separate binary? |
Thx Ding. good question anyway. this is also my question with you. I have no strong option to make it a seperate binary or just wrapped in the original binary of cdh. I'd like hear different voices till we reach the same goal. |
|
cc @fitzthum @burgerdev @mkulke Could you please take a look at this PR ? Appreciate it ! |
IMO if we are going to use this to replace CDH in kata rootfs, directly change CDH than adding a new tool would be much beneficial for maintaince. |
|
Yeah the startup process for the CDH and AA is already a bit convoluted. I am wary of adding another component. Hopefully this could be a good chance to simplify things. |
|
What we need for the RFC is the functionality to launch the individual services on individual sockets, but other than that I don't think these need to be backed by different processes. Integrating the functionality into the CDH makes most sense, imho. |
4 participants
confidential-data-hub: Enable Guest components be exposed on sockets
This commit introduces a new binary,
guest-services, which acts as ageneric launcher for TTRPC services within the Confidential Data Hub
(CDH).
This change allows various services (ImagePull, SealedSecrets, etc.) to
be run as separate TTRPC servers on individual Unix domain sockets. This
design:
independently.
sockets, setting permissions, and handling graceful shutdown signals
(SIGINT/SIGTERM).
The launcher uses
clapfor command-line parsing to easily select andconfigure the desired service, aligning with a more robust,
microservice-oriented architecture.
Currently it's still under heavily developed as discussed in this RFC
Signed-off-by: Alex Lyn alex.lyn@antgroup.com