Merge pull request #351 from Dstack-TEE/refactor-sys-config

kvinwang · web-flow · commit ec8e2514ad8f · 2025-09-28T14:51:41.000+08:00
vmm: Refactor sys-config generation code
diff --git a/vmm/src/app.rs b/vmm/src/app.rs
@@ -8,7 +8,7 @@ use anyhow::{bail, Context, Result};
 use bon::Builder;
 use dstack_kms_rpc::kms_client::KmsClient;
 use dstack_types::shared_filenames::{
-    compat_v3, APP_COMPOSE, ENCRYPTED_ENV, INSTANCE_INFO, SYS_CONFIG, USER_CONFIG,
+    APP_COMPOSE, ENCRYPTED_ENV, INSTANCE_INFO, SYS_CONFIG, USER_CONFIG,
 };
 use dstack_vmm_rpc::{self as pb, GpuInfo, StatusRequest, StatusResponse, VmConfiguration};
 use fs_err as fs;
@@ -489,119 +489,9 @@ impl App {
         let shared_dir = self.shared_dir(id);
         let manifest = work_dir.manifest().context("Failed to read manifest")?;
         let cfg = &self.config;
-        let image_path = cfg.image_path.join(&manifest.image);
-        let image = Image::load(image_path).context("Failed to load image info")?;
-        let img_ver = image.info.version_tuple().unwrap_or((0, 0, 0));
-        let kms_urls = if manifest.kms_urls.is_empty() {
-            cfg.cvm.kms_urls.clone()
-        } else {
-            manifest.kms_urls.clone()
-        };
-        let gateway_urls = if manifest.gateway_urls.is_empty() {
-            cfg.cvm.gateway_urls.clone()
-        } else {
-            manifest.gateway_urls.clone()
-        };
-        let sys_config = if img_ver >= (0, 5, 0) {
-            let os_image_hash = hex::decode(image.digest.unwrap_or_default())
-                .context("Failed to decode image digest")?;
-            let gpus = manifest.gpus.unwrap_or_default();
-            let vm_config = serde_json::to_string(&dstack_types::VmConfig {
-                spec_version: 1,
-                os_image_hash,
-                cpu_count: manifest.vcpu,
-                memory_size: manifest.memory as u64 * 1024 * 1024,
-                qemu_single_pass_add_pages: cfg.cvm.qemu_single_pass_add_pages,
-                pic: cfg.cvm.qemu_pic,
-                qemu_version: cfg.cvm.qemu_version.clone(),
-                pci_hole64_size: cfg.cvm.qemu_pci_hole64_size,
-                hugepages: manifest.hugepages,
-                num_gpus: gpus.gpus.len() as u32,
-                num_nvswitches: gpus.bridges.len() as u32,
-                hotplug_off: cfg.cvm.qemu_hotplug_off,
-                image: Some(manifest.image.clone()),
-            })?;
-            json!({
-                "kms_urls": kms_urls,
-                "gateway_urls": gateway_urls,
-                "pccs_url": cfg.cvm.pccs_url,
-                "docker_registry": cfg.cvm.docker_registry,
-                "host_api_url": format!("vsock://2:{}/api", cfg.host_api.port),
-                "vm_config": vm_config,
-            })
-        } else if img_ver >= (0, 4, 2) {
-            json!({
-                "kms_urls": kms_urls,
-                "gateway_urls": gateway_urls,
-                "pccs_url": cfg.cvm.pccs_url,
-                "docker_registry": cfg.cvm.docker_registry,
-                "host_api_url": format!("vsock://2:{}/api", cfg.host_api.port),
-            })
-        } else if img_ver >= (0, 4, 0) {
-            let rootfs_hash = image
-                .info
-                .rootfs_hash
-                .as_ref()
-                .context("Rootfs hash not found in image info")?;
-            json!({
-                "rootfs_hash": rootfs_hash,
-                "kms_urls": kms_urls,
-                "tproxy_urls": gateway_urls,
-                "pccs_url": cfg.cvm.pccs_url,
-                "docker_registry": cfg.cvm.docker_registry,
-                "host_api_url": format!("vsock://2:{}/api", cfg.host_api.port),
-            })
-        } else {
-            let rootfs_hash = image
-                .info
-                .rootfs_hash
-                .as_ref()
-                .context("Rootfs hash not found in image info")?;
-            json!({
-                "rootfs_hash": rootfs_hash,
-                "kms_url": kms_urls.first(),
-                "tproxy_url": gateway_urls.first(),
-                "pccs_url": cfg.cvm.pccs_url,
-                "docker_registry": cfg.cvm.docker_registry,
-                "host_api_url": format!("vsock://2:{}/api", cfg.host_api.port),
-            })
-        };
-        let sys_config_str =
-            serde_json::to_string(&sys_config).context("Failed to serialize vm config")?;
-        let config_file = if img_ver >= (0, 4, 0) {
-            SYS_CONFIG
-        } else {
-            compat_v3::SYS_CONFIG
-        };
-        fs::write(shared_dir.join(config_file), sys_config_str)
+        let sys_config_str = make_sys_config(cfg, &manifest)?;
+        fs::write(shared_dir.join(SYS_CONFIG), sys_config_str)
             .context("Failed to write vm config")?;
-        if img_ver < (0, 4, 0) {
-            // Sync .encrypted-env to encrypted-env
-            let compat_encrypted_env_path = shared_dir.join(compat_v3::ENCRYPTED_ENV);
-            let encrypted_env_path = shared_dir.join(ENCRYPTED_ENV);
-            if compat_encrypted_env_path.exists() {
-                fs::remove_file(&compat_encrypted_env_path)?;
-            }
-            if encrypted_env_path.exists() {
-                fs::copy(&encrypted_env_path, &compat_encrypted_env_path)?;
-            }
-
-            // Sync certs
-            let certs_dir = shared_dir.join("certs");
-            fs::create_dir_all(&certs_dir).context("Failed to create certs directory")?;
-            if cfg.cvm.ca_cert.is_empty()
-                || cfg.cvm.tmp_ca_cert.is_empty()
-                || cfg.cvm.tmp_ca_key.is_empty()
-            {
-                bail!("Certificates are required for older images");
-            }
-            fs::copy(&cfg.cvm.ca_cert, certs_dir.join("ca.cert"))
-                .context("Failed to copy ca cert")?;
-            fs::copy(&cfg.cvm.tmp_ca_cert, certs_dir.join("tmp-ca.cert"))
-                .context("Failed to copy tmp ca cert")?;
-            fs::copy(&cfg.cvm.tmp_ca_key, certs_dir.join("tmp-ca.key"))
-                .context("Failed to copy tmp ca key")?;
-        }
         Ok(())
     }
 
@@ -676,6 +566,61 @@ impl App {
     }
 }
 
+pub(crate) fn make_sys_config(cfg: &Config, manifest: &Manifest) -> Result<String> {
+    let image_path = cfg.image_path.join(&manifest.image);
+    let image = Image::load(image_path).context("Failed to load image info")?;
+    let img_ver = image.info.version_tuple().unwrap_or((0, 0, 0));
+    let kms_urls = if manifest.kms_urls.is_empty() {
+        cfg.cvm.kms_urls.clone()
+    } else {
+        manifest.kms_urls.clone()
+    };
+    let gateway_urls = if manifest.gateway_urls.is_empty() {
+        cfg.cvm.gateway_urls.clone()
+    } else {
+        manifest.gateway_urls.clone()
+    };
+    if img_ver < (0, 5, 0) {
+        bail!("Unsupported image version: {img_ver:?}");
+    }
+
+    let sys_config = json!({
+        "kms_urls": kms_urls,
+        "gateway_urls": gateway_urls,
+        "pccs_url": cfg.cvm.pccs_url,
+        "docker_registry": cfg.cvm.docker_registry,
+        "host_api_url": format!("vsock://2:{}/api", cfg.host_api.port),
+        "vm_config": serde_json::to_string(&make_vm_config(cfg, manifest, &image))?,
+    });
+    let sys_config_str =
+        serde_json::to_string(&sys_config).context("Failed to serialize vm config")?;
+    Ok(sys_config_str)
+}
+
+fn make_vm_config(cfg: &Config, manifest: &Manifest, image: &Image) -> dstack_types::VmConfig {
+    let os_image_hash = image
+        .digest
+        .as_ref()
+        .and_then(|d| hex::decode(d).ok())
+        .unwrap_or_default();
+    let gpus = manifest.gpus.clone().unwrap_or_default();
+    dstack_types::VmConfig {
+        spec_version: 1,
+        os_image_hash,
+        cpu_count: manifest.vcpu,
+        memory_size: manifest.memory as u64 * 1024 * 1024,
+        qemu_single_pass_add_pages: cfg.cvm.qemu_single_pass_add_pages,
+        pic: cfg.cvm.qemu_pic,
+        qemu_version: cfg.cvm.qemu_version.clone(),
+        pci_hole64_size: cfg.cvm.qemu_pci_hole64_size,
+        hugepages: manifest.hugepages,
+        num_gpus: gpus.gpus.len() as u32,
+        num_nvswitches: gpus.bridges.len() as u32,
+        hotplug_off: cfg.cvm.qemu_hotplug_off,
+        image: Some(manifest.image.clone()),
+    }
+}
+
 fn paginate<T>(items: Vec<T>, page: u32, page_size: u32) -> impl Iterator<Item = T> {
     let skip;
     let take;
diff --git a/vmm/src/config.rs b/vmm/src/config.rs
@@ -170,16 +170,6 @@ pub struct CvmConfig {
     /// Use sudo to run the VM
     pub user: String,
 
-    /// The CA certificate
-    #[serde(default)]
-    pub ca_cert: String,
-    /// The tmp CA certificate
-    #[serde(default)]
-    pub tmp_ca_cert: String,
-    /// The tmp CA key
-    #[serde(default)]
-    pub tmp_ca_key: String,
-
     /// Auto restart configuration
     pub auto_restart: AutoRestartConfig,
 
diff --git a/vmm/src/one_shot.rs b/vmm/src/one_shot.rs
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::app::{Image, VmConfig, VmWorkDir};
+use crate::app::{make_sys_config, Image, VmConfig, VmWorkDir};
 use crate::config::Config;
 use crate::main_service;
 use anyhow::{Context, Result};
@@ -235,44 +235,9 @@ Compose file content (first 200 chars):
 
     // 2. Create .sys-config.json (critical for 0.5.x VMs)
     // Use manifest URLs if available, fallback to config URLs (matching VMM's sync_dynamic_config logic)
-    let kms_urls = if manifest.kms_urls.is_empty() {
-        config.cvm.kms_urls.clone()
-    } else {
-        manifest.kms_urls.clone()
-    };
-    let gateway_urls = if manifest.gateway_urls.is_empty() {
-        config.cvm.gateway_urls.clone()
-    } else {
-        manifest.gateway_urls.clone()
-    };
-
-    let sys_config = serde_json::json!({
-        "kms_urls": kms_urls,
-        "gateway_urls": gateway_urls,
-        "pccs_url": config.cvm.pccs_url,
-        "docker_registry": config.cvm.docker_registry,
-        "host_api_url": format!("vsock://2:{}/api", config.host_api.port),
-        "vm_config": serde_json::to_string(&dstack_types::VmConfig {
-            spec_version: 1,
-            os_image_hash: image.digest.as_ref()
-                .and_then(|d| hex::decode(d).ok())
-                .unwrap_or_default(),
-            cpu_count: manifest.vcpu,
-            memory_size: manifest.memory as u64 * 1024 * 1024,
-            qemu_single_pass_add_pages: config.cvm.qemu_single_pass_add_pages,
-            pic: config.cvm.qemu_pic,
-            qemu_version: config.cvm.qemu_version.clone(),
-            pci_hole64_size: config.cvm.qemu_pci_hole64_size,
-            hugepages: manifest.hugepages,
-            num_gpus: manifest.gpus.as_ref().map_or(0, |g| g.gpus.len() as u32),
-            num_nvswitches: manifest.gpus.as_ref().map_or(0, |g| g.bridges.len() as u32),
-            hotplug_off: config.cvm.qemu_hotplug_off,
-            image: Some(manifest.image.clone()),
-        })?
-    });
+    let sys_config_str = make_sys_config(&config, &manifest)?;
     let sys_config_path = vm_work_dir.shared_dir().join(".sys-config.json");
-    fs_err::write(&sys_config_path, serde_json::to_string(&sys_config)?)
-        .context("Failed to write sys config")?;
+    fs_err::write(&sys_config_path, sys_config_str).context("Failed to write sys config")?;
 
     // Create vm-state.json with initial state
     vm_work_dir
