How to start attestation agent when deploying a confidential container

[Toyken-P]

Hello, I'm trying to deploy kata with remote attestation, but the documentation only describes how to start the attestation agent from the command line. Can the attestation agent be started from the configuration file?

[Xynnn007]

Yes we can. AA can be launched via -c arg with a config file like https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attestation-agent/config.example.toml

[Toyken-P]

Sorry for not being clear about our needs.
Currently, when I run kata, the attestation agent is not started at the same time.
I want the attestation agent to be started at the same time when I start the kata container with the following command:
ctr run --runtime "io.containerd.kata.v2" --rm -t "docker.io/library/busybox:latest" test-kata sh
What am I supposed to do?

[fitzthum]

I'm a little unclear about your situation. If you are using confidential containers, the attestation agent should be started automatically inside the guest and an attestation should be carried out the first time that your workload requires a secret.