From 4de67838e96c85741dbd02041adeab946b2cfb93 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 27 Sep 2024 12:35:59 +0200 Subject: [PATCH] podvm: use ORAS to pull cdh and asr and aa The artifacts are now retrieved from guest-components' ORAS registry, so the Rust build infrastructure is no longer needed. It has not been fully removed in this change; that will be done in a follow-up PR (otherwise the e2e test suite, which runs on main, would fail). There are some notable changes: - guest-components exposes a TEE_PLATFORM param on its top-level build script, which we use to pull the correct artifact. Since we no longer build attestation-agent directly, the ATTESTER param has been removed from the project's build scripts. - in versions.yaml kata and guest-components have been moved from the "git" section to the "oci" section; since the tag is dynamic, we also provide a "reference" field in those entries. - bumped guest-components to a commit that is available as an artifact in OCI 
Signed-off-by: Magnus Kulke --- .github/workflows/azure-e2e-test.yml | 3 - .github/workflows/azure-podvm-image-build.yml | 2 +- .github/workflows/e2e_libvirt.yaml | 6 +- docs/Release-Process.md | 2 +- src/cloud-api-adaptor/Makefile | 4 +- src/cloud-api-adaptor/Makefile.defaults | 13 ++-- src/cloud-api-adaptor/azure/build-image.md | 3 +- .../hack/verify-provenance.sh | 12 ++-- .../ibmcloud-powervs/image/prereq.sh | 5 -- src/cloud-api-adaptor/podvm-mkosi/Makefile | 5 +- src/cloud-api-adaptor/podvm-mkosi/README.md | 2 +- .../podvm/Dockerfile.podvm_binaries | 4 +- .../podvm/Dockerfile.podvm_binaries.fedora | 4 +- .../podvm/Dockerfile.podvm_binaries.rhel | 4 +- .../podvm/Dockerfile.podvm_builder | 8 +-- .../podvm/Dockerfile.podvm_builder.fedora | 6 +- .../podvm/Dockerfile.podvm_builder.rhel | 6 +- src/cloud-api-adaptor/podvm/Makefile | 3 - src/cloud-api-adaptor/podvm/Makefile.inc | 61 ++++++++----------- src/cloud-api-adaptor/podvm/README.md | 6 +- src/cloud-api-adaptor/versions.yaml | 17 +++--- 21 files changed, 71 insertions(+), 105 deletions(-) diff --git a/.github/workflows/azure-e2e-test.yml b/.github/workflows/azure-e2e-test.yml index 88d0b8383..bf3b7fd9d 100644 --- a/.github/workflows/azure-e2e-test.yml +++ b/.github/workflows/azure-e2e-test.yml @@ -232,9 +232,6 @@ jobs: SUBNET_ID="$(az network vnet subnet show -g "$NODE_RG" --vnet-name "$VNET_NAME" -n peerpod --query id -o tsv)" echo "AZURE_SUBNET_ID=\"${SUBNET_ID}\"" >> "$TEST_PROVISION_FILE" - - name: Extract kbs reference - run: echo "KBS_VERSION=$(yq -e '.git.kbs.reference' versions.yaml)" >> "$GITHUB_ENV" - - name: Checkout KBS Repository run: | test/utils/checkout_kbs.sh diff --git a/.github/workflows/azure-podvm-image-build.yml b/.github/workflows/azure-podvm-image-build.yml index 619db4606..7c3e2cced 100644 --- a/.github/workflows/azure-podvm-image-build.yml +++ b/.github/workflows/azure-podvm-image-build.yml 
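Review bot: Removing the "Extract kbs reference" step leaves `KBS_VERSION` unset for the following `test/utils/checkout_kbs.sh` step, while `e2e_libvirt.yaml` in this same patch keeps exporting `KBS_VERSION` into `$GITHUB_ENV` before its KBS checkout. If the script reads that variable from the environment, the Azure job will now check out whatever default the script falls back to, and versions.yaml still carries `git.kbs.reference`, so the removal does not follow from the move to OCI artifacts. Either keep the step, `run: echo "KBS_VERSION=$(yq -e '.git.kbs.reference' versions.yaml)" >> "$GITHUB_ENV"`, or note in the workflow why the Azure job no longer needs it; I cannot see `checkout_kbs.sh` here to confirm which.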
@@ -63,7 +63,7 @@ jobs: - name: Build binaries run: | make fedora-binaries-builder - ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" make binaries + TEE_PLATFORM=az-cvm-vtpm make binaries - name: Build image run: make image diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml index 2f0e7e96d..9069ad1fa 100644 --- a/.github/workflows/e2e_libvirt.yaml +++ b/.github/workflows/e2e_libvirt.yaml @@ -53,10 +53,10 @@ jobs: sudo snap install yq echo "KBS_REPO=$(yq -e '.git.kbs.url' versions.yaml)" >> "$GITHUB_ENV" echo "KBS_VERSION=$(yq -e '.git.kbs.reference' versions.yaml)" >> "$GITHUB_ENV" - echo "RUST_VERSION=$(yq -e '.tools.rust' versions.yaml)" >> "$GITHUB_ENV" go_version="$(yq '.tools.golang' versions.yaml)" [ -n "$go_version" ] echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV" + echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV" - name: Setup Golang version ${{ env.GO_VERSION }} uses: actions/setup-go@v5 @@ -96,6 +96,10 @@ jobs: override: true profile: minimal + - uses: oras-project/setup-oras@v1 + with: + version: ${{ env.ORAS_VERSION }} + - name: Install gh cli run: | sudo apt install -y gh diff --git a/docs/Release-Process.md b/docs/Release-Process.md index dd19d0365..4e795bbea 100644 --- a/docs/Release-Process.md +++ b/docs/Release-Process.md 
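Review bot: `uses: oras-project/setup-oras@v1` pins the action to a floating major tag, so the `oras` binary that later pulls the kata-agent and attestation components into the pod VM image is whatever commit `v1` points to at run time. The neighbouring `actions/setup-go@v5` follows the same convention, but for a third-party action sitting directly in the artifact supply-chain path I would pin the full commit SHA and keep the tag as a comment, `uses: oras-project/setup-oras@<commit-sha> # v1`. The `ORAS_VERSION` extraction with `yq -e` in the first hunk is good, since a missing key fails the job instead of silently installing a default version.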
@@ -17,7 +17,7 @@ version is picked) and [trustee releases](https://github.com/confidential-contai `externals.coco-guest-components.version`, `externals.coco-trustee` and the `image-rs` crate in the agent's [`Cargo.toml`](https://github.com/kata-containers/kata-containers/blob/main/src/agent/Cargo.toml). - At this point it makes sense for us to stay in sync, by updating the guest-components and kbs that we use in peer pods, - by changing the `git.guest-components.reference` and `git.kbs.tag` values in [versions.yaml](../src/cloud-api-adaptor/versions.yaml). + by changing the `oci.guest-components.reference`, `oci.kbs.tag` and `oci.kbs-client.reference` values in [versions.yaml](../src/cloud-api-adaptor/versions.yaml). We should also bump the kata agent to the latest commit hash in our [version.yaml](../src/cloud-api-adaptor/versions.yaml) for testing. 1. Kata Containers [releases](https://github.com/kata-containers/kata-containers/releases) diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile index e5eb976ce..57c4bd2ea 100644 --- a/src/cloud-api-adaptor/Makefile +++ b/src/cloud-api-adaptor/Makefile @@ -18,7 +18,6 @@ BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data SOURCEDIRS := ./cmd ./pkg PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS))) SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print) -ATTESTER ?= none # End-to-end tests overall run timeout. TEST_E2E_TIMEOUT ?= 60m # To run a sub-set of tests, set an unanchored regex matching the test's name as in go's test -run option. @@ -182,7 +181,6 @@ podvm-builder: --build-arg ACTIVATION_KEY=$(ACTIVATION_KEY) \ --build-arg ARCH=$(ARCH) \ --build-arg PROTOC_VERSION=$(PROTOC_VERSION) \ - --build-arg RUST_VERSION=$(RUST_VERSION) \ --build-arg YQ_VERSION=$(YQ_VERSION) \ --build-arg YQ_CHECKSUM=${YQ_CHECKSUM_$(ARCH)} \ --build-arg YQ_ARCH=$(ARCH) \ 
@@ -197,7 +195,7 @@ podvm-binaries: --build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \ --build-arg PODVM_DISTRO=$(PODVM_DISTRO) \ --build-arg ARCH=$(ARCH) \ - --build-arg ATTESTER=$(ATTESTER) \ + --build-arg TEE_PLATFORM=$(TEE_PLATFORM) \ --build-arg PAUSE_REPO=$(PAUSE_REPO) \ --build-arg PAUSE_VERSION=$(PAUSE_VERSION) \ --build-arg PAUSE_BIN=$(PAUSE_BIN) \ diff --git a/src/cloud-api-adaptor/Makefile.defaults b/src/cloud-api-adaptor/Makefile.defaults index 5ea0fc02c..a740c7aa6 100644 --- a/src/cloud-api-adaptor/Makefile.defaults +++ b/src/cloud-api-adaptor/Makefile.defaults @@ -7,7 +7,9 @@ PAUSE_BIN ?= pause # stored in versions.yaml YQ_VERSION := v4.35.1 YQ_CHECKSUM := "sha256:bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08" -YQ_CHECKSUM_s390x:= "sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" +YQ_CHECKSUM_s390x := "sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" +# none,az-cvm-vtpm,tdx,se,cca +TEE_PLATFORM ?= none VERSIONS_HASH := $(firstword $(shell sha256sum $(VERSIONS_SRC))) 
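Review bot: `TEE_PLATFORM ?= none` accepts any string and the permitted set lives only in the comment above it (`# none,az-cvm-vtpm,tdx,se,cca`), while the mkosi README in this same patch shows `TEE_PLATFORM=se-attester`, which is not in that list. With the new pull-by-tag scheme a wrong value turns into a non-existent `attestation-agent:<ref>-<value>_<arch>` tag and a late, opaque `oras` error rather than an early diagnostic. I would validate at parse time right after the default: `TEE_PLATFORMS := none az-cvm-vtpm tdx se cca` and `$(if $(filter $(TEE_PLATFORM),$(TEE_PLATFORMS)),,$(error TEE_PLATFORM must be one of: $(TEE_PLATFORMS)))`, which also makes the comment redundant.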
@@ -30,18 +32,17 @@ rhel_s390x_IMAGE_CHECKSUM := $(call query,cloudimg.rhel.$(rhel_RELEASE).s390x.ch COCO_OPERATOR_REF := $(or $(COCO_OPERATOR_REF),$(call query,git.coco-operator.reference)) COCO_OPERATOR_REPO := $(or $(COCO_OPERATOR_REPO),$(call query,git.coco-operator.url)) -KATA_SRC := $(or $(KATA_SRC),$(call query,git.kata-containers.url)) -KATA_SRC_REF := $(or $(KATA_SRC_REF),$(call query,git.kata-containers.reference)) +KATA_REGISTRY := $(or $(KATA_REGISTRY), $(call query,oci.kata-containers.registry)) +KATA_REF := $(or $(KATA_REF), $(call query,oci.kata-containers.reference)) GO_VERSION := $(or $(GO_VERSION),$(call query,tools.golang)) PROTOC_VERSION := $(or $(PROTOC_VERSION),$(call query,tools.protoc)) -RUST_VERSION := $(or $(RUST_VERSION),$(call query,tools.rust)) ORAS_VERSION := $(or $(ORAS_VERSION),$(call query,tools.oras)) SKOPEO_REPO := $(or $(SKOPEO_REPO),$(call query,git.skopeo.url)) SKOPEO_VERSION := $(or $(SKOPEO_VERSION),$(call query,git.skopeo.reference)) UMOCI_REPO := $(or $(UMOCI_REPO),$(call query,git.umoci.url)) UMOCI_VERSION := $(or $(UMOCI_VERSION),$(call query,git.umoci.reference)) -GUEST_COMPONENTS_REPO := $(or $(GUEST_COMPONENTS_REPO),$(call query,git.guest-components.url)) -GUEST_COMPONENTS_VERSION := $(or $(GUEST_COMPONENTS_VERSION),$(call query,git.guest-components.reference)) +GUEST_COMPONENTS_REGISTRY := $(or $(GUEST_COMPONENTS_REGISTRY), $(call query,oci.guest-components.registry)) +GUEST_COMPONENTS_REF := $(or $(GUEST_COMPONENTS_REF),$(call query,oci.guest-components.reference)) PAUSE_REPO := $(or $(PAUSE_REPO),$(call query,oci.pause.registry)) PAUSE_VERSION := $(or $(PAUSE_VERSION),$(call query,oci.pause.tag)) PACKER_VERSION := $(or $(PACKER_VERSION),$(call query,tools.packer)) diff --git a/src/cloud-api-adaptor/azure/build-image.md b/src/cloud-api-adaptor/azure/build-image.md index ed1b975af..2139206f6 100644 --- a/src/cloud-api-adaptor/azure/build-image.md +++ b/src/cloud-api-adaptor/azure/build-image.md 
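Review bot: `KATA_REGISTRY := $(or $(KATA_REGISTRY), $(call query,oci.kata-containers.registry))`, `KATA_REF` and `GUEST_COMPONENTS_REGISTRY` have a space after the comma that the sibling `GUEST_COMPONENTS_REF` line and every pre-existing assignment in this hunk omit. GNU make does not strip leading whitespace from arguments after the first, so I believe the value ends up as ` ghcr.io/...`; that is harmless in the unquoted `oras pull $(KATA_REGISTRY)/agent:...` recipe, but would break the moment the variable is quoted or compared. Drop the spaces, e.g. `KATA_REGISTRY := $(or $(KATA_REGISTRY),$(call query,oci.kata-containers.registry))`, to keep the block uniform.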
@@ -92,7 +92,6 @@ sudo apt install \ - Install `yq` by following instructions [here](https://mikefarah.gitbook.io/yq/#install). - Install Golang by following instructions [here](https://go.dev/doc/install). -- Install Rust (`cargo`) by following instructions [here](https://www.rust-lang.org/tools/install). - Install packer by following [these instructions](https://learn.hashicorp.com/tutorials/packer/get-started-install-cli). **Build** @@ -110,7 +109,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1" export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy export PKR_VAR_sku=22_04-lts-cvm -export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" +export TEE_PLATFORM="az-cvm-vtpm" export LIBC=gnu export CLOUD_PROVIDER=azure PODVM_DISTRO=ubuntu make image diff --git a/src/cloud-api-adaptor/hack/verify-provenance.sh b/src/cloud-api-adaptor/hack/verify-provenance.sh index 0675ee8d6..fd30cd4a9 100755 --- a/src/cloud-api-adaptor/hack/verify-provenance.sh +++ b/src/cloud-api-adaptor/hack/verify-provenance.sh @@ -18,12 +18,12 @@ set -euo pipefail usage() { - echo "Usage: $0 " - echo " -a " - echo " -d " - echo " -r " - echo " [-g] (optional. fetch attestation using github api)" - exit 1 + echo "Usage: $0 " + echo " -a " + echo " -d " + echo " -r " + echo " [-g] (optional. fetch attestation using github api)" + exit 1 } oci_artifact="" diff --git a/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh b/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh index d74686ba5..bef68e4a4 100755 --- a/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh +++ b/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh @@ -2,7 +2,6 @@ # FIXME to pickup these values from versions.yaml GO_VERSION="1.22.7" -RUST_VERSION="1.75.0" # Install dependencies yum install -y curl libseccomp-devel openssl openssl-devel skopeo clang clang-devel 
@@ -17,7 +16,3 @@ yum install -y device-mapper-devel-1.02.197-2.el9.ppc64le.rpm curl https://dl.google.com/go/go${GO_VERSION}.linux-ppc64le.tar.gz -o go${GO_VERSION}.linux-ppc64le.tar.gz && \ rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_VERSION}.linux-ppc64le.tar.gz && \ rm -f go${GO_VERSION}.linux-ppc64le.tar.gz - -# Install Rust -curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_VERSION} -rustup target add powerpc64le-unknown-linux-gnu diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile index a246441f3..48a8e0624 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/Makefile +++ b/src/cloud-api-adaptor/podvm-mkosi/Makefile @@ -1,6 +1,5 @@ include ../Makefile.defaults -ATTESTER ?= none ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) BUILDER = fedora-binaries-builder-$(ARCH) SE_BOOT ?= false @@ -34,7 +33,6 @@ fedora-binaries-builder: --build-arg GO_VERSION=$(GO_VERSION) \ --build-arg ARCH=$(ARCH) \ --build-arg PROTOC_VERSION=$(PROTOC_VERSION) \ - --build-arg RUST_VERSION=$(RUST_VERSION) \ --build-arg YQ_VERSION=$(YQ_VERSION) \ --build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \ --build-arg YQ_ARCH=$(ARCH) \ @@ -51,8 +49,9 @@ ifeq ($(IS_DEBIAN),true) docker buildx use default endif docker buildx build \ + --progress=plain \ --build-arg BUILDER_IMG=$(BUILDER) \ - --build-arg ATTESTER=$(ATTESTER) \ + --build-arg TEE_PLATFORM=$(TEE_PLATFORM) \ --build-arg PAUSE_REPO=$(PAUSE_REPO) \ --build-arg PAUSE_VERSION=$(PAUSE_VERSION) \ --build-arg PAUSE_BIN=$(PAUSE_BIN) \ diff --git a/src/cloud-api-adaptor/podvm-mkosi/README.md b/src/cloud-api-adaptor/podvm-mkosi/README.md index 99bb26846..248e19e40 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/README.md +++ b/src/cloud-api-adaptor/podvm-mkosi/README.md 
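Review bot: The added `--progress=plain` in the `docker buildx build` invocation is unrelated to the ORAS migration and is not mentioned in the commit message; it forces verbose, non-interactive build output for every local build, which is useful in CI but noisy on a developer machine and would print any future `--build-arg` values in full. I would make it an opt-in knob alongside the other variables at the top of this Makefile, `BUILDX_PROGRESS ?= auto`, and pass `--progress=$(BUILDX_PROGRESS)`, with CI setting it to `plain`. The rest of the hunk (the `TEE_PLATFORM` build-arg) is consistent with the Makefile.defaults change.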
@@ -93,7 +93,7 @@ Another issue is s390x does not support UEFI. Instead, we can first use **mkosi* It requires a **s390x host** to build s390x image with make commands: ``` make fedora-binaries-builder -ATTESTER=se-attester make binaries +TEE_PLATFORM=se-attester make binaries make image # SE_BOOT=true make image # make image-debug diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries index 32f46545d..c8f601321 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries @@ -14,7 +14,7 @@ ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO # By default AA will be built with the `all-attesters` feature, # which doesn't compile ootb on ubuntu. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -33,7 +33,7 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER} ENV PODVM_DISTRO=${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION=${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO=${GUEST_COMPONENTS_REPO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora index 3da7fe08f..567770eb1 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora @@ -14,7 +14,7 @@ ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO # By default AA will be built with the `all-attesters` feature, # which doesn't compile on fedora. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under 
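Review bot: The comment above `ARG TEE_PLATFORM=none` still reads `# By default AA will be built with the all-attesters feature, which doesn't compile ootb on ubuntu.`, but after this change the attestation agent is no longer compiled here at all; the argument now selects which prebuilt guest-components artifact `oras` pulls. I would replace it with `# Selects the prebuilt attestation-agent artifact to pull (tag suffix <TEE_PLATFORM>_<arch>); see TEE_PLATFORM in Makefile.defaults.` The same stale comment is carried into the fedora and rhel variants in the following hunks. The surrounding `ARG GUEST_COMPONENTS_VERSION`/`ARG GUEST_COMPONENTS_REPO` lines also appear orphaned now that Makefile.defaults renames those variables to `GUEST_COMPONENTS_REGISTRY`/`GUEST_COMPONENTS_REF`; I cannot see the `podvm-binaries` target in full to confirm whether they are still passed.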
@@ -34,7 +34,7 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER} ENV PODVM_DISTRO=${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION=${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO=${GUEST_COMPONENTS_REPO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} ENV IMAGE_NAME=${IMAGE_NAME} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel index bf59c28c8..3b74ab52b 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel @@ -11,7 +11,7 @@ FROM ${BUILDER_IMG} AS podvm_builder ARG PODVM_DISTRO=rhel # By default AA will be built with the `all-attesters` feature, # which doesn't compile ootb on RHEL. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -27,7 +27,7 @@ ENV PAUSE_REPO=${PAUSE_REPO} ENV PAUSE_VERSION=${PAUSE_VERSION} ENV PAUSE_BIN=${PAUSE_BIN} ENV PODVM_DISTRO=${PODVM_DISTRO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder index 802c1778c..6574fc150 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder @@ -14,13 +14,11 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG YQ_VERSION ARG YQ_CHECKSUM ARG ORAS_VERSION # Without setting ENV gh-action is failing to use the correct values ENV GO_VERSION=${GO_VERSION} -ENV RUST_VERSION=${RUST_VERSION} ENV PROTOC_VERSION=${PROTOC_VERSION} ENV ARCH=${ARCH} ENV YQ_ARCH=${YQ_ARCH} 
@@ -48,11 +46,7 @@ ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${Y RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c RUN chmod a+x /usr/local/bin/yq -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" - -ADD https://sh.rustup.rs rustup -RUN chmod a+x rustup && ./rustup -y --default-toolchain ${RUST_VERSION} \ - && rustup target add x86_64-unknown-linux-musl && ln -sf /usr/bin/g++ /bin/musl-g++ +ENV PATH="/usr/local/go/bin:$PATH" ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip protoc-${PROTOC_VERSION}-linux-x86_64.zip RUN unzip protoc-${PROTOC_VERSION}-linux-x86_64.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-x86_64.zip diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora index b3bdee6d6..e1f4c7475 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora @@ -13,7 +13,6 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG YQ_VERSION ARG YQ_CHECKSUM ARG ORAS_VERSION @@ -32,10 +31,7 @@ ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${Y RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c RUN chmod a+x /usr/local/bin/yq -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" - -ADD https://sh.rustup.rs rustup -RUN chmod a+x rustup && ./rustup -y --default-toolchain ${RUST_VERSION} +ENV PATH="/usr/local/go/bin:$PATH" ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip RUN unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip 
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel index d7a5b58c1..ceb0ef7ec 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel @@ -14,7 +14,6 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG PACKER_VERSION ARG ORAS_VERSION ARG YQ_VERSION @@ -24,7 +23,6 @@ ARG ACTIVATION_KEY # Without setting ENV gh-action is failing to use the correct values ENV GO_VERSION=${GO_VERSION} -ENV RUST_VERSION=${RUST_VERSION} ENV PROTOC_VERSION=${PROTOC_VERSION} ENV PROTOC_ARCH=${PROTOC_ARCH} ENV ARCH=${ARCH} @@ -74,9 +72,7 @@ RUN ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-system-$(uname -m) RUN git clone https://github.com/canonical/cloud-utils RUN cd cloud-utils && make install -RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain "${RUST_VERSION}" - -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" +ENV PATH="/usr/local/go/bin:$PATH" RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip && \ unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip diff --git a/src/cloud-api-adaptor/podvm/Makefile b/src/cloud-api-adaptor/podvm/Makefile index 1afa224a9..4c29a646d 100644 --- a/src/cloud-api-adaptor/podvm/Makefile +++ b/src/cloud-api-adaptor/podvm/Makefile @@ -20,8 +20,6 @@ ifndef IMAGE_CHECKSUM $(error "IMAGE_CHECKSUM is not defined") endif -KATA_AGENT_SRC := ../../kata-containers/src/agent -STATIC_LIBSECCOMP_BUILDER := ../../kata-containers/ci/install_libseccomp.sh AGENT_PROTOCOL_FORWARDER_SRC := ../ QEMU_MACHINE_TYPE_s390x := s390-ccw-virtio @@ -105,4 +103,3 @@ clean: rm -fr "$(SKOPEO_SRC)" "$(UMOCI_SRC)" "$(PAUSE_SRC)" "$(FILES_DIR)/$(PAUSE_BUNDLE)" rm -fr "$(OPA_SRC)" - 
diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc index a58198d48..f42406708 100644 --- a/src/cloud-api-adaptor/podvm/Makefile.inc +++ b/src/cloud-api-adaptor/podvm/Makefile.inc @@ -24,13 +24,11 @@ ARCH := $(or $(ARCH),$(HOST_ARCH)) ARCH := $(subst amd64,x86_64,$(ARCH)) DEB_ARCH := $(subst x86_64,amd64,$(ARCH)) LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl) -RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH)) -RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC) # Auth json file for registry access. Used with skopeo AUTHFILE ?= -ATTESTER ?= none +TEE_PLATFORM ?= none CDH_RESOURCE_PROVIDER ?= kbs SEALED_SECRET ?= yes @@ -43,14 +41,6 @@ FORCE_TARGET := $(if $(FORCE),force,) SHELL := env PATH=$(PATH) /bin/bash -ifneq ($(HOST_ARCH),$(ARCH)) - ifeq ($(CC),cc) - CC := $(ARCH)-linux-$(LIBC)-gcc - $(warning A foreign ARCH was passed, but no CC alternative. Using $(CC) as best guess) - endif -RUST_FLAGS := CC=$(CC) ARCH=$(ARCH) -endif - ifndef IMAGE_NAME COMMIT := $(shell commit=$$(git describe --match '' --dirty --always) && \ if [ -n "$$(git ls-files --other --exclude-per-directory .gitignore "$(FILES_DIR)")" ]; then \ @@ -94,8 +84,6 @@ PAUSE_SRC = pause # Allows to override PAUSE_BUNDLE ?= pause_bundle -GUEST_COMPONENTS_SRC = ../../../guest-components - # Clone a specific commit/tag/branch of a repo. # $(1) - Repository URL # $(2) - Destination directory @@ -113,10 +101,11 @@ endef # Ensure that the oras tags is converted to something valid # $(1) - return value # $(2) - initial_tag +# $(3) - suffix define generate_tag - $(eval $0_tag_length_limit=$(shell expr 128 - $(shell echo "-$(ARCH)" | wc -c))) + $(eval $0_tag_length_limit=$(shell expr 128 - $(shell echo "-$(3)" | wc -c))) processed_tag=$(shell echo $(2) | tr -dc '[:print:]' | tr -c '[a-zA-Z0-9\_\.\-]' _ | head -c $(shell echo $($0_tag_length_limit))) - $(1) := $$(processed_tag)-$(ARCH) + $(1) := $$(processed_tag)-$(3) endef binaries: $(BINARIES) 
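Review bot: `generate_tag` sanitises only `$(2)` through the `tr`/`head -c` pipeline, while the new `$(3)` suffix is appended verbatim in `$(1) := $$(processed_tag)-$(3)`; since the callers now build that suffix from the user-supplied `TEE_PLATFORM`, a value with characters outside `[A-Za-z0-9_.-]` yields an invalid OCI reference and an opaque `oras` failure. Either pass the suffix through the same filter or state the assumption in the header, `# $(3) - suffix, appended unsanitised; must already be a valid tag fragment`. Note also that `expr 128 - $(shell echo "-$(3)" | wc -c)` counts the newline emitted by `echo`, so the budget is one character below the 128-character OCI tag limit; harmless, but worth a comment so nobody "fixes" it.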
@@ -130,8 +119,8 @@ $(PROCESS_USER_DATA): always install -D --compare "$(ROOT_DIR)/process-user-data" "$@" $(KATA_AGENT): $(FORCE_TARGET) - $(eval $(call generate_tag,tag,$(KATA_SRC_REF))) - oras pull ghcr.io/kata-containers/cached-artefacts/agent:${tag} + $(eval $(call generate_tag,tag,$(KATA_REF),$(ARCH))) + oras pull $(KATA_REGISTRY)/agent:${tag} tar xvJpf kata-static-agent.tar.xz install -D --compare "./usr/bin/kata-agent" "$@" 
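Review bot: `oras pull $(KATA_REGISTRY)/agent:${tag}` fetches the agent by a mutable tag derived from `KATA_REF` (`3.9.0` in versions.yaml) with no digest or signature check, replacing a build from a pinned git commit; by contrast the pause image in this same file is still copied under a skopeo `--policy`, so the pod VM's most trusted binaries are now the least verified inputs. A retagged or compromised artifact in the registry would be installed into the image unnoticed. I would record a per-artifact digest in versions.yaml and pull by it, `oras pull "$(KATA_REGISTRY)/agent@$(KATA_AGENT_DIGEST)"`, or at minimum run `hack/verify-provenance.sh` (touched by this patch, and it takes an OCI artifact via `-a`) against the pulled reference before `install`. Minor: `${tag}` mixes brace expansion with the `$(...)` style used everywhere else in the recipe.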
@@ -155,31 +144,31 @@ $(UMOCI_SRC)/umoci: $(UMOCI_SRC) $(PAUSE_SRC): $(SKOPEO_BIN) $(SKOPEO_BIN) --override-arch $(DEB_ARCH) --policy "$(FILES_DIR)/etc/containers/policy.json" copy \ - $(if $(AUTHFILE),--authfile $(AUTHFILE)) "$(PAUSE_REPO):$(PAUSE_VERSION)" "oci:$(PAUSE_SRC):$(PAUSE_VERSION)" + $(if $(AUTHFILE),--authfile $(AUTHFILE)) "docker://$(PAUSE_REPO):$(PAUSE_VERSION)" "oci:$(PAUSE_SRC):$(PAUSE_VERSION)" $(PAUSE): | $(PAUSE_SRC) $(UMOCI_SRC)/umoci $(UMOCI_SRC)/umoci unpack --rootless --image "$(PAUSE_SRC):$(PAUSE_VERSION)" "${FILES_DIR}/$(PAUSE_BUNDLE)" -$(GUEST_COMPONENTS_SRC): - $(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION)) - -$(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@" - -$(CONFIDENTIAL_DATA_HUB): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/confidential-data-hub" && CC= ARCH=$(ARCH) $(MAKE) RESOURCE_PROVIDER="$(CDH_RESOURCE_PROVIDER)" LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/confidential-data-hub" "$@" - -$(API_SERVER_REST): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/api-server-rest" && CC= ARCH=$(ARCH) $(MAKE) LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/api-server-rest" "$@" +$(ATTESTATION_AGENT): $(FORCE_TARGET) + $(eval SUFFIX := $(TEE_PLATFORM)_$(ARCH)) + $(eval $(call generate_tag,tag,$(GUEST_COMPONENTS_REF),$(SUFFIX))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/attestation-agent:${tag} + tar xvJpf attestation-agent.tar.xz + install -D --compare attestation-agent "$@" + +$(CONFIDENTIAL_DATA_HUB): $(FORCE_TARGET) + $(eval $(call 
generate_tag,tag,$(GUEST_COMPONENTS_REF),$(ARCH))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/confidential-data-hub:${tag} + tar xvJpf confidential-data-hub.tar.xz + install -D --compare confidential-data-hub "$@" + +$(API_SERVER_REST): $(FORCE_TARGET) + $(eval $(call generate_tag,tag,$(GUEST_COMPONENTS_REF),$(ARCH))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/api-server-rest:${tag} + tar xvJpf api-server-rest.tar.xz + install -D --compare api-server-rest "$@" clean_sources: - [ -d "$(GUEST_COMPONENTS_SRC)" ] && cd "$(GUEST_COMPONENTS_SRC)" && git clean -xfd [ -d "$(ROOT_DIR)" ] && cd "$(ROOT_DIR)" && git clean -xfd -e podvm [ -d "$(PAUSE_SRC)" ] && cd "$(PAUSE_SRC)" && rm -rf * [ -d "$(UMOCI_SRC)" ] && cd "$(UMOCI_SRC)" && git clean -xfd -e umoci diff --git a/src/cloud-api-adaptor/podvm/README.md b/src/cloud-api-adaptor/podvm/README.md index b363e63d4..c1b074a4c 100644 --- a/src/cloud-api-adaptor/podvm/README.md +++ b/src/cloud-api-adaptor/podvm/README.md @@ -6,7 +6,7 @@ find [here](../docs/consuming-prebuilt-podvm-images.md) information on how to co # How to build locally -In order to build locally it requires the source trees and softwares mentioned in the [developer's guide](../docs/DEVELOPMENT.md) to build this project binaries. It will also need [packer](https://www.packer.io/) (to build the qcow2), [rust](https://www.rust-lang.org/tools/install) (to build the Kata Containers's agent), as well as the following packages: +In order to build locally it requires the source trees and softwares mentioned in the [developer's guide](../docs/DEVELOPMENT.md) to build this project binaries. It will also need [packer](https://www.packer.io/) (to build the qcow2) as well as the following packages: * On Ubuntu: 
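Review bot: `tar xvJpf attestation-agent.tar.xz` (and the two recipes below it) extracts a network-fetched archive with `-p`, which honours the archive's permission bits and, when the builder runs as root, its ownership as well, even though `install -D --compare` copies the binary with its own mode afterwards; `tar xJf attestation-agent.tar.xz --no-same-owner` removes that needless trust in archive metadata and also drops the `v` noise. The three recipes differ only in artifact name and tag suffix, so a `define` template taking those two arguments would keep them in step instead of three copies of the same four lines. As with the kata-agent pull above, nothing here checks a digest for the pulled guest-components artifacts.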
@@ -14,8 +14,6 @@ In order to build locally it requires the source trees and softwares mentioned i $ apt-get install -y qemu-kvm cloud-utils qemu-utils protobuf-compiler pkg-config libdevmapper-dev libgpgme-dev ``` -You may need to link the agent with the musl C library. In this case, you should install the musl-tools (Ubuntu) package and setup the Rust toolchain as explained [here](https://github.com/kata-containers/kata-containers/blob/main/src/agent/README.md#build-with-musl). - Finally run the following commands to build the qcow2 image: ```bash @@ -192,7 +190,7 @@ Follow the steps below, replacing `DISTRO` with the name of the distribution bei 1. Create the builder dockerfile by copying `Dockerfile.podvm_builder` to `Dockerfile.podvm_builder.DISTRO` and adjusting the file properly (e.g. replace `FROM ubuntu:20.04` with `FROM DISTRO`). Try to keep the same - software versions (e.g. Golang, Rust) as much as possible. + software versions (e.g. Golang) as much as possible. 2. Create the podvm image dockerfile by copying `Dockerfile.podvm` to `Dockerfile.podvm.DISTRO` and adjusting the file properly likewise. In particular, the *PODVM_DISTRO* and *BUILDER_IMG* arguments should be changed. 3. Create the podvm binaries dockerfile by copying `Dockerfile.podvm_binaries` diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml index 8553f15dc..0eeaf9789 100644 --- a/src/cloud-api-adaptor/versions.yaml +++ b/src/cloud-api-adaptor/versions.yaml @@ -32,12 +32,6 @@ git: coco-operator: url: https://github.com/confidential-containers/operator reference: main - guest-components: - url: https://github.com/confidential-containers/guest-components - reference: c2022037d8fbb076f569529e93b2cbe63a3968bb - kata-containers: - url: https://github.com/kata-containers/kata-containers - reference: 3.9.0 umoci: url: https://github.com/opencontainers/umoci reference: v0.4.7 
@@ -47,7 +41,16 @@ git: kbs: url: https://github.com/confidential-containers/trustee reference: f287fcd60b0b3ddbef5546d646669813b9e68f8d +# If a tag is given it will attempt to pull the oci image by tag. if a +# reference is specified the corresponding tag will be constructed using +# the reference and suffixes like architecture or tee. oci: pause: - registry: docker://registry.k8s.io/pause + registry: registry.k8s.io/pause tag: 3.9 + kata-containers: + registry: ghcr.io/kata-containers/cached-artefacts + reference: 3.9.0 + guest-components: + registry: ghcr.io/confidential-containers/guest-components + reference: d8da69072424e496486dfb5421a26f16ff2a7abf
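Review bot: The new `oci:` section has no `kbs` entry, yet `docs/Release-Process.md` in this same patch tells releasers to bump `oci.kbs.tag` and `oci.kbs-client.reference`; here `kbs` still lives under `git:` with a `reference`, so one of the two is wrong and the release checklist would point at keys that do not exist. The explanatory comment should also name the mechanism and its limits: `# tag: pulled as-is. reference: an upstream git ref; the tag is constructed as <reference>-<suffix> (suffix = arch, or <tee>_<arch> for attestation-agent). Neither field pins a digest, so the registry is trusted for content.` The `kata-containers.reference: 3.9.0` is a release tag while `guest-components.reference` is a full commit SHA; if the cached-artefacts repo also publishes SHA-based tags, using one here would make the two entries consistent and the reference immutable.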