Add support for Confidential VM images #1148

Merged
merged 1 commit into from
Jun 1, 2023
12 changes: 12 additions & 0 deletions docs/book/src/capi/providers/azure.md
Expand Up @@ -42,6 +42,18 @@ make build-azure-sig-ubuntu-1804-gen2

Generation 2 images may only be used with Shared Image Gallery, not VHD.

### Confidential VM Images

Confidential VMs require specific generation 2 OS images. The naming pattern of those images includes the suffix `-cvm`. For example:

```bash
# Ubuntu 20.04 LTS for Confidential VMs
make build-azure-sig-ubuntu-2004-cvm

# Windows 2019 with containerd for Confindential VMs
make build-azure-sig-windows-2019-containerd-cvm
```

### Configuration
#### Common Azure options

22 changes: 20 additions & 2 deletions images/capi/Makefile
Expand Up @@ -333,9 +333,11 @@ GCE_BUILD_NAMES ?= gce-ubuntu-1804 gce-ubuntu-2004 gce-ubuntu-2204
VHD_TARGETS := $(shell grep VHD_TARGETS azure_targets.sh | sed 's/VHD_TARGETS=//' | tr -d \")
SIG_TARGETS := $(shell grep SIG_TARGETS azure_targets.sh | sed 's/SIG_TARGETS=//' | tr -d \")
SIG_GEN2_TARGETS := $(shell grep SIG_GEN2_TARGETS azure_targets.sh | sed 's/SIG_GEN2_TARGETS=//' | tr -d \")
SIG_CVM_TARGETS := $(shell grep SIG_CVM_TARGETS azure_targets.sh | sed 's/SIG_CVM_TARGETS=//' | tr -d \")
AZURE_BUILD_VHD_NAMES ?= $(addprefix azure-vhd-,$(VHD_TARGETS))
AZURE_BUILD_SIG_NAMES ?= $(addprefix azure-sig-,$(SIG_TARGETS))
AZURE_BUILD_SIG_GEN2_NAMES ?= $(addsuffix -gen2,$(addprefix azure-sig-,$(SIG_GEN2_TARGETS)))
AZURE_BUILD_SIG_CVM_NAMES ?= $(addsuffix -cvm,$(addprefix azure-sig-,$(SIG_CVM_TARGETS)))

OCI_BUILD_NAMES ?= oci-ubuntu-1804 oci-ubuntu-2004 oci-ubuntu-2204 oci-oracle-linux-8 oci-oracle-linux-9 oci-windows-2019 oci-windows-2022

Expand Down Expand Up @@ -373,8 +375,10 @@ AZURE_BUILD_VHD_TARGETS := $(addprefix build-,$(AZURE_BUILD_VHD_NAMES))
AZURE_VALIDATE_VHD_TARGETS := $(addprefix validate-,$(AZURE_BUILD_VHD_NAMES))
AZURE_BUILD_SIG_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_NAMES))
AZURE_BUILD_SIG_GEN2_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_GEN2_NAMES))
AZURE_BUILD_SIG_CVM_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_CVM_NAMES))
AZURE_VALIDATE_SIG_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_NAMES))
AZURE_VALIDATE_SIG_GEN2_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_GEN2_NAMES))
AZURE_VALIDATE_SIG_CVM_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_CVM_NAMES))
DO_BUILD_TARGETS := $(addprefix build-,$(DO_BUILD_NAMES))
DO_VALIDATE_TARGETS := $(addprefix validate-,$(DO_BUILD_NAMES))
OPENSTACK_BUILD_TARGETS := $(addprefix build-,$(OPENSTACK_BUILD_NAMES))
Expand Down Expand Up @@ -462,6 +466,10 @@ $(AZURE_BUILD_SIG_TARGETS): deps-azure
$(AZURE_BUILD_SIG_GEN2_TARGETS): deps-azure
. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && packer build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(AZURE_BUILD_SIG_CVM_TARGETS)
$(AZURE_BUILD_SIG_CVM_TARGETS): deps-azure
. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && packer build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(AZURE_VALIDATE_SIG_TARGETS)
$(AZURE_VALIDATE_SIG_TARGETS): deps-azure
packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
Expand All @@ -470,6 +478,10 @@ $(AZURE_VALIDATE_SIG_TARGETS): deps-azure
$(AZURE_VALIDATE_SIG_GEN2_TARGETS): deps-azure
packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring windows,$@).json

.PHONY: $(AZURE_VALIDATE_SIG_CVM_TARGETS)
$(AZURE_VALIDATE_SIG_CVM_TARGETS): deps-azure
packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(DO_BUILD_TARGETS)
$(DO_BUILD_TARGETS): deps-do
packer build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/digitalocean/$(subst build-do-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/digitalocean/packer.json
Expand Down Expand Up @@ -601,6 +613,8 @@ build-azure-sig-rhel-8: ## Builds RHEL 8 Azure managed image in Shared Image Gal
build-azure-sig-windows-2019: ## Builds Windows Server 2019 Azure managed image in Shared Image Gallery
build-azure-sig-windows-2019-containerd: ## Builds Windows Server 2019 with containerd Azure managed image in Shared Image Gallery
build-azure-sig-windows-2022-containerd: ## Builds Windows Server 2022 with containerd Azure managed image in Shared Image Gallery
build-azure-sig-windows-2019-containerd-cvm: ## Builds Windows Server 2019 with containerd CVM Azure managed image in Shared Image Gallery
build-azure-sig-windows-2022-containerd-cvm: ## Builds Windows Server 2022 with containerd CVM Azure managed image in Shared Image Gallery
build-azure-sig-windows-2004: ## Builds Windows Server 2004 SAC Azure managed image in Shared Image Gallery
build-azure-vhd-ubuntu-1804: ## Builds Ubuntu 18.04 VHD image for Azure
build-azure-vhd-ubuntu-2004: ## Builds Ubuntu 20.04 VHD image for Azure
Expand All @@ -617,8 +631,10 @@ build-azure-sig-flatcar-gen2: ## Builds Flatcar Azure Gen2 managed image in Shar
build-azure-sig-ubuntu-1804-gen2: ## Builds Ubuntu 18.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2004-gen2: ## Builds Ubuntu 20.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2204-gen2: ## Builds Ubuntu 22.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2004-cvm: ## Builds Ubuntu 20.04 CVM managed image in Shared Image Gallery
build-azure-sig-ubuntu-2204-cvm: ## Builds Ubuntu 22.04 CVM managed image in Shared Image Gallery
build-azure-vhds: $(AZURE_BUILD_VHD_TARGETS) ## Builds all Azure VHDs
build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) ## Builds all Azure Shared Image Gallery images
build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) $(AZURE_BUILD_SIG_CVM_TARGETS) ## Builds all Azure Shared Image Gallery images

build-do-ubuntu-1804: ## Builds Ubuntu 18.04 DigitalOcean Snapshot
build-do-ubuntu-2004: ## Builds Ubuntu 20.04 DigitalOcean Snapshot
Expand Down Expand Up @@ -784,8 +800,10 @@ validate-azure-vhd-windows-2004: ## Validate Windows Server 2004 SAC VHD image A
validate-azure-sig-centos-7-gen2: ## Validates CentOS 7 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-1804-gen2: ## Validates Ubuntu 18.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2004-gen2: ## Validates Ubuntu 20.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2004-cvm: ## Validates Ubuntu 20.04 CVM Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2204-gen2: ## Validates Ubuntu 22.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) ## Validates all images for Azure Packer config
validate-azure-sig-ubuntu-2204-cvm: ## Validates Ubuntu 22.04 CVM Azure managed image in Shared Image Gallery Packer config
validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) $(AZURE_VALIDATE_SIG_CVM_TARGETS) ## Validates all images for Azure Packer config

validate-do-ubuntu-1804: ## Validates Ubuntu 18.04 DigitalOcean Snapshot Packer config
validate-do-ubuntu-2004: ## Validates Ubuntu 20.04 DigitalOcean Snapshot Packer config
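Review bot: The help entries added for the CVM targets are asymmetric: the build list documents both the Ubuntu and the Windows CVM images, but the validate list adds only `validate-azure-sig-ubuntu-2004-cvm` and `validate-azure-sig-ubuntu-2204-cvm`, so `validate-azure-sig-windows-2019-containerd-cvm` and `validate-azure-sig-windows-2022-containerd-cvm` have no `##` line unless they are defined outside this hunk. Adding `validate-azure-sig-windows-2019-containerd-cvm: ## Validates Windows Server 2019 with containerd CVM Azure managed image in Shared Image Gallery Packer config` and the 2022 counterpart keeps the self-documenting `help` output complete. As a point of style, the two Ubuntu validate entries are split around the `ubuntu-2204-gen2` line whereas the build section keeps the CVM entries together after the gen2 ones; the same grouping in both lists makes them easier to scan. The new build and validate recipes are copies of the gen2 recipes with `azure-sig-gen2.json` swapped for `azure-sig-cvm.json`, which is consistent with the existing pattern.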
15 changes: 15 additions & 0 deletions images/capi/ansible/roles/setup/tasks/debian.yml
Expand Up @@ -62,6 +62,16 @@
loop: "{{ extra_repos.split() }}"
when: extra_repos != ""

- name: Hold nullboot
ansible.builtin.dpkg_selections:
name: nullboot
selection: hold
when: packer_build_name is search('cvm')

- name: Add '--no-tpm --no-efivars' to nullboot post install script
command: "sed -i 's/nullbootctl/nullbootctl --no-tpm --no-efivars/' /var/lib/dpkg/info/nullboot.postinst"
when: packer_build_name is search('cvm')

- name: perform a dist-upgrade
apt:
force_apt_get: True
Expand Down Expand Up @@ -103,3 +113,8 @@
until: apt_lock_status is not failed
retries: 5
delay: 10

- name: Remove '--no-tpm --no-efivars' from nullboot post install script
command: "sed -i 's/nullbootctl --no-tpm --no-efivars/nullbootctl/' /var/lib/dpkg/info/nullboot.postinst"
when: packer_build_name is search('cvm')
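Review bot: The `Hold nullboot` task pins the package before the dist-upgrade, but nothing in these hunks releases the hold afterwards; if it persists into the published image, nullboot (which, judging by the `--no-tpm --no-efivars` flags edited here, handles TPM and EFI-variable enrollment) is silently excluded from future `apt upgrade` runs on every CVM node built from this image. Either release it after the upgrade, as sketched below, or document in the task name why the hold is meant to be permanent. The revert task at the end of the file is not inside a `block`/`always`, so a dist-upgrade failure leaves the patched `nullboot.postinst` in the image; both `sed -i` tasks also report `changed` on every run, which `ansible.builtin.replace` with the same pattern would avoid. A one-line comment on the first sed task stating why TPM and EFI-variable handling must be skipped during the Packer build (presumably because the build VM is not itself a confidential VM — please confirm) would save the next maintainer from guessing.
```yaml
# … unchanged: remove '--no-tpm --no-efivars' from nullboot post install script …

- name: Release hold on nullboot
  ansible.builtin.dpkg_selections:
    name: nullboot
    selection: install
  when: packer_build_name is search('cvm')
```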

2 changes: 2 additions & 0 deletions images/capi/azure_targets.sh
Expand Up @@ -4,3 +4,5 @@ SIG_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 rhel-8 windows-2019 wi
SIG_CI_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd flatcar"
SIG_GEN2_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 flatcar"
SIG_GEN2_CI_TARGETS="ubuntu-2004 ubuntu-2204 flatcar"
SIG_CVM_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd"
SIG_CVM_CI_TARGETS="ubuntu-2204 windows-2022-containerd"
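--- a/images/capi/packer/azure/azure-sig-cvm.json
+++ b/images/capi/packer/azure/azure-sig-cvm.json
@@ -0,0 +1,7 @@
+{
+"image_name": "capi-{{user `distribution`}}-{{user `distribution_version`}}-cvm",
+"replication_regions": "{{env `AZURE_LOCATION`}}",
+"resource_group_name": "{{env `RESOURCE_GROUP_NAME`}}",
+"shared_image_gallery_name": "{{env `GALLERY_NAME`}}",
+"sig_image_version": "0.3.{{user `build_timestamp`}}"
+}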
19 changes: 18 additions & 1 deletion images/capi/packer/azure/scripts/init-sig.sh
Expand Up @@ -34,6 +34,8 @@ packer validate -syntax-only $PACKER_FILE || exit 1

az sig create --resource-group ${RESOURCE_GROUP_NAME} --gallery-name ${GALLERY_NAME}

SECURITY_TYPE_CVM_SUPPORTED_FEATURE="SecurityType=ConfidentialVmSupported"

create_image_definition() {
az sig image-definition create \
--resource-group ${RESOURCE_GROUP_NAME} \
Expand All @@ -43,7 +45,8 @@ create_image_definition() {
--offer ${SIG_OFFER:-capz-demo} \
--sku ${SIG_SKU:-$2} \
--hyper-v-generation ${3} \
--os-type ${4}
--os-type ${4} \
--features ${5:-''}
}

SIG_TARGET=$1
Expand Down Expand Up @@ -73,6 +76,14 @@ case ${SIG_TARGET} in
windows-2022-containerd)
create_image_definition ${SIG_TARGET} "win-2022-containerd" "V1" "Windows"
;;
windows-2019-containerd-cvm)
SKU="windows-2019-cvm-containerd"
create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
windows-2022-containerd-cvm)
SKU="windows-2022-cvm-containerd"
create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
flatcar)
SKU="flatcar-${FLATCAR_CHANNEL}-${FLATCAR_VERSION}"
create_image_definition ${SKU} ${SKU} "V1" "Linux"
Expand All @@ -83,9 +94,15 @@ case ${SIG_TARGET} in
ubuntu-2004-gen2)
create_image_definition ${SIG_TARGET} "20_04-lts-gen2" "V2" "Linux"
;;
ubuntu-2004-cvm)
create_image_definition ${SIG_TARGET} "20_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
ubuntu-2204-gen2)
create_image_definition ${SIG_TARGET} "22_04-lts-gen2" "V2" "Linux"
;;
ubuntu-2204-cvm)
create_image_definition ${SIG_TARGET} "22_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
centos-7-gen2)
create_image_definition "centos-7-gen2" "centos-7-gen2" "V2" "Linux"
;;
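Review bot: `--features ${5:-''}` passes a bare `--features` flag for every non-CVM target: when `$5` is unset the unquoted `${5:-''}` expands to an empty word that the shell drops, so `az sig image-definition create` receives `--features` with no value, and whether that is accepted depends on the CLI version. Making the whole option conditional avoids the question: replace the line with `${5:+--features "$5"}` (the trailing `\` on the `--os-type` line stays). `create_image_definition` begins in the previous hunk. The constant `SecurityType=ConfidentialVmSupported` deserves a comment, since that value marks the definition as usable for confidential VMs without requiring it — consumers who need a guaranteed confidential deployment must still select the security type when the VM is created; suggested: `# ConfidentialVmSupported: image may run as a CVM or as a regular Gen2 VM; it does not force confidential deployment`.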
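--- a/images/capi/packer/azure/ubuntu-2004-cvm.json
+++ b/images/capi/packer/azure/ubuntu-2004-cvm.json
@@ -0,0 +1,9 @@
+{
+"build_name": "ubuntu-2004-cvm",
+"distribution": "ubuntu",
+"distribution_release": "focal",
+"distribution_version": "2004",
+"image_offer": "0001-com-ubuntu-confidential-vm-focal",
+"image_publisher": "Canonical",
+"image_sku": "20_04-lts-cvm"
+}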
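--- a/images/capi/packer/azure/ubuntu-2204-cvm.json
+++ b/images/capi/packer/azure/ubuntu-2204-cvm.json
@@ -0,0 +1,9 @@
+{
+"build_name": "ubuntu-2204-cvm",
+"distribution": "ubuntu",
+"distribution_release": "jammy",
+"distribution_version": "2204",
+"image_offer": "0001-com-ubuntu-confidential-vm-jammy",
+"image_publisher": "Canonical",
+"image_sku": "22_04-lts-cvm"
+}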
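--- a/images/capi/packer/azure/windows-2019-containerd-cvm.json
+++ b/images/capi/packer/azure/windows-2019-containerd-cvm.json
@@ -0,0 +1,16 @@
+{
+"additional_registry_images": "false",
+"additional_registry_images_list": "",
+"build_name": "windows-2019-containerd-cvm",
+"distribution": "windows",
+"distribution_version": "2019",
+"image_offer": "windows-cvm",
+"image_publisher": "MicrosoftWindowsServer",
+"image_sku": "2019-datacenter-cvm",
+"image_version": "latest",
+"load_additional_components": "false",
+"runtime": "containerd",
+"vm_size": "Standard_D4s_v3",
+"windows_updates_kbs": "",
+"wins_url": ""
+}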
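Review bot: `"image_version": "latest"` lets the marketplace base image float, so two builds of `windows-2019-containerd-cvm` from the same commit can start from different upstream images, which makes a published image harder to reproduce or audit after the fact; if the existing Windows configs already pin a version, match them, otherwise consider pinning and bumping deliberately, or at least have the build log record the version that was resolved. The same applies to `windows-2022-containerd-cvm.json`. `"vm_size": "Standard_D4s_v3"` is a general-purpose size rather than a confidential-capable one, which is presumably fine for a build VM started from a ConfidentialVmSupported image, but it is worth confirming that none of the build steps rely on a vTPM being present.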
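--- a/images/capi/packer/azure/windows-2022-containerd-cvm.json
+++ b/images/capi/packer/azure/windows-2022-containerd-cvm.json
@@ -0,0 +1,16 @@
+{
+"additional_registry_images": "false",
+"additional_registry_images_list": "",
+"build_name": "windows-2022-containerd-cvm",
+"distribution": "windows",
+"distribution_version": "2022",
+"image_offer": "windows-cvm",
+"image_publisher": "MicrosoftWindowsServer",
+"image_sku": "2022-datacenter-cvm",
+"image_version": "latest",
+"load_additional_components": "false",
+"runtime": "containerd",
+"vm_size": "Standard_D4s_v3",
+"windows_updates_kbs": "",
+"wins_url": ""
+}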
22 changes: 22 additions & 0 deletions images/capi/scripts/ci-azure-e2e.sh
Expand Up @@ -38,13 +38,17 @@ source azure_targets.sh
IFS=' ' read -r -a VHD_CI_TARGETS <<< "${VHD_CI_TARGETS}"
IFS=' ' read -r -a SIG_CI_TARGETS <<< "${SIG_CI_TARGETS}"
IFS=' ' read -r -a SIG_GEN2_CI_TARGETS <<< "${SIG_GEN2_CI_TARGETS}"
IFS=' ' read -r -a SIG_CVM_CI_TARGETS <<< "${SIG_CVM_CI_TARGETS}"

# Append the "gen2" targets to the original SIG list
for element in "${SIG_GEN2_CI_TARGETS[@]}"
do
SIG_CI_TARGETS+=("${element}-gen2")
done

# Append "-cvm" suffix to SIG CVM targets
SIG_CVM_CI_TARGETS=("${SIG_CVM_CI_TARGETS[@]/%/-cvm}")

# shellcheck source=parse-prow-creds.sh
source "packer/azure/scripts/parse-prow-creds.sh"

Expand All @@ -59,6 +63,11 @@ get_random_region() {
echo "${REGIONS[${RANDOM} % ${#REGIONS[@]}]}"
}

export VALID_CVM_LOCATIONS=("eastus" "westus" "northeurope" "westeurope")
get_random_cvm_region() {
echo "${VALID_CVM_LOCATIONS[${RANDOM} % ${#VALID_CVM_LOCATIONS[@]}]}"
}

export PATH=${PWD}/.local/bin:$PATH
export PATH=${PYTHON_BIN_DIR:-"/root/.local/bin"}:$PATH

Expand Down Expand Up @@ -96,6 +105,19 @@ if [[ "${AZURE_BUILD_FORMAT:-vhd}" == "sig" ]]; then
make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
PIDS["sig-${target}"]=$!
done

SELECTED_LOCATION="${AZURE_LOCATION}"
if [[ ! " ${VALID_CVM_LOCATIONS[*]} " =~ " ${SELECTED_LOCATION} " ]]; then
SELECTED_LOCATION="$(get_random_cvm_region)"
echo "AZURE_LOCATION=${AZURE_LOCATION} is invalid for Confidential VM targets. Valid CVM locations: ${VALID_CVM_LOCATIONS[*]}."
echo "Selected location is ${SELECTED_LOCATION}."
fi

for target in ${SIG_CVM_CI_TARGETS[@]};
do
AZURE_LOCATION="${SELECTED_LOCATION}" make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
PIDS["sig-${target}"]=$!
done
else
for target in ${VHD_CI_TARGETS[@]};
do
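Review bot: `export VALID_CVM_LOCATIONS=(...)` exports nothing useful, because bash cannot pass arrays through the environment; the array is only consumed in this shell (the membership test and `get_random_cvm_region`), and the child `make` already receives its region through the explicit `AZURE_LOCATION="${SELECTED_LOCATION}"` prefix, so the `export` only suggests a propagation that does not happen. Declare it as a plain array with a comment explaining its origin, e.g. `# Regions where Confidential VM sizes are offered; hard-coded, update when Azure expands availability`, since the list will drift as availability changes and nothing in the script says where it came from. The fallback message is printed but the chosen region is otherwise not recorded with the build artifacts; writing `SELECTED_LOCATION` into the per-target log would make a CVM CI failure easier to correlate with the region it ran in.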