From 123a30b301260beaf616c448fa8e9b246fbd823d Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 27 Sep 2024 12:35:59 +0200 Subject: [PATCH] podvm: use ORAS to pull cdh and asr and aa The artifacts are being retrieved from guest-component's ORAS now. Hence the rust build infrastructure can be removed with this change. There are some notable changes: - guest-component exposed the TEE_PLATFORM param on its top level build script, which we use to pull the correct artifact. Since we don't build attestation-agent directly anymore the ATTESTER param has been removed from the projects build scripts - in versions.yaml kata and guest-components have been moved from the "git" section to the "oci" section, however since the tag is dynamic, we also provide a "reference" field in those entries. Signed-off-by: Magnus Kulke --- .github/workflows/azure-podvm-image-build.yml | 2 +- .github/workflows/e2e_libvirt.yaml | 28 +++------- docs/Release-Process.md | 2 +- src/cloud-api-adaptor/Makefile | 19 +++---- src/cloud-api-adaptor/Makefile.defaults | 13 +++-- src/cloud-api-adaptor/azure/build-image.md | 3 +- .../ibmcloud-powervs/image/prereq.sh | 5 -- src/cloud-api-adaptor/podvm-mkosi/Makefile | 13 ++--- src/cloud-api-adaptor/podvm-mkosi/README.md | 2 +- src/cloud-api-adaptor/podvm/Dockerfile.podvm | 2 - .../podvm/Dockerfile.podvm_binaries | 6 +- .../podvm/Dockerfile.podvm_binaries.fedora | 4 +- .../podvm/Dockerfile.podvm_binaries.rhel | 4 +- .../podvm/Dockerfile.podvm_builder | 8 +-- .../podvm/Dockerfile.podvm_builder.fedora | 6 +- .../podvm/Dockerfile.podvm_builder.rhel | 6 +- src/cloud-api-adaptor/podvm/Makefile | 2 - src/cloud-api-adaptor/podvm/Makefile.inc | 56 ++++++++----------- src/cloud-api-adaptor/podvm/README.md | 6 +- .../podvm/hack/cross-build-extras.sh | 21 ------- src/cloud-api-adaptor/versions.yaml | 24 ++++---- 21 files changed, 80 insertions(+), 152 deletions(-) delete mode 100755 src/cloud-api-adaptor/podvm/hack/cross-build-extras.sh 
diff --git a/.github/workflows/azure-podvm-image-build.yml b/.github/workflows/azure-podvm-image-build.yml index 6f9211f5e..2a9023b93 100644 --- a/.github/workflows/azure-podvm-image-build.yml +++ b/.github/workflows/azure-podvm-image-build.yml @@ -107,7 +107,7 @@ jobs: - name: Build binaries run: make binaries \ - ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" \ + TEE_PLATFORM="az-cvm-vtpm" \ LIBC=gnu - uses: azure/login@v1 diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml index 6526c7178..f2ea9a1f6 100644 --- a/.github/workflows/e2e_libvirt.yaml +++ b/.github/workflows/e2e_libvirt.yaml @@ -51,12 +51,12 @@ jobs: - name: Read properties from versions.yaml run: | sudo snap install yq - echo "KBS_REPO=$(yq -e '.git.kbs.url' versions.yaml)" >> "$GITHUB_ENV" - echo "KBS_VERSION=$(yq -e '.git.kbs.reference' versions.yaml)" >> "$GITHUB_ENV" - echo "RUST_VERSION=$(yq -e '.tools.rust' versions.yaml)" >> "$GITHUB_ENV" + echo "KBS_CLIENT_REGISTRY=$(yq -e '.oci.kbs-client.registry' versions.yaml)" >> "$GITHUB_ENV" + echo "KBS_CLIENT_REF=$(yq -e '.oci.kbs-client.reference' versions.yaml)" >> "$GITHUB_ENV" go_version="$(yq '.tools.golang' versions.yaml)" [ -n "$go_version" ] echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV" + echo "ORAS_VERSION=$(yq -e '.tools.oras' versions.yaml)" >> "$GITHUB_ENV" - name: Setup Golang version ${{ env.GO_VERSION }} uses: actions/setup-go@v4 
@@ -89,26 +89,14 @@ jobs: # For debugging cat libvirt.properties - - name: Install rust toolchain - uses: actions-rs/toolchain@v1 + - uses: oras-project/setup-oras@v1 with: - toolchain: ${{ env.RUST_VERSION }} - override: true - profile: minimal + version: ${{ env.ORAS_VERSION }} - - name: Checkout kbs Repository and build kbs-client + - name: Download kbs-client via ORAS run: | - sudo apt-get update -y - sudo apt-get install -y build-essential pkg-config libssl-dev - git clone "${KBS_REPO}" test/trustee - pushd test/trustee - git checkout "${KBS_VERSION}" - pushd kbs - make CLI_FEATURES=sample_only cli - popd - # For debugging - ls ./target/release - popd + oras pull "${KBS_CLIENT_REGISTRY}:sample_only-x86_64-linux-gnu-${KBS_CLIENT_REF}" + chmod +x ./kbs-client - name: run tests id: runTests diff --git a/docs/Release-Process.md b/docs/Release-Process.md index dd19d0365..4e795bbea 100644 --- a/docs/Release-Process.md +++ b/docs/Release-Process.md @@ -17,7 +17,7 @@ version is picked) and [trustee releases](https://github.com/confidential-contai `externals.coco-guest-components.version`, `externals.coco-trustee` and the `image-rs` crate in the agent's [`Cargo.toml`](https://github.com/kata-containers/kata-containers/blob/main/src/agent/Cargo.toml). - At this point it makes sense for us to stay in sync, by updating the guest-components and kbs that we use in peer pods, - by changing the `git.guest-components.reference` and `git.kbs.tag` values in [versions.yaml](../src/cloud-api-adaptor/versions.yaml). + by changing the `oci.guest-components.reference`, `oci.kbs.tag` and `oci.kbs-client.reference` values in [versions.yaml](../src/cloud-api-adaptor/versions.yaml). We should also bump the kata agent to the latest commit hash in our [version.yaml](../src/cloud-api-adaptor/versions.yaml) for testing. 1. Kata Containers [releases](https://github.com/kata-containers/kata-containers/releases) 
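Review bot: The new `oras pull` step fetches the kbs-client binary by a mutable tag and immediately marks it executable with `chmod +x ./kbs-client`, with no digest or checksum check, so the runner executes whatever the registry currently serves under that tag. Since the reference is already a fixed commit id, consider recording the artifact digest alongside it in versions.yaml and pulling as `"${KBS_CLIENT_REGISTRY}@<DIGEST_PLACEHOLDER>"`, or verifying the download with `sha256sum -c` the way the builder Dockerfiles do for yq. `oras-project/setup-oras@v1` is pinned only to a floating major tag, consistent with the other actions in this workflow, but a commit-SHA pin is the safer choice for a third-party action that installs a binary onto the runner. The platform triple `x86_64-linux-gnu` is hard-coded inside the tag; a short comment such as `# artifact tag: <features>-<triple>-<commit>` would make that visible to the next editor.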
diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile index 5ea540f0e..293972c42 100644 --- a/src/cloud-api-adaptor/Makefile +++ b/src/cloud-api-adaptor/Makefile @@ -7,18 +7,18 @@ include Makefile.defaults SHELL = bash -o pipefail -ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) +ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) # Default is dev build. To create release build set RELEASE_BUILD=true RELEASE_BUILD ?= false # CLOUD_PROVIDER is used for runtime -- which provider should be run against the binary/code. CLOUD_PROVIDER ?= -GOOPTIONS ?= GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 -GOFLAGS ?= -BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data -SOURCEDIRS := ./cmd ./pkg -PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS))) -SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print) -ATTESTER ?= none +GOOPTIONS ?= GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 +GOFLAGS ?= +BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data +SOURCEDIRS := ./cmd ./pkg +PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS))) +SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print) +TEE_PLATFORM ?= none # End-to-end tests overall run timeout. TEST_E2E_TIMEOUT ?= 60m # To run a sub-set of tests, set an unanchored regex matching the test's name as in go's test -run option. @@ -172,7 +172,6 @@ podvm-builder: --build-arg ACTIVATION_KEY=$(ACTIVATION_KEY) \ --build-arg ARCH=$(ARCH) \ --build-arg PROTOC_VERSION=$(PROTOC_VERSION) \ - --build-arg RUST_VERSION=$(RUST_VERSION) \ --build-arg YQ_VERSION=$(YQ_VERSION) \ --build-arg YQ_CHECKSUM=${YQ_CHECKSUM_$(ARCH)} \ --build-arg YQ_ARCH=$(ARCH) \ 
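Review bot: `TEE_PLATFORM ?= none` is added here even though the `include Makefile.defaults` directive heading this hunk already brings in the identical default that this same commit adds to Makefile.defaults (together with the comment listing accepted values); podvm-mkosi/Makefile repeats it once more right after its `include ../Makefile.defaults`. With `?=` the duplicates are harmless today, but three copies of the same default are easy to drift apart. Consider dropping the local lines and relying on Makefile.defaults, or at least pointing at it with `# see Makefile.defaults for accepted values`. The remainder of this hunk only realigns whitespace.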
@@ -187,7 +186,7 @@ podvm-binaries: --build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \ --build-arg PODVM_DISTRO=$(PODVM_DISTRO) \ --build-arg ARCH=$(ARCH) \ - --build-arg ATTESTER=$(ATTESTER) \ + --build-arg TEE_PLATFORM=$(TEE_PLATFORM) \ --build-arg PAUSE_REPO=$(PAUSE_REPO) \ --build-arg PAUSE_VERSION=$(PAUSE_VERSION) \ --build-arg PAUSE_BIN=$(PAUSE_BIN) \ diff --git a/src/cloud-api-adaptor/Makefile.defaults b/src/cloud-api-adaptor/Makefile.defaults index 5ea0fc02c..a740c7aa6 100644 --- a/src/cloud-api-adaptor/Makefile.defaults +++ b/src/cloud-api-adaptor/Makefile.defaults @@ -7,7 +7,9 @@ PAUSE_BIN ?= pause # stored in versions.yaml YQ_VERSION := v4.35.1 YQ_CHECKSUM := "sha256:bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08" -YQ_CHECKSUM_s390x:= "sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" +YQ_CHECKSUM_s390x := "sha256:4e6324d08630e7df733894a11830412a43703682d65a76f1fc925aac08268a45" +# none,az-cvm-vtpm,tdx,se,cca +TEE_PLATFORM ?= none VERSIONS_HASH := $(firstword $(shell sha256sum $(VERSIONS_SRC))) 
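Review bot: The comment `# none,az-cvm-vtpm,tdx,se,cca` documents the accepted TEE_PLATFORM values, but the podvm-mkosi/README.md hunk in this same commit shows `TEE_PLATFORM=se-attester make binaries`, which is not in that list and, given that Makefile.inc now appends TEE_PLATFORM to the artifact tag, would request an artifact tag ending in `-se-attester`. One of the two should be corrected; if `se` is the intended value the README line should read `TEE_PLATFORM=se make binaries`. A slightly fuller comment would also help readers who never open Makefile.inc, e.g. `# TEE_PLATFORM selects the prebuilt attestation-agent artifact to pull; accepted: none, az-cvm-vtpm, tdx, se, cca`.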
@@ -30,18 +32,17 @@ rhel_s390x_IMAGE_CHECKSUM := $(call query,cloudimg.rhel.$(rhel_RELEASE).s390x.ch COCO_OPERATOR_REF := $(or $(COCO_OPERATOR_REF),$(call query,git.coco-operator.reference)) COCO_OPERATOR_REPO := $(or $(COCO_OPERATOR_REPO),$(call query,git.coco-operator.url)) -KATA_SRC := $(or $(KATA_SRC),$(call query,git.kata-containers.url)) -KATA_SRC_REF := $(or $(KATA_SRC_REF),$(call query,git.kata-containers.reference)) +KATA_REGISTRY := $(or $(KATA_REGISTRY), $(call query,oci.kata-containers.registry)) +KATA_REF := $(or $(KATA_REF), $(call query,oci.kata-containers.reference)) GO_VERSION := $(or $(GO_VERSION),$(call query,tools.golang)) PROTOC_VERSION := $(or $(PROTOC_VERSION),$(call query,tools.protoc)) -RUST_VERSION := $(or $(RUST_VERSION),$(call query,tools.rust)) ORAS_VERSION := $(or $(ORAS_VERSION),$(call query,tools.oras)) SKOPEO_REPO := $(or $(SKOPEO_REPO),$(call query,git.skopeo.url)) SKOPEO_VERSION := $(or $(SKOPEO_VERSION),$(call query,git.skopeo.reference)) UMOCI_REPO := $(or $(UMOCI_REPO),$(call query,git.umoci.url)) UMOCI_VERSION := $(or $(UMOCI_VERSION),$(call query,git.umoci.reference)) -GUEST_COMPONENTS_REPO := $(or $(GUEST_COMPONENTS_REPO),$(call query,git.guest-components.url)) -GUEST_COMPONENTS_VERSION := $(or $(GUEST_COMPONENTS_VERSION),$(call query,git.guest-components.reference)) +GUEST_COMPONENTS_REGISTRY := $(or $(GUEST_COMPONENTS_REGISTRY), $(call query,oci.guest-components.registry)) +GUEST_COMPONENTS_REF := $(or $(GUEST_COMPONENTS_REF),$(call query,oci.guest-components.reference)) PAUSE_REPO := $(or $(PAUSE_REPO),$(call query,oci.pause.registry)) PAUSE_VERSION := $(or $(PAUSE_VERSION),$(call query,oci.pause.tag)) PACKER_VERSION := $(or $(PACKER_VERSION),$(call query,tools.packer)) diff --git a/src/cloud-api-adaptor/azure/build-image.md b/src/cloud-api-adaptor/azure/build-image.md index ed1b975af..2139206f6 100644 --- a/src/cloud-api-adaptor/azure/build-image.md +++ b/src/cloud-api-adaptor/azure/build-image.md 
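Review bot: `KATA_REGISTRY`, `KATA_REF` and `GUEST_COMPONENTS_REGISTRY` put a space after the comma inside `$(or ...)`, while `GUEST_COMPONENTS_REF` and every neighbouring assignment do not. As far as I recall GNU make strips surrounding whitespace from each `$(or)` argument before expanding it, so the values are most likely unaffected, but the mixed form reads as if one spelling were intentional. `KATA_REGISTRY := $(or $(KATA_REGISTRY),$(call query,oci.kata-containers.registry))` matches the file's convention and is worth applying to all three.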
@@ -92,7 +92,6 @@ sudo apt install \ - Install `yq` by following instructions [here](https://mikefarah.gitbook.io/yq/#install). - Install Golang by following instructions [here](https://go.dev/doc/install). -- Install Rust (`cargo`) by following instructions [here](https://www.rust-lang.org/tools/install). - Install packer by following [these instructions](https://learn.hashicorp.com/tutorials/packer/get-started-install-cli). **Build** @@ -110,7 +109,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1" export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy export PKR_VAR_sku=22_04-lts-cvm -export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" +export TEE_PLATFORM="az-cvm-vtpm" export LIBC=gnu export CLOUD_PROVIDER=azure PODVM_DISTRO=ubuntu make image diff --git a/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh b/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh index d74686ba5..bef68e4a4 100755 --- a/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh +++ b/src/cloud-api-adaptor/ibmcloud-powervs/image/prereq.sh @@ -2,7 +2,6 @@ # FIXME to pickup these values from versions.yaml GO_VERSION="1.22.7" -RUST_VERSION="1.75.0" # Install dependencies yum install -y curl libseccomp-devel openssl openssl-devel skopeo clang clang-devel @@ -17,7 +16,3 @@ yum install -y device-mapper-devel-1.02.197-2.el9.ppc64le.rpm curl https://dl.google.com/go/go${GO_VERSION}.linux-ppc64le.tar.gz -o go${GO_VERSION}.linux-ppc64le.tar.gz && \ rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_VERSION}.linux-ppc64le.tar.gz && \ rm -f go${GO_VERSION}.linux-ppc64le.tar.gz - -# Install Rust -curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_VERSION} -rustup target add powerpc64le-unknown-linux-gnu diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile index a246441f3..3b27fcc43 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/Makefile +++ b/src/cloud-api-adaptor/podvm-mkosi/Makefile 
@@ -1,10 +1,10 @@ include ../Makefile.defaults -ATTESTER ?= none -ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) -BUILDER = fedora-binaries-builder-$(ARCH) -SE_BOOT ?= false -IS_DEBIAN := $(shell if grep -q 'ID_LIKE=debian' /etc/os-release; then echo "true"; else echo "false"; fi) +TEE_PLATFORM ?= none +ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) +BUILDER = fedora-binaries-builder-$(ARCH) +SE_BOOT ?= false +IS_DEBIAN := $(shell if grep -q 'ID_LIKE=debian' /etc/os-release; then echo "true"; else echo "false"; fi) REGISTRY ?= quay.io/confidential-containers PODVM_DISTRO ?= fedora @@ -34,7 +34,6 @@ fedora-binaries-builder: --build-arg GO_VERSION=$(GO_VERSION) \ --build-arg ARCH=$(ARCH) \ --build-arg PROTOC_VERSION=$(PROTOC_VERSION) \ - --build-arg RUST_VERSION=$(RUST_VERSION) \ --build-arg YQ_VERSION=$(YQ_VERSION) \ --build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \ --build-arg YQ_ARCH=$(ARCH) \ @@ -52,7 +51,7 @@ ifeq ($(IS_DEBIAN),true) endif docker buildx build \ --build-arg BUILDER_IMG=$(BUILDER) \ - --build-arg ATTESTER=$(ATTESTER) \ + --build-arg TEE_PLATFORM=$(TEE_PLATFORM) \ --build-arg PAUSE_REPO=$(PAUSE_REPO) \ --build-arg PAUSE_VERSION=$(PAUSE_VERSION) \ --build-arg PAUSE_BIN=$(PAUSE_BIN) \ diff --git a/src/cloud-api-adaptor/podvm-mkosi/README.md b/src/cloud-api-adaptor/podvm-mkosi/README.md index 99bb26846..248e19e40 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/README.md +++ b/src/cloud-api-adaptor/podvm-mkosi/README.md @@ -93,7 +93,7 @@ Another issue is s390x does not support UEFI. Instead, we can first use **mkosi* It requires a **s390x host** to build s390x image with make commands: ``` make fedora-binaries-builder -ATTESTER=se-attester make binaries +TEE_PLATFORM=se-attester make binaries make image # SE_BOOT=true make image # make image-debug diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm b/src/cloud-api-adaptor/podvm/Dockerfile.podvm index 185e667a4..334ef864e 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm 
+++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm @@ -52,8 +52,6 @@ RUN tar xvf /src/cloud-api-adaptor/podvm/files/pause-bundle.tar.gz -C /src/cloud COPY . /src WORKDIR /src/cloud-api-adaptor/podvm -# Installs add-ons for foreign target, if required -RUN ./hack/cross-build-extras.sh # Will rebuild only the local binaries (agent-protocol-forwarder/process-user-data) # To rebuild everything update to "make FORCE=true image" diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries index 32f46545d..ba3267257 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries @@ -14,7 +14,7 @@ ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO # By default AA will be built with the `all-attesters` feature, # which doesn't compile ootb on ubuntu. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -33,7 +33,7 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER} ENV PODVM_DISTRO=${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION=${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO=${GUEST_COMPONENTS_REPO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} @@ -44,8 +44,6 @@ ENV IMAGE_CHECKSUM="none" COPY . /src WORKDIR /src/cloud-api-adaptor/podvm -# Installs add-ons for foreign target, if required -RUN ./hack/cross-build-extras.sh RUN LIBC=gnu make binaries diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora index 3da7fe08f..567770eb1 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora 
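Review bot: The comment above the renamed `ARG TEE_PLATFORM=none` still says AA will be built with the `all-attesters` feature and does not compile on ubuntu, which no longer describes what happens: this commit stops building attestation-agent and pulls a prebuilt artifact selected by TEE_PLATFORM. The same stale wording is kept in the Dockerfile.podvm_binaries.fedora and Dockerfile.podvm_binaries.rhel hunks. Suggested replacement: `# Selects the prebuilt attestation-agent artifact to pull; see Makefile.defaults for accepted values`. The context lines `ARG GUEST_COMPONENTS_VERSION` / `ARG GUEST_COMPONENTS_REPO` and their ENV counterparts also look orphaned now that Makefile.defaults no longer defines those variables, though the build-arg callers that would feed them are not visible in this diff.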
@@ -14,7 +14,7 @@ ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO # By default AA will be built with the `all-attesters` feature, # which doesn't compile on fedora. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -34,7 +34,7 @@ ENV CLOUD_PROVIDER=${CLOUD_PROVIDER} ENV PODVM_DISTRO=${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION=${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO=${GUEST_COMPONENTS_REPO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} ENV IMAGE_NAME=${IMAGE_NAME} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel index bf59c28c8..3b74ab52b 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel @@ -11,7 +11,7 @@ FROM ${BUILDER_IMG} AS podvm_builder ARG PODVM_DISTRO=rhel # By default AA will be built with the `all-attesters` feature, # which doesn't compile ootb on RHEL. -ARG ATTESTER=none +ARG TEE_PLATFORM=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -27,7 +27,7 @@ ENV PAUSE_REPO=${PAUSE_REPO} ENV PAUSE_VERSION=${PAUSE_VERSION} ENV PAUSE_BIN=${PAUSE_BIN} ENV PODVM_DISTRO=${PODVM_DISTRO} -ENV ATTESTER=${ATTESTER} +ENV TEE_PLATFORM=${TEE_PLATFORM} ENV ARCH=${ARCH} ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder index 802c1778c..6574fc150 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder 
@@ -14,13 +14,11 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG YQ_VERSION ARG YQ_CHECKSUM ARG ORAS_VERSION # Without setting ENV gh-action is failing to use the correct values ENV GO_VERSION=${GO_VERSION} -ENV RUST_VERSION=${RUST_VERSION} ENV PROTOC_VERSION=${PROTOC_VERSION} ENV ARCH=${ARCH} ENV YQ_ARCH=${YQ_ARCH} @@ -48,11 +46,7 @@ ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${Y RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c RUN chmod a+x /usr/local/bin/yq -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" - -ADD https://sh.rustup.rs rustup -RUN chmod a+x rustup && ./rustup -y --default-toolchain ${RUST_VERSION} \ - && rustup target add x86_64-unknown-linux-musl && ln -sf /usr/bin/g++ /bin/musl-g++ +ENV PATH="/usr/local/go/bin:$PATH" ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip protoc-${PROTOC_VERSION}-linux-x86_64.zip RUN unzip protoc-${PROTOC_VERSION}-linux-x86_64.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-x86_64.zip diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora index b3bdee6d6..e1f4c7475 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora @@ -13,7 +13,6 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG YQ_VERSION ARG YQ_CHECKSUM ARG ORAS_VERSION 
@@ -32,10 +31,7 @@ ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${Y RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c RUN chmod a+x /usr/local/bin/yq -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" - -ADD https://sh.rustup.rs rustup -RUN chmod a+x rustup && ./rustup -y --default-toolchain ${RUST_VERSION} +ENV PATH="/usr/local/go/bin:$PATH" ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip RUN unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel index d7a5b58c1..ceb0ef7ec 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.rhel @@ -14,7 +14,6 @@ ARG YQ_ARCH="amd64" ARG PROTOC_ARCH="x86_64" ARG GO_VERSION ARG PROTOC_VERSION -ARG RUST_VERSION ARG PACKER_VERSION ARG ORAS_VERSION ARG YQ_VERSION @@ -24,7 +23,6 @@ ARG ACTIVATION_KEY # Without setting ENV gh-action is failing to use the correct values ENV GO_VERSION=${GO_VERSION} -ENV RUST_VERSION=${RUST_VERSION} ENV PROTOC_VERSION=${PROTOC_VERSION} ENV PROTOC_ARCH=${PROTOC_ARCH} ENV ARCH=${ARCH} 
@@ -74,9 +72,7 @@ RUN ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-system-$(uname -m) RUN git clone https://github.com/canonical/cloud-utils RUN cd cloud-utils && make install -RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain "${RUST_VERSION}" - -ENV PATH="/root/.cargo/bin:/usr/local/go/bin:$PATH" +ENV PATH="/usr/local/go/bin:$PATH" RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip && \ unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip diff --git a/src/cloud-api-adaptor/podvm/Makefile b/src/cloud-api-adaptor/podvm/Makefile index 1afa224a9..464c08efe 100644 --- a/src/cloud-api-adaptor/podvm/Makefile +++ b/src/cloud-api-adaptor/podvm/Makefile @@ -20,8 +20,6 @@ ifndef IMAGE_CHECKSUM $(error "IMAGE_CHECKSUM is not defined") endif -KATA_AGENT_SRC := ../../kata-containers/src/agent -STATIC_LIBSECCOMP_BUILDER := ../../kata-containers/ci/install_libseccomp.sh AGENT_PROTOCOL_FORWARDER_SRC := ../ QEMU_MACHINE_TYPE_s390x := s390-ccw-virtio diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc index a58198d48..685285bfa 100644 --- a/src/cloud-api-adaptor/podvm/Makefile.inc +++ b/src/cloud-api-adaptor/podvm/Makefile.inc @@ -24,13 +24,11 @@ ARCH := $(or $(ARCH),$(HOST_ARCH)) ARCH := $(subst amd64,x86_64,$(ARCH)) DEB_ARCH := $(subst x86_64,amd64,$(ARCH)) LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl) -RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH)) -RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC) # Auth json file for registry access. Used with skopeo AUTHFILE ?= -ATTESTER ?= none +TEE_PLATFORM ?= none CDH_RESOURCE_PROVIDER ?= kbs SEALED_SECRET ?= yes 
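Review bot: `CDH_RESOURCE_PROVIDER ?= kbs` survives this hunk, but its only visible consumer, the `RESOURCE_PROVIDER="$(CDH_RESOURCE_PROVIDER)"` argument in the confidential-data-hub recipe, is removed later in this file, so the variable now appears to have no effect on the artifact that is pulled. If the prebuilt CDH ships with a fixed resource provider, either drop the variable or mark it with `# no longer used: the prebuilt confidential-data-hub artifact is pulled as-is` so callers do not expect an override to work. `LIBC` is likewise no longer referenced by the AA/CDH/api-server recipes; whether it still has users elsewhere in the file cannot be told from this diff.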
@@ -43,14 +41,6 @@ FORCE_TARGET := $(if $(FORCE),force,) SHELL := env PATH=$(PATH) /bin/bash -ifneq ($(HOST_ARCH),$(ARCH)) - ifeq ($(CC),cc) - CC := $(ARCH)-linux-$(LIBC)-gcc - $(warning A foreign ARCH was passed, but no CC alternative. Using $(CC) as best guess) - endif -RUST_FLAGS := CC=$(CC) ARCH=$(ARCH) -endif - ifndef IMAGE_NAME COMMIT := $(shell commit=$$(git describe --match '' --dirty --always) && \ if [ -n "$$(git ls-files --other --exclude-per-directory .gitignore "$(FILES_DIR)")" ]; then \ @@ -94,8 +84,6 @@ PAUSE_SRC = pause # Allows to override PAUSE_BUNDLE ?= pause_bundle -GUEST_COMPONENTS_SRC = ../../../guest-components - # Clone a specific commit/tag/branch of a repo. # $(1) - Repository URL # $(2) - Destination directory @@ -113,10 +101,11 @@ endef # Ensure that the oras tags is converted to something valid # $(1) - return value # $(2) - initial_tag +# $(3) - suffix define generate_tag - $(eval $0_tag_length_limit=$(shell expr 128 - $(shell echo "-$(ARCH)" | wc -c))) + $(eval $0_tag_length_limit=$(shell expr 128 - $(shell echo "-$(3)" | wc -c))) processed_tag=$(shell echo $(2) | tr -dc '[:print:]' | tr -c '[a-zA-Z0-9\_\.\-]' _ | head -c $(shell echo $($0_tag_length_limit))) - $(1) := $$(processed_tag)-$(ARCH) + $(1) := $$(processed_tag)-$(3) endef binaries: $(BINARIES) @@ -130,8 +119,8 @@ $(PROCESS_USER_DATA): always install -D --compare "$(ROOT_DIR)/process-user-data" "$@" $(KATA_AGENT): $(FORCE_TARGET) - $(eval $(call generate_tag,tag,$(KATA_SRC_REF))) - oras pull ghcr.io/kata-containers/cached-artefacts/agent:${tag} + $(eval $(call generate_tag,tag,$(KATA_REF),$(ARCH))) + oras pull $(KATA_REGISTRY)/agent:${tag} tar xvJpf kata-static-agent.tar.xz install -D --compare "./usr/bin/kata-agent" "$@" 
@@ -155,31 +144,30 @@ $(UMOCI_SRC)/umoci: $(UMOCI_SRC) $(PAUSE_SRC): $(SKOPEO_BIN) $(SKOPEO_BIN) --override-arch $(DEB_ARCH) --policy "$(FILES_DIR)/etc/containers/policy.json" copy \ - $(if $(AUTHFILE),--authfile $(AUTHFILE)) "$(PAUSE_REPO):$(PAUSE_VERSION)" "oci:$(PAUSE_SRC):$(PAUSE_VERSION)" + $(if $(AUTHFILE),--authfile $(AUTHFILE)) "docker://$(PAUSE_REPO):$(PAUSE_VERSION)" "oci:$(PAUSE_SRC):$(PAUSE_VERSION)" $(PAUSE): | $(PAUSE_SRC) $(UMOCI_SRC)/umoci $(UMOCI_SRC)/umoci unpack --rootless --image "$(PAUSE_SRC):$(PAUSE_VERSION)" "${FILES_DIR}/$(PAUSE_BUNDLE)" -$(GUEST_COMPONENTS_SRC): - $(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION)) - -$(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@" +$(ATTESTATION_AGENT): $(FORCE_TARGET) + $(eval $(call generate_tag,tag,$(GUEST_COMPONENTS_REF),$(TEE_PLATFORM))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/attestation-agent:${tag} + tar xvJpf attestation-agent.tar.xz + install -D --compare attestation-agent "$@" -$(CONFIDENTIAL_DATA_HUB): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/confidential-data-hub" && CC= ARCH=$(ARCH) $(MAKE) RESOURCE_PROVIDER="$(CDH_RESOURCE_PROVIDER)" LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/confidential-data-hub" "$@" +$(CONFIDENTIAL_DATA_HUB): $(FORCE_TARGET) + $(eval $(call generate_tag,tag,$(GUEST_COMPONENTS_REF),$(ARCH))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/confidential-data-hub:${tag} + tar xvJpf confidential-data-hub.tar.xz + install -D --compare confidential-data-hub "$@" -$(API_SERVER_REST): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/api-server-rest" && CC= 
ARCH=$(ARCH) $(MAKE) LIBC="$(LIBC)" - mkdir -p "$(@D)" - install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/api-server-rest" "$@" +$(API_SERVER_REST): $(FORCE_TARGET) + $(eval $(call generate_tag,tag,$(GUEST_COMPONENTS_REF),$(ARCH))) + oras pull $(GUEST_COMPONENTS_REGISTRY)/api-server-rest:${tag} + tar xvJpf api-server-rest.tar.xz + install -D --compare api-server-rest "$@" clean_sources: - [ -d "$(GUEST_COMPONENTS_SRC)" ] && cd "$(GUEST_COMPONENTS_SRC)" && git clean -xfd [ -d "$(ROOT_DIR)" ] && cd "$(ROOT_DIR)" && git clean -xfd -e podvm [ -d "$(PAUSE_SRC)" ] && cd "$(PAUSE_SRC)" && rm -rf * [ -d "$(UMOCI_SRC)" ] && cd "$(UMOCI_SRC)" && git clean -xfd -e umoci diff --git a/src/cloud-api-adaptor/podvm/README.md b/src/cloud-api-adaptor/podvm/README.md index b363e63d4..c1b074a4c 100644 --- a/src/cloud-api-adaptor/podvm/README.md +++ b/src/cloud-api-adaptor/podvm/README.md @@ -6,7 +6,7 @@ find [here](../docs/consuming-prebuilt-podvm-images.md) information on how to co # How to build locally -In order to build locally it requires the source trees and softwares mentioned in the [developer's guide](../docs/DEVELOPMENT.md) to build this project binaries. It will also need [packer](https://www.packer.io/) (to build the qcow2), [rust](https://www.rust-lang.org/tools/install) (to build the Kata Containers's agent), as well as the following packages: +In order to build locally it requires the source trees and softwares mentioned in the [developer's guide](../docs/DEVELOPMENT.md) to build this project binaries. It will also need [packer](https://www.packer.io/) (to build the qcow2) as well as the following packages: * On Ubuntu: 
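Review bot: The three new recipes replace a build from a pinned guest-components commit with `oras pull $(GUEST_COMPONENTS_REGISTRY)/<component>:${tag}` followed by `tar xvJpf` and `install`, with no digest pin, checksum or signature check on what the registry returns; attestation-agent, confidential-data-hub and api-server-rest are the trust-critical binaries baked into the pod VM image, so image integrity now rests entirely on the tags under ghcr.io/confidential-containers/guest-components never being moved. Pulling by digest (`$(GUEST_COMPONENTS_REGISTRY)/<component>@<DIGEST_PLACEHOLDER>`, with the digest recorded next to the reference in versions.yaml) or checking the downloaded tarball with `sha256sum -c` against a recorded value, as Dockerfile.podvm_builder does for yq, would restore an integrity check; the kata agent pull in the `@@ -130` hunk has the same gap, although that tag-based pull predates this change. Separately, the attestation-agent tag is derived from `$(TEE_PLATFORM)` alone while the other two use `$(ARCH)`, so for `TEE_PLATFORM=none` on a non-x86 build it is unclear from the hunk which architecture gets fetched; a comment on the recipe stating the assumed tag scheme would help. The `oras pull` arguments are unquoted, unlike the `skopeo copy` line above, which is a minor consistency point.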
@@ -14,8 +14,6 @@ In order to build locally it requires the source trees and softwares mentioned i $ apt-get install -y qemu-kvm cloud-utils qemu-utils protobuf-compiler pkg-config libdevmapper-dev libgpgme-dev ``` -You may need to link the agent with the musl C library. In this case, you should install the musl-tools (Ubuntu) package and setup the Rust toolchain as explained [here](https://github.com/kata-containers/kata-containers/blob/main/src/agent/README.md#build-with-musl). - Finally run the following commands to build the qcow2 image: ```bash @@ -192,7 +190,7 @@ Follow the steps below, replacing `DISTRO` with the name of the distribution bei 1. Create the builder dockerfile by copying `Dockerfile.podvm_builder` to `Dockerfile.podvm_builder.DISTRO` and adjusting the file properly (e.g. replace `FROM ubuntu:20.04` with `FROM DISTRO`). Try to keep the same - software versions (e.g. Golang, Rust) as much as possible. + software versions (e.g. Golang) as much as possible. 2. Create the podvm image dockerfile by copying `Dockerfile.podvm` to `Dockerfile.podvm.DISTRO` and adjusting the file properly likewise. In particular, the *PODVM_DISTRO* and *BUILDER_IMG* arguments should be changed. 3. Create the podvm binaries dockerfile by copying `Dockerfile.podvm_binaries` diff --git a/src/cloud-api-adaptor/podvm/hack/cross-build-extras.sh b/src/cloud-api-adaptor/podvm/hack/cross-build-extras.sh deleted file mode 100755 index f0093ff36..000000000 --- a/src/cloud-api-adaptor/podvm/hack/cross-build-extras.sh +++ /dev/null 
@@ -1,21 +0,0 @@
-#!/bin/bash
-# cross-build-extras.sh
-# Install the additional requires for cross-compilation
-# of podvm image binaries
-
-# If ARCH is not set, exit
-[[ -z $ARCH ]] && exit 0
-
-# Normalise ARCH (if input is amd64 use x86_64)
-ARCH=${ARCH/amd64/x86_64}
-
-# If ARCH is equal to HOST, exit
-[[ $ARCH = $(uname -m) ]] && exit 0
-
-# Only gnu is available for s390x
-libc=$([[ $ARCH =~ s390x ]] && echo "gnu" || echo "musl")
-rustTarget="$ARCH-unknown-linux-$libc"
-
-rustup target add "$rustTarget"
-apt install -y "qemu-system-$ARCH"
-apt install -y "gcc-$ARCH-linux-$libc"
diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml
index 5386678cd..1f74a97a9 100644
--- a/src/cloud-api-adaptor/versions.yaml
+++ b/src/cloud-api-adaptor/versions.yaml
@@ -21,7 +21,6 @@ cloudimg:
 tools:
 bats: 1.10.0
 golang: 1.22.7
- rust: 1.75.0
 protoc: 3.15.0
 packer: v1.9.4
 kcli: 99.0.202407031308
@@ -32,25 +31,28 @@ git:
 coco-operator:
 url: https://github.com/confidential-containers/operator
 reference: v0.10.0
- guest-components:
- url: https://github.com/confidential-containers/guest-components
- reference: c2022037d8fbb076f569529e93b2cbe63a3968bb
- kata-containers:
- url: https://github.com/kata-containers/kata-containers
- reference: 3.9.0
 umoci:
 url: https://github.com/opencontainers/umoci
 reference: v0.4.7
 skopeo:
 url: https://github.com/containers/skopeo
 reference: v1.5.0
- kbs:
- url: https://github.com/confidential-containers/trustee
- reference: v0.10.1
+# If a tag is given it will attempt to pull the exact oci image, if a reference
+# is specified the corresponding tag will be constructed using the reference and
+# suffixes like architecture or tee.
 oci:
 pause:
- registry: docker://registry.k8s.io/pause
+ registry: registry.k8s.io/pause
 tag: 3.9
 kbs:
 registry: ghcr.io/confidential-containers/key-broker-service
 tag: built-in-as-v0.10.1
+ kbs-client:
+ registry: ghcr.io/confidential-containers/staged-images/kbs-client
+ reference: e890fc90c384207668fa3a4d6a2f2a2d652797ee
+ kata-containers:
+ registry: ghcr.io/kata-containers/cached-artefacts
+ reference: 3.8.0
+ guest-components:
+ registry: ghcr.io/confidential-containers/guest-components
+ reference: c2022037d8fbb076f569529e93b2cbe63a3968bb
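Review bot: `kata-containers.reference` is set to `3.8.0` while the `git.kata-containers.reference` entry removed in this same hunk was `3.9.0`; the commit message describes only a move between sections, so this reads as an unintended downgrade or a typo — if it is deliberate, the message should say why. The new `oci` entries keep `reference` and `tag` as plain scalars; a reference that happens to be all digits (a short commit id, or a version such as `3.10`) would be retyped by the YAML parser before the `query` helper in Makefile.defaults sees it, so quoting them (`reference: "3.8.0"`, `tag: "3.9"`) is the safer form. The explanatory comment is welcome; it could also name where the construction happens, e.g. `# (see generate_tag in podvm/Makefile.inc)`, so readers can find how the suffix is applied.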