
podvm: retrieve guest-components via ORAS #2074

Open · wants to merge 2 commits into base: main

Conversation

mkulke (Contributor) commented Sep 30, 2024

Note: draft until GC 731 and #2064 have been merged

In this change the artifacts are being retrieved from guest-component's ORAS now. Hence the rust build infrastructure can be removed with this change.

There is an option to verify the provenance of the guest component artifacts that we download as part of the build. It is opt-in, you have to set VERIFY_PROVENANCE=yes when building a podvm. There are respective build flags on the src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora and the src/cloud-api-adaptor/podvm-mkosi/Makefile. Currently only the azure-podvm-image-build ci workflow has the provenance checks enabled.

There are some notable changes:

  • guest-component exposed the TEE_PLATFORM param on its top level build script, which we use to pull the correct artifact. Since we don't build attestation-agent directly anymore, the ATTESTER param has been removed from the project's build scripts.
  • in versions.yaml kata and guest-components have been moved from the "git" section to the "oci" section, however since the tag is dynamic, we also provide a "reference" field in those entries.
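As an added example (not code from this PR or from the cloud-api-adaptor project), the shape of the opt-in provenance gate described above, written as a POSIX shell script: pull the guest-components artifact for a given TEE_PLATFORM and, only when VERIFY_PROVENANCE=yes, refuse to keep anything whose attestation does not verify. The registry path, the `<commit>-<TEE_PLATFORM>` tag layout and the use of GitHub artifact attestations checked with `gh attestation verify` are assumptions made for the example, not details taken from the PR; the commit and platform values in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of the PR: opt-in provenance gate around an ORAS pull.
# Assumptions (not confirmed by the PR): artifacts are published under
# GC_REGISTRY with a tag of the form "<commit>-<TEE_PLATFORM>", and provenance
# is a GitHub artifact attestation that `gh attestation verify` can check.
set -eu

GC_OWNER="${GC_OWNER:-confidential-containers}"                      # assumed org
GC_REGISTRY="${GC_REGISTRY:-ghcr.io/confidential-containers/guest-components}"  # assumed path

# gc_reference <commit> <tee_platform>
# Build the OCI reference to pull. The tag is the "dynamic" part mentioned in
# the PR description; the layout below is an assumption for this example.
gc_reference() {
    printf '%s:%s-%s\n' "$GC_REGISTRY" "$1" "$2"
}

# provenance_required
# True (exit 0) only when VERIFY_PROVENANCE is exactly "yes", mirroring the
# opt-in switch described above. Any other value, or an unset variable, skips
# the check, so the default is permissive and must be enabled deliberately.
provenance_required() {
    [ "${VERIFY_PROVENANCE:-no}" = "yes" ]
}

# fetch_gc_artifacts <commit> <tee_platform> <outdir>
# Pull the artifact and, if verification is enabled, fail closed: a file whose
# attestation does not verify is removed together with the rest of the pull
# and the function returns non-zero so a Makefile or Dockerfile step aborts.
fetch_gc_artifacts() {
    ref=$(gc_reference "$1" "$2")
    mkdir -p "$3"
    oras pull -o "$3" "$ref"

    if ! provenance_required; then
        echo "warning: VERIFY_PROVENANCE is not 'yes'; provenance of $ref was not checked" >&2
        return 0
    fi

    for f in "$3"/*; do
        if ! gh attestation verify "$f" --owner "$GC_OWNER"; then
            echo "error: provenance check failed for $f; discarding downloaded artifacts" >&2
            rm -f -- "$3"/*
            return 1
        fi
    done
    echo "provenance verified for $ref" >&2
}

# Usage (constructed sample values):
#   VERIFY_PROVENANCE=yes sh fetch-gc.sh 0123abc tdx ./gc-artifacts
if [ $# -eq 3 ]; then
    fetch_gc_artifacts "$@"
fi
```

The important property is the default: a missing or misspelled VERIFY_PROVENANCE value silently skips verification, which is why a build that relies on this check should set it explicitly rather than inherit it from the environment.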

@mkulke changed the title from "Mkulke/oras caching" to "podvm: retrieve guest-components via ORAS" on Sep 30, 2024
stevenhorsman (Member) left a comment

I'll re-review once the guest-component caching is merged and working, but on initial review this looks great and supersedes #2033 nicely. Thanks!

@mkulke force-pushed the mkulke/oras-caching branch 2 times, most recently from 123a30b to 6e53c66 on October 2, 2024 06:47
wainersm (Member) commented Oct 7, 2024

The required PRs were merged but oras images aren't published yet (https://github.com/confidential-containers/guest-components/actions/workflows/publish-artifacts.yml) due to a bug in the setup-oras action (oras-project/setup-oras#57); so I could not test this yet.

@mkulke added the CI (Issues related to CI workflows) and podvm (Related to podvm images) labels on Oct 8, 2024
@mkulke force-pushed the mkulke/oras-caching branch 5 times, most recently from c81bfa5 to 12fb47c on October 8, 2024 14:05
@mkulke added the test_e2e_libvirt (Run Libvirt e2e tests) label on Oct 8, 2024
@mkulke force-pushed the mkulke/oras-caching branch 7 times, most recently from b59d8d6 to 3123f42 on October 10, 2024 10:19
@mkulke mentioned this pull request on Oct 11, 2024
@mkulke force-pushed the mkulke/oras-caching branch 2 times, most recently from d0b43e1 to d2f4929 on October 14, 2024 12:09
@mkulke marked this pull request as ready for review on October 14, 2024 14:25
@mkulke requested a review from a team as a code owner on October 14, 2024 14:25
stevenhorsman (Member) left a comment

This looks good to me, just a couple of minor questions/comments.

Review threads (resolved): .github/workflows/e2e_libvirt.yaml (outdated), src/cloud-api-adaptor/podvm/Makefile.inc
The artifacts are being retrieved from guest-component's ORAS now. Hence
the rust build infrastructure can be removed with this change.

The Rust build infra hasn't been fully removed yet, this should be done
in a follow-up PR (otherwise the e2e test suite will fail, since those
run on main).

There are some notable changes:
- guest-component exposed the TEE_PLATFORM param on its top level build
  script, which we use to pull the correct artifact. Since we don't
  build attestation-agent directly anymore the ATTESTER param has been
  removed from the project's build scripts
- in versions.yaml kata and guest-components have been moved from the
  "git" section to the "oci" section, however since the tag is dynamic,
  we also provide a "reference" field in those entries.
- bumped guest-components to a commit that is available as artifact in
  OCI

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
The GC artifact attestations are being verified; so far this is only
toggled on for mkosi on fedora images.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Labels: CI (Issues related to CI workflows), podvm (Related to podvm images), test_e2e_libvirt (Run Libvirt e2e tests)
3 participants