Merge pull request #7601 from ChengyuZhu6/install_dmsetup

CC | tools: Install dependencies with dm-verity in rootfs
2025-08-22 09:49:35 +00:00 · 2023-08-23 17:24:43 +01:00 · 2023-08-23 17:24:43 +01:00 · 0e9a8f22ca
commit 0e9a8f22ca
parent cfba372f17 d053f848b4
5 changed files with 22 additions and 4 deletions
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@ -12,6 +12,7 @@ set -o pipefail

 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+DM_VERITY=${DM_VERITY:-no}

 #For cross build
 CROSS_BUILD=${CROSS_BUILD:-false}
@ -51,6 +52,13 @@ readonly dax_header_sz=2
 readonly dax_alignment=2

 # The list of systemd units and files that are not needed in Kata Containers
+readonly -a udev_systemd_units=(
+	"systemd-udevd"
+	"systemd-udevd-control"
+	"systemd-udevd-kernel"
+	"systemd-udev-trigger"
+)
+
 readonly -a systemd_units=(
 	"systemd-coredump@"
 	"systemd-journald"
@ -59,10 +67,6 @@ readonly -a systemd_units=(
 	"systemd-random-seed"
 	"systemd-timesyncd"
 	"systemd-tmpfiles-setup"
-	"systemd-udevd"
-	"systemd-udevd-control"
-	"systemd-udevd-kernel"
-	"systemd-udev-trigger"
 	"systemd-update-utmp"
 )

@ -455,6 +459,14 @@ setup_selinux() {

 setup_systemd() {
 		local mount_dir="$1"
+		if [ "${DM_VERITY}" == "no" ]; then
+			for u in "${udev_systemd_units[@]}"; do
+				find "${mount_dir}" -type f \( \
+					-name "${u}.service" -o \
+					-name "${u}.socket" \) \
+					-exec rm -f {} \;
+			done
+		fi

 		info "Removing unneeded systemd services and sockets"
 		for u in "${systemd_units[@]}"; do
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -18,6 +18,7 @@ AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
 KATA_BUILD_CC=${KATA_BUILD_CC:-no}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+DM_VERITY=${DM_VERITY:-no}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@ -459,6 +460,7 @@ build_rootfs_distro()
 			--env ARCH="${ARCH}" \
 			--env CI="${CI}" \
 			--env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
+			--env DM_VERITY="${DM_VERITY}" \
 			--env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \
 			--env LIBC="${LIBC}" \
 			--env EXTRA_PKGS="${EXTRA_PKGS}" \
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@ -9,6 +9,7 @@ PACKAGES="chrony iptables dbus kmod"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
 [ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
+[ "$DM_VERITY" = yes ] && PACKAGES+=" udev dmsetup"
 REPO_URL=http://ports.ubuntu.com

 case "$ARCH" in
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@ -94,6 +94,7 @@ docker run \
 	--env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \
 	--env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \
 	--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
+	--env DM_VERITY="${DM_VERITY:-}" \
 	--env USE_CACHE="${USE_CACHE:-}" \
 	--env CROSS_BUILD="${CROSS_BUILD}" \
 	--env TARGET_ARCH="${TARGET_ARCH}" \
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -44,6 +44,7 @@ readonly cached_artifacts_path="lastSuccessfulBuild/artifact/artifacts"

 ARCH=${ARCH:-$(uname -m)}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+DM_VERITY=${DM_VERITY:-no}
 USE_CACHE="${USE_CACHE:-"yes"}"

 workdir="${WORKDIR:-$PWD}"
@ -226,6 +227,7 @@ install_cc_image() {
 	export AA_KBC="${AA_KBC:-offline_fs_kbc}"
 	export KATA_BUILD_CC=yes
 	export MEASURED_ROOTFS=yes
+	export DM_VERITY=yes
 	variant="${1:-}"

 	install_image "${variant}"