osbuilder: Build Skopeo, umoci, attestation-agent

When the environment variable $SKOPEO_UMOCI is set to "yes", Skopeo and umoci are built inside the guest build container and installed to the guest rootfs. The respective build- and runtime dependencies are added. This respects the (existing) $LIBC variable (gnu/musl) and avoids issues with glibc mismatches. This is currently only supported for Ubuntu guests, as the system Golang packages included in the versions of other distros that we use are too old to build these packages, and re-enabling installing Golang from golang.org is cumbersome, given especially that it is unclear how long we will keep using Skopeo and umoci. Additionally, when the environment variable $AA_KBC is set, attestation-agent (with that KBC) is included. This replaces some logic in ccv0.sh that is removed. Fixes: #2907 Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2025-08-22 17:59:31 +00:00 · 2021-10-26 16:41:53 +02:00 · 2021-10-26 16:41:53 +02:00 · 13f6418c46
commit 13f6418c46
parent 9b34595ad0
7 changed files with 102 additions and 16 deletions
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@ -230,18 +230,7 @@ create_a_local_rootfs() {
    cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder
    export distro="ubuntu"
    [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}"
-    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH EXTRA_PKGS="ca-certificates vim iputils-ping net-tools gnupg libgpgme-dev" DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
-
-    # Build and add skopeo binary - TODO LATER replace with install from Ubuntu when the base is 20.10+, or 
-    git clone --branch release-1.4 https://github.com/containers/skopeo ${GOPATH}/src/github.com/containers/skopeo
-    cd ${GOPATH}/src/github.com/containers/skopeo && make bin/skopeo
-    cp "${GOPATH}/src/github.com/containers/skopeo/bin/skopeo" "${ROOTFS_DIR}/usr/bin/skopeo"
-
-    # Add umoci binary - TODO LATER replace with install from Ubuntu when the base is 20.10+
-    go_arch=$("${tests_repo_dir}"/.ci/kata-arch.sh -g)
-    mkdir -p ${ROOTFS_DIR}/usr/local/bin/
-    sudo curl -Lo ${ROOTFS_DIR}/usr/local/bin/umoci https://github.com/opencontainers/umoci/releases/download/v0.4.7/umoci.${go_arch}
-    sudo chmod u+x ${ROOTFS_DIR}/usr/local/bin/umoci
+    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}

    # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
    sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -142,6 +142,19 @@ USE_PODMAN          If set and USE_DOCKER not set, then build the rootfs inside
                    a podman container (requires podman).
                    Default value: <not set>

+SKOPEO_UMOCI        If set to "yes", build Skopeo and umoci for confidential
+                    containers guest image pull. Currently, this is only
+                    supported for Ubuntu guests; see
+                    https://github.com/kata-containers/kata-containers/pull/2908
+                    for discussion.
+                    Default value: <not set>
+
+AA_KBC              Key broker client module for attestation-agent. This is
+                    required for confidential containers. Requires SKOPEO_UMOCI
+                    to be set. See https://github.com/containers/attestation-agent
+                    for more information on available modules.
+                    Default value: <not set>
+
 Refer to the Platform-OS Compatibility Matrix for more details on the supported
 architectures:
 https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder#platform-distro-compatibility-matrix
@ -425,6 +438,9 @@ build_rootfs_distro()
 			--env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
+			--env LIBC="${LIBC}" \
+			--env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
+			--env AA_KBC="${AA_KBC}" \
 			--env SECCOMP="${SECCOMP}" \
 			--env DEBUG="${DEBUG}" \
 			--env HOME="/root" \
@ -551,11 +567,12 @@ EOT
 	AGENT_DIR="${ROOTFS_DIR}/usr/bin"
 	AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}"

+	if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
+		LIBC=gnu
+		warning "Forcing LIBC=gnu because $ARCH has no musl Rust target"
+	fi
+
 	if [ -z "${AGENT_SOURCE_BIN}" ] ; then
-		if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
-			LIBC=gnu
-			echo "WARNING: Forcing LIBC=gnu because $ARCH has no musl Rust target"
-		fi
 		[ "$LIBC" == "musl" ] && bash ${script_dir}/../../../ci/install_musl.sh
 		# rust agent needs ${arch}-unknown-linux-${LIBC}
 		if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then
@ -617,6 +634,41 @@ EOT
 	info "Create /etc/resolv.conf file in rootfs if not exist"
 	touch "$dns_file"

+	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+		skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
+		skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
+		info "Install skopeo"
+		git clone "${skopeo_url}" --branch "${skopeo_branch}"
+		pushd skopeo
+		make bin/skopeo
+		install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
+		popd
+
+		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+		info "Install umoci"
+		git clone "${umoci_url}" --branch "${umoci_tag}"
+		pushd umoci
+		make
+		install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+		popd
+	fi
+
+	if [ -n "${AA_KBC}" ]; then
+		[ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+
+		attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
+		attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
+		info "Install attestation-agent with KBC ${AA_KBC}"
+		git clone "${attestation_agent_url}" --branch "${attestation_agent_branch}"
+		pushd attestation-agent
+		source "${HOME}/.cargo/env"
+		target="${ARCH}-unknown-linux-${LIBC}"
+		cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}"
+		install -o root -g root -m 0755 "target/${target}/release/attestation-agent" "${ROOTFS_DIR}/usr/local/bin/"
+		popd
+	fi
+
 	info "Creating summary file"
 	create_summary_file "${ROOTFS_DIR}"
 }
--- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in
+++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in
@ -28,10 +28,15 @@ RUN apt-get update && apt-get install -y \
    g++ \
    gcc \
    git \
+    golang-go \
+    libdevmapper-dev \
    libc6-dev \
+    libgpgme-dev \
+    libssl-dev \
    libstdc++-8-dev \
    m4 \
    make \
+    pkg-config \
    sed \
    systemd \
    tar \
--- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
@ -27,13 +27,18 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
    g++ \
    gcc \
    git \
+    golang-go \
+    libdevmapper-dev \
    libc6-dev \
+    libgpgme-dev \
+    libssl-dev \
    libstdc++-8-dev \
    m4 \
    make \
    musl \
    musl-dev \
    musl-tools \
+    pkg-config \
    protobuf-compiler \
    sed \
    systemd \
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@ -32,3 +32,4 @@ INIT_PROCESS=systemd
 ARCH_EXCLUDE_LIST=()

 [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
+[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@ -219,6 +219,25 @@ ${extra}
 	  agent-is-init-daemon: "${AGENT_INIT}"
 EOT

+	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+		cat >> "${file}" <<-EOF
+	skopeo:
+	  url: "${skopeo_url}"
+	  version: "${skopeo_branch}"
+	umoci:
+	  url: "${umoci_url}"
+	  version: "${umoci_tag}"
+EOF
+	fi
+
+	if [ -n "${AA_KBC}" ]; then
+		cat >> "${file}" <<-EOF
+	attestation-agent:
+	  url: "${attestation_agent_url}"
+	  kbc: "${AA_KBC}"
+EOF
+	fi
+
 	local rootfs_file="${file_dir}/$(basename "${file}")"
 	info "Created summary file '${rootfs_file}' inside rootfs"
 }
--- a/versions.yaml
+++ b/versions.yaml
@ -163,6 +163,11 @@ assets:
 externals:
  description: "Third-party projects used by the system"

+  attestation-agent:
+    description: "Provide attested key unwrapping for image decryption"
+    url: "https://github.com/confidential-containers/attestation-agent"
+    branch: "main"
+
  cni-plugins:
    description: "CNI network plugins"
    url: "https://github.com/containernetworking/plugins"
@ -227,6 +232,16 @@ externals:
      .*/v?(\d\S+)\.tar\.gz
    version: "v1.0.1"

+  skopeo:
+    description: "Utility for container images and image repositories"
+    url: "https://github.com/containers/skopeo"
+    branch: "release-1.4"
+
+  umoci:
+    description: "Utility for creating and manipulating container images"
+    url: "https://github.com/opencontainers/umoci"
+    tag: "v0.4.7"
+
  musl:
    description: |
      The musl library is used to build the rust agent.