diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh index 8d36639c45..f68ab65387 100755 --- a/docs/how-to/ccv0.sh +++ b/docs/how-to/ccv0.sh @@ -230,18 +230,7 @@ create_a_local_rootfs() { cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder export distro="ubuntu" [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}" - sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH EXTRA_PKGS="ca-certificates vim iputils-ping net-tools gnupg libgpgme-dev" DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro} - - # Build and add skopeo binary - TODO LATER replace with install from Ubuntu when the base is 20.10+, or - git clone --branch release-1.4 https://github.com/containers/skopeo ${GOPATH}/src/github.com/containers/skopeo - cd ${GOPATH}/src/github.com/containers/skopeo && make bin/skopeo - cp "${GOPATH}/src/github.com/containers/skopeo/bin/skopeo" "${ROOTFS_DIR}/usr/bin/skopeo" - - # Add umoci binary - TODO LATER replace with install from Ubuntu when the base is 20.10+ - go_arch=$("${tests_repo_dir}"/.ci/kata-arch.sh -g) - mkdir -p ${ROOTFS_DIR}/usr/local/bin/ - sudo curl -Lo ${ROOTFS_DIR}/usr/local/bin/umoci https://github.com/opencontainers/umoci/releases/download/v0.4.7/umoci.${go_arch} - sudo chmod u+x ${ROOTFS_DIR}/usr/local/bin/umoci + sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro} # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/" diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index bfdd4bb271..5ea256b739 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh 
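Review bot: The rewritten `sudo -E ... ./rootfs.sh` call drops `EXTRA_PKGS="ca-certificates vim iputils-ping net-tools gnupg libgpgme-dev"`, and the ubuntu/config.sh hunk in this commit only adds back `ca-certificates libgpgme11` when SKOPEO_UMOCI is set, so vim, iputils-ping, net-tools, gnupg and libgpgme-dev silently disappear from the guest rootfs this how-to produces. A smaller guest is a sensible default for a confidential-containers image, but it is a behaviour change of the documented flow that the commit does not mention; if it is intended, say so in the description or in a comment above the call, e.g. `# Debug tools (vim, net-tools, ...) are no longer pre-installed; pass EXTRA_PKGS=... to add them`. The enclosing function create_a_local_rootfs() continues outside the hunk.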
@@ -142,6 +142,19 @@ USE_PODMAN If set and USE_DOCKER not set, then build the rootfs inside a podman container (requires podman). Default value: +SKOPEO_UMOCI If set to "yes", build Skopeo and umoci for confidential + containers guest image pull. Currently, this is only + supported for Ubuntu guests; see + https://github.com/kata-containers/kata-containers/pull/2908 + for discussion. + Default value: + +AA_KBC Key broker client module for attestation-agent. This is + required for confidential containers. Requires SKOPEO_UMOCI + to be set. See https://github.com/containers/attestation-agent + for more information on available modules. + Default value: + Refer to the Platform-OS Compatibility Matrix for more details on the supported architectures: https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder#platform-distro-compatibility-matrix @@ -425,6 +438,9 @@ build_rootfs_distro() --env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \ --env OS_VERSION="${OS_VERSION}" \ --env INSIDE_CONTAINER=1 \ + --env LIBC="${LIBC}" \ + --env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \ + --env AA_KBC="${AA_KBC}" \ --env SECCOMP="${SECCOMP}" \ --env DEBUG="${DEBUG}" \ --env HOME="/root" \ @@ -551,11 +567,12 @@ EOT AGENT_DIR="${ROOTFS_DIR}/usr/bin" AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}" + if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then + LIBC=gnu + warning "Forcing LIBC=gnu because $ARCH has no musl Rust target" + fi + if [ -z "${AGENT_SOURCE_BIN}" ] ; then - if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then - LIBC=gnu - echo "WARNING: Forcing LIBC=gnu because $ARCH has no musl Rust target" - fi [ "$LIBC" == "musl" ] && bash ${script_dir}/../../../ci/install_musl.sh # rust agent needs ${arch}-unknown-linux-${LIBC} if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then 
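Review bot: The AA_KBC help text points readers to `https://github.com/containers/attestation-agent`, but the versions.yaml hunk in this same commit clones `https://github.com/confidential-containers/attestation-agent`; the two should agree, and the help text should reference the URL that is actually built. The text also says SKOPEO_UMOCI must "be set", while the skopeo/umoci install in rootfs.sh only runs for the value "yes", so `Requires SKOPEO_UMOCI to be set to "yes"` is the accurate wording. It would also help to state that the AA_KBC value is passed verbatim as the cargo `--features` selector for attestation-agent, since an unknown module name presumably surfaces only as a cargo build failure. The usage text continues outside the hunk.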
@@ -617,6 +634,41 @@ EOT info "Create /etc/resolv.conf file in rootfs if not exist" touch "$dns_file" + if [ "${SKOPEO_UMOCI}" = "yes" ]; then + skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)" + skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)" + info "Install skopeo" + git clone "${skopeo_url}" --branch "${skopeo_branch}" + pushd skopeo + make bin/skopeo + install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/" + popd + + umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)" + umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)" + info "Install umoci" + git clone "${umoci_url}" --branch "${umoci_tag}" + pushd umoci + make + install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/" + popd + fi + + if [ -n "${AA_KBC}" ]; then + [ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent" + + attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)" + attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)" + info "Install attestation-agent with KBC ${AA_KBC}" + git clone "${attestation_agent_url}" --branch "${attestation_agent_branch}" + pushd attestation-agent + source "${HOME}/.cargo/env" + target="${ARCH}-unknown-linux-${LIBC}" + cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}" + install -o root -g root -m 0755 "target/${target}/release/attestation-agent" "${ROOTFS_DIR}/usr/local/bin/" + popd + fi + info "Creating summary file" create_summary_file "${ROOTFS_DIR}" } diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in index cc0fed0190..5c12785570 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in +++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in 
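Review bot: The guard `[ -z "${SKOPEO_UMOCI}" ] && die ...` in the AA_KBC block accepts any non-empty value, while the skopeo/umoci block just above only runs for `= "yes"`, so `SKOPEO_UMOCI=no AA_KBC=...` builds attestation-agent without the image-pull tools it is documented to require; the ubuntu/config.sh hunk in this commit uses the same looser `-n` test for the extra packages. Use the value the installer checks: `[ "${SKOPEO_UMOCI}" = "yes" ] || die "SKOPEO_UMOCI must be set to yes to install attestation-agent"`. The three `git clone` calls also land in whatever the current directory is when this runs and the source trees are never removed, so a second run fails on an existing directory and the clones stay behind; cloning under a `mktemp -d` with a cleanup trap, or `rm -rf`-ing each checkout after `install`, avoids both. The enclosing function continues outside the hunk.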
@@ -28,10 +28,15 @@ RUN apt-get update && apt-get install -y \ g++ \ gcc \ git \ + golang-go \ + libdevmapper-dev \ libc6-dev \ + libgpgme-dev \ + libssl-dev \ libstdc++-8-dev \ m4 \ make \ + pkg-config \ sed \ systemd \ tar \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in index 07bf30ce89..50f1640432 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in @@ -27,13 +27,18 @@ RUN apt-get update && apt-get --no-install-recommends install -y \ g++ \ gcc \ git \ + golang-go \ + libdevmapper-dev \ libc6-dev \ + libgpgme-dev \ + libssl-dev \ libstdc++-8-dev \ m4 \ make \ musl \ musl-dev \ musl-tools \ + pkg-config \ protobuf-compiler \ sed \ systemd \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index d1e0b699d0..d98cf94626 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -32,3 +32,4 @@ INIT_PROCESS=systemd ARCH_EXCLUDE_LIST=() [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true +[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true diff --git a/tools/osbuilder/scripts/lib.sh b/tools/osbuilder/scripts/lib.sh index e393cd7041..7deefe7416 100644 --- a/tools/osbuilder/scripts/lib.sh +++ b/tools/osbuilder/scripts/lib.sh @@ -219,6 +219,25 @@ ${extra} agent-is-init-daemon: "${AGENT_INIT}" EOT + if [ "${SKOPEO_UMOCI}" = "yes" ]; then + cat >> "${file}" <<-EOF + skopeo: + url: "${skopeo_url}" + version: "${skopeo_branch}" + umoci: + url: "${umoci_url}" + version: "${umoci_tag}" +EOF + fi + + if [ -n "${AA_KBC}" ]; then + cat >> "${file}" <<-EOF + attestation-agent: + url: "${attestation_agent_url}" + kbc: "${AA_KBC}" +EOF + fi + local rootfs_file="${file_dir}/$(basename "${file}")" info "Created summary file '${rootfs_file}' inside rootfs" } 
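Review bot: The five packages added to the apt-get list (`golang-go`, `libdevmapper-dev`, `libgpgme-dev`, `libssl-dev`, `pkg-config`) carry no comment saying which optional build path needs them, so a later reader cannot tell they exist for the SKOPEO_UMOCI/AA_KBC path and cannot trim them safely; a one-line comment above the list such as `# golang-go/libdevmapper-dev/libgpgme-dev/pkg-config: skopeo and umoci build; libssl-dev: presumably attestation-agent` would fix that. Note also that the Go toolchain now comes from the base image's distro package, so its version follows OS_VERSION and is pinned nowhere; whether it satisfies the skopeo release-1.4 build is worth a comment or an explicit version check. The same applies to the Dockerfile.in hunk. The RUN instruction continues outside the hunk.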
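Review bot: `version: "${skopeo_branch}"` writes the branch name that was cloned, not what was built; a branch is a moving ref, so the summary file cannot identify the skopeo actually in the image, and the attestation-agent entry records no version at all. Record the checked-out commit instead, e.g. capture `git rev-parse HEAD` after each clone in rootfs.sh and emit it here as `commit:`. The block also relies on `skopeo_url`, `skopeo_branch`, `umoci_url`, `umoci_tag` and `attestation_agent_url` leaking as globals from the rootfs.sh caller, which deserves a comment such as `# set by build_rootfs() in rootfs.sh when SKOPEO_UMOCI/AA_KBC are used`. If the nested `url:`/`version:` keys are tab-indented, `<<-EOF` strips all leading tabs and flattens the YAML nesting — confirm they are indented with spaces. The enclosing create_summary_file function starts outside the hunk.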
diff --git a/versions.yaml b/versions.yaml
index 98d4e54ee7..a2deb2a608 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -163,6 +163,11 @@ assets:
 externals:
 description: "Third-party projects used by the system"
 
+ attestation-agent:
+ description: "Provide attested key unwrapping for image decryption"
+ url: "https://github.com/confidential-containers/attestation-agent"
+ branch: "main"
+
 cni-plugins:
 description: "CNI network plugins"
 url: "https://github.com/containernetworking/plugins"
@@ -227,6 +232,16 @@ externals:
 .*/v?(\d\S+)\.tar\.gz
 version: "v1.0.1"
 
+ skopeo:
+ description: "Utility for container images and image repositories"
+ url: "https://github.com/containers/skopeo"
+ branch: "release-1.4"
+
+ umoci:
+ description: "Utility for creating and manipulating container images"
+ url: "https://github.com/opencontainers/umoci"
+ tag: "v0.4.7"
+
 musl:
 description: |
 The musl library is used to build the rust agent.
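Review bot: `branch: "main"` for attestation-agent and `branch: "release-1.4"` for skopeo are moving refs: rootfs.sh clones them with `git clone --branch`, so what ends up in the guest image changes with every upstream push and cannot be reproduced or audited afterwards; umoci is the only one of the three new entries pinned to a tag. Both components sit on the trust path of a confidential guest (image pull and attested key unwrapping), so pin them to a tag or commit — add a `version:` or `commit:` field and check it out after the clone — so that a broken or compromised upstream branch does not land in the guest silently. Both hunks in this file have the same shape; the note applies to each.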