From 13f6418c46c65764eba2fda4e8a33d62c5ac852b Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Tue, 26 Oct 2021 16:41:53 +0200
Subject: [PATCH] osbuilder: Build Skopeo, umoci, attestation-agent

When the environment variable $SKOPEO_UMOCI is set to "yes", Skopeo and umoci are built inside the guest build container and installed to the guest rootfs. The respective build- and runtime dependencies are added. This respects the (existing) $LIBC variable (gnu/musl) and avoids issues with glibc mismatches.

This is currently only supported for Ubuntu guests, as the system Golang packages included in the versions of other distros that we use are too old to build these packages, and re-enabling installing Golang from golang.org is cumbersome, given especially that it is unclear how long we will keep using Skopeo and umoci.

Additionally, when the environment variable $AA_KBC is set, attestation-agent (with that KBC) is included. This replaces some logic in ccv0.sh that is removed.

Fixes: #2907

Signed-off-by: Jakob Naucke
---
 docs/how-to/ccv0.sh | 13 +---
 tools/osbuilder/rootfs-builder/rootfs.sh | 60 +++++++++++++++++-
 .../ubuntu/Dockerfile-aarch64.in | 5 ++
 .../rootfs-builder/ubuntu/Dockerfile.in | 5 ++
 tools/osbuilder/rootfs-builder/ubuntu/config.sh | 1 +
 tools/osbuilder/scripts/lib.sh | 19 ++++++
 versions.yaml | 15 +++++
 7 files changed, 102 insertions(+), 16 deletions(-)

diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh
index 8d36639c45..f68ab65387 100755
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@@ -230,18 +230,7 @@ create_a_local_rootfs() {
 cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder
 export distro="ubuntu"
 [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}"
- sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH EXTRA_PKGS="ca-certificates vim iputils-ping net-tools gnupg libgpgme-dev" DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
-
- # Build and add skopeo binary - TODO LATER replace with install from Ubuntu when the base is 20.10+, or
- git clone --branch release-1.4 https://github.com/containers/skopeo ${GOPATH}/src/github.com/containers/skopeo
- cd ${GOPATH}/src/github.com/containers/skopeo && make bin/skopeo
- cp "${GOPATH}/src/github.com/containers/skopeo/bin/skopeo" "${ROOTFS_DIR}/usr/bin/skopeo"
-
- # Add umoci binary - TODO LATER replace with install from Ubuntu when the base is 20.10+
- go_arch=$("${tests_repo_dir}"/.ci/kata-arch.sh -g)
- mkdir -p ${ROOTFS_DIR}/usr/local/bin/
- sudo curl -Lo ${ROOTFS_DIR}/usr/local/bin/umoci https://github.com/opencontainers/umoci/releases/download/v0.4.7/umoci.${go_arch}
- sudo chmod u+x ${ROOTFS_DIR}/usr/local/bin/umoci
+ sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
 
 # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
 sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index bfdd4bb271..5ea256b739 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
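Review bot: The new `rootfs.sh` invocation drops `EXTRA_PKGS`, and the `gnupg` package the removed line installed is not restored by the `config.sh` change in this patch, which only adds `ca-certificates libgpgme11`. As far as I know `libgpgme11` is only the client library and drives an external `gpg` binary, so if the guest's skopeo policy is ever expected to verify GPG-signed images that check will fail at runtime; either keep `EXTRA_PKGS="gnupg"` here or add `gnupg` next to `libgpgme11` in `config.sh`, and confirm whether signature verification is part of the intended flow. Separately, `GOPATH=$GOPATH` and `-r ${ROOTFS_DIR} ${distro}` are unquoted on the new line; `GOPATH="${GOPATH}" … -r "${ROOTFS_DIR}" "${distro}"` costs nothing and avoids word splitting on unusual paths. `create_a_local_rootfs` continues past the end of the hunk.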
@@ -142,6 +142,19 @@ USE_PODMAN If set and USE_DOCKER not set, then build the rootfs inside a podman container (requires podman). Default value: +SKOPEO_UMOCI If set to "yes", build Skopeo and umoci for confidential + containers guest image pull. Currently, this is only + supported for Ubuntu guests; see + https://github.com/kata-containers/kata-containers/pull/2908 + for discussion. + Default value: + +AA_KBC Key broker client module for attestation-agent. This is + required for confidential containers. Requires SKOPEO_UMOCI + to be set. See https://github.com/containers/attestation-agent + for more information on available modules. + Default value: + Refer to the Platform-OS Compatibility Matrix for more details on the supported architectures: https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder#platform-distro-compatibility-matrix @@ -425,6 +438,9 @@ build_rootfs_distro() --env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \ --env OS_VERSION="${OS_VERSION}" \ --env INSIDE_CONTAINER=1 \ + --env LIBC="${LIBC}" \ + --env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \ + --env AA_KBC="${AA_KBC}" \ --env SECCOMP="${SECCOMP}" \ --env DEBUG="${DEBUG}" \ --env HOME="/root" \ @@ -551,11 +567,12 @@ EOT AGENT_DIR="${ROOTFS_DIR}/usr/bin" AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}" + if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then + LIBC=gnu + warning "Forcing LIBC=gnu because $ARCH has no musl Rust target" + fi + if [ -z "${AGENT_SOURCE_BIN}" ] ; then - if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then - LIBC=gnu - echo "WARNING: Forcing LIBC=gnu because $ARCH has no musl Rust target" - fi [ "$LIBC" == "musl" ] && bash ${script_dir}/../../../ci/install_musl.sh # rust agent needs ${arch}-unknown-linux-${LIBC} if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then 
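Review bot: The AA_KBC help text says it "Requires SKOPEO_UMOCI to be set", but the SKOPEO_UMOCI entry above and the build code only act on the literal value "yes", so a reader who exports `SKOPEO_UMOCI=1` will get attestation-agent installed without skopeo/umoci; suggest `Requires SKOPEO_UMOCI to be set to "yes".` so the documented contract matches the `= "yes"` test. It would also help to state that the value is not validated and is handed verbatim to cargo, e.g. `The value is used verbatim as the cargo feature name to enable.` The `--env` and LIBC-forcing hunks on this line sit inside `build_rootfs_distro` and the agent-build function respectively, both of which start and end outside the hunk.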
@@ -617,6 +634,41 @@ EOT
 info "Create /etc/resolv.conf file in rootfs if not exist"
 touch "$dns_file"
 
+ if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+ skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
+ skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
+ info "Install skopeo"
+ git clone "${skopeo_url}" --branch "${skopeo_branch}"
+ pushd skopeo
+ make bin/skopeo
+ install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
+ popd
+
+ umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+ umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+ info "Install umoci"
+ git clone "${umoci_url}" --branch "${umoci_tag}"
+ pushd umoci
+ make
+ install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+ popd
+ fi
+
+ if [ -n "${AA_KBC}" ]; then
+ [ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+
+ attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
+ attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
+ info "Install attestation-agent with KBC ${AA_KBC}"
+ git clone "${attestation_agent_url}" --branch "${attestation_agent_branch}"
+ pushd attestation-agent
+ source "${HOME}/.cargo/env"
+ target="${ARCH}-unknown-linux-${LIBC}"
+ cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}"
+ install -o root -g root -m 0755 "target/${target}/release/attestation-agent" "${ROOTFS_DIR}/usr/local/bin/"
+ popd
+ fi
+
 info "Creating summary file"
 create_summary_file "${ROOTFS_DIR}"
 }
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in
index cc0fed0190..5c12785570 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in
+++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in
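Review bot: The AA_KBC guard `[ -z "${SKOPEO_UMOCI}" ] && die …` does not match the `= "yes"` test that gates the skopeo/umoci build just above it, so `SKOPEO_UMOCI=no AA_KBC=…` passes the guard and installs attestation-agent into a rootfs that has no image-pull tooling; use the same predicate, `[ "${SKOPEO_UMOCI}" = "yes" ] || die "SKOPEO_UMOCI must be set to \"yes\" to install attestation-agent"`. From a supply-chain standpoint all three components are fetched by mutable ref (`release-1.4` branch, `v0.4.7` tag, attestation-agent `main`) with no commit pin or verification, so the contents of a confidential-containers guest image are not reproducible from `versions.yaml` alone; at minimum log the resolved revision after each clone, e.g. `info "attestation-agent at commit $(git rev-parse HEAD)"` inside the `pushd`, and consider a pinned commit in `versions.yaml`. The clones land in whatever the current directory happens to be and `git clone` refuses to overwrite an existing `skopeo/`, `umoci/` or `attestation-agent/`, so a second run of the builder in the same tree fails — cloning into a `mktemp -d` directory cleaned up by an `EXIT` trap avoids both problems. `AA_KBC` is also passed unvalidated to `cargo build --features`, where a comma or space silently selects additional features; a check such as `[[ "${AA_KBC}" =~ ^[A-Za-z0-9_-]+$ ]] || die "invalid AA_KBC: ${AA_KBC}"` before the build would catch that. This block is inside a function whose start is outside the hunk.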
@@ -28,10 +28,15 @@ RUN apt-get update && apt-get install -y \ g++ \ gcc \ git \ + golang-go \ + libdevmapper-dev \ libc6-dev \ + libgpgme-dev \ + libssl-dev \ libstdc++-8-dev \ m4 \ make \ + pkg-config \ sed \ systemd \ tar \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in index 07bf30ce89..50f1640432 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in @@ -27,13 +27,18 @@ RUN apt-get update && apt-get --no-install-recommends install -y \ g++ \ gcc \ git \ + golang-go \ + libdevmapper-dev \ libc6-dev \ + libgpgme-dev \ + libssl-dev \ libstdc++-8-dev \ m4 \ make \ musl \ musl-dev \ musl-tools \ + pkg-config \ protobuf-compiler \ sed \ systemd \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index d1e0b699d0..d98cf94626 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -32,3 +32,4 @@ INIT_PROCESS=systemd ARCH_EXCLUDE_LIST=() [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true +[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true diff --git a/tools/osbuilder/scripts/lib.sh b/tools/osbuilder/scripts/lib.sh index e393cd7041..7deefe7416 100644 --- a/tools/osbuilder/scripts/lib.sh +++ b/tools/osbuilder/scripts/lib.sh @@ -219,6 +219,25 @@ ${extra} agent-is-init-daemon: "${AGENT_INIT}" EOT + if [ "${SKOPEO_UMOCI}" = "yes" ]; then + cat >> "${file}" <<-EOF + skopeo: + url: "${skopeo_url}" + version: "${skopeo_branch}" + umoci: + url: "${umoci_url}" + version: "${umoci_tag}" +EOF + fi + + if [ -n "${AA_KBC}" ]; then + cat >> "${file}" <<-EOF + attestation-agent: + url: "${attestation_agent_url}" + kbc: "${AA_KBC}" +EOF + fi + local rootfs_file="${file_dir}/$(basename "${file}")" info "Created summary file '${rootfs_file}' inside rootfs" } 
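Review bot: In `config.sh`, `[ -n "$SKOPEO_UMOCI" ]` pulls `ca-certificates libgpgme11` into the guest for any non-empty value, while `rootfs.sh` only builds skopeo and umoci when the value is exactly `yes`, so `SKOPEO_UMOCI=no` yields a rootfs whose package set differs from what the operator asked for, with runtime libraries but no binaries. Use the same test as the builder: `[ "$SKOPEO_UMOCI" = "yes" ] && PACKAGES+=" ca-certificates libgpgme11" || true`. If GPG signature verification of pulled images is expected, `gnupg` probably belongs in this list too — `libgpgme11` is only the library, and the removed `ccv0.sh` line used to install `gnupg` via `EXTRA_PKGS` — worth confirming against the intended skopeo policy.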
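Review bot: The summary written in `lib.sh` is the only in-guest record of which skopeo/umoci/attestation-agent code was built, but it stores `version: "${skopeo_branch}"` (a branch name) and no version at all for attestation-agent, so two images built from the same `versions.yaml` on different days are indistinguishable; record the resolved commit instead, e.g. `version: "${skopeo_branch} (${skopeo_commit})"` with `skopeo_commit="$(git rev-parse HEAD)"` captured in the build step, and add a matching `version:` line under `attestation-agent:`. The heredocs also rely on `skopeo_url`, `skopeo_branch`, `umoci_url`, `umoci_tag` and `attestation_agent_url` being globals leaked from the caller's build function — nothing in this file declares or defaults them, so if `create_summary_file` is ever called from elsewhere or the caller runs with `set -u` this aborts; `${skopeo_url:-}` defaults or explicit parameters would make the dependency visible. `create_summary_file` starts outside the hunk.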
diff --git a/versions.yaml b/versions.yaml
index 98d4e54ee7..a2deb2a608 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -163,6 +163,11 @@ assets:
 externals:
 description: "Third-party projects used by the system"
 
+ attestation-agent:
+ description: "Provide attested key unwrapping for image decryption"
+ url: "https://github.com/confidential-containers/attestation-agent"
+ branch: "main"
+
 cni-plugins:
 description: "CNI network plugins"
 url: "https://github.com/containernetworking/plugins"
@@ -227,6 +232,16 @@ externals:
 .*/v?(\d\S+)\.tar\.gz
 version: "v1.0.1"
 
+ skopeo:
+ description: "Utility for container images and image repositories"
+ url: "https://github.com/containers/skopeo"
+ branch: "release-1.4"
+
+ umoci:
+ description: "Utility for creating and manipulating container images"
+ url: "https://github.com/opencontainers/umoci"
+ tag: "v0.4.7"
+
 musl:
 description: |
 The musl library is used to build the rust agent.
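Review bot: `attestation-agent` is pinned to `branch: "main"` while skopeo uses a release branch and umoci a tag, so the component that performs attestation and key unwrapping for the confidential guest is the least pinned of the three and its contents change underneath an unchanged `versions.yaml`; for an image that is meant to be measured and attested that is both a reproducibility and a supply-chain concern. Prefer a tag or an explicit commit (a `commit:` field next to `url`, or at least a fixed tag once upstream publishes one), and keep the key names consistent — `branch`, `tag` and `version` are mixed here, and the rootfs builder and summary code each hard-code which one they read. Minor wording: `description: "Provides attested key unwrapping for image decryption"` matches the other entries' style.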