Merge pull request #3926 from Jakob-Naucke/cc-cross

CCv0 | Multistrap & enable cross-building guest

ci/install_libseccomp.sh

@@ -19,7 +19,7 @@ source "${tests_repo_dir}/.ci/lib.sh"
 # fail. So let's ensure they are unset here.
 unset PREFIX DESTDIR
 
-arch=$(uname -m)
+arch=${ARCH:-$(uname -m)}
 workdir="$(mktemp -d --tmpdir build-libseccomp.XXXXX)"
 
 # Variables for libseccomp
@@ -70,7 +70,9 @@ build_and_install_gperf() {
     curl -sLO "${gperf_tarball_url}"
     tar -xf "${gperf_tarball}"
     pushd "gperf-${gperf_version}"
-    ./configure --prefix="${gperf_install_dir}"
+    # gperf is a build time dependency of libseccomp and not to be used in the target.
+    # Unset $CC since that might point to a cross compiler.
+    CC= ./configure --prefix="${gperf_install_dir}"
     make
     make install
     export PATH=$PATH:"${gperf_install_dir}"/bin
@@ -84,7 +86,7 @@ build_and_install_libseccomp() {
     curl -sLO "${libseccomp_tarball_url}"
     tar -xf "${libseccomp_tarball}"
     pushd "libseccomp-${libseccomp_version}"
-    ./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static
+    ./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static --host="${arch}"
     make
     make install
     popd

ci/install_musl.sh

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2020 Ant Group
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-set -e
-
-install_aarch64_musl() {
-	local arch=$(uname -m)
-	if [ "${arch}" == "aarch64" ]; then
-		local musl_tar="${arch}-linux-musl-native.tgz"
-		local musl_dir="${arch}-linux-musl-native"
-		pushd /tmp
-		if curl -sLO --fail https://musl.cc/${musl_tar}; then
-			tar -zxf ${musl_tar}
-			mkdir -p /usr/local/musl/
-			cp -r ${musl_dir}/* /usr/local/musl/
-		fi
-		popd
-	fi
-}
-
-install_aarch64_musl

tools/osbuilder/dracut/Dockerfile.in

@@ -36,7 +36,4 @@ RUN zypper --non-interactive refresh; \
     zypper --non-interactive clean --all;
 
 
-# This will install the proper golang to build Kata components
-@INSTALL_MUSL@
-@INSTALL_GO@
 @INSTALL_RUST@

tools/osbuilder/rootfs-builder/alpine/Dockerfile.in

@@ -6,7 +6,7 @@
 ARG IMAGE_REGISTRY=docker.io
 FROM ${IMAGE_REGISTRY}/alpine:3.15
 
-RUN apk update && apk add \
+RUN apk update && apk add --no-cache \
     apk-tools-static \
     autoconf \
     automake \
@@ -30,3 +30,5 @@ RUN apk update && apk add \
     pkgconfig \
     protoc \
     tar
+# aarch64 requires this name -- link for all
+RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc"

tools/osbuilder/rootfs-builder/clearlinux/Dockerfile.in

@@ -28,6 +28,7 @@ RUN dnf -y update && dnf install -y \
     libstdc++-static \
     m4 \
     make \
+    musl-gcc \
     openssl-devel \
     perl \
     perl-IPC-Cmd \
@@ -41,5 +42,4 @@ RUN dnf -y update && dnf install -y \
     dnf clean all
 
 # This will install the proper packages to build Kata components
-@INSTALL_MUSL@
 @INSTALL_RUST@

tools/osbuilder/rootfs-builder/debian/Dockerfile-aarch64.in

@@ -1,34 +0,0 @@
-#
-# Copyright (c) 2020 ARM Limited
-#
-# SPDX-License-Identifier: Apache-2.0
-
-ARG IMAGE_REGISTRY=docker.io
-# NOTE: OS_VERSION is set according to config.sh
-FROM ${IMAGE_REGISTRY}/debian:@OS_VERSION@
-
-# RUN commands
-RUN apt-get update && apt-get install -y \
-    autoconf \
-    automake \
-    binutils \
-    build-essential \
-    chrony \
-    coreutils \
-    curl \
-    debianutils \
-    debootstrap \
-    g++ \
-    gcc \
-    git \
-    libc-dev \
-    libstdc++-8-dev \
-    m4 \
-    make \
-    sed \
-    systemd \
-    tar \
-    vim
-# This will install the proper packages to build Kata components
-@INSTALL_MUSL@
-@INSTALL_RUST@

tools/osbuilder/rootfs-builder/debian/Dockerfile.in

@@ -27,14 +27,14 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
     libstdc++-8-dev \
     m4 \
     make \
-    musl \
-    musl-dev \
     musl-tools \
     sed \
     systemd \
     tar \
     vim \
     wget
+# aarch64 requires this name -- link for all
+RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
 
 # This will install the proper packages to build Kata components
 @INSTALL_RUST@

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -14,7 +14,6 @@ script_name="${0##*/}"
 script_dir="$(dirname $(readlink -f $0))"
 AGENT_VERSION=${AGENT_VERSION:-}
 RUST_VERSION="null"
-MUSL_VERSION=${MUSL_VERSION:-"null"}
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
@@ -40,7 +39,11 @@ handle_error() {
 trap 'handle_error $LINENO' ERR
 
 # Default architecture
-ARCH=$(uname -m)
+export ARCH=${ARCH:-$(uname -m)}
+if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
+	LIBC=gnu
+	echo "WARNING: Forcing LIBC=gnu because $ARCH has no musl Rust target"
+fi
 
 # distro-specific config file
 typeset -r CONFIG_SH="config.sh"
@@ -104,6 +107,11 @@ AGENT_SOURCE_BIN    Path to the directory of agent binary.
 AGENT_VERSION       Version of the agent to include in the rootfs.
                     Default value: ${AGENT_VERSION:-<not set>}
 
+ARCH                Target architecture (according to \`uname -m\`).
+                    Foreign bootstraps are currently only supported for Ubuntu
+                    and glibc agents.
+                    Default value: $(uname -m)
+
 DISTRO_REPO         Use host repositories to install guest packages.
                     Default value: <not set>
 
@@ -125,6 +133,9 @@ KERNEL_MODULES_DIR  Path to a directory containing kernel modules to include in
                     the rootfs.
                     Default value: <empty>
 
+LIBC                libc the agent is built against (gnu or musl).
+                    Default value: ${LIBC} (varies with architecture)
+
 ROOTFS_DIR          Path to the directory that is populated with the rootfs.
                     Default value: <${script_name} path>/rootfs-<DISTRO-name>
 
@@ -355,11 +366,6 @@ build_rootfs_distro()
 
 	echo "Required rust version: $RUST_VERSION"
 
-	detect_musl_version ||
-		die "Could not detect the required musl version for AGENT_VERSION='${AGENT_VERSION:-main}'."
-
-	echo "Required musl version: $MUSL_VERSION"
-
 	if [ -z "${USE_DOCKER}" ] && [ -z "${USE_PODMAN}" ]; then
 		info "build directly"
 		build_rootfs ${ROOTFS_DIR}
@@ -431,13 +437,14 @@ build_rootfs_distro()
 			--env ROOTFS_DIR="/rootfs" \
 			--env AGENT_BIN="${AGENT_BIN}" \
 			--env AGENT_INIT="${AGENT_INIT}" \
+			--env ARCH="${ARCH}" \
 			--env CI="${CI}" \
 			--env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \
+			--env LIBC="${LIBC}" \
 			--env EXTRA_PKGS="${EXTRA_PKGS}" \
 			--env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
-			--env LIBC="${LIBC}" \
 			--env SKOPEO="${SKOPEO}" \
 			--env UMOCI="${UMOCI}" \
 			--env AA_KBC="${AA_KBC}" \
@@ -563,13 +570,7 @@ EOF
 	AGENT_DIR="${ROOTFS_DIR}/usr/bin"
 	AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}"
 
-	if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
-		LIBC=gnu
-		warning "Forcing LIBC=gnu because $ARCH has no musl Rust target"
-	fi
-
 	if [ -z "${AGENT_SOURCE_BIN}" ] ; then
-		[ "$LIBC" == "musl" ] && bash ${script_dir}/../../../ci/install_musl.sh
 		test -r "${HOME}/.cargo/env" && source "${HOME}/.cargo/env"
 		# rust agent needs ${arch}-unknown-linux-${LIBC}
 		if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then
@@ -580,7 +581,6 @@ EOF
 			bash ${script_dir}/../../../ci/install_rust.sh ${RUST_VERSION}
 		fi
 		test -r "${HOME}/.cargo/env" && source "${HOME}/.cargo/env"
-		[ "$ARCH" == "aarch64" ] && OLD_PATH=$PATH && export PATH=$PATH:/usr/local/musl/bin
 
 		agent_dir="${script_dir}/../../../src/agent/"
 
@@ -588,7 +588,7 @@ EOF
 			info "Set up libseccomp"
 			libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
 			gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
-			bash ${script_dir}/../../../ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
+			${script_dir}/../../../ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
 			echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
 			export LIBSECCOMP_LINK_TYPE=static
 			export LIBSECCOMP_LIB_PATH="${libseccomp_install_dir}/lib"
@@ -602,7 +602,6 @@ EOF
 		make clean
 		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP}
 		make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
-		[ "$ARCH" == "aarch64" ] && export PATH=$OLD_PATH && rm -rf /usr/local/musl
 		if [ "${SECCOMP}" == "yes" ]; then
 			rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
 		fi
@@ -673,16 +672,28 @@ EOF
 		source "${HOME}/.cargo/env"
 		target="${ARCH}-unknown-linux-${LIBC}"
 		if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
-			AA_RUSTFLAG="-C link-args=-Wl,-rpath,/usr/local/lib/rats-tls"
+			RUSTFLAGS="-C link-args=-Wl,-rpath,/usr/local/lib/rats-tls"
 			# Currently eaa_kbc module only support this specific platform
 			target="x86_64-unknown-linux-gnu"
 		fi
-		RUSTFLAGS=${AA_RUSTFLAG} cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}"
+		if [ "$(uname -m)" != "$ARCH" ]; then
-		install -o root -g root -m 0755 "target/${target}/release/attestation-agent" "${ROOTFS_DIR}/usr/local/bin/"
+			RUSTFLAGS+=" -C linker=$CC"
+		fi
+		export RUSTFLAGS
+		# Foreign CC is incompatible with libgit2 -- CC is still handled by `-C linker=...` flag
+		CC= cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}"
+		install -D -o root -g root -m 0755 "target/${target}/release/attestation-agent" -t "${ROOTFS_DIR}/usr/local/bin/"
 		popd
 	fi
 
 	if [ "${UMOCI}" = "yes" ]; then
+		case "$ARCH" in
+			aarch64) GOARCH=arm64;;
+			x86_64) GOARCH=amd64;;
+			*) GOARCH="$ARCH"
+		esac
+		export GOARCH
+
 		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
 		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
 		info "Install umoci"

tools/osbuilder/rootfs-builder/template/Dockerfile.template

@@ -14,5 +14,4 @@ FROM ${IMAGE_REGISTRY}/@distro@:@OS_VERSION@
 # RUN commands
 
 # This will install the proper packages to build Kata components
-@INSTALL_MUSL@
 @INSTALL_RUST@

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in

@@ -1,48 +0,0 @@
-#
-# Copyright (c) 2020 ARM Limited
-#
-# SPDX-License-Identifier: Apache-2.0
-
-ARG IMAGE_REGISTRY=docker.io
-#ubuntu: docker image to be used to create a rootfs
-#@OS_VERSION@: Docker image version to build this dockerfile
-FROM ${IMAGE_REGISTRY}/ubuntu:@OS_VERSION@
-
-# This dockerfile needs to provide all the componets need to build a rootfs
-# Install any package need to create a rootfs (package manager, extra tools)
-
-# Avoid tzdata setup
-ENV DEBIAN_FRONTEND noninteractive
-
-# RUN commands
-RUN apt-get update && apt-get install -y \
-    autoconf \
-    automake \
-    binutils \
-    build-essential \
-    chrony \
-    coreutils \
-    curl \
-    debianutils \
-    debootstrap \
-    g++ \
-    gcc \
-    git \
-    golang-go \
-    libdevmapper-dev \
-    libc6-dev \
-    libgpgme-dev \
-    libssl-dev \
-    libstdc++-8-dev \
-    m4 \
-    make \
-    pkg-config \
-    sed \
-    systemd \
-    tar \
-    vim && \
-    apt-get clean && rm -rf /var/lib/apt/lists/
-
-# This will install the proper packages to build Kata components
-@INSTALL_MUSL@
-@INSTALL_RUST@

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in

@@ -1,51 +1,36 @@
-#
+# Copyright (c) 2018 Yash Jain, 2022 IBM Corp.
-# Copyright (c) 2018  Yash Jain
 #
 # SPDX-License-Identifier: Apache-2.0
 
 ARG IMAGE_REGISTRY=docker.io
-#ubuntu: docker image to be used to create a rootfs
-#@OS_VERSION@: Docker image version to build this dockerfile
 FROM ${IMAGE_REGISTRY}/ubuntu:@OS_VERSION@
+@SET_PROXY@
 
-# This dockerfile needs to provide all the componets need to build a rootfs
+RUN apt-get update && \
-# Install any package need to create a rootfs (package manager, extra tools)
+    DEBIAN_FRONTEND=noninteractive \
-
+    apt-get --no-install-recommends -y install \
-# RUN commands
-RUN apt-get update && apt-get --no-install-recommends install -y \
-    apt-utils \
-    autoconf \
-    automake \
-    binutils \
-    build-essential \
     ca-certificates \
-    chrony \
-    coreutils \
     curl \
-    debianutils \
-    debootstrap \
     g++ \
-    gcc \
+    $(gcc_arch="@ARCH@" && [ "$(uname -m)" != "$gcc_arch" ] && ( \
+         libc_arch="$gcc_arch" && \
+         [ "$gcc_arch" = aarch64 ] && libc_arch=arm64; \
+         [ "$gcc_arch" = ppc64le ] && gcc_arch=powerpc64le && libc_arch=ppc64el; \
+         [ "$gcc_arch" = x86_64 ] && gcc_arch=x86-64 && libc_arch=amd64; \
+         echo "gcc-$gcc_arch-linux-gnu libc6-dev-$libc_arch-cross")) \
     git \
     golang-go \
     libdevmapper-dev \
-    libc6-dev \
     libgpgme-dev \
     libssl-dev \
-    libstdc++-8-dev \
-    m4 \
     make \
-    musl \
+    multistrap \
-    musl-dev \
     musl-tools \
     pkg-config \
-    protobuf-compiler \
+    protobuf-compiler
-    sed \
+
-    systemd \
+# aarch64 requires this name -- link for all
-    tar \
+RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
-    vim \
-    wget
 
-# This will install the proper packages to build Kata components
 @INSTALL_RUST@
 @INSTALL_AA_KBC@

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -1,46 +1,39 @@
-# This is a configuration file add extra variables to
+# Copyright (c) 2018 Yash Jain, 2022 IBM Corp.
-#
-# Copyright (c) 2018  Yash Jain
 #
 # SPDX-License-Identifier: Apache-2.0
-# be used by build_rootfs() from rootfs_lib.sh the variables will be
-# loaded just before call the function. For more information see the
-# rootfs-builder/README.md file.
 
-OS_VERSION=${OS_VERSION:-20.04}
+OS_NAME=ubuntu
 # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
-OS_NAME=${OS_NAME:-"focal"}
+OS_VERSION=${OS_VERSION:-focal}
+PACKAGES=chrony
+[ "$AGENT_INIT" = no ] && PACKAGES+=" init"
+[ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
+[ "$SKOPEO" = yes ] && PACKAGES+=" libgpgme11"
+REPO_URL=http://ports.ubuntu.com
 
-# packages to be installed by default
+case "$ARCH" in
-# Note: ca-certificates is required for confidential containers
+	aarch64) DEB_ARCH=arm64;;
-# to pull the container image on the guest
+	ppc64le) DEB_ARCH=ppc64el;;
-PACKAGES="systemd coreutils init kmod ca-certificates"
+	s390x) DEB_ARCH="$ARCH";;
-EXTRA_PKGS+=" chrony"
+	x86_64) DEB_ARCH=amd64; REPO_URL=http://archive.ubuntu.com/ubuntu;;
-
+	*) die "$ARCH not supported"
-DEBOOTSTRAP=${PACKAGE_MANAGER:-"debootstrap"}
-
-case $(uname -m) in
-	x86_64) ARCHITECTURE="amd64";;
-	ppc64le) ARCHITECTURE="ppc64el";;
-	aarch64) ARCHITECTURE="arm64";;
-	s390x)	ARCHITECTURE="s390x";;
-	(*) die "$(uname -m) not supported "
 esac
 
-# Init process must be one of {systemd,kata-agent}
-INIT_PROCESS=systemd
-# List of zero or more architectures to exclude from build,
-# as reported by  `uname -m`
-ARCH_EXCLUDE_LIST=()
-
-[ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
-[ "$SKOPEO" = "yes" ] && PACKAGES+=" libgpgme11" || true
-
 if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
-    AA_KBC_EXTRAS="
+	PACKAGES+=" apt gnupg"
+	AA_KBC_EXTRAS="
 RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04 bionic main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \
-    wget -qO - http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key  \| apt-key add -; \
+    curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key \| apt-key add -; \
     apt-get update; \
     apt-get install -y rats-tls
 "
 fi
+
+if [ "$(uname -m)" != "$ARCH" ]; then
+	case "$ARCH" in
+		ppc64le) cc_arch=powerpc64le;;
+		x86_64) cc_arch=x86-64;;
+		*) cc_arch="$ARCH"
+	esac
+	export CC="$cc_arch-linux-gnu-gcc"
+fi

tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh

@@ -1,84 +1,41 @@
-# - Arguments
+# Copyright (c) 2018 Yash Jain, 2022 IBM Corp.
-#
-# Copyright (c) 2018  Yash Jain
 #
 # SPDX-License-Identifier: Apache-2.0
-#
+
-#
-# rootfs_dir=$1
-#
-# - Optional environment variables
-#
-# EXTRA_PKGS: Variable to add extra PKGS provided by the user
-#
-# BIN_AGENT: Name of the Kata-Agent binary
-#
-# REPO_URL: URL to distribution repository ( should be configured in
-#			config.sh file)
-#
-# Any other configuration variable for a specific distro must be added
-# and documented on its own config.sh
-#
-# - Expected result
-#
-# rootfs_dir populated with rootfs pkgs
-# It must provide a binary in /sbin/init
-#
 build_rootfs() {
-	# Mandatory
+	local rootfs_dir=$1
-	local ROOTFS_DIR=$1
+	local multistrap_conf=multistrap.conf
 
-	# Name of the Kata-Agent binary
+	[ -z "$rootfs_dir" ] && die "need rootfs"
-	local BIN_AGENT=${BIN_AGENT}
+	[ "$rootfs_dir" = "/" ] && die "rootfs cannot be slash"
 
-	# In case of support EXTRA packages, use it to allow
+	# For simplicity's sake, use multistrap for foreign and native bootstraps.
-	# users to add more packages to the base rootfs
+	cat > "$multistrap_conf" << EOF
-	local EXTRA_PKGS=${EXTRA_PKGS:-}
+[General]
+cleanup=true
+aptsources=Ubuntu
+bootstrap=Ubuntu
 
-	# In case rootfs is created using repositories allow user to modify
+[Ubuntu]
-	# the default URL
+source=$REPO_URL
-	local REPO_URL=${REPO_URL:-YOUR_REPO}
+keyring=ubuntu-keyring
+suite=focal
+packages=$PACKAGES $EXTRA_PKGS
+EOF
+	multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"
+	rm -rf "$rootfs_dir/var/run"
+	ln -s /run "$rootfs_dir/var/run"
+	for file in /etc/{resolv.conf,ssl/certs/ca-certificates.crt}; do
+		mkdir -p "$rootfs_dir$(dirname $file)"
+		cp --remove-destination "$file" "$rootfs_dir$file"
+	done
 
-	# PATH where files this script is placed
+	# Reduce image size and memory footprint by removing unnecessary files and directories.
-	# Use it to refer to files in the same directory
+	rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh}
-	# Example: ${CONFIG_DIR}/foo
-	local CONFIG_DIR=${CONFIG_DIR}
 
-
+	if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
-	# Populate ROOTFS_DIR
+		curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add -
-	# Must provide /sbin/init and /bin/${BIN_AGENT}
+		cat << EOF | chroot "$rootfs_dir"
-	DEBOOTSTRAP="debootstrap"
-	check_root
-	mkdir -p "${ROOTFS_DIR}"
-	if [ -n "${PKG_MANAGER}"  ]; then
-		info "debootstrap path provided by user: ${PKG_MANAGER}"
-	elif check_program $DEBOOTSTRAP ; then
-		PKG_MANAGER=$DEBOOTSTRAP
-	else
-		die "$DEBOOTSTRAP is not installed"
-	fi
-	# trim whitespace
-	PACKAGES=$(echo $PACKAGES |xargs )
-	# add comma as debootstrap needs , separated package names.
-	# Don't change $PACKAGES in config.sh to include ','
-	# This is done to maintain consistency
-	PACKAGES=$(echo $PACKAGES | sed  -e 's/ /,/g' )
-
-	${PKG_MANAGER} --variant=minbase \
-		--arch=${ARCHITECTURE}\
-		--include="$PACKAGES" \
-		${OS_NAME} \
-		${ROOTFS_DIR}
-
-	[ -n "${EXTRA_PKGS}" ] && chroot $ROOTFS_DIR apt-get install -y ${EXTRA_PKGS}
-
-    # Reduce image size and memory footprint
-    # removing not needed files and directories.
-    chroot $ROOTFS_DIR rm -rf /usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zoneinfo,zsh}
-
- 	if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
-		wget -qO - http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key  | chroot $ROOTFS_DIR apt-key add -
-		cat << EOF | chroot $ROOTFS_DIR
 echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04 bionic main' | tee /etc/apt/sources.list.d/inclavare-containers.list
 apt-get update
 apt-get install -y rats-tls

tools/osbuilder/scripts/lib.sh

@@ -7,7 +7,6 @@
 set -e
 
 KATA_REPO=${KATA_REPO:-github.com/kata-containers/kata-containers}
-MUSL_VERSION=${MUSL_VERSION:-"null"}
 # Give preference to variable set by CI
 yq_file="${script_dir}/../../../ci/install_yq.sh"
 kata_versions_file="${script_dir}/../../../versions.yaml"
@@ -228,108 +227,28 @@ generate_dockerfile()
 	dir="$1"
 	[ -d "${dir}" ] || die "${dir}: not a directory"
 
-	local architecture=$(uname -m)
+	local rustarch="$ARCH"
-	local rustarch=${architecture}
+	[ "$ARCH" = ppc64le ] && rustarch=powerpc64le
-	local muslarch=${architecture}
-	local libc=musl
-	case "$(uname -m)" in
-		"ppc64le")
-			rustarch=powerpc64le
-			muslarch=powerpc64
-			libc=gnu
-			;;
-		"s390x")
-			libc=gnu
-			;;
-
-		*)
-			;;
-	esac
 
 	[ -n "${http_proxy:-}" ] && readonly set_proxy="RUN sed -i '$ a proxy="${http_proxy:-}"' /etc/dnf/dnf.conf /etc/yum.conf; true"
 
 	# Rust agent
-	# rust installer should set path apropiately, just in case
-	# install musl for compiling rust-agent
-	local musl_source_url="https://git.zv.io/toolchains/musl-cross-make.git"
-	local musl_source_dir="musl-cross-make"
-	install_musl=
-	if [ "${muslarch}" == "aarch64" ]; then
-		local musl_tar="${muslarch}-linux-musl-native.tgz"
-		local musl_dir="${muslarch}-linux-musl-native"
-		local aarch64_musl_target="aarch64-linux-musl"
-		install_musl="
-RUN cd /tmp; \
-	mkdir -p /usr/local/musl/; \
-	if curl -sLO --fail https://musl.cc/${musl_tar}; then \
-		tar -zxf ${musl_tar}; \
-		cp -r ${musl_dir}/* /usr/local/musl/; \
-	else \
-		git clone ${musl_source_url}; \
-		TARGET=${aarch64_musl_target} make -j$(nproc) -C ${musl_source_dir} install; \
-		cp -r ${musl_source_dir}/output/* /usr/local/musl/; \
-		cp /usr/local/musl/bin/aarch64-linux-musl-g++ /usr/local/musl/bin/g++; \
-	fi
-ENV PATH=\$PATH:/usr/local/musl/bin
-RUN ln -sf /usr/local/musl/bin/g++ /usr/bin/g++
-"
-	else
-		local musl_tar="musl-${MUSL_VERSION}.tar.gz"
-		local musl_dir="musl-${MUSL_VERSION}"
-		install_musl="
-RUN pushd /root; \
-    curl -sLO https://www.musl-libc.org/releases/${musl_tar}; tar -zxf ${musl_tar}; \
-	cd ${musl_dir}; \
-	sed -i \"s/^ARCH = .*/ARCH = ${muslarch}/g\" dist/config.mak; \
-	./configure > /dev/null 2>\&1; \
-	make > /dev/null 2>\&1; \
-	make install > /dev/null 2>\&1; \
-	echo \"/usr/local/musl/lib\" > /etc/ld-musl-${muslarch}.path; \
-	popd
-ENV PATH=\$PATH:/usr/local/musl/bin
-"
-	fi
-
 	readonly install_rust="
-RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSLf --output /tmp/rust-init; \
+ENV http_proxy=${http_proxy:-}
-    chmod a+x /tmp/rust-init; \
+ENV https_proxy=${http_proxy:-}
-	export http_proxy=${http_proxy:-}; \
+RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSLf | \
-	export https_proxy=${http_proxy:-}; \
+    sh -s -- -y --default-toolchain ${RUST_VERSION} -t ${rustarch}-unknown-linux-${LIBC}
-	/tmp/rust-init -y --default-toolchain ${RUST_VERSION}
+RUN . /root/.cargo/env; cargo install cargo-when
-RUN . /root/.cargo/env; \
-    export http_proxy=${http_proxy:-}; \
-	export https_proxy=${http_proxy:-}; \
-	cargo install cargo-when; \
-	rustup target install ${rustarch}-unknown-linux-${libc}
-RUN ln -sf /usr/bin/g++ /bin/musl-g++
 "
 	pushd "${dir}"
-	dockerfile_template="Dockerfile.in"
-	dockerfile_arch_template="Dockerfile-${architecture}.in"
-	# if arch-specific docker file exists, swap the univesal one with it.
-        if [ -f "${dockerfile_arch_template}" ]; then
-                dockerfile_template="${dockerfile_arch_template}"
-        else
-                [ -f "${dockerfile_template}" ] || die "${dockerfile_template}: file not found"
-        fi
 
-	# ppc64le and s390x have no musl target
+	sed \
-	if [ "${architecture}" == "ppc64le" ] || [ "${architecture}" == "s390x" ]; then
+		-e "s#@OS_VERSION@#${OS_VERSION:-}#g" \
-		sed \
+		-e "s#@ARCH@#$ARCH#g" \
-			-e "s|@OS_VERSION@|${OS_VERSION:-}|g" \
+		-e "s#@INSTALL_RUST@#${install_rust//$'\n'/\\n}#g" \
-			-e "s|@INSTALL_MUSL@||g" \
+		-e "s#@SET_PROXY@#${set_proxy:-}#g" \
-			-e "s|@INSTALL_RUST@|${install_rust//$'\n'/\\n}|g" \
+		-e "s#@INSTALL_AA_KBC@#${AA_KBC_EXTRAS//$'\n'/\\n}#g" \
-			-e "s|@SET_PROXY@|${set_proxy:-}|g" \
+		Dockerfile.in > Dockerfile
-			"${dockerfile_template}" > Dockerfile
-	else
-		sed \
-			-e "s|@OS_VERSION@|${OS_VERSION:-}|g" \
-			-e "s|@INSTALL_MUSL@|${install_musl//$'\n'/\\n}|g" \
-			-e "s|@INSTALL_RUST@|${install_rust//$'\n'/\\n}|g" \
-			-e "s|@SET_PROXY@|${set_proxy:-}|g" \
-			-e "s|@INSTALL_AA_KBC@|${AA_KBC_EXTRAS//$'\n'/\\n}|g" \
-			"${dockerfile_template}" > Dockerfile
-	fi
 	popd
 }
 
@@ -370,17 +289,6 @@ detect_rust_version()
 	[ -n "$RUST_VERSION" ]
 }
 
-detect_musl_version()
-{
-	info "Detecting musl version"
-    local yq_path="externals.musl.version"
-
-	info "Get musl version from ${kata_versions_file}"
-	MUSL_VERSION="$(get_package_version_from_kata_yaml "$yq_path")"
-
-	[ -n "$MUSL_VERSION" ]
-}
-
 before_starting_container() {
 	return 0
 }

tools/osbuilder/tests/test_images.sh

@@ -640,8 +640,6 @@ test_dracut()
 		die "Could not detect the required Go version for AGENT_VERSION='${AGENT_VERSION:-master}'."
 	detect_rust_version ||
 		die "Could not detect the required rust version for AGENT_VERSION='${AGENT_VERSION:-master}'."
-	detect_musl_version ||
-		die "Could not detect the required musl version for AGENT_VERSION='${AGENT_VERSION:-master}'."
 
 	generate_dockerfile ${dracut_dir}
 	info "Creating container for dracut"

utils.mk

@@ -112,8 +112,9 @@ endef
 ##VAR BUILD_TYPE=release|debug type of rust build
 BUILD_TYPE = release
 
+HOST_ARCH = $(shell uname -m)
 ##VAR ARCH=arch target to build (format: uname -m)
-ARCH = $(shell uname -m)
+ARCH ?= $(HOST_ARCH)
 ##VAR LIBC=musl|gnu
 LIBC ?= musl
 ifneq ($(LIBC),musl)
@@ -142,6 +143,14 @@ ifeq ($(ARCH), aarch64)
     $(warning "WARNING: aarch64-musl needs extra symbols from libgcc")
 endif
 
+ifneq ($(HOST_ARCH),$(ARCH))
+    ifeq ($(CC),)
+         CC = gcc
+         $(warning "WARNING: A foreign ARCH was passed, but no CC alternative. Using $(CC).")
+    endif
+    override EXTRA_RUSTFLAGS += -C linker=$(CC)
+endif
+
 TRIPLE = $(ARCH)-unknown-linux-$(LIBC)
 
 CWD := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))

versions.yaml

@@ -246,19 +246,6 @@ externals:
     url: "https://github.com/opencontainers/umoci"
     tag: "v0.4.7"
 
-  musl:
-    description: |
-      The musl library is used to build the rust agent.
-    url: "https://www.musl-libc.org/"
-    uscan-url: >-
-      https://www.musl-libc.org/releases/
-      musl-([\d\.]+)\.tar\.gz
-    version: "1.1.23"
-    meta:
-      description: |
-        'newest-version' is the latest version known to work.
-      newest-version: "1.1.23"
-
   nydus:
     description: "Nydus image acceleration service"
     url: "https://github.com/dragonflyoss/image-service"