Merge pull request #2908 from Jakob-Naucke/install-aa

osbuilder: Build attestation-agent and friends

docs/how-to/ccv0.sh

@@ -230,18 +230,7 @@ create_a_local_rootfs() {
     cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder
     export distro="ubuntu"
     [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}"
-    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH EXTRA_PKGS="ca-certificates vim iputils-ping net-tools gnupg libgpgme-dev" DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
-
-    # Build and add skopeo binary - TODO LATER replace with install from Ubuntu when the base is 20.10+, or 
-    git clone --branch release-1.4 https://github.com/containers/skopeo ${GOPATH}/src/github.com/containers/skopeo
-    cd ${GOPATH}/src/github.com/containers/skopeo && make bin/skopeo
-    cp "${GOPATH}/src/github.com/containers/skopeo/bin/skopeo" "${ROOTFS_DIR}/usr/bin/skopeo"
-
-    # Add umoci binary - TODO LATER replace with install from Ubuntu when the base is 20.10+
-    go_arch=$("${tests_repo_dir}"/.ci/kata-arch.sh -g)
-    mkdir -p ${ROOTFS_DIR}/usr/local/bin/
-    sudo curl -Lo ${ROOTFS_DIR}/usr/local/bin/umoci https://github.com/opencontainers/umoci/releases/download/v0.4.7/umoci.${go_arch}
-    sudo chmod u+x ${ROOTFS_DIR}/usr/local/bin/umoci
+    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
 
     # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
     sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -142,6 +142,19 @@ USE_PODMAN          If set and USE_DOCKER not set, then build the rootfs inside
                     a podman container (requires podman).
                     Default value: <not set>
 
+SKOPEO_UMOCI        If set to "yes", build Skopeo and umoci for confidential
+                    containers guest image pull. Currently, this is only
+                    supported for Ubuntu guests; see
+                    https://github.com/kata-containers/kata-containers/pull/2908
+                    for discussion.
+                    Default value: <not set>
+
+AA_KBC              Key broker client module for attestation-agent. This is
+                    required for confidential containers. Requires SKOPEO_UMOCI
+                    to be set. See https://github.com/containers/attestation-agent
+                    for more information on available modules.
+                    Default value: <not set>
+
 Refer to the Platform-OS Compatibility Matrix for more details on the supported
 architectures:
 https://github.com/kata-containers/kata-containers/tree/main/tools/osbuilder#platform-distro-compatibility-matrix
@@ -425,6 +438,9 @@ build_rootfs_distro()
 			--env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
+			--env LIBC="${LIBC}" \
+			--env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
+			--env AA_KBC="${AA_KBC}" \
 			--env SECCOMP="${SECCOMP}" \
 			--env DEBUG="${DEBUG}" \
 			--env HOME="/root" \
@@ -551,11 +567,12 @@ EOT
 	AGENT_DIR="${ROOTFS_DIR}/usr/bin"
 	AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}"
 
+	if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
+		LIBC=gnu
+		warning "Forcing LIBC=gnu because $ARCH has no musl Rust target"
+	fi
+
 	if [ -z "${AGENT_SOURCE_BIN}" ] ; then
-		if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
-			LIBC=gnu
-			echo "WARNING: Forcing LIBC=gnu because $ARCH has no musl Rust target"
-		fi
 		[ "$LIBC" == "musl" ] && bash ${script_dir}/../../../ci/install_musl.sh
 		# rust agent needs ${arch}-unknown-linux-${LIBC}
 		if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then
@@ -617,6 +634,41 @@ EOT
 	info "Create /etc/resolv.conf file in rootfs if not exist"
 	touch "$dns_file"
 
+	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+		skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
+		skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
+		info "Install skopeo"
+		git clone "${skopeo_url}" --branch "${skopeo_branch}"
+		pushd skopeo
+		make bin/skopeo
+		install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
+		popd
+
+		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+		info "Install umoci"
+		git clone "${umoci_url}" --branch "${umoci_tag}"
+		pushd umoci
+		make
+		install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+		popd
+	fi
+
+	if [ -n "${AA_KBC}" ]; then
+		[ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+
+		attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
+		attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
+		info "Install attestation-agent with KBC ${AA_KBC}"
+		git clone "${attestation_agent_url}" --branch "${attestation_agent_branch}"
+		pushd attestation-agent
+		source "${HOME}/.cargo/env"
+		target="${ARCH}-unknown-linux-${LIBC}"
+		cargo build --release --target "${target}" --no-default-features --features "${AA_KBC}"
+		install -o root -g root -m 0755 "target/${target}/release/attestation-agent" "${ROOTFS_DIR}/usr/local/bin/"
+		popd
+	fi
+
 	info "Creating summary file"
 	create_summary_file "${ROOTFS_DIR}"
 }

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile-aarch64.in

@@ -28,10 +28,15 @@ RUN apt-get update && apt-get install -y \
     g++ \
     gcc \
     git \
+    golang-go \
+    libdevmapper-dev \
     libc6-dev \
+    libgpgme-dev \
+    libssl-dev \
     libstdc++-8-dev \
     m4 \
     make \
+    pkg-config \
     sed \
     systemd \
     tar \

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in

@@ -27,13 +27,18 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
     g++ \
     gcc \
     git \
+    golang-go \
+    libdevmapper-dev \
     libc6-dev \
+    libgpgme-dev \
+    libssl-dev \
     libstdc++-8-dev \
     m4 \
     make \
     musl \
     musl-dev \
     musl-tools \
+    pkg-config \
     protobuf-compiler \
     sed \
     systemd \

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -32,3 +32,4 @@ INIT_PROCESS=systemd
 ARCH_EXCLUDE_LIST=()
 
 [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
+[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true

tools/osbuilder/scripts/lib.sh

@@ -219,6 +219,25 @@ ${extra}
 	  agent-is-init-daemon: "${AGENT_INIT}"
 EOT
 
+	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+		cat >> "${file}" <<-EOF
+	skopeo:
+	  url: "${skopeo_url}"
+	  version: "${skopeo_branch}"
+	umoci:
+	  url: "${umoci_url}"
+	  version: "${umoci_tag}"
+EOF
+	fi
+
+	if [ -n "${AA_KBC}" ]; then
+		cat >> "${file}" <<-EOF
+	attestation-agent:
+	  url: "${attestation_agent_url}"
+	  kbc: "${AA_KBC}"
+EOF
+	fi
+
 	local rootfs_file="${file_dir}/$(basename "${file}")"
 	info "Created summary file '${rootfs_file}' inside rootfs"
 }

versions.yaml

@@ -163,6 +163,11 @@ assets:
 externals:
   description: "Third-party projects used by the system"
 
+  attestation-agent:
+    description: "Provide attested key unwrapping for image decryption"
+    url: "https://github.com/confidential-containers/attestation-agent"
+    branch: "main"
+
   cni-plugins:
     description: "CNI network plugins"
     url: "https://github.com/containernetworking/plugins"
@@ -227,6 +232,16 @@ externals:
       .*/v?(\d\S+)\.tar\.gz
     version: "v1.0.1"
 
+  skopeo:
+    description: "Utility for container images and image repositories"
+    url: "https://github.com/containers/skopeo"
+    branch: "release-1.4"
+
+  umoci:
+    description: "Utility for creating and manipulating container images"
+    url: "https://github.com/opencontainers/umoci"
+    tag: "v0.4.7"
+
   musl:
     description: |
       The musl library is used to build the rust agent.