github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-31 16:36:38 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #10794 from fidencio/topic/bump-ubuntu-version-for-the-confidential-rootfs-and-initrd

Browse Source 
versions: Bump Ubuntu base image & initrd
This commit is contained in:
Steve Horsman
2025-01-27 15:55:16 +00:00
committed by GitHub
parent b4c710576e 84b0ca1b18
commit 311c3638c6
6 changed files with 66 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
View File

@@ -84,4 +84,4 @@ RUN ARCH=$(uname -m); \
esac; \
rustup target add "${rust_arch}-unknown-linux-${libc}"
RUN pip install --no-cache-dir pyinstaller==6.9.0
RUN pip install --no-cache-dir pyinstaller==6.9.0 || pip install --no-cache-dir pyinstaller==6.9.0 --break-system-packages

4
tools/osbuilder/rootfs-builder/ubuntu/config.sh
View File

@@ -2,10 +2,10 @@
#
# SPDX-License-Identifier: Apache-2.0
source /etc/os-release
OS_NAME=ubuntu
# This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
OS_VERSION=${OS_VERSION:-${UBUNTU_CODENAME}}
OS_VERSION=${OS_VERSION:-""}
[ -z "$OS_VERSION" ] && echo "OS_VERSION is required, but was not set" && exit 1
PACKAGES="chrony iptables dbus"
[ "$AGENT_INIT" = no ] && PACKAGES+=" init"
[ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"

19
tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
View File

@@ -22,7 +22,7 @@ bootstrap=Ubuntu
[Ubuntu]
source=$REPO_URL
keyring=ubuntu-keyring
suite=$UBUNTU_CODENAME
suite=$OS_VERSION
packages=$PACKAGES $EXTRA_PKGS
EOF
@@ -31,12 +31,16 @@ EOF
curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key |
gpg --dearmour -o $rootfs_dir/etc/apt/trusted.gpg.d/intel-sgx-deb.gpg
sed -i -e "s/bootstrap=Ubuntu/bootstrap=Ubuntu intel-sgx/" $multistrap_conf
SUITE=$OS_VERSION
# Intel does not release sgx stuff for non-LTS, thus if using oracular (24.10),
# we need to enforce getting libtdx-attest from noble.
[ "$SUITE" = "oracular" ] && SUITE="noble"
cat >> $multistrap_conf << EOF
[intel-sgx]
source=https://download.01.org/intel-sgx/sgx_repo/ubuntu
suite=$UBUNTU_CODENAME
packages=libtdx-attest=1.20\*
suite=$SUITE
packages=libtdx-attest=1.22\*
EOF
fi
@@ -45,7 +49,14 @@ EOF
apt update
if ! multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"; then
build_dbus $rootfs_dir
if [ "$OS_VERSION" = "focal" ]; then
echo "WARN: multistrap failed, proceed with hack for Ubuntu 20.04"
build_dbus $rootfs_dir
else
echo "ERROR: multistrap failed, cannot proceed" && exit 1
fi
else
echo "INFO: multistrap succeeded"
fi
rm -rf "$rootfs_dir/var/run"
ln -s /run "$rootfs_dir/var/run"

2
tools/packaging/guest-image/build_image.sh
View File

@@ -71,7 +71,7 @@ build_image() {
DISTRO="${os_name}" \
DEBUG="${DEBUG:-}" \
USE_DOCKER="1" \
IMG_OS_VERSION="${os_version}" \
OS_VERSION="${os_version}" \
ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \
AGENT_TARBALL="${AGENT_TARBALL}" \
AGENT_POLICY="${AGENT_POLICY:-}" \

23
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
View File

@@ -332,8 +332,12 @@ install_image() {
local variant="${1:-}"
image_type="image"
os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")"
os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")"
if [ -n "${variant}" ]; then
image_type+="-${variant}"
os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")"
os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")"
fi
local component="rootfs-${image_type}"
@@ -349,7 +353,7 @@ install_image() {
"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
latest_artefact="$(get_kata_version)-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
if [ "${variant}" == "confidential" ]; then
# For the confidential image we depend on the kernel built in order to ensure that
# measured boot is used
@@ -371,16 +375,10 @@ install_image() {
info "Create image"
if [ -n "${variant}" ]; then
os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")"
os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")"
if [[ "${variant}" == *confidential ]]; then
export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
fi
else
os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")"
os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")"
fi
export AGENT_TARBALL=$(get_agent_tarball_path)
@@ -406,8 +404,12 @@ install_initrd() {
local variant="${1:-}"
initrd_type="initrd"
os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")"
os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")"
if [ -n "${variant}" ]; then
initrd_type+="-${variant}"
os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")"
os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")"
fi
local component="rootfs-${initrd_type}"
@@ -422,7 +424,7 @@ install_initrd() {
"$(get_last_modification "${repo_root_dir}/src/agent")" \
"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
if [ "${variant}" == "confidential" ]; then
# For the confidential initrd we depend on the kernel built in order to ensure that
# measured boot is used
@@ -446,17 +448,12 @@ install_initrd() {
info "Create initrd"
if [ -n "${variant}" ]; then
os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")"
os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")"
if [[ "${variant}" == *confidential ]]; then
export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
fi
else
# No variant is passed, it means vanilla kata containers
os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")"
os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")"
if [ "${os_name}" = "alpine" ]; then
export AGENT_INIT=yes
fi

77
versions.yaml
View File

@@ -116,41 +116,38 @@ assets:
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: &default-image-name "ubuntu"
version: &default-image-version "latest"
name: "ubuntu"
version: "jammy" # 22.04 LTS
nvidia-gpu:
name: *default-image-name
version: "jammy"
name: "ubuntu"
version: "jammy" # 22.04 LTS
nvidia-gpu-confidential:
name: *default-image-name
version: "jammy"
name: "ubuntu"
version: "jammy" # 22.04 LTS
ppc64le:
name: *default-image-name
version: *default-image-version
name: "ubuntu"
version: "jammy" # 22.04 LTS
s390x:
name: *default-image-name
version: *default-image-version
name: "ubuntu"
version: "jammy" # 22.04 LTS
confidential:
name: *default-image-name
version: *default-image-version
name: "ubuntu"
version: "jammy" # 22.04 LTS
x86_64:
name: *default-image-name
version: *default-image-version
name: "ubuntu"
version: "jammy" # 22.04 lTS
confidential:
name: *default-image-name
version: *default-image-version
name: "ubuntu"
version: "oracular" # 24.10
mariner:
name: "cbl-mariner"
version: "3.0"
nvidia-gpu:
name: *default-image-name
version: "jammy"
name: "ubuntu"
version: "jammy" # 22.04 LTS
nvidia-gpu-confidential:
name: *default-image-name
version: "jammy"
meta:
image-type: *default-image-name
name: "ubuntu"
version: "jammy" # 22.04 LTS
initrd:
description: |
@@ -159,37 +156,37 @@ assets:
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: &default-initrd-name "alpine"
version: &default-initrd-version "3.18"
name: "alpine"
version: "3.18"
nvidia-gpu:
name: "ubuntu"
version: "jammy"
version: "jammy" # 22.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "jammy"
# Do not use Alpine on ppc64le & s390x, the agent cannot use musl because
# there is no such Rust target
ppc64le:
name: &glibc-initrd-name "ubuntu"
version: &glibc-initrd-version "20.04"
name: "ubuntu"
version: "jammy" # 22.04 LTS
s390x:
name: *glibc-initrd-name
version: *glibc-initrd-version
name: "ubuntu"
version: "jammy" # 22.04 LTS
confidential:
name: *glibc-initrd-name
version: *glibc-initrd-version
name: "ubuntu"
version: "jammy" # 22.04 LTS
x86_64:
name: *default-initrd-name
version: *default-initrd-version
name: "alpine"
version: "3.18"
confidential:
name: *glibc-initrd-name
version: *glibc-initrd-version
name: "ubuntu"
version: "focal" # 20.04 LTS
nvidia-gpu:
name: *glibc-initrd-name
version: "jammy"
name: "ubuntu"
version: "jammy" # 22.04 LTS
nvidia-gpu-confidential:
name: *glibc-initrd-name
version: "jammy"
name: "ubuntu"
version: "jammy" # 22.04 LTS
kernel:
description: "Linux kernel optimised for virtual machines"