From 353ceb948e66a8288acd259f25b315d4a003cc56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 12:31:03 +0100 Subject: [PATCH 1/9] versions: Don't use the yaml variable definitions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While having variables are nice, those are more extensive to write down, and actually confusing for tired developer eyes to read, plus we're mixing the use of the yaml variables here and there together with not using them for some architectures. With the best "all or nothing" spirit, let's just make it easier for our developers to read the versions.yaml and easily understand what's being used. Signed-off-by: Fabiano Fidêncio --- versions.yaml | 63 ++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/versions.yaml b/versions.yaml index f3f65f341d..cd952ae993 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -116,42 +116,39 @@ assets: url: "https://github.com/kata-containers/kata-containers/tools/osbuilder" architecture: aarch64: - name: &default-image-name "ubuntu" - version: &default-image-version "latest" + name: "ubuntu" + version: "latest" nvidia-gpu: - name: *default-image-name + name: "ubuntu" version: "jammy" nvidia-gpu-confidential: - name: *default-image-name + name: "ubuntu" version: "jammy" ppc64le: - name: *default-image-name - version: *default-image-version + name: "ubuntu" + version: "latest" s390x: - name: *default-image-name - version: *default-image-version + name: "ubuntu" + version: "latest" confidential: - name: *default-image-name - version: *default-image-version + name: "ubuntu" + version: "latest" x86_64: - name: *default-image-name - version: *default-image-version + name: "ubuntu" + version: "latest" confidential: - name: *default-image-name - version: *default-image-version + name: "ubuntu" + version: "latest" mariner: name: "cbl-mariner" version: "3.0" nvidia-gpu: - name: *default-image-name + name: "ubuntu" version: "jammy" nvidia-gpu-confidential: - name: *default-image-name + name: "ubuntu" version: "jammy" - meta: - image-type: *default-image-name - initrd: description: | Root filesystem initrd used to boot the guest virtual @@ -159,8 +156,8 @@ assets: url: "https://github.com/kata-containers/kata-containers/tools/osbuilder" architecture: aarch64: - name: &default-initrd-name "alpine" - version: &default-initrd-version "3.18" + name: "alpine" + version: "3.18" nvidia-gpu: name: "ubuntu" version: "jammy" 
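Review bot: The first hunk also deletes the `meta:` / `image-type: *default-image-name` mapping under `assets.image`, which is a key removal rather than an alias expansion, and the commit message only talks about inlining the variables. If anything reads `.assets.image.meta.image-type` (presumably a yq lookup in the build scripts), it now gets null; either keep the key as `meta:` / `image-type: "ubuntu"` or state in the message that it is unused. The remaining lines of the hunk are a faithful anchor-to-literal expansion of the values the anchors carried.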
@@ -170,25 +167,25 @@ assets: # Do not use Alpine on ppc64le & s390x, the agent cannot use musl because # there is no such Rust target ppc64le: - name: &glibc-initrd-name "ubuntu" - version: &glibc-initrd-version "20.04" + name: "ubuntu" + version: "20.04" s390x: - name: *glibc-initrd-name - version: *glibc-initrd-version + name: "ubuntu" + version: "20.04" confidential: - name: *glibc-initrd-name - version: *glibc-initrd-version + name: "ubuntu" + version: "20.04" x86_64: - name: *default-initrd-name - version: *default-initrd-version + name: "alpine" + version: "3.18" confidential: - name: *glibc-initrd-name - version: *glibc-initrd-version + name: "ubuntu" + version: "20.04" nvidia-gpu: - name: *glibc-initrd-name + name: "ubuntu" version: "jammy" nvidia-gpu-confidential: - name: *glibc-initrd-name + name: "ubuntu" version: "jammy" kernel: From ca96a6ac76d338697d13cb922b0b02797d7cd223 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 12:36:48 +0100 Subject: [PATCH 2/9] versions: Use Ubuntu codename instead of versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As this is required as part of the osbuilder tool to be able to properly set the repositories used when building the rootfs. Signed-off-by: Fabiano Fidêncio --- versions.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/versions.yaml b/versions.yaml index cd952ae993..e3d2c2fb88 100644 --- a/versions.yaml +++ b/versions.yaml @@ -168,19 +168,19 @@ assets: # there is no such Rust target ppc64le: name: "ubuntu" - version: "20.04" + version: "focal" # 20.04 LTS s390x: name: "ubuntu" - version: "20.04" + version: "focal" # 20.04 LTS confidential: name: "ubuntu" - version: "20.04" + version: "focal" # 20.04 LTS x86_64: name: "alpine" version: "3.18" confidential: name: "ubuntu" - version: "20.04" + version: "focal" # 20.04 LTS nvidia-gpu: name: "ubuntu" version: "jammy" 
From 02a18c135986a264764d81bf4c5e73493eeae23a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 12:37:39 +0100 Subject: [PATCH 3/9] versions: Clarify which release matches a codename MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It'll make the life of the developers not so familiar with Ubuntu easier. Signed-off-by: Fabiano Fidêncio --- versions.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/versions.yaml b/versions.yaml index e3d2c2fb88..e8be49ec5c 100644 --- a/versions.yaml +++ b/versions.yaml @@ -120,10 +120,10 @@ assets: version: "latest" nvidia-gpu: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS nvidia-gpu-confidential: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS ppc64le: name: "ubuntu" version: "latest" @@ -144,10 +144,10 @@ assets: version: "3.0" nvidia-gpu: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS nvidia-gpu-confidential: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS initrd: description: | @@ -160,7 +160,7 @@ assets: version: "3.18" nvidia-gpu: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS nvidia-gpu-confidential: name: "ubuntu" version: "jammy" @@ -183,10 +183,10 @@ assets: version: "focal" # 20.04 LTS nvidia-gpu: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS nvidia-gpu-confidential: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS kernel: description: "Linux kernel optimised for virtual machines" From 585f82f7306d629cbc4777350c4f40d9648afc58 Mon Sep 17 00:00:00 2001 
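Review bot: The `# 22.04 LTS` annotation is missing on the `nvidia-gpu-confidential` initrd entry in the `@@ -160,7 +160,7 @@` hunk: the `version: "jammy"` context line directly after the one being changed stays bare, so that block ends up half-annotated while every other jammy entry touched by this commit gets the comment. Change that line to `version: "jammy" # 22.04 LTS` so the release-to-codename mapping is complete, which is the stated purpose of the commit.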
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 13:25:20 +0100 Subject: [PATCH 4/9] osbuilder: ubuntu: Ensure OS_VERSION is passed & used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Right now we're hitting an interesting situation with osbuilder, where regardless of what's being passed Ubuntu 20.04 (focal) is being used when building the rootfs-image, as shown in the snippets of the logs below: ``` ffidenci@tatu:~/src/upstream/kata-containers/kata-containers$ make rootfs-image-confidential-tarball /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-copy-libseccomp-installer.sh "agent" make agent-tarball-build ... make pause-image-tarball-build ... make coco-guest-components-tarball-build ... make kernel-confidential-tarball-build ... make rootfs-image-confidential-tarball-build make[1]: Entering directory '/home/ffidenci/src/upstream/kata-containers/kata-containers' /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-binaries-in-docker.sh --build=rootfs-image-confidential sha256:f16c57890b0e85f6e1bbe1957926822495063bc6082a83e6ab7f7f13cabeeb93 Build kata version 3.13.0: rootfs-image-confidential INFO: DESTDIR /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/destdir INFO: Create image build image ~/src/upstream/kata-containers/kata-containers/tools/osbuilder ~/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir INFO: Build image INFO: image os: ubuntu INFO: image os version: latest Creating rootfs for ubuntu /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs.sh -o 3.13.0-13f0807e9f5687d8e5e9a0f4a0a8bb57ca50d00c-dirty -r 
/home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir/rootfs-image/ubuntu_rootfs ubuntu INFO: rootfs_lib.sh file found. Loading content ~/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/ubuntu ~/src/upstream/kata-containers/kata-containers/tools/osbuilder ~/src/upstream/kata-containers/kata-containers/tools/osbuilder INFO: rootfs_lib.sh file found. Loading content INFO: build directly WARNING: apt does not have a stable CLI interface. Use with caution in scripts. Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB] Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB] Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB] Get:4 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4276 kB] Get:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB] Get:6 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB] Get:7 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1297 kB] Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB] Get:9 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4187 kB] Get:10 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB] Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB] Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB] Get:13 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4663 kB] Get:14 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1589 kB] Get:15 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [34.6 kB] Get:16 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4463 kB] Get:17 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB] Get:18 
http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB] Fetched 34.1 MB in 5s (6284 kB/s) ... ``` The reason this is happening is due to a few issues in different places: 1. IMG_OS_VERSION, passed to osbuilder, is not used anywhere and OS_VERSION should be used instead. And we should break if OS_VERSION is not properly passed down 2. Using UBUNTU_CODENAME is simply wrong, as it'll use whatever comes as the base container from kata-deploy's local-build scripts, and it has just been working by luck Note that at the same time this commit fixes the wrong behaviour, it would break the rootfses build as they are, this we need to set the versions.yaml to use 20.04 were it was already using 20.04 even without us knowing. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/ubuntu/config.sh | 4 ++-- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 4 ++-- tools/packaging/guest-image/build_image.sh | 2 +- versions.yaml | 12 ++++++------ 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index 356505527c..f1eb736645 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -2,10 +2,10 @@ # # SPDX-License-Identifier: Apache-2.0 -source /etc/os-release OS_NAME=ubuntu # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04 -OS_VERSION=${OS_VERSION:-${UBUNTU_CODENAME}} +OS_VERSION=${OS_VERSION:-""} +[ -z "$OS_VERSION" ] && echo "OS_VERSION is required, but was not set" && exit 1 PACKAGES="chrony iptables dbus" [ "$AGENT_INIT" = no ] && PACKAGES+=" init" [ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs" diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 03f25f4c5e..99712b2d23 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh 
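Review bot: The new guard `[ -z "$OS_VERSION" ] && echo "OS_VERSION is required, but was not set" && exit 1` writes the diagnostic to stdout and only reaches `exit` if the echo succeeds, and the preceding `OS_VERSION=${OS_VERSION:-""}` is a no-op since an unset variable already expands to empty. As config.sh is presumably sourced by the rootfs builder, the `exit 1` terminates the calling script, which looks intended but deserves a comment. Suggest `# sourced by the rootfs builder: exiting here aborts the whole build` followed by `[ -n "${OS_VERSION:-}" ] || { echo "ERROR: OS_VERSION is required, but was not set" >&2; exit 1; }`.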
+++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -22,7 +22,7 @@ bootstrap=Ubuntu [Ubuntu] source=$REPO_URL keyring=ubuntu-keyring -suite=$UBUNTU_CODENAME +suite=$OS_VERSION packages=$PACKAGES $EXTRA_PKGS EOF @@ -35,7 +35,7 @@ EOF [intel-sgx] source=https://download.01.org/intel-sgx/sgx_repo/ubuntu -suite=$UBUNTU_CODENAME +suite=$OS_VERSION packages=libtdx-attest=1.20\* EOF fi diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index 0b33bd9f00..b53902230c 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -71,7 +71,7 @@ build_image() { DISTRO="${os_name}" \ DEBUG="${DEBUG:-}" \ USE_DOCKER="1" \ - IMG_OS_VERSION="${os_version}" \ + OS_VERSION="${os_version}" \ ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \ AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_POLICY="${AGENT_POLICY:-}" \ diff --git a/versions.yaml b/versions.yaml index e8be49ec5c..bcff523577 100644 --- a/versions.yaml +++ b/versions.yaml @@ -117,7 +117,7 @@ assets: architecture: aarch64: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 LTS nvidia-gpu: name: "ubuntu" version: "jammy" # 22.04 LTS @@ -126,19 +126,19 @@ assets: version: "jammy" # 22.04 LTS ppc64le: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 LTS s390x: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 LTS confidential: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 LTS x86_64: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 lTS confidential: name: "ubuntu" - version: "latest" + version: "focal" # 20.04 LTS mariner: name: "cbl-mariner" version: "3.0" From 4a66acc6f5463390469ed109c3db0330670d8873 Mon Sep 17 00:00:00 2001 
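Review bot: The comment added on the x86_64 image entry reads `version: "focal" # 20.04 lTS` with a lowercase `l`, while every other line in the hunk uses `LTS`; the same typo is carried forward into patch 9/9 as `# 22.04 lTS` on the same entry. Fix both to `# 20.04 LTS` and `# 22.04 LTS` respectively so a grep for `LTS` finds every annotated entry.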
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 13:57:56 +0100 Subject: [PATCH 5/9] osbuilder: ubuntu: Abort if multistrap fails (but not on 20.04) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We have gotten Ubuntu 20.04 working pretty much "by luck", as multistrap fails the deployment, and then a hacky function was introduced to add the proper dbus links. However, this does not scale at all, and we should: * Fail if multistrap fails * I won't do this for Ubuntu 20.04 as it's working for now and soon enough it'll be EOL * Add better logging to ensure someone can know when multistrap fails Below you can find the failure that we're hitting on Ubuntu 20.04: ```sh Errors were encountered while processing: dbus ERR: dpkg configure reported an error. Native mode configuration reported an error! I: Tidying up apt cache and list data. Multistrap system reported 1 error in /rootfs/. I: Tidying up apt cache and list data. ``` Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 99712b2d23..389249605d 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -45,7 +45,14 @@ EOF apt update if ! multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"; then - build_dbus $rootfs_dir + if [ "$OS_VERSION" = "focal" ]; then + echo "WARN: multistrap failed, proceed with hack for Ubuntu 20.04" + build_dbus $rootfs_dir + else + echo "ERROR: multistrap failed, cannot proceed" && exit 1 + fi + else + echo "INFO: multistrap succeeded" fi rm -rf "$rootfs_dir/var/run" ln -s /run "$rootfs_dir/var/run" From c54f78bc6b5161b5a85673e68089400d614430a4 Mon Sep 17 00:00:00 2001 
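Review bot: `echo "ERROR: multistrap failed, cannot proceed" && exit 1` chains the exit on the echo's status and sends the diagnostic to stdout, where it gets lost in the multistrap output; `{ echo "ERROR: multistrap failed, cannot proceed" >&2; exit 1; }` is the usual shape, and the WARN line should go to stderr as well. The exception is keyed on the exact string `"focal"`, so a caller still passing `20.04` (the value versions.yaml carried before patch 2/9) now hits the hard failure instead of the dbus workaround, which is consistent with the series but worth stating on the branch: `# only focal may continue past a multistrap failure; drop this once 20.04 is gone`. The enclosing function starts before the hunk.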
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 24 Jan 2025 21:48:46 +0100 Subject: [PATCH 6/9] local-build: cache: Consider os name & version for image/initrd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise a bump in the os name and / or os version would lead to the CI using a cached artefact. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 8e81cbfee2..eccfcb9e83 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -332,8 +332,12 @@ install_image() { local variant="${1:-}" image_type="image" + os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")" + os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")" if [ -n "${variant}" ]; then image_type+="-${variant}" + os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")" + os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")" fi local component="rootfs-${image_type}" 
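Review bot: `os_name` and `os_version` are now looked up twice whenever a variant is set (the unconditional `get_from_kata_deps` calls first, then the variant-specific ones that overwrite them), and they are assigned without `local` while `variant` on the line above is local, so they leak into the script's global scope unless they are deliberately exported further down; the `install_initrd` hunk (`@@ -406,8 +404,12 @@`) has the same shape. Since both values now form part of `latest_artefact`, an empty result from a failed lookup silently yields a differently keyed cache entry, so it is worth failing when either is empty. Building the yq path once and guarding it covers both functions; `install_image` continues outside the hunk.
```shell
    local variant="${1:-}"
    image_type="image"
    local os_name os_version
    local deps_path=".assets.image.architecture.${ARCH}"
    if [ -n "${variant}" ]; then
        image_type+="-${variant}"
        deps_path+=".${variant}"
    fi
    os_name="$(get_from_kata_deps "${deps_path}.name")"
    os_version="$(get_from_kata_deps "${deps_path}.version")"
    # both values are part of the cache key below; an empty one must not silently pass
    [ -n "${os_name}" ] && [ -n "${os_version}" ] || { echo "ERROR: no os name/version at ${deps_path}" >&2; exit 1; }
    # … unchanged: component and cache-key computation …
```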
@@ -349,7 +353,7 @@ install_image() { "$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")") - latest_artefact="$(get_kata_version)-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}" + latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}" if [ "${variant}" == "confidential" ]; then # For the confidential image we depend on the kernel built in order to ensure that # measured boot is used @@ -371,16 +375,10 @@ install_image() { info "Create image" if [ -n "${variant}" ]; then - os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")" - os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")" - if [[ "${variant}" == *confidential ]]; then export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)" export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)" fi - else - os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")" - os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")" fi export AGENT_TARBALL=$(get_agent_tarball_path) @@ -406,8 +404,12 @@ install_initrd() { local variant="${1:-}" initrd_type="initrd" + os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")" + os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")" if [ -n "${variant}" ]; then initrd_type+="-${variant}" + os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")" + os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")" fi local component="rootfs-${initrd_type}" 
@@ -422,7 +424,7 @@ install_initrd() { "$(get_last_modification "${repo_root_dir}/src/agent")" \ "$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")") - latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}" + latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}" if [ "${variant}" == "confidential" ]; then # For the confidential initrd we depend on the kernel built in order to ensure that # measured boot is used @@ -446,17 +448,12 @@ install_initrd() { info "Create initrd" if [ -n "${variant}" ]; then - os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")" - os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")" - if [[ "${variant}" == *confidential ]]; then export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)" export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)" fi else # No variant is passed, it means vanilla kata containers - os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")" - os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")" if [ "${os_name}" = "alpine" ]; then export AGENT_INIT=yes fi From 2b5dbfacb8785a460b71b99b9fb68bd0f1ce240e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sun, 26 Jan 2025 18:35:11 +0100 Subject: [PATCH 7/9] osbuilder: ubuntu: Try to install pyinstaller using --break-system-packages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We first try without passing the `--break-system-packages` argument, as that's not supported on Ubuntu 22.04 or older, but that's required on Ubuntu 24.04 or newer. 
Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in index d67bceb996..16fa213eb8 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in @@ -84,4 +84,4 @@ RUN ARCH=$(uname -m); \ esac; \ rustup target add "${rust_arch}-unknown-linux-${libc}" -RUN pip install --no-cache-dir pyinstaller==6.9.0 +RUN pip install --no-cache-dir pyinstaller==6.9.0 || pip install --no-cache-dir pyinstaller==6.9.0 --break-system-packages From b6e0effc062822671565a0c0de582b1b1d50ef00 Mon Sep 17 00:00:00 2001 From: Carlos Segarra Date: Fri, 24 Jan 2025 08:57:12 +0000 Subject: [PATCH 8/9] tdx: bump version of libtdx-attest in rootfs-builder Bump libtdx-attest to its 1.22 release. Signed-off-by: Carlos Segarra --- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 389249605d..bdfbd8bdad 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -36,7 +36,7 @@ EOF [intel-sgx] source=https://download.01.org/intel-sgx/sgx_repo/ubuntu suite=$OS_VERSION -packages=libtdx-attest=1.20\* +packages=libtdx-attest=1.22\* EOF fi From 84b0ca1b18b2f3d90ea781c1853de17c4948aab8 Mon Sep 17 00:00:00 2001 
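Review bot: `pip install … || pip install … --break-system-packages` retries on any failure of the first command, so a genuine error (network, a broken wheel) is re-run and then reported by pip on 22.04 as an unknown option, which hides the original cause, and on 24.04 the image build pays for an install that is known to fail first. pip reads `PIP_BREAK_SYSTEM_PACKAGES=1` from the environment, and as far as I recall its option parser skips configuration keys it does not recognise, so `ENV PIP_BREAK_SYSTEM_PACKAGES=1` before a single `RUN pip install --no-cache-dir pyinstaller==6.9.0` gives one install with a clear error on both releases (worth a quick check against 22.04's pip). Annotate it with `# needed on Ubuntu >= 24.04 (PEP 668); ignored by older pip`.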
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 27 Jan 2025 14:21:09 +0100 Subject: [PATCH 9/9] versions: Bump Ubuntu rootfs / initrd versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While I wish we could be bumping to the very same version everywhere, it's not possible and it's been quite a ride to get a combination of things that work. Let me try to describe my approach here: * Do *NOT* stay on 20.04 * This version will be EOL'ed by April * This version has a very old version of systemd that causes a bug when trying to online the cpusets for guests using systemd as init, causing then a breakage on the qemu-coco-non-tee and TDX non-attestation set of tests * Bump to 22.04 when possible * This was possible for the majority of the cases, but for the confidential initrd & confidential images for x86_64, the reason being failures on AMD SEV CI (which I didn't debug), and a kernel panic on the CentOS 9 Stream TDX machine * 22.04 is being used instead of 24.04 as multistrap is simply broken on Ubuntu 24.04, and I'd prefer to stay on an LTS release whenever it's possible * Bump to 24.10 for x86_64 image confidential * This was done as we got everything working with 24.10 in the CI. * This requires using libtdx-attest from noble (Ubuntu 24.04), as Intel only releases their sgx stuff for LTS releases. * Stick to 20.04 for x86_64 initrd confidential * 24.10 caused a panic on their CI * This is only being used by AMD so far, so they can decide when to bump, after doing the proper testing & debug that the bump will work as expected for them Signed-off-by: Fabiano Fidêncio --- .../rootfs-builder/ubuntu/rootfs_lib.sh | 6 +++++- versions.yaml | 18 +++++++++--------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index bdfbd8bdad..464144fb45 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh 
+++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -31,11 +31,15 @@ EOF curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmour -o $rootfs_dir/etc/apt/trusted.gpg.d/intel-sgx-deb.gpg sed -i -e "s/bootstrap=Ubuntu/bootstrap=Ubuntu intel-sgx/" $multistrap_conf + SUITE=$OS_VERSION + # Intel does not release sgx stuff for non-LTS, thus if using oracular (24.10), + # we need to enforce getting libtdx-attest from noble. + [ "$SUITE" = "oracular" ] && SUITE="noble" cat >> $multistrap_conf << EOF [intel-sgx] source=https://download.01.org/intel-sgx/sgx_repo/ubuntu -suite=$OS_VERSION +suite=$SUITE packages=libtdx-attest=1.22\* EOF fi diff --git a/versions.yaml b/versions.yaml index bcff523577..21590af1c7 100644 --- a/versions.yaml +++ b/versions.yaml @@ -117,7 +117,7 @@ assets: architecture: aarch64: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS nvidia-gpu: name: "ubuntu" version: "jammy" # 22.04 LTS @@ -126,19 +126,19 @@ assets: version: "jammy" # 22.04 LTS ppc64le: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS s390x: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS confidential: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS x86_64: name: "ubuntu" - version: "focal" # 20.04 lTS + version: "jammy" # 22.04 lTS confidential: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "oracular" # 24.10 mariner: name: "cbl-mariner" version: "3.0" @@ -168,13 +168,13 @@ assets: # there is no such Rust target ppc64le: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS s390x: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS confidential: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS x86_64: name: "alpine" version: "3.18"
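Review bot: `SUITE` is introduced as an upper-case, non-local variable in a block whose other script-level variables (`$rootfs_dir`, `$multistrap_conf`) are lower-case, and the remapping only knows `oracular`; any other non-LTS codename would again point the intel-sgx stanza at a suite Intel does not publish, failing later inside multistrap with a less obvious error. If this is inside a function (its start is outside the hunk), `local suite=$OS_VERSION` fits the file's style, and the rule deserves an explicit comment, `# Intel publishes the sgx repo only for LTS suites; map interim releases to the preceding LTS`, plus a hard failure for unmapped non-LTS names rather than passing them through. The versions.yaml hunk that follows still carries the `# 22.04 lTS` typo on the x86_64 image entry.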