Merge pull request #10794 from fidencio/topic/bump-ubuntu-version-for-the-confidential-rootfs-and-initrd

versions: Bump Ubuntu base image & initrd

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in

@@ -84,4 +84,4 @@ RUN ARCH=$(uname -m); \
 	esac; \
     rustup target add "${rust_arch}-unknown-linux-${libc}"
 
-RUN pip install --no-cache-dir pyinstaller==6.9.0
+RUN pip install --no-cache-dir pyinstaller==6.9.0 || pip install --no-cache-dir pyinstaller==6.9.0 --break-system-packages

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -2,10 +2,10 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-source /etc/os-release
 OS_NAME=ubuntu
 # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
-OS_VERSION=${OS_VERSION:-${UBUNTU_CODENAME}}
+OS_VERSION=${OS_VERSION:-""}
+[ -z "$OS_VERSION" ] && echo "OS_VERSION is required, but was not set" && exit 1
 PACKAGES="chrony iptables dbus"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
 [ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"

tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh

@@ -22,7 +22,7 @@ bootstrap=Ubuntu
 [Ubuntu]
 source=$REPO_URL
 keyring=ubuntu-keyring
-suite=$UBUNTU_CODENAME
+suite=$OS_VERSION
 packages=$PACKAGES $EXTRA_PKGS
 EOF
 
@@ -31,12 +31,16 @@ EOF
 		curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key |
 			gpg --dearmour -o $rootfs_dir/etc/apt/trusted.gpg.d/intel-sgx-deb.gpg
 		sed -i -e "s/bootstrap=Ubuntu/bootstrap=Ubuntu intel-sgx/" $multistrap_conf
+		SUITE=$OS_VERSION
+		# Intel does not release sgx stuff for non-LTS, thus if using oracular (24.10),
+		# we need to enforce getting libtdx-attest from noble.
+		[ "$SUITE" = "oracular" ] && SUITE="noble"
 		cat >> $multistrap_conf << EOF
 
 [intel-sgx]
 source=https://download.01.org/intel-sgx/sgx_repo/ubuntu
-suite=$UBUNTU_CODENAME
+suite=$SUITE
-packages=libtdx-attest=1.20\*
+packages=libtdx-attest=1.22\*
 EOF
 	fi
 
@@ -45,7 +49,14 @@ EOF
 	apt update
 
 	if ! multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"; then
+		if [ "$OS_VERSION" = "focal" ]; then	
+			echo "WARN: multistrap failed, proceed with hack for Ubuntu 20.04"
 			build_dbus $rootfs_dir
+		else
+			echo "ERROR: multistrap failed, cannot proceed" && exit 1
+		fi
+	else
+		echo "INFO: multistrap succeeded"
 	fi
 	rm -rf "$rootfs_dir/var/run"
 	ln -s /run "$rootfs_dir/var/run"

tools/packaging/guest-image/build_image.sh

@@ -71,7 +71,7 @@ build_image() {
 		DISTRO="${os_name}" \
 		DEBUG="${DEBUG:-}" \
 		USE_DOCKER="1" \
-		IMG_OS_VERSION="${os_version}" \
+		OS_VERSION="${os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \
 		AGENT_TARBALL="${AGENT_TARBALL}" \
 		AGENT_POLICY="${AGENT_POLICY:-}" \

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -332,8 +332,12 @@ install_image() {
 	local variant="${1:-}"
 
 	image_type="image"
+	os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")"
+	os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")"
 	if [ -n "${variant}" ]; then
 		image_type+="-${variant}"
+		os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")"
+		os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")"
 	fi
 
 	local component="rootfs-${image_type}"
@@ -349,7 +353,7 @@ install_image() {
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
 
-	latest_artefact="$(get_kata_version)-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
+	latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
 	if [ "${variant}" == "confidential" ]; then
 		# For the confidential image we depend on the kernel built in order to ensure that
 		# measured boot is used
@@ -371,16 +375,10 @@ install_image() {
 	info "Create image"
 
 	if [ -n "${variant}" ]; then
-		os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.name")"
-		os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.${variant}.version")"
-
 		if [[ "${variant}" == *confidential ]]; then
 			export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 			export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
 		fi
-	else
-		os_name="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.name")"
-		os_version="$(get_from_kata_deps ".assets.image.architecture.${ARCH}.version")"
 	fi
 
 	export AGENT_TARBALL=$(get_agent_tarball_path)
@@ -406,8 +404,12 @@ install_initrd() {
 	local variant="${1:-}"
 
 	initrd_type="initrd"
+	os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")"
+	os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")"
 	if [ -n "${variant}" ]; then
 		initrd_type+="-${variant}"
+		os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")"
+		os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")"
 	fi
 
 	local component="rootfs-${initrd_type}"
@@ -422,7 +424,7 @@ install_initrd() {
 		"$(get_last_modification "${repo_root_dir}/src/agent")" \
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
-	latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
+	latest_artefact="$(get_kata_version)-${os_name}-${os_version}-${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
 	if [ "${variant}" == "confidential" ]; then
 		# For the confidential initrd we depend on the kernel built in order to ensure that
 		# measured boot is used
@@ -446,17 +448,12 @@ install_initrd() {
 	info "Create initrd"
 
 	if [ -n "${variant}" ]; then
-		os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.name")"
-		os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.${variant}.version")"
-
 		if [[ "${variant}" == *confidential ]]; then
 			export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 			export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
 		fi
 	else
 		# No variant is passed, it means vanilla kata containers
-		os_name="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.name")"
-		os_version="$(get_from_kata_deps ".assets.initrd.architecture.${ARCH}.version")"
 		if [ "${os_name}" = "alpine" ]; then
 			export AGENT_INIT=yes
 		fi

versions.yaml

@@ -116,41 +116,38 @@ assets:
     url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
     architecture:
       aarch64:
-        name: &default-image-name "ubuntu"
+        name: "ubuntu"
-        version: &default-image-version "latest"
+        version: "jammy" # 22.04 LTS
         nvidia-gpu:
-          name: *default-image-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
         nvidia-gpu-confidential:
-          name: *default-image-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
       ppc64le:
-        name: *default-image-name
+        name: "ubuntu"
-        version: *default-image-version
+        version: "jammy" # 22.04 LTS
       s390x:
-        name: *default-image-name
+        name: "ubuntu"
-        version: *default-image-version
+        version: "jammy" # 22.04 LTS
         confidential:
-          name: *default-image-name
+          name: "ubuntu"
-          version: *default-image-version
+          version: "jammy" # 22.04 LTS
       x86_64:
-        name: *default-image-name
+        name: "ubuntu"
-        version: *default-image-version
+        version: "jammy" # 22.04 lTS
         confidential:
-          name: *default-image-name
+          name: "ubuntu"
-          version: *default-image-version
+          version: "oracular" # 24.10
         mariner:
           name: "cbl-mariner"
           version: "3.0"
         nvidia-gpu:
-          name: *default-image-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
         nvidia-gpu-confidential:
-          name: *default-image-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
-
-    meta:
-      image-type: *default-image-name
 
   initrd:
     description: |
@@ -159,37 +156,37 @@ assets:
     url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
     architecture:
       aarch64:
-        name: &default-initrd-name "alpine"
+        name: "alpine"
-        version: &default-initrd-version "3.18"
+        version: "3.18"
         nvidia-gpu:
           name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
         nvidia-gpu-confidential:
           name: "ubuntu"
           version: "jammy"
       # Do not use Alpine on ppc64le & s390x, the agent cannot use musl because
       # there is no such Rust target
       ppc64le:
-        name: &glibc-initrd-name "ubuntu"
+        name: "ubuntu"
-        version: &glibc-initrd-version "20.04"
+        version: "jammy" # 22.04 LTS
       s390x:
-        name: *glibc-initrd-name
+        name: "ubuntu"
-        version: *glibc-initrd-version
+        version: "jammy" # 22.04 LTS
         confidential:
-          name: *glibc-initrd-name
+          name: "ubuntu"
-          version: *glibc-initrd-version
+          version: "jammy" # 22.04 LTS
       x86_64:
-        name: *default-initrd-name
+        name: "alpine"
-        version: *default-initrd-version
+        version: "3.18"
         confidential:
-          name: *glibc-initrd-name
+          name: "ubuntu"
-          version: *glibc-initrd-version
+          version: "focal" # 20.04 LTS
         nvidia-gpu:
-          name: *glibc-initrd-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
         nvidia-gpu-confidential:
-          name: *glibc-initrd-name
+          name: "ubuntu"
-          version: "jammy"
+          version: "jammy" # 22.04 LTS
 
   kernel:
     description: "Linux kernel optimised for virtual machines"