From 40a15ac7607ba977679f1830a9811845a36a5064 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 12 Apr 2025 13:04:55 +0200 Subject: [PATCH] build: Allow adding a guest-hook to the rootfs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Kata Containers provides, since forever, a way to run OCI guest-hooks from the rootfs, as long as the files are dropped in a specific location defined in the configuration.toml. However, so far, it's been up to the ones using it to hack the generated image in order to add those guest hooks, which is far from handy. Let's add a way for the ones interested on this feature to just drop a tarball file under the same known build directory, spcificy an env var, and let the guest hooks be installed during the rootfs build. Signed-off-by: Fabiano FidĂȘncio
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 11 +++++++++++
 tools/packaging/guest-image/build_image.sh | 7 +++++--
 .../kata-deploy-binaries-in-docker.sh | 2 ++
 .../local-build/kata-deploy-binaries.sh | 16 ++++++++++++++++
 4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index fabbba4ee..bab6ac03f 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -32,6 +32,7 @@ SELINUX=${SELINUX:-"no"}
 AGENT_POLICY=${AGENT_POLICY:-no}
 AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""}
 AGENT_TARBALL=${AGENT_TARBALL:-""}
+GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}"
 COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""}
 CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}"
 PAUSE_IMAGE_TARBALL=${PAUSE_IMAGE_TARBALL:-""}
@@ -520,6 +521,11 @@ build_rootfs_distro() engine_run_args+=" -v $(dirname ${PAUSE_IMAGE_TARBALL}):$(dirname ${PAUSE_IMAGE_TARBALL})" fi + if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then + engine_run_args+=" --env GUEST_HOOKS_TARBALL=${GUEST_HOOKS_TARBALL}" + engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL})" + fi + engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" engine_run_args+=" $(docker_extra_args $distro)" @@ -784,6 +790,11 @@ EOF ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego" fi + if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then + info "Install the ${GUEST_HOOKS_TARBALL} guest hooks" + tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}" + fi + info "Check init is installed" [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}" OK "init is installed" diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index b53902230..228b3e1c1 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -21,6 +21,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)" export GOPATH=${GOPATH:-${HOME}/go} export AGENT_TARBALL=${AGENT_TARBALL:-} +export GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}" ARCH=${ARCH:-$(uname -m)} if [ $(uname -m) == "${ARCH}" ]; then @@ -48,7 +49,8 @@ build_initrd() { AGENT_POLICY="${AGENT_POLICY:-}" \ PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ - PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" + PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ + GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then nvidia_driver_version=$(cat "${builddir}"/initrd-image/*/nvidia_driver_version) 
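Review bot: The bind mount added in the build_rootfs_distro hunk, `engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL})"`, hands the tarball's entire parent directory to the build container read-write although the builder only needs to read one file; appending `:ro` (`engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL}):ro"`) keeps the container from modifying the host build tree, and both docker and podman accept that suffix. The shape is copied from the PAUSE_IMAGE_TARBALL block directly above, including the unquoted `${GUEST_HOOKS_TARBALL}` inside `$(dirname …)`, so a path containing whitespace splits there as well; because engine_run_args is a whitespace-joined string, fixing that properly means changing how the arguments are assembled rather than this line alone. build_rootfs_distro starts and ends outside the hunk.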
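Review bot: The new `tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"` in the second rootfs.sh hunk extracts an operator-supplied archive onto the root of the guest rootfs with permissions preserved, so the archive can place or overwrite anything in the image, setuid bits included, not only the hook directory the commit message refers to; nothing checks that the file exists either, so a mistyped path shows up only as a tar error late in the build. Adding `[[ -f "${GUEST_HOOKS_TARBALL}" ]] || die "guest hooks tarball not found: ${GUEST_HOOKS_TARBALL}"` before the `info` line gives a clear failure, and if the tarball layout allows it, pointing `-C` at the hook directory inside `${ROOTFS_DIR}` instead of the rootfs root would bound what a hooks archive can touch. Whether members with absolute or `..` names are rejected depends on the tar implementation in the builder image, which this page does not show. The enclosing function starts before the hunk.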
@@ -77,7 +79,8 @@ build_image() { AGENT_POLICY="${AGENT_POLICY:-}" \ PULL_TYPE="${PULL_TYPE:-default}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ - PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" + PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \ + GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}" if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then nvidia_driver_version=$(cat "${builddir}"/rootfs-image/*/nvidia_driver_version) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index f7abd5b05..02d878ede 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -105,6 +105,7 @@ USE_CACHE="${USE_CACHE:-}" BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-} NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-} +GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" docker run \ -v $HOME/.docker:/root/.docker \ @@ -137,6 +138,7 @@ docker run \ --env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \ --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \ + --env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \ --env AA_KBC="${AA_KBC:-}" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 04492266c..ffe0a9c86 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -49,6 +49,7 @@ ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}" ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}" ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" +GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}" TARGET_BRANCH="${TARGET_BRANCH:-main}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}" KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}" @@ -311,6 +312,13 @@ get_pause_image_tarball_path() { echo "${pause_image_local_build_dir}/${pause_image_tarball_name}" } +get_guest_hooks_tarball_path() { + guest_hooks_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + guest_hooks_tarball_name="${GUEST_HOOKS_TARBALL_NAME}" + + echo "${guest_hooks_local_build_dir}/${guest_hooks_tarball_name}" +} + get_latest_pause_image_artefact_and_builder_image_version() { local pause_image_repo="$(get_from_kata_deps ".externals.pause.repo")" local pause_image_version=$(get_from_kata_deps ".externals.pause.version") @@ -386,6 +394,10 @@ install_image() { export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_POLICY=yes + if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then + export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } @@ -468,6 +480,10 @@ install_initrd() { export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_POLICY=yes + if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then + export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)" + fi + "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" }
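Review bot: get_guest_hooks_tarball_path assigns `guest_hooks_local_build_dir` and `guest_hooks_tarball_name` without `local`, unlike the `local` declarations in the neighbouring get_latest_pause_image_artefact_and_builder_image_version, so both names leak into the caller's scope. It also joins GUEST_HOOKS_TARBALL_NAME onto the build directory without constraining it: a name containing `/` (a `../` prefix, say) resolves outside `local-build/build`, and rootfs.sh then bind-mounts the parent directory of whatever that resolves to into the build container. Rejecting names with a path separator keeps the resolved path inside the build directory; since the callers wrap this function in `export X="$(…)"`, the non-zero status is masked, so the stderr message is what they will see unless they also check the result.
```shell
get_guest_hooks_tarball_path() {
	local guest_hooks_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
	local guest_hooks_tarball_name="${GUEST_HOOKS_TARBALL_NAME}"

	# A bare file name keeps the resolved path inside the local build
	# directory; rootfs.sh bind-mounts that path's parent directory into
	# the build container, so anything else widens what gets mounted.
	if [[ "${guest_hooks_tarball_name}" == */* ]]; then
		echo "GUEST_HOOKS_TARBALL_NAME must be a bare file name: ${guest_hooks_tarball_name}" >&2
		return 1
	fi

	echo "${guest_hooks_local_build_dir}/${guest_hooks_tarball_name}"
}
```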
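Review bot: `export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"` in the install_image hunk masks the exit status of the command substitution (export itself returns 0), and nothing verifies that the resolved file exists before `${rootfs_builder}` is invoked, so a wrong GUEST_HOOKS_TARBALL_NAME is reported only later by tar inside the rootfs build; the `export AGENT_TARBALL=$(get_agent_tarball_path)` line above it already has the same masking. Splitting the assignment and checking the file first, `GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"`, `[[ -f "${GUEST_HOOKS_TARBALL}" ]] || { echo "guest hooks tarball not found: ${GUEST_HOOKS_TARBALL}" >&2; exit 1; }`, `export GUEST_HOOKS_TARBALL`, fails fast in the installer (substitute the script's own error helper if it has one). The identical block in install_initrd (the `@@ -468,6 +480,10 @@` hunk) needs the same treatment. Both functions start outside their hunks.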