github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-07 19:14:10 +00:00
Code Issues Projects Releases Wiki Activity

build: Allow adding a guest-hook to the rootfs

Browse Source 
Kata Containers provides, since forever, a way to run OCI guest-hooks
from the rootfs, as long as the files are dropped in a specific location
defined in the configuration.toml.

However, so far, it's been up to the ones using it to hack the generated
image in order to add those guest hooks, which is far from handy.

Let's add a way for the ones interested on this feature to just drop a
tarball file under the same known build directory, spcificy an env var,
and let the guest hooks be installed during the rootfs build.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
This commit is contained in:
Fabiano Fidêncio 2025-04-12 13:04:55 +02:00
parent 0b4fea9382
commit 40a15ac760
4 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@ -32,6 +32,7 @@ SELINUX=${SELINUX:-"no"}
AGENT_POLICY=${AGENT_POLICY:-no} AGENT_POLICY=${AGENT_POLICY:-no}
AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""} AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""}
AGENT_TARBALL=${AGENT_TARBALL:-""} AGENT_TARBALL=${AGENT_TARBALL:-""}
GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}"
COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""} COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""}
CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}" CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}"
PAUSE_IMAGE_TARBALL=${PAUSE_IMAGE_TARBALL:-""} PAUSE_IMAGE_TARBALL=${PAUSE_IMAGE_TARBALL:-""}
@ -520,6 +521,11 @@ build_rootfs_distro()
engine_run_args+=" -v $(dirname ${PAUSE_IMAGE_TARBALL}):$(dirname ${PAUSE_IMAGE_TARBALL})" engine_run_args+=" -v $(dirname ${PAUSE_IMAGE_TARBALL}):$(dirname ${PAUSE_IMAGE_TARBALL})"
fi fi
if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
engine_run_args+=" --env GUEST_HOOKS_TARBALL=${GUEST_HOOKS_TARBALL}"
engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL})"
fi
engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
engine_run_args+=" $(docker_extra_args $distro)" engine_run_args+=" $(docker_extra_args $distro)"
@ -784,6 +790,11 @@ EOF
ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego" ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego"
fi fi
if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
info "Install the ${GUEST_HOOKS_TARBALL} guest hooks"
tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
fi
info "Check init is installed" info "Check init is installed"
[ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}" [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}"
OK "init is installed" OK "init is installed"

7
tools/packaging/guest-image/build_image.sh
View File

@ -21,6 +21,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
export GOPATH=${GOPATH:-${HOME}/go} export GOPATH=${GOPATH:-${HOME}/go}
export AGENT_TARBALL=${AGENT_TARBALL:-} export AGENT_TARBALL=${AGENT_TARBALL:-}
export GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}"
ARCH=${ARCH:-$(uname -m)} ARCH=${ARCH:-$(uname -m)}
if [ $(uname -m) == "${ARCH}" ]; then if [ $(uname -m) == "${ARCH}" ]; then
@ -48,7 +49,8 @@ build_initrd() {
AGENT_POLICY="${AGENT_POLICY:-}" \ AGENT_POLICY="${AGENT_POLICY:-}" \
PULL_TYPE="${PULL_TYPE:-default}" \ PULL_TYPE="${PULL_TYPE:-default}" \
COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}"
if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then
nvidia_driver_version=$(cat "${builddir}"/initrd-image/*/nvidia_driver_version) nvidia_driver_version=$(cat "${builddir}"/initrd-image/*/nvidia_driver_version)
@ -77,7 +79,8 @@ build_image() {
AGENT_POLICY="${AGENT_POLICY:-}" \ AGENT_POLICY="${AGENT_POLICY:-}" \
PULL_TYPE="${PULL_TYPE:-default}" \ PULL_TYPE="${PULL_TYPE:-default}" \
COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \ COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}"
if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then
nvidia_driver_version=$(cat "${builddir}"/rootfs-image/*/nvidia_driver_version) nvidia_driver_version=$(cat "${builddir}"/rootfs-image/*/nvidia_driver_version)

2
tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
View File

@ -105,6 +105,7 @@ USE_CACHE="${USE_CACHE:-}"
BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-} BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-}
NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}" NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}"
KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-} KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-}
GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
docker run \ docker run \
-v $HOME/.docker:/root/.docker \ -v $HOME/.docker:/root/.docker \
@ -137,6 +138,7 @@ docker run \
--env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \ --env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \
--env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \ --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \
--env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \ --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
--env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \
--env AA_KBC="${AA_KBC:-}" \ --env AA_KBC="${AA_KBC:-}" \
--env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \ --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \
--env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \ --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \

16
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
View File

@ -49,6 +49,7 @@ ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}"
ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}" ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}"
ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}" ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}"
ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}"
GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
TARGET_BRANCH="${TARGET_BRANCH:-main}" TARGET_BRANCH="${TARGET_BRANCH:-main}"
PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}"
KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}" KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}"
@ -311,6 +312,13 @@ get_pause_image_tarball_path() {
echo "${pause_image_local_build_dir}/${pause_image_tarball_name}" echo "${pause_image_local_build_dir}/${pause_image_tarball_name}"
} }
get_guest_hooks_tarball_path() {
guest_hooks_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
guest_hooks_tarball_name="${GUEST_HOOKS_TARBALL_NAME}"
echo "${guest_hooks_local_build_dir}/${guest_hooks_tarball_name}"
}
get_latest_pause_image_artefact_and_builder_image_version() { get_latest_pause_image_artefact_and_builder_image_version() {
local pause_image_repo="$(get_from_kata_deps ".externals.pause.repo")" local pause_image_repo="$(get_from_kata_deps ".externals.pause.repo")"
local pause_image_version=$(get_from_kata_deps ".externals.pause.version") local pause_image_version=$(get_from_kata_deps ".externals.pause.version")
@ -386,6 +394,10 @@ install_image() {
export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_TARBALL=$(get_agent_tarball_path)
export AGENT_POLICY=yes export AGENT_POLICY=yes
if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then
export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"
fi
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
} }
@ -468,6 +480,10 @@ install_initrd() {
export AGENT_TARBALL=$(get_agent_tarball_path) export AGENT_TARBALL=$(get_agent_tarball_path)
export AGENT_POLICY=yes export AGENT_POLICY=yes
if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then
export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"
fi
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
} }