Merge pull request #10466 from kata-containers/topic/ensure-shim-v2-sets-the-measured-rootfs-parameters-to-the-config
re-enable measured rootfs build & tests
@@ -53,11 +53,6 @@ jobs:
|
||||
- qemu
|
||||
- qemu-snp-experimental
|
||||
- stratovirt
|
||||
- rootfs-image
|
||||
- rootfs-image-confidential
|
||||
- rootfs-image-mariner
|
||||
- rootfs-initrd
|
||||
- rootfs-initrd-confidential
|
||||
- runk
|
||||
- trace-forwarder
|
||||
- virtiofsd
|
||||
@@ -134,7 +129,7 @@ jobs:
|
||||
push-to-registry: true
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
|
||||
if: ${{ matrix.stage != 'release' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
@@ -142,9 +137,17 @@ jobs:
|
||||
retention-days: 15
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
build-asset-rootfs:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: build-asset
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
- rootfs-image
|
||||
- rootfs-image-confidential
|
||||
- rootfs-image-mariner
|
||||
- rootfs-initrd
|
||||
- rootfs-initrd-confidential
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
@@ -165,9 +168,73 @@ jobs:
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
id: build
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
|
||||
ARTEFACT_REGISTRY: ghcr.io
|
||||
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
|
||||
retention-days: 15
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: [build-asset, build-asset-rootfs]
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0 # This is needed in order to keep the commit ids history
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build shim-v2
|
||||
id: build
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
@@ -181,6 +248,7 @@ jobs:
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
MEASURED_ROOTFS: yes
|
||||
|
||||
- name: store-artifact shim-v2
|
||||
uses: actions/upload-artifact@v4
|
||||
@@ -192,7 +260,7 @@ jobs:
|
||||
|
||||
create-kata-tarball:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: [build-asset, build-asset-shim-v2]
|
||||
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
|
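Review bot: `MEASURED_ROOTFS: yes` in hunk `@@ -181,6 +248,7 @@` is an unquoted YAML 1.1 boolean, and the same line appears in the s390x workflow (hunk `@@ -201,6 +264,7 @@`). The consumers compare it as a string (`[ "${MEASURED_ROOTFS}" = "yes" ]` in kata-deploy-binaries.sh) and every other flag in these env blocks is produced as a quoted string (`'yes' || 'no'`), so write `MEASURED_ROOTFS: "yes"` so that linters and any 1.1-schema parser cannot turn it into `true`, which would silently disable the measured-rootfs path in the shim build. Separately, the new guard in `@@ -134,7 +129,7 @@` skips every `build-asset` upload in the release stage, while `build-asset-rootfs` and `build-asset-shim-v2` still download `kata-artifacts-amd64-*` and hand the directory to the helper script, whose `mv` has no source when nothing was uploaded; whether the release stage takes a different path is not visible here, so it is worth confirming.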
@@ -35,8 +35,6 @@ jobs:
|
||||
- nydus
|
||||
- qemu
|
||||
- stratovirt
|
||||
- rootfs-image
|
||||
- rootfs-initrd
|
||||
- virtiofsd
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
@@ -75,7 +73,6 @@ jobs:
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
@@ -83,9 +80,14 @@ jobs:
|
||||
retention-days: 15
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
build-asset-rootfs:
|
||||
runs-on: arm64-builder
|
||||
needs: build-asset
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
- rootfs-image
|
||||
- rootfs-initrd
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
@@ -106,8 +108,72 @@ jobs:
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
|
||||
ARTEFACT_REGISTRY: ghcr.io
|
||||
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ inputs.stage != 'release' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
|
||||
retention-days: 15
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
runs-on: arm64-builder
|
||||
needs: [build-asset, build-asset-rootfs]
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0 # This is needed in order to keep the commit ids history
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build shim-v2
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
@@ -132,7 +198,7 @@ jobs:
|
||||
|
||||
create-kata-tarball:
|
||||
runs-on: arm64-builder
|
||||
needs: [build-asset, build-asset-shim-v2]
|
||||
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
|
||||
steps:
|
||||
- name: Adjust a permission for repo
|
||||
run: |
|
||||
|
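Review bot: The guard placement in this workflow differs from the other three. Hunk `@@ -75,7 +73,6 @@` appears to drop the `if:` from the `build-asset` `store-artifact` step altogether, while the new `build-asset-rootfs` `store-artifact` in `@@ -106,8 +108,72 @@` carries `if: ${{ inputs.stage != 'release' }}`; in the amd64, ppc64le and s390x workflows it is the reverse (the `build-asset` upload is guarded, the rootfs upload is unconditional). Which line is removed here is inferred from the hunk counts, so if the asymmetry is deliberate a short comment on the step, such as `# rootfs artifacts are only consumed by non-release builds on arm64`, would stop the next reader from "fixing" it; otherwise aligning with the other workflows avoids a release-stage `build-asset-shim-v2` job whose download pattern matches no rootfs artifact.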
@@ -30,7 +30,6 @@ jobs:
|
||||
- agent
|
||||
- kernel
|
||||
- qemu
|
||||
- rootfs-initrd
|
||||
- virtiofsd
|
||||
stage:
|
||||
- ${{ inputs.stage }}
|
||||
@@ -76,7 +75,7 @@ jobs:
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
|
||||
if: ${{ inputs.stage != 'release' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
@@ -84,9 +83,15 @@ jobs:
|
||||
retention-days: 1
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
build-asset-rootfs:
|
||||
runs-on: ppc64le
|
||||
needs: build-asset
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
- rootfs-initrd
|
||||
stage:
|
||||
- ${{ inputs.stage }}
|
||||
steps:
|
||||
- name: Prepare the self-hosted runner
|
||||
run: |
|
||||
@@ -112,8 +117,76 @@ jobs:
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
|
||||
ARTEFACT_REGISTRY: ghcr.io
|
||||
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
|
||||
retention-days: 1
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-shim-v2:
|
||||
runs-on: ppc64le
|
||||
needs: [build-asset, build-asset-rootfs]
|
||||
steps:
|
||||
- name: Prepare the self-hosted runner
|
||||
run: |
|
||||
${HOME}/scripts/prepare_runner.sh
|
||||
sudo rm -rf $GITHUB_WORKSPACE/*
|
||||
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0 # This is needed in order to keep the commit ids history
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build shim-v2
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
@@ -138,7 +211,7 @@ jobs:
|
||||
|
||||
create-kata-tarball:
|
||||
runs-on: ppc64le
|
||||
needs: [build-asset, build-asset-shim-v2]
|
||||
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
|
||||
steps:
|
||||
- name: Adjust a permission for repo
|
||||
run: |
|
||||
|
@@ -38,10 +38,6 @@ jobs:
|
||||
- kernel-confidential
|
||||
- pause-image
|
||||
- qemu
|
||||
- rootfs-image
|
||||
- rootfs-image-confidential
|
||||
- rootfs-initrd
|
||||
- rootfs-initrd-confidential
|
||||
- virtiofsd
|
||||
env:
|
||||
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
|
||||
@@ -106,7 +102,70 @@ jobs:
|
||||
push-to-registry: true
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
|
||||
if: ${{ inputs.stage != 'release' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
|
||||
retention-days: 15
|
||||
if-no-files-found: error
|
||||
|
||||
build-asset-rootfs:
|
||||
runs-on: s390x
|
||||
needs: build-asset
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
- rootfs-image
|
||||
- rootfs-image-confidential
|
||||
- rootfs-initrd
|
||||
- rootfs-initrd-confidential
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0 # This is needed in order to keep the commit ids history
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
id: build
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
|
||||
ARTEFACT_REGISTRY: ghcr.io
|
||||
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
|
||||
@@ -116,7 +175,7 @@ jobs:
|
||||
|
||||
build-asset-boot-image-se:
|
||||
runs-on: s390x
|
||||
needs: build-asset
|
||||
needs: [build-asset, build-asset-rootfs]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
@@ -142,11 +201,7 @@ jobs:
|
||||
|
||||
- name: Build boot-image-se
|
||||
run: |
|
||||
base_dir=tools/packaging/kata-deploy/local-build/
|
||||
cp -r kata-artifacts ${base_dir}/build
|
||||
# Skip building dependant artifacts of boot-image-se-tarball
|
||||
# because we already have them from the previous build
|
||||
sed -i 's/\(^boot-image-se-tarball:\).*/\1/g' ${base_dir}/Makefile
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se"
|
||||
make boot-image-se-tarball
|
||||
build_dir=$(readlink -f build)
|
||||
sudo cp -r "${build_dir}" "kata-build"
|
||||
@@ -164,7 +219,7 @@ jobs:
|
||||
|
||||
build-asset-shim-v2:
|
||||
runs-on: s390x
|
||||
needs: build-asset
|
||||
needs: [build-asset, build-asset-rootfs]
|
||||
steps:
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.push-to-registry == 'yes' }}
|
||||
@@ -185,9 +240,17 @@ jobs:
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-artifacts
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
|
||||
path: kata-artifacts
|
||||
merge-multiple: true
|
||||
|
||||
- name: Build shim-v2
|
||||
id: build
|
||||
run: |
|
||||
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
@@ -201,6 +264,7 @@ jobs:
|
||||
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
MEASURED_ROOTFS: yes
|
||||
|
||||
- name: store-artifact shim-v2
|
||||
uses: actions/upload-artifact@v4
|
||||
@@ -212,7 +276,7 @@ jobs:
|
||||
|
||||
create-kata-tarball:
|
||||
runs-on: s390x
|
||||
needs: [build-asset, build-asset-boot-image-se, build-asset-shim-v2]
|
||||
needs: [build-asset, build-asset-rootfs, build-asset-boot-image-se, build-asset-shim-v2]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
|
@@ -151,8 +151,8 @@ FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
|
||||
SNPCERTSPATH := /opt/snp/cert_chain.cert
|
||||
|
||||
ROOTMEASURECONFIG ?= ""
|
||||
KERNELPARAMS += $(ROOTMEASURECONFIG)
|
||||
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
|
||||
KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)
|
||||
|
||||
# Name of default configuration file the runtime will use.
|
||||
CONFIG_FILE = configuration.toml
|
||||
@@ -646,6 +646,7 @@ USER_VARS += DEFMACHINETYPE_CLH
|
||||
USER_VARS += DEFMACHINETYPE_STRATOVIRT
|
||||
USER_VARS += KERNELPARAMS
|
||||
USER_VARS += KERNELTDXPARAMS
|
||||
USER_VARS += KERNELQEMUCOCODEVPARAMS
|
||||
USER_VARS += LIBEXECDIR
|
||||
USER_VARS += LOCALSTATEDIR
|
||||
USER_VARS += PKGDATADIR
|
||||
|
@@ -73,7 +73,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
|
||||
# may stop the virtual machine from booting.
|
||||
# To see the list of default parameters, enable hypervisor debug, create a
|
||||
# container and look for 'default-kernel-parameters' log entries.
|
||||
kernel_params = "@KERNELPARAMS@"
|
||||
kernel_params = "@KERNELQEMUCOCODEVPARAMS@"
|
||||
|
||||
# Path to the firmware.
|
||||
# If you want that qemu uses the default firmware leave this option empty
|
||||
|
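--- /dev/null
+++ b/tests/gha-adjust-to-use-prebuilt-components.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root_dir="$(cd "${this_script_dir}/../" && pwd)"
+
+base_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build"
+build_dir="${base_dir}/build"
+
+function main() {
+artifacts_dir="${1:-}"
+asset="${2:-}"
+
+if [ -z "${artifacts_dir}" ]; then
+echo "The artefacts directory must be passed as the first argument to this script."
+exit 1
+fi
+
+if [ -z "${asset}" ]; then
+echo "The asset must be passed as the second argument to this script."
+exit 1
+fi
+
+mv ${artifacts_dir} ${build_dir}
+sed -i "s/\(^${asset}-tarball:\).*/\1/g" ${base_dir}/Makefile
+}
+
+main "$@"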
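Review bot: `mv ${artifacts_dir} ${build_dir}` in `main` behaves differently depending on whether `${build_dir}` already exists: if it does, `mv` places the artifacts directory inside it as a subdirectory instead of renaming it, and the following `make <asset>-tarball` (whose dependency list the `sed` has just stripped) will not find the prebuilt tarballs. Both expansions, and the `sed` target path, are also unquoted, so a path containing whitespace would be word-split. Suggest `[ ! -e "${build_dir}" ] || { echo "${build_dir} already exists"; exit 1; }` ahead of `mv "${artifacts_dir}" "${build_dir}"` and `sed -i "s/\(^${asset}-tarball:\).*/\1/g" "${base_dir}/Makefile"`. The `asset` value is interpolated into the sed regex unescaped, which is fine for the matrix names used by the callers but deserves a one-line comment so nobody passes an arbitrary string.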
@@ -5,16 +5,19 @@
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
load "${BATS_TEST_DIRNAME}/../../common.bash"
|
||||
load "${BATS_TEST_DIRNAME}/lib.sh"
|
||||
load "${BATS_TEST_DIRNAME}/tests_common.sh"
|
||||
|
||||
check_and_skip() {
|
||||
# Currently the kernel-confidential, isn't built withh measured rootfs support, so this test
|
||||
# should be skipped until it is
|
||||
# See https://github.com/kata-containers/kata-containers/issues/9612,
|
||||
# https://github.com/kata-containers/kata-containers/issues/7235
|
||||
# and https://github.com/kata-containers/kata-containers/issues/7415
|
||||
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
|
||||
case "${KATA_HYPERVISOR}" in
|
||||
qemu-tdx|qemu-coco-dev)
|
||||
return
|
||||
;;
|
||||
*)
|
||||
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
setup() {
|
||||
@@ -25,11 +28,10 @@ setup() {
|
||||
@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
|
||||
pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
|
||||
|
||||
incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
|
||||
incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111"
|
||||
|
||||
# Despite the kernel being built with support, it is not currently enabled
|
||||
# on configuration.toml. To avoid editing that file on the worker node,
|
||||
# here it will be enabled via pod annotations.
|
||||
# To avoid editing that file on the worker node, here it will be
|
||||
# enabled via pod annotations.
|
||||
set_metadata_annotation "$pod_config" \
|
||||
"io.katacontainers.config.hypervisor.kernel_params" \
|
||||
"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
|
||||
@@ -45,10 +47,9 @@ setup() {
|
||||
echo "Pod $pod_config file:"
|
||||
cat $pod_config
|
||||
|
||||
assert_pod_fail "$pod_config"
|
||||
kubectl apply -f $pod_config
|
||||
|
||||
assert_logs_contain "$node" kata "$node_start_time" \
|
||||
'verity: .* metadata block .* is corrupted'
|
||||
waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\""
|
||||
}
|
||||
|
||||
teardown() {
|
||||
|
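Review bot: In hunk `@@ -45,10 +47,9 @@` the replaced `assert_pod_fail "$pod_config"` was the only assertion that the pod with the wrong hash does not come up; the new `kubectl apply` followed by `waitForProcess` on the journal only proves that the dm-verity corruption message was logged, so a pod that logs the error and still reaches Running would now pass. Since this test is the enforcement check for measured rootfs, keep an explicit state assertion after the wait, e.g. `assert_pod_fail "$pod_config"` or a check that the pod never reaches Running. `kubectl apply -f $pod_config` also drops the quoting the removed line had; `kubectl apply -f "$pod_config"` keeps it consistent with the `set_metadata_annotation "$pod_config"` call above. In `check_and_skip` (hunk `@@ -5,16 +5,19 @@`) the unchanged comment still says the test "should be skipped until" kernel-confidential supports measured rootfs, which now contradicts the `qemu-tdx|qemu-coco-dev) return` branch beneath it, and it has a typo (`withh`); reword it to state that the test runs only for those two hypervisors.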
@@ -166,6 +166,12 @@ get_kernel_modules_dir() {
|
||||
echo ${kernel_modules_dir}
|
||||
}
|
||||
|
||||
cleanup_and_fail_shim_v2_specifics() {
|
||||
rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
|
||||
|
||||
return $(cleanup_and_fail "${1:-}" "${2:-}")
|
||||
}
|
||||
|
||||
cleanup_and_fail() {
|
||||
local component_tarball_name="${1:-}"
|
||||
local extra_tarballs="${2:-}"
|
||||
@@ -184,6 +190,36 @@ cleanup_and_fail() {
|
||||
return 1
|
||||
}
|
||||
|
||||
install_cached_shim_v2_tarball_get_root_hash() {
|
||||
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
|
||||
local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
|
||||
|
||||
local root_hash_basedir="./opt/kata/share/kata-containers/"
|
||||
|
||||
tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
|
||||
mv root_hash.txt "${tarball_dir}/root_hash.txt"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
install_cached_shim_v2_tarball_compare_root_hashes() {
|
||||
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
|
||||
|
||||
[ -f shim-v2-root_hash.txt ] || return 1
|
||||
|
||||
diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
install_cached_tarball_component() {
|
||||
if [ "${USE_CACHE}" != "yes" ]; then
|
||||
return 1
|
||||
@@ -198,6 +234,10 @@ install_cached_tarball_component() {
|
||||
# "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path"
|
||||
local extra_tarballs="${6:-}"
|
||||
|
||||
if [ "${component}" = "shim-v2" ]; then
|
||||
install_cached_shim_v2_tarball_get_root_hash
|
||||
fi
|
||||
|
||||
oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1
|
||||
|
||||
cached_version="$(cat ${component}-version)"
|
||||
@@ -206,10 +246,14 @@ install_cached_tarball_component() {
|
||||
rm -f ${component}-version
|
||||
rm -f ${component}-builder-image-version
|
||||
|
||||
[ "${cached_image_version}" != "${current_image_version}" ] && return 1
|
||||
[ "${cached_version}" != "${current_version}" ] && return 1
|
||||
[ "${cached_image_version}" != "${current_image_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
|
||||
[ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
|
||||
sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
|
||||
|
||||
if [ "${component}" = "shim-v2" ]; then
|
||||
install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}")
|
||||
fi
|
||||
|
||||
info "Using cached tarball of ${component}"
|
||||
mv "${component_tarball_name}" "${component_tarball_path}"
|
||||
|
||||
@@ -777,6 +821,7 @@ install_shimv2() {
|
||||
|
||||
export GO_VERSION
|
||||
export RUST_VERSION
|
||||
export MEASURED_ROOTFS
|
||||
|
||||
DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
|
||||
}
|
||||
@@ -1145,6 +1190,21 @@ handle_build() {
|
||||
fi
|
||||
tar tvf "${modules_final_tarball_path}"
|
||||
;;
|
||||
shim-v2)
|
||||
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
|
||||
local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz"
|
||||
if [ ! -f "${image_conf_tarball}" ]; then
|
||||
die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
|
||||
fi
|
||||
|
||||
local root_hash_basedir="./opt/kata/share/kata-containers/"
|
||||
if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then
|
||||
die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support"
|
||||
fi
|
||||
|
||||
mv root_hash.txt shim-v2-root_hash.txt
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
pushd ${workdir}
|
||||
@@ -1210,6 +1270,13 @@ handle_build() {
|
||||
"kata-static-${build_target}-modules.tar.xz"
|
||||
)
|
||||
;;
|
||||
shim-v2)
|
||||
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
|
||||
files_to_push+=(
|
||||
"shim-v2-root_hash.txt"
|
||||
)
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
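Review bot: In hunk `@@ -198,6 +234,10 @@` the exit status of `install_cached_shim_v2_tarball_get_root_hash` is discarded. That function returns non-zero when `tar xvf` or the `mv` fails, and if, as the surrounding `|| return 1` lines suggest, this code runs without errexit, execution falls through to `oras pull` with whatever `root_hash.txt` happens to be in the build directory, which `install_cached_shim_v2_tarball_compare_root_hashes` then treats as the expected hash. Change the call to `install_cached_shim_v2_tarball_get_root_hash || return 1` so a missing or unmeasured confidential image tarball forces a rebuild instead of a comparison against a stale file. The `die` message in hunk `@@ -1145,6 +1190,21 @@` has a typo, `requres`.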
@@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
info "Enable rootfs measurement config"
|
||||
|
||||
root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
|
||||
root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
|
||||
|
||||
[ -f "$root_hash_file" ] || \
|
||||
die "Root hash file for measured rootfs not found at ${root_hash_file}"
|
||||
|
||||
|
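Review bot: It is not visible in this diff which step produces `local-build/build/root_hash.txt` on the non-cached build path: `handle_build` in kata-deploy-binaries.sh extracts `root_hash.txt` and immediately renames it to `shim-v2-root_hash.txt`, while only the cached path (`install_cached_shim_v2_tarball_get_root_hash`) writes `root_hash.txt` into that build directory. If the builder relies on a different producer, confirm it runs before this `[ -f "$root_hash_file" ] || die` check; either way a comment naming the producer would help, e.g. `# root_hash.txt is the dm-verity root hash extracted from kata-static-rootfs-image-confidential.tar.xz by kata-deploy-binaries.sh`. The enclosing `if` block continues outside the hunk.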