packaging: Build the kata-agent

Let's add the needed functions to start building the kata-agent, with or
without the OPA support.

For now this build is not used as part of the rootfs build, but later on
this will (not as part of this series, though).

Fixes: #8099

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

tools/packaging/kata-deploy/local-build/Makefile

@@ -52,6 +52,12 @@ serial-targets:
 %-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh
 	$(call BUILD,$*)
 
+agent-tarball:
+	${MAKE} $@-build
+
+agent-opa-tarball:
+	${MAKE} $@-build
+
 agent-ctl-tarball:
 	${MAKE} $@-build
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh

@@ -84,6 +84,7 @@ ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}"
 TARGET_BRANCH="${TARGET_BRANCH:-}"
 BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
+AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
 INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
 KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
 OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
@@ -106,6 +107,7 @@ docker run \
 	--env TARGET_BRANCH="${TARGET_BRANCH}" \
 	--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
 	--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
+	--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
 	--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
 	--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
 	--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -22,6 +22,7 @@ readonly static_build_dir="${repo_root_dir}/tools/packaging/static-build"
 readonly version_file="${repo_root_dir}/VERSION"
 readonly versions_yaml="${repo_root_dir}/versions.yaml"
 
+readonly agent_builder="${static_build_dir}/agent/build.sh"
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
 readonly initramfs_builder="${static_build_dir}/initramfs/build.sh"
@@ -81,6 +82,8 @@ options:
 -s             	      : Silent mode (produce output in case of failure only)
 --build=<asset>       :
 	all
+	agent
+	agent-opa
 	agent-ctl
 	cloud-hypervisor
 	cloud-hypervisor-glibc
@@ -625,6 +628,32 @@ install_ovmf_sev() {
 	install_ovmf "sev" "edk2-sev.tar.gz"
 }
 
+install_agent_helper() {
+	agent_policy="${1:-no}"
+
+	latest_artefact="$(git log -1 --pretty=format:"%h" ${repo_root_dir}/src/agent)"
+	latest_builder_image="$(get_agent_image_name)"
+
+	install_cached_tarball_component \
+		"${build_target}" \
+		"${latest_artefact}" \
+		"${latest_builder_image}" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		&& return 0
+
+	info "build static agent"
+	DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}"
+}
+
+install_agent() {
+	install_agent_helper
+}
+
+install_agent_opa() {
+	install_agent_helper "yes"
+}
+
 install_tools_helper() {
 	tool=${1}
 
@@ -720,6 +749,10 @@ handle_build() {
 		install_virtiofsd
 		;;
 
+	agent) install_agent ;;
+
+	agent-opa) install_agent_opa ;;
+
 	agent-ctl) install_agent_ctl ;;
 
 	cloud-hypervisor) install_clh ;;
@@ -827,6 +860,8 @@ main() {
 	local build_targets
 	local silent
 	build_targets=(
+		agent
+		agent-opa
 		agent-ctl
 		cloud-hypervisor
 		firecracker

tools/packaging/static-build/agent/Dockerfile

@@ -0,0 +1,21 @@
+# Copyright (c) 2023 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM alpine:3.18
+ARG RUST_TOOLCHAIN
+
+SHELL ["/bin/ash", "-o", "pipefail", "-c"]
+RUN apk --no-cache add \
+        bash \
+        curl \
+        gcc \
+        git \
+        libcap-ng-static \
+        libseccomp-static \
+        make \
+        musl-dev \
+        openssl-dev \
+        openssl-libs-static \
+        protoc && \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}

tools/packaging/static-build/agent/build-static-agent.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+init_env() {
+	source "$HOME/.cargo/env"
+
+	export LIBC=musl
+	export LIBSECCOMP_LINK_TYPE=static
+	export LIBSECCOMP_LIB_PATH=/usr/lib
+
+	# This is needed to workaround
+	# https://github.com/sfackler/rust-openssl/issues/1624
+	export OPENSSL_NO_VENDOR=Y
+}
+
+build_agent_from_source() {
+	echo "build agent from source"
+
+	init_env
+
+	cd src/agent
+	DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make
+	DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install
+}
+
+build_agent_from_source $@

tools/packaging/static-build/agent/build.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly agent_builder="${script_dir}/build-static-agent.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+container_image="${AGENT_CONTAINER_BUILDER:-$(get_agent_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+	(sudo docker $BUILDX build $PLATFORM \
+	    	--build-arg RUST_TOOLCHAIN="$(get_from_kata_deps "languages.rust.meta.newest-version")" \
+		-t "${container_image}" "${script_dir}" && \
+	 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
+	 push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+	--env DESTDIR=${DESTDIR} \
+	--env AGENT_POLICY=${AGENT_POLICY:-no} \
+	-w "${repo_root_dir}" \
+	"${container_image}" \
+	bash -c "${agent_builder}"