From fb87bf221f9b73c0b8915d6eef063ef94dcfd10a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Thu, 21 Nov 2024 15:46:24 -0600 Subject: [PATCH 1/3] ci: Implement build step for CSI driver MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fully implements the compilation step for csi-kata-directvolume. This component can now be built by the CI running: $ cd tools/packaging/kata-deploy/local-build $ make csi-kata-directvolume-tarball A couple notes: * When installing the binary, we rename it from directvolplugin to csi-kata-directvolume on the fly to make it more readable. * We add go to the tools builder Dockerfile to support building this tool. * I've noticed the file install_libseccomp.sh gets created by the build process so I've added it to a .gitignore. Signed-off-by: Aurélien Bombo --- src/tools/csi-kata-directvolume/.gitignore | 1 + tools/packaging/kata-deploy/local-build/Makefile | 2 +- .../kata-deploy/local-build/kata-deploy-binaries.sh | 10 ++++++++++ tools/packaging/static-build/tools/.gitignore | 1 + tools/packaging/static-build/tools/Dockerfile | 10 +++++++++- tools/packaging/static-build/tools/build.sh | 1 + 6 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 src/tools/csi-kata-directvolume/.gitignore create mode 100644 tools/packaging/static-build/tools/.gitignore diff --git a/src/tools/csi-kata-directvolume/.gitignore b/src/tools/csi-kata-directvolume/.gitignore new file mode 100644 index 0000000000..e660fd93d3 --- /dev/null +++ b/src/tools/csi-kata-directvolume/.gitignore @@ -0,0 +1 @@ +bin/ diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 77a1660b96..f5fb753481 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
@@ -99,7 +99,7 @@ cloud-hypervisor-glibc-tarball: ${MAKE} $@-build csi-kata-directvolume-tarball: copy-scripts-for-the-tools-build - $(call DUMMY,$@) + ${MAKE} $@-build firecracker-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 04208dca08..04fba73aba 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -99,6 +99,7 @@ options: coco-guest-components cloud-hypervisor cloud-hypervisor-glibc + csi-kata-directvolume firecracker genpolicy kata-ctl @@ -1022,6 +1023,7 @@ install_tools_helper() { tool_binary=${tool} [ ${tool} = "agent-ctl" ] && tool_binary="kata-agent-ctl" + [ ${tool} = "csi-kata-directvolume" ] && tool_binary="directvolplugin" [ ${tool} = "trace-forwarder" ] && tool_binary="kata-trace-forwarder" binary=$(find ${repo_root_dir}/src/tools/${tool}/ -type f -name ${tool_binary}) @@ -1043,6 +1045,7 @@ install_tools_helper() { info "Install static ${tool_binary}" mkdir -p "${destdir}/opt/kata/bin/" + [ ${tool} = "csi-kata-directvolume" ] && tool_binary="csi-kata-directvolume" install -D --mode ${binary_permissions} ${binary} "${destdir}/opt/kata/bin/${tool_binary}" } @@ -1054,6 +1057,10 @@ install_genpolicy() { install_tools_helper "genpolicy" } +install_csi_kata_directvolume() { + install_tools_helper "csi-kata-directvolume" +} + install_kata_ctl() { install_tools_helper "kata-ctl" } @@ -1131,6 +1138,8 @@ handle_build() { cloud-hypervisor-glibc) install_clh_glibc ;; + csi-kata-directvolume) install_csi_kata_directvolume ;; + firecracker) install_firecracker ;; genpolicy) install_genpolicy ;; @@ -1350,6 +1359,7 @@ main() { agent-ctl cloud-hypervisor coco-guest-components + csi-kata-directvolume firecracker genpolicy kata-ctl 
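Review bot: In install_tools_helper, `tool_binary` is set to `directvolplugin` for the `find` lookup and then overwritten with `csi-kata-directvolume` just before `install`, so one variable carries two meanings and the `info "Install static ${tool_binary}"` line above the rename logs the build name rather than the installed name. A separate destination variable would make the rename explicit: `install_name="${tool_binary}"`, then `[ "${tool}" = "csi-kata-directvolume" ] && install_name="${tool}"`, then `install -D --mode "${binary_permissions}" "${binary}" "${destdir}/opt/kata/bin/${install_name}"`. The tests added in the hunks at -1022 and -1043 also leave `${tool}` unquoted inside `[ ]`, which matches the neighbouring lines but turns an empty value into a test syntax error. The function starts and ends outside these hunks.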
diff --git a/tools/packaging/static-build/tools/.gitignore b/tools/packaging/static-build/tools/.gitignore new file mode 100644 index 0000000000..86def50b86 --- /dev/null +++ b/tools/packaging/static-build/tools/.gitignore @@ -0,0 +1 @@ +install_libseccomp.sh diff --git a/tools/packaging/static-build/tools/Dockerfile b/tools/packaging/static-build/tools/Dockerfile index c60fcb237c..fed9729061 100644 --- a/tools/packaging/static-build/tools/Dockerfile +++ b/tools/packaging/static-build/tools/Dockerfile @@ -10,9 +10,12 @@ COPY install_libseccomp.sh /usr/bin/install_libseccomp.sh ENV DEBIAN_FRONTEND=noninteractive +ENV GO_HOME="/opt" +ENV GOCACHE="${GO_HOME}/.cache" +ENV GOMODCACHE="${GO_HOME}/.modcache" ENV RUSTUP_HOME="/opt/rustup" ENV CARGO_HOME="/opt/cargo" -ENV PATH="/opt/cargo/bin/:${PATH}" +ENV PATH="/opt/cargo/bin/:/opt/go/bin:${PATH}" ENV OPT_LIB="/opt/lib" ENV LIBSECCOMP_LINK_TYPE=static @@ -44,6 +47,11 @@ RUN apt-get update && \ # Tools only build for x86_64 RUN rustup target add x86_64-unknown-linux-musl +RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \ + curl -OL "https://storage.googleapis.com/golang/go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \ + tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \ + rm "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" + # cmake looks for musl binutils # For setting CMAKE_AR, find_program searches for musl-ar. # Symlink to system ar. diff --git a/tools/packaging/static-build/tools/build.sh b/tools/packaging/static-build/tools/build.sh index 4862e376da..cf5df09f09 100755 --- a/tools/packaging/static-build/tools/build.sh +++ b/tools/packaging/static-build/tools/build.sh 
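Review bot: The added `RUN` step unpacks the Go tarball into `${GO_HOME}` without checking it against a pinned digest, and `curl -OL` has no `-f`, so an HTTP error body is saved as if it were the archive. Every binary built in this image is produced by that toolchain, so the download should be verified before extraction, for example with `sha256sum -c` against a digest supplied next to the version. Neither Dockerfile hunk adds `ARG GO_TOOLCHAIN`; unless it is already declared outside the visible lines, `${GO_TOOLCHAIN}` expands to an empty string here and the `--build-arg` from build.sh has no effect. `GO_TOOLCHAIN_SHA256` below is a placeholder name for wherever the project would pin that digest.

```dockerfile
# GO_TOOLCHAIN_SHA256: placeholder build arg carrying the pinned digest of the tarball
ARG GO_TOOLCHAIN_SHA256
RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \
    tarball="go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz"; \
    curl -fsSLO "https://storage.googleapis.com/golang/${tarball}" && \
    echo "${GO_TOOLCHAIN_SHA256}  ${tarball}" | sha256sum -c - && \
    tar -C "${GO_HOME}" -xzf "${tarball}" && \
    rm "${tarball}"
```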
@@ -20,6 +20,7 @@ container_image="${TOOLS_CONTAINER_BUILDER:-$(get_tools_image_name)}" docker pull ${container_image} || \ (docker $BUILDX build $PLATFORM \ + --build-arg GO_TOOLCHAIN="$(get_from_kata_deps ".languages.golang.meta.newest-version")" \ --build-arg RUST_TOOLCHAIN="$(get_from_kata_deps ".languages.rust.meta.newest-version")" \ -t "${container_image}" "${script_dir}" && \ # No-op unless PUSH_TO_REGISTRY is exported as "yes" From fe55b29ef0fbc69ead507272beb7656490eee340 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Mon, 18 Nov 2024 15:35:54 -0600 Subject: [PATCH 2/3] csi-kata-directvolume: Remove go version check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The driver build recipe has a script to check the current Go version against the go.mod version. However, the script is broken ($expected is unbound) and I don't believe we do this for other components. On top of this, Go should be backward-compatible. Let's keep things simple for now and we can evaluate restoring this script in the future if need be. Signed-off-by: Aurélien Bombo --- .../release-tools/build.make | 14 +------- .../release-tools/verify-go-version.sh | 35 ------------------- 2 files changed, 1 insertion(+), 48 deletions(-) delete mode 100755 src/tools/csi-kata-directvolume/release-tools/verify-go-version.sh diff --git a/src/tools/csi-kata-directvolume/release-tools/build.make b/src/tools/csi-kata-directvolume/release-tools/build.make index 23f3e54b62..27fff519e4 100644 --- a/src/tools/csi-kata-directvolume/release-tools/build.make +++ b/src/tools/csi-kata-directvolume/release-tools/build.make 
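Review bot: The `--build-arg GO_TOOLCHAIN=...` value comes straight from a command substitution, so a failed or empty `get_from_kata_deps` lookup goes unnoticed here and the Dockerfile would build a download URL with no version in it. Resolving and checking it first keeps the failure at its source: `go_toolchain="$(get_from_kata_deps ".languages.golang.meta.newest-version")"` followed by `[ -n "${go_toolchain}" ] || { echo "golang version not found" >&2; exit 1; }`. Separately, the `docker pull ${container_image} ||` on the context line skips the build whenever an image with that name already exists; whether the name changes when the Dockerfile does depends on `get_tools_image_name`, which is not visible in this hunk. The existing RUST_TOOLCHAIN line has the same shape.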
@@ -56,7 +56,7 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH)) # Specific packages can be excluded from each of the tests below by setting the *_FILTER_CMD variables # to something like "| grep -v 'github.com/kubernetes-csi/project/pkg/foobar'". See usage below. -build-%: check-go-version-go +build-%: mkdir -p bin CGO_ENABLED=0 GOOS=linux go build $(GOFLAGS_VENDOR) -a -ldflags '-X main.version=$(REV) -extldflags "-static"' -o ./bin/$* ./cmd/$* if [ "$$ARCH" = "amd64" ]; then \ @@ -92,9 +92,6 @@ push: $(CMDS:%=push-%) clean: -rm -rf bin -test: check-go-version-go - - .PHONY: test-vet test: test-vet test-vet: @@ -111,12 +108,3 @@ test-fmt: gofmt -d $$files; \ false; \ fi - - -# Targets in the makefile can depend on check-go-version- -# to trigger a warning if the x.y version of that binary does not match -# what the project uses. Make ensures that this is only checked once per -# invocation. -.PHONY: check-go-version-% -check-go-version-%: - ./release-tools/verify-go-version.sh "$*" diff --git a/src/tools/csi-kata-directvolume/release-tools/verify-go-version.sh b/src/tools/csi-kata-directvolume/release-tools/verify-go-version.sh deleted file mode 100755 index 9c35c0c97b..0000000000 --- a/src/tools/csi-kata-directvolume/release-tools/verify-go-version.sh +++ /dev/null 
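Review bot: With `check-go-version-go` dropped from `build-%` and the explanatory comment at the bottom of the file removed, nothing in build.make says which Go toolchain the recipe expects. A one-line comment above the rule would record the decision from the commit message, e.g. `# The Go version is not checked here; the build uses whatever go is first in PATH.` This is a documentation point only, and the recipe continues past the end of the first hunk.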
@@ -1,35 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright 2019 The Kubernetes Authors. -# -# SPDX-License-Identifier: Apache-2.0 -# - -GO="$1" - -if [ ! "$GO" ]; then - echo >&2 "usage: $0 " - exit 1 -fi - -die () { - echo "ERROR: $*" - exit 1 -} - -version=$("$GO" version) || die "determining version of $GO failed" -# shellcheck disable=SC2001 -majorminor=$(echo "$version" | sed -e 's/.*go\([0-9]*\)\.\([0-9]*\).*/\1.\2/') - -if [ "$majorminor" != "$expected" ]; then - cat >&2 < Date: Wed, 20 Nov 2024 16:41:11 -0600 Subject: [PATCH 3/3] ci: Require CSI driver for CoCo tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the building/publishing step for the CSI driver validated, we can set that as a requirement for the CoCo tests. Depends on: #10561 Signed-off-by: Aurélien Bombo --- .github/workflows/ci.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a3c8b6e745..b3c1c0e8e4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -223,7 +223,10 @@ jobs: run-kata-coco-tests: if: ${{ inputs.skip-test != 'yes' }} - needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image] + needs: + - publish-kata-deploy-payload-amd64 + - build-and-publish-tee-confidential-unencrypted-image + - publish-csi-driver-amd64 uses: ./.github/workflows/run-kata-coco-tests.yaml with: tarball-suffix: -${{ inputs.tag }}
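Review bot: The new `needs` entry `publish-csi-driver-amd64` refers to a job that is not defined anywhere in this hunk, and GitHub Actions rejects a workflow whose `needs` names an unknown job, so this patch is only valid once that job exists in ci.yaml. The description says it depends on #10561, which presumably adds the job, so the merge order should be enforced rather than left to the note. It is also worth confirming that the job cannot be skipped by its own `if:`, since a skipped dependency skips run-kata-coco-tests as well. The job definition continues outside the hunk.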