diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index d463427861..96cf1b2650 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -43,6 +43,7 @@ jobs: - agent - busybox - cloud-hypervisor + - coco-guest-components - firecracker - kernel - kernel-debug @@ -51,6 +52,7 @@ jobs: - kernel-cca-confidential - nydus - ovmf + - pause-image - qemu - virtiofsd env: @@ -151,6 +153,7 @@ jobs: matrix: asset: - rootfs-image + - rootfs-image-confidential - rootfs-image-nvidia-gpu - rootfs-initrd steps: @@ -216,7 +219,9 @@ jobs: matrix: asset: - busybox + - coco-guest-components - kernel-nvidia-gpu-modules + - pause-image steps: - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0 with: @@ -288,6 +293,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 
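Review bot: `MEASURED_ROOTFS: yes` in the shim-v2 build env (hunk @@ -288,6 +293,7 @@) is an unquoted plain scalar that YAML 1.1 loaders read as the boolean `true`, and that yamllint's truthy rule flags; the build script presumably compares it against the string `yes`, which is how the `RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}` line just above hands its value over. Quote it as `MEASURED_ROOTFS: "yes"` so every loader passes the same string through. The enclosing build-asset job is defined before the hunk, so it is not clear from here whether other env entries in it use the same plain spelling.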
@@ -297,6 +303,112 @@ jobs: retention-days: 15 if-no-files-found: error + build-tools-asset: + name: build-tools-asset + runs-on: ubuntu-24.04-arm + permissions: + contents: read + packages: write + strategy: + matrix: + asset: + - genpolicy + stage: + - ${{ inputs.stage }} + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: quay.io + username: ${{ vars.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + persist-credentials: false + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: Build ${{ matrix.asset }} + id: build + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: kata-tools-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst + retention-days: 15 + if-no-files-found: error + + create-kata-tools-tarball: + name: create-kata-tools-tarball + runs-on: ubuntu-24.04-arm + needs: [build-tools-asset] + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 + fetch-tags: true + persist-credentials: false + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + pattern: kata-tools-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-tools-artifacts + merge-multiple: true + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst + env: + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: Check kata-tools tarball size (GitHub release asset limit) + run: | + # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas + GITHUB_ASSET_MAX_BYTES=2147483648 + tarball_size=$(stat -c "%s" 
kata-tools-static.tar.zst) + if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then + echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)" + exit 1 + fi + echo "tarball size: ${tarball_size} bytes" + - name: store-artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }} + path: kata-tools-static.tar.zst + retention-days: 15 + if-no-files-found: error + create-kata-tarball: name: create-kata-tarball runs-on: ubuntu-24.04-arm diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index dffb6ff1f7..9611fdc4b1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -217,7 +217,7 @@ jobs: tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }} push: true context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ - platforms: linux/amd64, linux/s390x + platforms: linux/amd64, linux/arm64, linux/s390x file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile run-kata-monitor-tests: 
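Review bot: `create-kata-tools-tarball` declares `packages: write`, but none of its steps visible in the hunk uses a registry: it checks out, rebases, downloads the per-asset artifacts, runs kata-deploy-merge-builds.sh, checks the tarball size and uploads an artifact. Unless kata-deploy-merge-builds.sh pushes to ghcr.io (not shown), drop the `packages: write` line so the job token is read-only. In `build-tools-asset`, `TAR_OUTPUT` is `${{ matrix.asset }}.tar.gz` while the upload `path` expects `kata-static-${{ matrix.asset }}.tar.zst`; if the Makefile does not read TAR_OUTPUT this is harmless, but a reader will assume the two agree, so either align the extension or add a comment saying which one the build honours.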
@@ -277,6 +277,23 @@ jobs: pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} + run-kata-coco-tests-on-arm64: + if: ${{ inputs.skip-test != 'yes' }} + needs: + - publish-kata-deploy-payload-arm64 + - build-and-publish-tee-confidential-unencrypted-image + uses: ./.github/workflows/run-kata-coco-tests-arm64-k8s.yaml + with: + tarball-suffix: -${{ inputs.tag }} + registry: ghcr.io + repo: ${{ github.repository_owner }}/kata-deploy-ci + tag: ${{ inputs.tag }}-arm64 + commit-hash: ${{ inputs.commit-hash }} + pr-number: ${{ inputs.pr-number }} + target-branch: ${{ inputs.target-branch }} + secrets: + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + run-k8s-tests-on-nvidia-gpu: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-amd64 diff --git a/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml b/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml new file mode 100644 index 0000000000..68c0c6ad35 --- /dev/null +++ b/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml 
@@ -0,0 +1,128 @@ +name: CI | Run kata coco tests on arm64 k8s +on: + workflow_call: + inputs: + tarball-suffix: + required: false + type: string + registry: + required: true + type: string + repo: + required: true + type: string + tag: + required: true + type: string + pr-number: + required: true + type: string + commit-hash: + required: false + type: string + target-branch: + required: false + type: string + default: "" + secrets: + AUTHENTICATED_IMAGE_PASSWORD: + required: false + +permissions: {} + +jobs: + run-k8s-tests-coco-arm64-k8s: + name: run-k8s-tests-coco-arm64-k8s (${{ matrix.vmm }}, ${{ matrix.k8s }}) + strategy: + fail-fast: false + matrix: + vmm: + - qemu-coco-dev-runtime-rs + k8s: + - kubeadm + runs-on: arm64-k8s + environment: + name: ci + deployment: false + env: + DOCKER_REGISTRY: ${{ inputs.registry }} + DOCKER_REPO: ${{ inputs.repo }} + DOCKER_TAG: ${{ inputs.tag }} + GH_PR_NUMBER: ${{ inputs.pr-number }} + KATA_HYPERVISOR: ${{ matrix.vmm }} + KUBERNETES: ${{ matrix.k8s }} + K8S_TEST_HOST_TYPE: all + TARGET_ARCH: "aarch64" + KBS: "true" + KBS_INGRESS: "nodeport" + AUTO_GENERATE_POLICY: "yes" + PULL_TYPE: "guest-pull" + SNAPSHOTTER: "nydus" + AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + GH_TOKEN: ${{ github.token }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 + persist-credentials: false + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-kata-tools-tarball + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }} + path: kata-tools-artifacts + + - name: Install kata-tools + run: bash 
tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts + + - name: Deploy Kata + timeout-minutes: 20 + run: bash tests/integration/kubernetes/gha-run.sh deploy-kata + + - name: Uninstall previous `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client + + - name: Deploy CoCo KBS + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs + + - name: Install `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client + + - name: Install `bats` + run: bash tests/integration/kubernetes/gha-run.sh install-bats + + - name: Run tests + timeout-minutes: 90 + run: bash tests/integration/kubernetes/gha-run.sh run-tests + + - name: Report tests + if: always() + run: bash tests/integration/kubernetes/gha-run.sh report-tests + + - name: Collect artifacts ${{ matrix.vmm }} + if: always() + run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts + continue-on-error: true + + - name: Archive artifacts ${{ matrix.vmm }} + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: k8s-coco-arm64-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} + path: /tmp/artifacts + retention-days: 1 + + - name: Delete kata-deploy + if: always() + timeout-minutes: 15 + run: bash tests/integration/kubernetes/gha-run.sh cleanup diff --git a/docs/helm-configuration.md b/docs/helm-configuration.md index 2b55f36321..79b0bd4242 100644 --- a/docs/helm-configuration.md +++ b/docs/helm-configuration.md 
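Review bot: The `Archive artifacts` step in run-kata-coco-tests-arm64-k8s.yaml has no `if: always()`, while the `Collect artifacts` step just above it does, so after a failed `Run tests` the logs are gathered into /tmp/artifacts and then never uploaded — precisely the run in which they are wanted; add `if: always()` to the upload step. Separately, `AUTHENTICATED_IMAGE_PASSWORD` is set in the job-level `env`, so the secret is present in the environment of every step, including the collection whose output is uploaded; if only one gha-run.sh subcommand needs it, attach it as step-level `env` on that step (which subcommand that is isn't visible here). `GH_TOKEN: ${{ github.token }}` is likewise job-wide under a top-level `permissions: {}`; a comment naming the step that needs it would let a later reader scope or drop it.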
@@ -109,7 +109,7 @@ Includes: - `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x) - `qemu-cca` - Arm Confidential Compute Architecture (arm64) - `qemu-coco-dev` - Confidential Containers development (amd64, s390x) -- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, s390x) +- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, arm64, s390x) ### [`try-kata-nvidia-gpu.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml) diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in index 2734d83cbb..1c37e39b64 100644 --- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in @@ -544,17 +544,17 @@ kernel_modules = [] debug_console_enabled = false # Agent dial timeout in millisecond. -# (default: 10) -dial_timeout_ms = 10 +# (default: 100) +dial_timeout_ms = 100 # Agent reconnect timeout in millisecond. -# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300) +# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450) # If you find pod cannot connect to the agent when starting, please # consider increasing this value to increase the retry times. # You'd better not change the value of dial_timeout_ms, unless you have an # idea of what you are doing. -# (default: 3000) -reconnect_timeout_ms = 3000 +# (default: 45000) +reconnect_timeout_ms = 45000 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub) # to create their Unix sockets after being spawned by the agent. 
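Review bot: The `(default: …)` comments next to `dial_timeout_ms` and `reconnect_timeout_ms` in configuration-qemu-coco-dev-runtime-rs.toml.in are rewritten to 100 / 450 / 45000, yet nothing in this diff touches a runtime-rs source default — and the removed lines of configuration-qemu-se-runtime-rs.toml.in (`# (default: 10)` above `dial_timeout_ms = 90`) show these comments documented the built-in default, not the shipped value. Unless the built-in defaults changed elsewhere, the new text misstates them; either keep the old default text and change only the values, or reword to something like `# (shipped value: 100; built-in default: 10)`. The same rewrite appears in the qemu-se, qemu-snp and qemu-tdx runtime-rs config templates in the hunks that follow. A one-line comment on why the agent connect window grows from 3 s to 45 s on the CoCo configs would also help whoever tunes it next.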
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in index 93dbdf7846..99a6e1450f 100644 --- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in @@ -521,17 +521,17 @@ kernel_modules = [] debug_console_enabled = false # Agent dial timeout in millisecond. -# (default: 10) -dial_timeout_ms = 90 +# (default: 100) +dial_timeout_ms = 100 # Agent reconnect timeout in millisecond. -# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300) +# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450) # If you find pod cannot connect to the agent when starting, please # consider increasing this value to increase the retry times. # You'd better not change the value of dial_timeout_ms, unless you have an # idea of what you are doing. -# (default: 3000) -reconnect_timeout_ms = 5000 +# (default: 45000) +reconnect_timeout_ms = 45000 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub) # to create their Unix sockets after being spawned by the agent. diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in index c76ca186db..b3905c29b9 100644 --- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in 
@@ -563,17 +563,17 @@ kernel_modules = [] debug_console_enabled = false # Agent dial timeout in millisecond. -# (default: 10) -dial_timeout_ms = 10 +# (default: 100) +dial_timeout_ms = 100 # Agent reconnect timeout in millisecond. -# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300) +# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450) # If you find pod cannot connect to the agent when starting, please # consider increasing this value to increase the retry times. # You'd better not change the value of dial_timeout_ms, unless you have an # idea of what you are doing. -# (default: 3000) -reconnect_timeout_ms = 3000 +# (default: 45000) +reconnect_timeout_ms = 45000 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub) # to create their Unix sockets after being spawned by the agent. diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in index 2767324eaa..51bc649ead 100644 --- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in 
@@ -539,17 +539,17 @@ kernel_modules = [] debug_console_enabled = false # Agent dial timeout in millisecond. -# (default: 10) -dial_timeout_ms = 10 +# (default: 100) +dial_timeout_ms = 100 # Agent reconnect timeout in millisecond. -# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300) +# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450) # If you find pod cannot connect to the agent when starting, please # consider increasing this value to increase the retry times. # You'd better not change the value of dial_timeout_ms, unless you have an # idea of what you are doing. -# (default: 3000) -reconnect_timeout_ms = 3000 +# (default: 45000) +reconnect_timeout_ms = 45000 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub) # to create their Unix sockets after being spawned by the agent. diff --git a/tests/gha-run-k8s-common.sh b/tests/gha-run-k8s-common.sh index 1463074be1..1d016499ed 100644 --- a/tests/gha-run-k8s-common.sh +++ b/tests/gha-run-k8s-common.sh @@ -707,7 +707,9 @@ function helm_helper() { yq -i ".shims.${shim}.supportedArches = [\"arm64\"]" "${values_yaml}" elif is_snp_hypervisor "${shim}" || is_tdx_hypervisor "${shim}" || is_confidential_gpu_hypervisor "${shim}"; then yq -i ".shims.${shim}.supportedArches = [\"amd64\"]" "${values_yaml}" - elif [[ "${shim}" == "qemu-runtime-rs" ]]; then + # qemu-coco-dev-runtime-rs is checked explicitly because + # qemu-coco-dev (Go runtime) does not support arm64. + elif [[ "${shim}" == "qemu-runtime-rs" ]] || [[ "${shim}" == "qemu-coco-dev-runtime-rs" ]]; then yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\", \"s390x\"]" "${values_yaml}" elif is_non_tee_hypervisor "${shim}"; then yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"s390x\"]" "${values_yaml}" diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh index 4923fb6fdc..c71cdce808 100644 
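Review bot: In helm_helper() (tests/gha-run-k8s-common.sh) the new branch spells its condition as two separate `[[ ]]` commands joined with `||`; a single test, `elif [[ "${shim}" == "qemu-runtime-rs" || "${shim}" == "qemu-coco-dev-runtime-rs" ]]; then`, reads as one decision and keeps the line shorter. The arch list for qemu-coco-dev-runtime-rs is now also stated in try-kata-tee.values.yaml, values.yaml and get_default_shims_for_arch in config.rs, so the new comment could name those as the places that must stay in sync. helm_helper() starts before and ends after the hunk.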
--- a/tests/integration/kubernetes/confidential_kbs.sh +++ b/tests/integration/kubernetes/confidential_kbs.sh @@ -227,7 +227,7 @@ kbs_install_cli() { source /etc/os-release || source /usr/lib/os-release case "${ID}" in - ubuntu) + debian|ubuntu) local pkgs="build-essential pkg-config libssl-dev" sudo apt-get update -y diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index c5ae2b115c..a2609da84a 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -453,7 +453,7 @@ function main() { if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \ - "${TARGET_ARCH}" = "x86_64" && \ + ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \ "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then diff --git a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats index 4ed4573e7d..072bf6352f 100644 --- a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats +++ b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." setup_common || die "setup_common failed" deployment_name="policy-redis-deployment" @@ -100,6 +101,7 @@ test_deployment_policy_error() { teardown() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log. info "Pod ${deployment_name}:" 
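Review bot: The `[[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."` line is added to both setup() and teardown() of k8s-policy-deployment-sc.bats, and again twice in k8s-policy-deployment.bats in the next hunks, while tests_common.sh gains an arch predicate (`is_arm64_host`) in this same change; a sibling helper in tests_common.sh (e.g. `is_x86_64_host`, name constructed here) would keep the check and its skip reason in one place. The skip message does not say which image is single-arch, so naming it would tell a later reader when the guard can be removed. In gha-run.sh the grouped `( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" )` inside `[[ ]]` is valid bash; the enclosing main() starts and ends outside the hunk.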
diff --git a/tests/integration/kubernetes/k8s-policy-deployment.bats b/tests/integration/kubernetes/k8s-policy-deployment.bats index 9a442731b8..0543ef2ba8 100644 --- a/tests/integration/kubernetes/k8s-policy-deployment.bats +++ b/tests/integration/kubernetes/k8s-policy-deployment.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." setup_common || die "setup_common failed" deployment_name="policy-redis-deployment" @@ -60,6 +61,7 @@ test_deployment_policy_error() { teardown() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log. info "Pod ${deployment_name}:" diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index be647ecaa3..34fce8cf17 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -112,6 +112,12 @@ is_k3s_or_rke2() { esac } +# The arm64 runner owners keep containerd updates synced across all runners. +is_arm64_host() { + [[ "$(uname -m)" == "aarch64" ]] && return 0 + return 1 +} + # Return the kubelet data directory, which varies by Kubernetes distribution. get_kubelet_data_dir() { case "${KUBERNETES:-}" in 
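Review bot: The comment above `is_arm64_host` in tests_common.sh explains a runner-fleet policy ("containerd updates synced across all runners") rather than what the function returns, so a reader of the function alone cannot tell what it tests or why the host arch matters. Document the predicate as `# Return 0 when the host is arm64 (aarch64), 1 otherwise.` and move the containerd remark to the call in install_genpolicy_drop_ins (next hunk), where it justifies picking the OCI 1.3.0 drop-in. The body can also be the bare test, `is_arm64_host() { [[ "$(uname -m)" == "aarch64" ]]; }`, since `[[ ]]` already yields the 0/1 status.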
@@ -145,7 +151,7 @@ install_genpolicy_drop_ins() { # 20-* OCI version overlay if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/" - elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then + elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || is_arm64_host; then cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/" fi diff --git a/tools/packaging/kata-deploy/binary/src/config.rs b/tools/packaging/kata-deploy/binary/src/config.rs index 37e1028a70..08c7e63a1b 100644 --- a/tools/packaging/kata-deploy/binary/src/config.rs +++ b/tools/packaging/kata-deploy/binary/src/config.rs @@ -734,7 +734,7 @@ fn parse_custom_runtimes() -> Result> { fn get_default_shims_for_arch(arch: &str) -> &'static str { match arch { "x86_64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs", - "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-runtime-rs qemu-nvidia-gpu qemu-cca", + "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-cca", "s390x" => "qemu qemu-runtime-rs qemu-se qemu-se-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs", "ppc64le" => "qemu", _ => "qemu", // Fallback to qemu for unknown architectures diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml index 42dad88ad6..f5986a564e 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml 
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml @@ -135,6 +135,7 @@ shims: enabled: true supportedArches: - amd64 + - arm64 - s390x allowedHypervisorAnnotations: [] containerd: diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml index 660822c729..606fe4ac63 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml @@ -322,6 +322,7 @@ shims: enabled: ~ supportedArches: - amd64 + - arm64 - s390x allowedHypervisorAnnotations: [] containerd: diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 05dbfb052a..49d6f9611b 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \ shim-v2-tarball \ virtiofsd-tarball BASE_SERIAL_TARBALLS = rootfs-image-tarball \ + rootfs-image-confidential-tarball \ rootfs-cca-confidential-image-tarball \ rootfs-cca-confidential-initrd-tarball \ rootfs-initrd-tarball diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index aa582672b6..73554e9132 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -710,7 +710,7 @@ install_kernel_helper() { DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}" } -#Install kernel asset (on x86_64 and s390x built with -x for TEE/confidential; other arches without -x) +#Install kernel asset (on x86_64, s390x, and aarch64 built with -x for TEE/confidential) install_kernel() { local extra_cmd="" case "${ARCH}" in 
@@ -719,6 +719,11 @@ install_kernel() { export MEASURED_ROOTFS="no" extra_cmd="-x" ;; + aarch64) + export CONFIDENTIAL_GUEST="yes" + export MEASURED_ROOTFS="yes" + extra_cmd="-x" + ;; x86_64) export CONFIDENTIAL_GUEST="yes" export MEASURED_ROOTFS="yes" diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 612353e5d5..97d3a6e5c3 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh @@ -578,8 +578,11 @@ install_kata() { if [[ ${gpu_vendor} != "" ]]; then suffix="-${gpu_vendor}-gpu${suffix}" elif [[ ${conf_guest} != "" ]]; then - # CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not - if [[ "${arch_target}" == "aarch64" ]]; then + # CCA kernel on arm64 needs a -confidential suffix to coexist + # with the unified kernel; the regular kernel with -x does not + # get the suffix (matching x86_64/s390x unified kernel behavior). + # CCA builds are identified by -H (linux_headers) being set. + if [[ "${arch_target}" == "arm64" ]] && [[ -n "${linux_headers}" ]]; then suffix="-${conf_guest}${suffix}" fi fi diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index e702a30b33..6c412452bc 100644 --- a/tools/packaging/kernel/kata_config_version +++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -188 +189 diff --git a/tools/packaging/static-build/tools/Dockerfile b/tools/packaging/static-build/tools/Dockerfile index eb52334592..17ede6581e 100644 --- a/tools/packaging/static-build/tools/Dockerfile +++ b/tools/packaging/static-build/tools/Dockerfile 
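Review bot: The suffix condition in install_kata() (tools/packaging/kernel/build-kernel.sh) now compares `arch_target` with `"arm64"` where the removed line compared it with `"aarch64"`; which spelling `arch_target` actually holds is not visible in this hunk, and with the wrong one the CCA kernel silently loses its `-confidential` suffix and is installed under the same name as the unified kernel. If `arch_target` is the kernel-style name (so the old `aarch64` test never matched), state that in the comment, e.g. `# arch_target is the kernel arch name (arm64), not uname -m (aarch64)`; if it is the uname -m name, the new test is dead. A guard that fails the build when both kernels would resolve to the same destination path would make this kind of mistake loud instead of silent. install_kata() starts before and ends after the hunk.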
@@ -61,10 +61,21 @@ RUN ARCH=$(uname -m) && \ rm /tmp/oras.tar.gz && \ oras version -# Tools only build for x86_64 -RUN rustup target add x86_64-unknown-linux-musl +RUN ARCH=$(uname -m) && \ + case "${ARCH}" in \ + x86_64) MUSL_TARGET="x86_64-unknown-linux-musl" ;; \ + aarch64) MUSL_TARGET="aarch64-unknown-linux-musl" ;; \ + *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \ + esac && \ + rustup target add "${MUSL_TARGET}" -RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \ - curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \ - tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \ - rm "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" +RUN ARCH=$(uname -m) && \ + case "${ARCH}" in \ + x86_64) GO_ARCH="amd64" ;; \ + aarch64) GO_ARCH="arm64" ;; \ + *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \ + esac && \ + kernelname=$(uname -s | tr '[:upper:]' '[:lower:]') && \ + curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \ + tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \ + rm "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz"
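Review bot: The Go toolchain is fetched with `curl -fsSOL` and unpacked into `${GO_HOME}` with no integrity check, so the image trusts whatever the download host returns; the arm64 rewrite of this RUN is the natural place to add one. go.dev publishes a sha256 per tarball: carry it as a per-arch build arg, select it in the same `case` that picks GO_ARCH, and verify with `sha256sum -c` before `tar`. The amd64 line being replaced had the same gap, so this is not a regression, but it is now two architectures' worth of unverified download; the `rustup target add` RUN above can follow the same shape.
```dockerfile
# Expected sha256 of the Go tarball per arch; values come from the go.dev
# download listing for GO_TOOLCHAIN (placeholders below, not real digests).
ARG GO_SHA256_AMD64=<sha256-of-go-linux-amd64-tarball>
ARG GO_SHA256_ARM64=<sha256-of-go-linux-arm64-tarball>
RUN ARCH=$(uname -m) && \
    case "${ARCH}" in \
    x86_64) GO_ARCH="amd64"; GO_SHA256="${GO_SHA256_AMD64}" ;; \
    aarch64) GO_ARCH="arm64"; GO_SHA256="${GO_SHA256_ARM64}" ;; \
    *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
    esac && \
    kernelname=$(uname -s | tr '[:upper:]' '[:lower:]') && \
    go_tarball="go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
    curl -fsSOL "https://go.dev/dl/${go_tarball}" && \
    echo "${GO_SHA256}  ${go_tarball}" | sha256sum -c - && \
    tar -C "${GO_HOME}" -xzf "${go_tarball}" && \
    rm "${go_tarball}"
```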