packaging: coco-guest-components: Allow building the project
The Confidential Containers guest-components will, in the very near future, be part of the Kata Containers rootfs that's used by the Confidential Containers use case. This commit introduces the ability to, standalone, build the component locally and as part of our CI, and this can be done by calling: `make coco-guest-components-tarball` Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Signed-off-by: Linda Yu <linda.yu@intel.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com> Co-authored-by: Wang, Arron <arron.wang@intel.com> Co-authored-by: zhouliang121 <liang.a.zhou@linux.alibaba.com> Co-authored-by: Alex Carter <alex.carter@ibm.com> Co-authored-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com> Co-authored-by: Xynnn007 <xynnn@linux.alibaba.com>
parent
ee072e8a06
commit
644abde35c
@ -32,6 +32,7 @@ jobs:
|
||||
- agent-ctl
|
||||
- cloud-hypervisor
|
||||
- cloud-hypervisor-glibc
|
||||
- coco-guest-components
|
||||
- firecracker
|
||||
- genpolicy
|
||||
- kata-ctl
|
||||
|
@ -28,6 +28,7 @@ jobs:
|
||||
matrix:
|
||||
asset:
|
||||
- agent
|
||||
- coco-guest-components
|
||||
- kernel
|
||||
- qemu
|
||||
- rootfs-image
|
||||
|
@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build
|
||||
agent-ctl-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
coco-guest-components-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
cloud-hypervisor-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
|
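Review bot: The new `coco-guest-components-tarball` target is a command rather than a file it produces, so it belongs in the Makefile's `.PHONY` list alongside the other `*-tarball` targets if the file keeps one (the declaration is not visible in this hunk); without that, a stray file named `coco-guest-components-tarball` in the working directory makes the target silently "up to date". The recipe `${MAKE} $@-build` follows the neighbouring targets and correctly goes through `$(MAKE)`, so the jobserver and `-n` propagate; a one-line `##` comment naming what the `$@-build` target produces would make the entry self-documenting.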
@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}"
|
||||
BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
|
||||
PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
|
||||
AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
|
||||
COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}"
|
||||
INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
|
||||
KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
|
||||
OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
|
||||
@ -110,6 +111,7 @@ docker run \
|
||||
--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
|
||||
--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
|
||||
--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
|
||||
--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
|
||||
--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
|
||||
--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
|
||||
--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \
|
||||
|
@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION"
|
||||
readonly versions_yaml="${repo_root_dir}/versions.yaml"
|
||||
|
||||
readonly agent_builder="${static_build_dir}/agent/build.sh"
|
||||
readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh"
|
||||
readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
|
||||
readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
|
||||
readonly kernel_builder="${static_build_dir}/kernel/build.sh"
|
||||
@ -87,6 +88,7 @@ options:
|
||||
agent-opa
|
||||
agent-ctl
|
||||
boot-image-se
|
||||
coco-guest-components
|
||||
cloud-hypervisor
|
||||
cloud-hypervisor-glibc
|
||||
firecracker
|
||||
@ -710,6 +712,22 @@ install_agent_opa() {
|
||||
install_agent_helper "yes"
|
||||
}
|
||||
|
||||
install_coco_guest_components() {
|
||||
latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"
|
||||
latest_builder_image="$(get_coco_guest_components_image_name)"
|
||||
|
||||
install_cached_tarball_component \
|
||||
"${build_target}" \
|
||||
"${latest_artefact}" \
|
||||
"${latest_builder_image}" \
|
||||
"${final_tarball_name}" \
|
||||
"${final_tarball_path}" \
|
||||
&& return 0
|
||||
|
||||
info "build static coco-guest-components"
|
||||
"${coco_guest_components_builder}"
|
||||
}
|
||||
|
||||
install_tools_helper() {
|
||||
tool=${1}
|
||||
|
||||
@ -821,9 +839,11 @@ handle_build() {
|
||||
agent-opa) install_agent_opa ;;
|
||||
|
||||
agent-ctl) install_agent_ctl ;;
|
||||
|
||||
|
||||
boot-image-se) install_se_image ;;
|
||||
|
||||
coco-guest-components) install_coco_guest_components ;;
|
||||
|
||||
cloud-hypervisor) install_clh ;;
|
||||
|
||||
cloud-hypervisor-glibc) install_clh_glibc ;;
|
||||
@ -941,6 +961,7 @@ main() {
|
||||
agent-opa
|
||||
agent-ctl
|
||||
cloud-hypervisor
|
||||
coco-guest-components
|
||||
firecracker
|
||||
genpolicy
|
||||
kata-ctl
|
||||
|
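Review bot: The cache key `latest_artefact` assembled at the top of `install_coco_guest_components` combines only the guest-components version and the rust toolchain, yet the builder it falls back to passes `TEE_PLATFORM` through to `make build`, so a tarball cached from a build for one TEE platform can be handed to a build requesting another. If the cached path is only meant to be valid for the default platform, state that in a comment above the assignment; otherwise fold the platform into the key, e.g. `latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-${TEE_PLATFORM:-all}"`. `latest_artefact` and `latest_builder_image` are assigned without `local`, which is presumably consistent with the sibling `install_*` functions but is worth confirming since the names are shared across them. `install_cached_tarball_component`, `build_target`, `final_tarball_name` and `final_tarball_path` are defined outside this hunk.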
@ -151,6 +151,7 @@ used to build the release artefacts.
|
||||
The users who want to rebuild the tarballs using exactly the same images can simply use the following environment
|
||||
variables:
|
||||
* \`AGENT_CONTAINER_BUILDER\`
|
||||
* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\`
|
||||
* \`KERNEL_CONTAINER_BUILDER\`
|
||||
* \`OVMF_CONTAINER_BUILDER\`
|
||||
* \`QEMU_CONTAINER_BUILDER\`
|
||||
|
@ -216,3 +216,8 @@ get_agent_image_name() {
|
||||
|
||||
echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
|
||||
}
|
||||
|
||||
get_coco_guest_components_image_name() {
|
||||
coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"
|
||||
echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)"
|
||||
}
|
||||
|
@ -0,0 +1,28 @@
|
||||
# Copyright (c) 2024 Intel
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
FROM ubuntu:22.04
|
||||
ARG RUST_TOOLCHAIN
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
||||
RUN apt-get update && \
|
||||
apt-get --no-install-recommends -y install \
|
||||
binutils \
|
||||
ca-certificates \
|
||||
clang \
|
||||
curl \
|
||||
g++ \
|
||||
gcc \
|
||||
git \
|
||||
gnupg \
|
||||
libssl-dev \
|
||||
make \
|
||||
musl-tools \
|
||||
openssl \
|
||||
perl \
|
||||
protobuf-compiler && \
|
||||
apt-get clean && rm -rf /var/lib/apt/lists/ && \
|
||||
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
|
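Review bot: The final `RUN` step installs the Rust toolchain by piping `https://sh.rustup.rs` straight into `sh`, so the builder image's contents depend on whatever that URL serves at build time and nothing in the build detects a changed or tampered installer. Saving `rustup-init` to a file, checking its SHA-256 against a pinned value supplied as a build ARG (placeholder below; the value has to be refreshed whenever rustup changes the script) and only then running it keeps the image verifiable, matching the pinning already done for the toolchain itself through `RUST_TOOLCHAIN`. `ARG RUST_TOOLCHAIN` has no default, so a plain `docker build` without `--build-arg` fails inside `rustup` with an empty `--default-toolchain`; a comment such as `# Mandatory: the rust toolchain version, supplied by build.sh from versions.yaml` above the ARG would make that explicit.
```dockerfile
ARG RUST_TOOLCHAIN
# SHA-256 of the rustup-init script being installed (placeholder, set from the rustup release)
ARG RUSTUP_INIT_SHA256=<RUSTUP_INIT_SHA256_PLACEHOLDER>
# … unchanged: ENV, SHELL, apt-get install and clean-up …
    curl --proto '=https' --tlsv1.2 -sSf -o /tmp/rustup-init.sh https://sh.rustup.rs && \
    echo "${RUSTUP_INIT_SHA256}  /tmp/rustup-init.sh" | sha256sum -c - && \
    sh /tmp/rustup-init.sh -y --default-toolchain ${RUST_TOOLCHAIN} && \
    rm -f /tmp/rustup-init.sh
```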
@ -0,0 +1,63 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Copyright (c) 2024 Intel Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
|
||||
source "${script_dir}/../../scripts/lib.sh"
|
||||
|
||||
[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
|
||||
[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
|
||||
|
||||
[ -d "guest-components" ] && rm -rf guest-components
|
||||
|
||||
init_env() {
|
||||
source "$HOME/.cargo/env"
|
||||
|
||||
export LIBC=gnu
|
||||
|
||||
ARCH=$(uname -m)
|
||||
rust_arch=""
|
||||
case ${ARCH} in
|
||||
"aarch64")
|
||||
rust_arch=${ARCH}
|
||||
;;
|
||||
"ppc64le")
|
||||
rust_arch="powerpc64le"
|
||||
;;
|
||||
"x86_64")
|
||||
rust_arch=${ARCH}
|
||||
;;
|
||||
"s390x")
|
||||
rust_arch=${ARCH}
|
||||
;;
|
||||
esac
|
||||
rustup target add ${rust_arch}-unknown-linux-${LIBC}
|
||||
}
|
||||
|
||||
build_coco_guest_components_from_source() {
|
||||
echo "build coco-guest-components from source"
|
||||
|
||||
init_env
|
||||
|
||||
git clone --depth 1 ${coco_guest_components_repo} guest-components
|
||||
pushd guest-components
|
||||
|
||||
git fetch --depth=1 origin "${coco_guest_components_version}"
|
||||
git checkout FETCH_HEAD
|
||||
|
||||
TEE_PLATFORM=${TEE_PLATFORM} make build
|
||||
strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
|
||||
strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
|
||||
strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
|
||||
TEE_PLATFORM=${TEE_PLATFORM} make install
|
||||
popd
|
||||
}
|
||||
|
||||
build_coco_guest_components_from_source $@
|
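Review bot: The `case ${ARCH} in` block in `init_env` has no default branch, so on an architecture outside the four listed `rust_arch` stays empty and the failure only surfaces later as `rustup target add -unknown-linux-gnu`, which is hard to diagnose; add `*) die "unsupported architecture: ${ARCH}" ;;` before `esac` (`die` comes from the sourced lib.sh and is already used at the top of the script). `rust_arch` is intentionally left global so that `build_coco_guest_components_from_source` can reuse it for the `strip` paths; a comment saying so, e.g. `# rust_arch is consumed by build_coco_guest_components_from_source — do not make it local`, would stop a future cleanup from breaking the build. `${TEE_PLATFORM}` on the `make build` and `make install` lines is expanded under `set -o nounset` with no default, which is fine when invoked through build.sh (it exports `TEE_PLATFORM=${TEE_PLATFORM:-all}`) but aborts with an unbound-variable error when the script is run on its own; a `: "${TEE_PLATFORM:=all}"` next to the other environment checks would remove that dependency.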
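--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+coco_guest_components_repo="${coco_guest_components_repo:-}"
+coco_guest_components_version="${coco_guest_components_version:-}"
+coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
+[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
+[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
+
+[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
+[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
+[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
+
+container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+(sudo docker $BUILDX build $PLATFORM \
+--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+-t "${container_image}" "${script_dir}" && \
+# No-op unless PUSH_TO_REGISTRY is exported as "yes"
+push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+-w "${PWD}" \
+--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+--env coco_guest_components_repo="${coco_guest_components_repo}" \
+--env coco_guest_components_version="${coco_guest_components_version}" \
+"${container_image}" \
+bash -c "${coco_guest_components_builder}"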
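Review bot: `package_output_dir` is defaulted with `package_output_dir="${package_output_dir:-}"` but is never read again in the script and is not handed to the container alongside the other `--env` values, so it is either dead code or a missing pass-through; drop the line or add `--env package_output_dir="${package_output_dir}" \` to the `docker run` invocation. `${CROSS_BUILD}`, `$BUILDX` and `$PLATFORM` are expanded under `set -o nounset` without defaults, so running the script outside kata-deploy-binaries.sh (which presumably exports them) aborts with an unbound-variable error; `${CROSS_BUILD:-}`, `${BUILDX:-}` and `${PLATFORM:-}` would match the defaulting already applied to `TEE_PLATFORM`. The builder image is selected by name through the `docker pull` that precedes the local build, not by digest, so the registry behind `BUILDER_REGISTRY` decides which toolchain produces these attestation-relevant binaries; this mirrors the existing per-component builders, but a comment recording that trust assumption next to the `container_image` assignment would help reviewers of the rootfs.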
@ -207,6 +207,12 @@ externals:
|
||||
url: "https://github.com/containernetworking/plugins"
|
||||
version: "v1.2.0"
|
||||
|
||||
coco-guest-components:
|
||||
description: "Provides attested key unwrapping for image decryption"
|
||||
url: "https://github.com/confidential-containers/guest-components/"
|
||||
version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
|
||||
toolchain: "1.72.0"
|
||||
|
||||
conmon:
|
||||
description: "An OCI container runtime monitor"
|
||||
url: "https://github.com/containers/conmon"
|
||||
|