packaging: coco-guest-components: Allow building the project

The Confidential Containers guest-components will, in the very near
future, be part of the Kata Containers rootfs that's used by the
Confidential Containers use case.

This commit introduces the ability to, standalone, build the component
locally and as part of our CI, and this can be done by calling:
`make coco-guest-components-tarball`

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Linda Yu <linda.yu@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: zhouliang121 <liang.a.zhou@linux.alibaba.com>
Co-authored-by: Alex Carter <alex.carter@ibm.com>
Co-authored-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Co-authored-by: Xynnn007 <xynnn@linux.alibaba.com>
Fabiano Fidêncio 2024-01-26 14:30:07 +01:00
parent ee072e8a06
commit 644abde35c
GPG Key ID: EE926C2BDACC177B
11 changed files with 177 additions and 1 deletions


@ -32,6 +32,7 @@ jobs:
- agent-ctl
- cloud-hypervisor
- cloud-hypervisor-glibc
- coco-guest-components
- firecracker
- genpolicy
- kata-ctl


@ -28,6 +28,7 @@ jobs:
matrix:
asset:
- agent
- coco-guest-components
- kernel
- qemu
- rootfs-image


@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build
agent-ctl-tarball:
${MAKE} $@-build
coco-guest-components-tarball:
${MAKE} $@-build
cloud-hypervisor-tarball:
${MAKE} $@-build


@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}"
BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}"
INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
@ -110,6 +111,7 @@ docker run \
--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \


@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION"
readonly versions_yaml="${repo_root_dir}/versions.yaml"
readonly agent_builder="${static_build_dir}/agent/build.sh"
readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh"
readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
readonly kernel_builder="${static_build_dir}/kernel/build.sh"
@ -87,6 +88,7 @@ options:
agent-opa
agent-ctl
boot-image-se
coco-guest-components
cloud-hypervisor
cloud-hypervisor-glibc
firecracker
@ -710,6 +712,22 @@ install_agent_opa() {
install_agent_helper "yes"
}
install_coco_guest_components() {
latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"
latest_builder_image="$(get_coco_guest_components_image_name)"
install_cached_tarball_component \
"${build_target}" \
"${latest_artefact}" \
"${latest_builder_image}" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
info "build static coco-guest-components"
"${coco_guest_components_builder}"
}
install_tools_helper() {
tool=${1}
@ -821,9 +839,11 @@ handle_build() {
agent-opa) install_agent_opa ;;
agent-ctl) install_agent_ctl ;;
boot-image-se) install_se_image ;;
coco-guest-components) install_coco_guest_components ;;
cloud-hypervisor) install_clh ;;
cloud-hypervisor-glibc) install_clh_glibc ;;
@ -941,6 +961,7 @@ main() {
agent-opa
agent-ctl
cloud-hypervisor
coco-guest-components
firecracker
genpolicy
kata-ctl
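Review bot: The cache lookup in install_coco_guest_components keys the artefact on version and toolchain only (`latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"`), while the build itself is parameterised by TEE_PLATFORM, which the new build.sh passes into the container as `--env TEE_PLATFORM=${TEE_PLATFORM:-all}` and the builder script hands to `make build` and `make install`. If the produced binaries differ per platform, a tarball built with one TEE_PLATFORM value can be served from the cache for another; folding the platform into the key, e.g. `latest_artefact="${latest_artefact}-${TEE_PLATFORM:-all}"`, would keep it honest — confirm whether install_cached_tarball_component already accounts for it. As a minor style point, the new entry is listed before cloud-hypervisor in the options text and in the Makefile's tarball targets but after it in main()'s list; one ordering is easier to scan. install_coco_guest_components is complete within the hunk; handle_build and main start outside it.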


@ -151,6 +151,7 @@ used to build the release artefacts.
The users who want to rebuild the tarballs using exactly the same images can simply use the following environment
variables:
* \`AGENT_CONTAINER_BUILDER\`
* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\`
* \`KERNEL_CONTAINER_BUILDER\`
* \`OVMF_CONTAINER_BUILDER\`
* \`QEMU_CONTAINER_BUILDER\`


@ -216,3 +216,8 @@ get_agent_image_name() {
echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
}
get_coco_guest_components_image_name() {
coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"
echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)"
}
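Review bot: `coco_guest_components_script_dir` in get_coco_guest_components_image_name is assigned without `local`, so it persists in the caller's shell after the function returns; the neighbouring get_agent_image_name appears to follow the same pattern, so this may be the file's convention, but `local coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"` costs nothing. The unquoted `${coco_guest_components_script_dir}` passed to get_last_modification would also word-split if repo_root_dir ever contained whitespace, so quoting it is worth doing at the same time.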


@ -0,0 +1,28 @@
# Copyright (c) 2024 Intel
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:22.04
ARG RUST_TOOLCHAIN
ENV DEBIAN_FRONTEND=noninteractive
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN apt-get update && \
apt-get --no-install-recommends -y install \
binutils \
ca-certificates \
clang \
curl \
g++ \
gcc \
git \
gnupg \
libssl-dev \
make \
musl-tools \
openssl \
perl \
protobuf-compiler && \
apt-get clean && rm -rf /var/lib/apt/lists/ && \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
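Review bot: The rustup bootstrap on the last RUN line pipes an unpinned installer straight into `sh` (`curl ... https://sh.rustup.rs | sh -s -- -y ...`), so the builder image's toolchain provenance rests entirely on whatever that URL serves at build time, even though the toolchain version itself is pinned via RUST_TOOLCHAIN. Downloading the rustup-init binary to a file, checking it against a recorded sha256 (a placeholder such as `RUSTUP_INIT_SHA256=<expected-sha256>` kept next to the toolchain version), and only then executing it would give the image a verifiable supply-chain step; the same applies to the apt packages, which are installed unpinned. Separately, `${RUST_TOOLCHAIN}` is unquoted: if the ARG is empty, `--default-toolchain` is left without an argument rather than failing clearly, so a guard like `test -n "${RUST_TOOLCHAIN}"` at the top of the RUN would make the failure mode obvious. The rendered section shows 25 of the 28 lines, so blank lines appear to have been dropped in rendering.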


@ -0,0 +1,63 @@
#!/usr/bin/env bash
#
# Copyright (c) 2024 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../../scripts/lib.sh"
[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
[ -d "guest-components" ] && rm -rf guest-components
init_env() {
source "$HOME/.cargo/env"
export LIBC=gnu
ARCH=$(uname -m)
rust_arch=""
case ${ARCH} in
"aarch64")
rust_arch=${ARCH}
;;
"ppc64le")
rust_arch="powerpc64le"
;;
"x86_64")
rust_arch=${ARCH}
;;
"s390x")
rust_arch=${ARCH}
;;
esac
rustup target add ${rust_arch}-unknown-linux-${LIBC}
}
build_coco_guest_components_from_source() {
echo "build coco-guest-components from source"
init_env
git clone --depth 1 ${coco_guest_components_repo} guest-components
pushd guest-components
git fetch --depth=1 origin "${coco_guest_components_version}"
git checkout FETCH_HEAD
TEE_PLATFORM=${TEE_PLATFORM} make build
strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
TEE_PLATFORM=${TEE_PLATFORM} make install
popd
}
build_coco_guest_components_from_source $@
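Review bot: The `case ${ARCH} in` in init_env has no default branch, so on any architecture other than the four listed `rust_arch` stays empty and the script proceeds to `rustup target add -unknown-linux-gnu` and later `strip target/-unknown-linux-gnu/...`, failing with an unhelpful error well after the clone; adding `*) die "unsupported architecture: ${ARCH}" ;;` before `esac` fails fast with a clear message. Note also that `rust_arch` is set inside init_env without `local` and then read by build_coco_guest_components_from_source, which works only because both are globals — a comment saying so, or returning the value, would stop a future `local` from silently breaking the strip lines. The final `build_coco_guest_components_from_source $@` is unquoted and the function takes no arguments; `"$@"` or dropping the arguments altogether is cleaner.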


@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# Copyright (c) 2024 Intel
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
source "${script_dir}/../../scripts/lib.sh"
coco_guest_components_repo="${coco_guest_components_repo:-}"
coco_guest_components_version="${coco_guest_components_version:-}"
coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
package_output_dir="${package_output_dir:-}"
[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
sudo docker pull ${container_image} || \
(sudo docker $BUILDX build $PLATFORM \
--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
-t "${container_image}" "${script_dir}" && \
# No-op unless PUSH_TO_REGISTRY is exported as "yes"
push_to_registry "${container_image}")
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
-w "${PWD}" \
--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
--env coco_guest_components_repo="${coco_guest_components_repo}" \
--env coco_guest_components_version="${coco_guest_components_version}" \
"${container_image}" \
bash -c "${coco_guest_components_builder}"
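Review bot: The container entrypoint on the last line, `bash -c "${coco_guest_components_builder}"`, hands the script path to bash as a command string, so it is re-parsed by the container shell and would break on a repo_root_dir containing spaces or shell metacharacters; passing the path as argv, `"${coco_guest_components_builder}"` in place of the `bash -c` pair, runs the same script without that reinterpretation. Under `set -o nounset`, `${CROSS_BUILD}`, `$BUILDX` and `$PLATFORM` must already be set by lib.sh or the caller or the script aborts with an unbound-variable error before reaching the build — presumably they are, as the sibling builders use the same names, but `${CROSS_BUILD:-}` would make the dependency explicit. `${container_image}` on the `docker pull` line and `${TEE_PLATFORM:-all}` on the `--env` line are unquoted while every other expansion is quoted; consistent quoting is a small readability win.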


@ -207,6 +207,12 @@ externals:
url: "https://github.com/containernetworking/plugins"
version: "v1.2.0"
coco-guest-components:
description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/"
version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
toolchain: "1.72.0"
conmon:
description: "An OCI container runtime monitor"
url: "https://github.com/containers/conmon"
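Review bot: The new `description` for coco-guest-components covers only attested key unwrapping for image decryption, while the builder script this commit adds strips and installs three binaries (confidential-data-hub, attestation-agent and api-server-rest); a description naming the shipped components, e.g. `description: "Attestation agent, confidential data hub and API server for the CoCo guest"`, would make the entry match what the tarball contains. Pinning `version` to a full commit hash rather than a tag is good for reproducibility and is worth keeping as the convention for this entry.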