diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index 9a5f9db9ff..45b1dd0d5f 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@@ -11,11 +11,11 @@ OS_NAME=ubuntu
 # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
 OS_VERSION=${OS_VERSION:-""}
 [[ -z "${OS_VERSION}" ]] && echo "OS_VERSION is required, but was not set" && exit 1
-PACKAGES="chrony iptables dbus"
+PACKAGES="chrony iptables dbus cryptsetup-bin"
 # shellcheck disable=SC2154
 [[ "${AGENT_INIT}" = no ]] && PACKAGES+=" init"
 # CDH secure storage feature requires these tools in the guest
-[[ "${CONFIDENTIAL_GUEST:-no}" = "yes" ]] && PACKAGES+=" cryptsetup-bin e2fsprogs"
+[[ "${CONFIDENTIAL_GUEST:-no}" = "yes" ]] && PACKAGES+=" e2fsprogs"
 # shellcheck disable=SC2154
 [[ "${SECCOMP}" = yes ]] && PACKAGES+=" libseccomp2"
 [[ "$(uname -m)" = "s390x" ]] && PACKAGES+=" libcurl4 libnghttp2-14"
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 73128a089c..080668c65f 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -36,6 +36,7 @@ BASE_TARBALLS = serial-targets \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
 rootfs-image-confidential-tarball \
+ rootfs-image-coco-addon-tarball \
 rootfs-image-mariner-tarball \
 rootfs-initrd-confidential-tarball \
 rootfs-initrd-tarball \
@@ -49,6 +50,7 @@ BASE_TARBALLS = serial-targets \
 shim-v2-tarball \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+ rootfs-image-coco-addon-tarball \
 rootfs-initrd-tarball
 else ifeq ($(ARCH), aarch64)
 BASE_TARBALLS = serial-targets \
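Review bot: cryptsetup-bin is moved into the unconditional PACKAGES line without a word on why every Ubuntu rootfs, confidential or not, now needs it, while the surviving `# CDH secure storage feature requires these tools in the guest` comment now only describes e2fsprogs. Presumably the reason is that veritysetup (shipped in cryptsetup-bin) is needed to open the dm-verity protected CoCo addon image that the rest of this commit introduces, but that is an inference and should be confirmed. Record the intent next to the assignment, e.g. `# cryptsetup-bin (veritysetup) is needed by every image to open the verity-protected CoCo addon image`, so the package is not later "cleaned up" back into the confidential-only list.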
@@ -61,6 +63,7 @@ BASE_TARBALLS = serial-targets \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
 rootfs-image-confidential-tarball \
+ rootfs-image-coco-addon-tarball \
 rootfs-cca-confidential-image-tarball \
 rootfs-cca-confidential-initrd-tarball \
 rootfs-initrd-tarball
@@ -187,10 +190,14 @@ DEPS := agent-tarball
 rootfs-image-tarball: $(DEPS)
 ${MAKE} $@-build
 
-DEPS := agent-tarball pause-image-tarball coco-guest-components-tarball kernel-tarball
+DEPS := agent-tarball kernel-tarball
 rootfs-image-confidential-tarball: $(DEPS)
 ${MAKE} $@-build
 
+DEPS := pause-image-tarball coco-guest-components-tarball
+rootfs-image-coco-addon-tarball: $(DEPS)
+ ${MAKE} $@-build
+
 DEPS := agent-tarball
 rootfs-image-mariner-tarball: $(DEPS)
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index b2f1046299..7f455f274f 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -136,6 +136,7 @@ options:
 stratovirt
 rootfs-image
 rootfs-image-confidential
+ rootfs-image-coco-addon
 rootfs-image-mariner
 rootfs-initrd
 rootfs-initrd-confidential
@@ -182,7 +183,7 @@ get_kernel_modules_dir() {
 }
 
 cleanup_and_fail_shim_v2_specifics() {
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 local root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash_${variant}.txt"
 [[ -f "${root_hash_file}" ]] && rm -f "${root_hash_file}"
 done
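Review bot: rootfs-image-confidential-tarball drops pause-image-tarball and coco-guest-components-tarball from its DEPS, yet install_image() in kata-deploy-binaries.sh (later in this commit) still consumes both tarballs for the nvidia-gpu-confidential variant. The DEPS line for the nvidia-gpu-confidential image target is outside this hunk, so confirm it still lists both; otherwise a fresh build of that target can run before its inputs exist. A short comment above the new target would also save the next reader a trip through the shell script: `# CoCo guest components and the pause image are shipped as a separate addon image, not baked into rootfs-image-confidential`.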
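Review bot: The variant list `confidential coco-addon nvidia-gpu nvidia-gpu-confidential` is now hand-copied into six loops (this one, install_cached_shim_v2_tarball_get_root_hash, install_cached_shim_v2_tarball_compare_root_hashes, install_shimv2 and the two shim-v2 branches of handle_build), so the next variant is likely to be missed in at least one of them, and a loop that misses a variant can leave that image's root hash out of the shim-v2 packaging without any error. Define it once near the top of the script, e.g. `readonly MEASURED_ROOTFS_VARIANTS=(confidential coco-addon nvidia-gpu nvidia-gpu-confidential)`, and iterate with `for variant in "${MEASURED_ROOTFS_VARIANTS[@]}"; do` in all six places.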
@@ -212,7 +213,7 @@ install_cached_shim_v2_tarball_get_root_hash() {
 local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
 local root_hash_basedir="./opt/kata/share/kata-containers/"
 
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 local image_conf_tarball="kata-static-rootfs-image-${variant}.tar.zst"
 local tarball_path="${tarball_dir}/${image_conf_tarball}"
 local root_hash_path="${root_hash_basedir}root_hash_${variant}.txt"
@@ -232,7 +233,7 @@ install_cached_shim_v2_tarball_compare_root_hashes() {
 local found_any=""
 local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
 
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 # Skip if one or the other does not exist.
 [[ ! -f "${tarball_dir}/root_hash_${variant}.txt" ]] && continue
 
@@ -433,12 +434,11 @@ install_image() {
 latest_artefact+="-$(get_latest_nvidia_ctk_version)"
 latest_artefact+="-$(get_latest_nvidia_nvrc_version)"
 latest_artefact+="-$(get_latest_nvidia_nvat_version)"
+ latest_artefact+="-$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
+ latest_artefact+="-$(get_latest_pause_image_artefact_and_builder_image_version)"
 else
 latest_artefact+="-$(get_latest_kernel_artefact_and_builder_image_version)"
 fi
-
- latest_artefact+="-$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
- latest_artefact+="-$(get_latest_pause_image_artefact_and_builder_image_version)"
 fi
 
 if [[ "${variant}" == "nvidia-gpu" ]]; then
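Review bot: The CoCo/pause version stamps now sit inside the first branch of an if whose condition is outside this hunk; if that branch also covers the non-confidential nvidia-gpu variant, its cache key gains two components that image never bakes in (only spurious cache misses, not wrong artefacts), while the `else` branch used by plain `confidential` correctly stops carrying them. The cache key and the `nvidia-gpu-confidential`-only guard further down in install_image() now have to agree, and nothing ties them together, so a one-line comment here would help: `# CoCo components are only baked into nvidia-gpu-confidential; every other image gets them from the coco-addon image`. install_image() continues outside the hunk.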
@@ -462,7 +462,11 @@ install_image() {
 info "Create image"
 
 if [[ -n "${variant}" ]]; then
- if [[ "${variant}" == *confidential ]]; then
+ # NVIDIA confidential images still bake CoCo components into the
+ # rootfs (until the NVIDIA addon split lands). Standard
+ # confidential images no longer need them -- CoCo components are
+ # built as a separate addon image (rootfs-image-coco-addon).
+ if [[ "${variant}" == "nvidia-gpu-confidential" ]]; then
 COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 export COCO_GUEST_COMPONENTS_TARBALL
 PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
@@ -499,6 +503,10 @@ install_image() {
 }
 
 #Install guest image for confidential guests
+#
+ # CoCo guest components are no longer baked into this image.
+ # They are built separately as a CoCo addon image
+ # (rootfs-image-coco-addon) and attached as an extra block device.
 install_image_confidential() {
 export CONFIDENTIAL_GUEST="yes"
 if [[ "${ARCH}" == "s390x" ]]; then
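Review bot: The guard narrows from the glob `*confidential` to the exact string `"nvidia-gpu-confidential"`, so any other variant ending in "confidential" that still goes through install_image() — the aarch64 block of the Makefile lists a rootfs-cca-confidential-image-tarball, whose variant name is not visible here — no longer gets COCO_GUEST_COMPONENTS_TARBALL and PAUSE_IMAGE_TARBALL exported and silently loses the CoCo components. If every such variant is meant to use the addon image, say so in the new comment; if one still bakes them in, list it explicitly, e.g. `if [[ "${variant}" == "nvidia-gpu-confidential" || "${variant}" == "<other-baked-in-variant>" ]]; then`. install_image() continues outside the hunk.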
@@ -509,6 +517,64 @@ install_image_confidential() {
 install_image "confidential"
 }
 
+#Install CoCo addon image (erofs+verity, contains CoCo guest components + pause)
+install_image_coco_addon() {
+ local component="rootfs-image-coco-addon"
+
+ local coco_last_commit
+ coco_last_commit="$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
+ local pause_last_commit
+ pause_last_commit="$(get_latest_pause_image_artefact_and_builder_image_version)"
+
+ latest_artefact="$(get_kata_version)-coco-addon-${coco_last_commit}-${pause_last_commit}"
+ latest_builder_image=""
+
+ install_cached_tarball_component \
+ "${component}" \
+ "${latest_artefact}" \
+ "${latest_builder_image}" \
+ "${final_tarball_name}" \
+ "${final_tarball_path}" \
+ && return 0
+
+ info "Create CoCo addon image"
+
+ # Use a temp dir under the repo root so the path is valid both inside
+ # the outer build-kata-deploy container and in the nested image-builder
+ # container (Docker-in-Docker mounts use host paths).
+ local addon_rootfs
+ addon_rootfs="$(mktemp -d "${repo_root_dir}/.coco-addon-rootfs.XXXX")"
+
+ COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
+ PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
+
+ info "Unpacking CoCo guest components into addon rootfs"
+ tar --zstd -xvf "${COCO_GUEST_COMPONENTS_TARBALL}" -C "${addon_rootfs}"
+
+ info "Unpacking pause image into addon rootfs"
+ tar --zstd -xvf "${PAUSE_IMAGE_TARBALL}" -C "${addon_rootfs}"
+
+ local install_dir="${destdir}/${prefix}/share/kata-containers/"
+ mkdir -p "${install_dir}"
+
+ local image_builder="${repo_root_dir}/tools/osbuilder/image-builder/image_builder.sh"
+
+ export USE_DOCKER="1"
+ export BUILD_VARIANT="coco-addon"
+ export FS_TYPE="erofs"
+ export MEASURED_ROOTFS="yes"
+ export SKIP_DAX_HEADER="yes"
+ export SKIP_ROOTFS_CHECK="yes"
+
+ "${image_builder}" -o "${install_dir}/kata-containers-coco-addon.img" "${addon_rootfs}"
+
+ if [[ -e "${install_dir}/root_hash_coco-addon.txt" ]]; then
+ info "Root hash file: ${install_dir}/root_hash_coco-addon.txt"
+ fi
+
+ rm -rf "${addon_rootfs}"
+}
+
 #Install cbl-mariner guest image
 install_image_mariner() {
 export IMAGE_SIZE_ALIGNMENT_MB=2
@@ -1071,7 +1137,7 @@ install_shimv2() {
 export MEASURED_ROOTFS
 export RUNTIME_CHOICE
 
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 local image_conf_tarball
 image_conf_tarball="$(find "${workdir}" -maxdepth 1 -name "kata-static-rootfs-image-${variant}.tar.zst" 2>/dev/null | head -n 1)"
 # Only one variant may be built at a time so we need to
@@ -1459,6 +1525,8 @@ handle_build() {
 
 rootfs-image-confidential) install_image_confidential ;;
 
+ rootfs-image-coco-addon) install_image_coco_addon ;;
+
 rootfs-image-mariner) install_image_mariner ;;
 
 rootfs-initrd) install_initrd ;;
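Review bot: A missing root hash is only logged, not fatal: after image_builder.sh runs with MEASURED_ROOTFS=yes, the `if [[ -e "${install_dir}/root_hash_coco-addon.txt" ]]` block in install_image_coco_addon() only prints an info line, so an addon image whose dm-verity root hash was not produced is packaged as if it were measured, and the later shim-v2 steps that look for root_hash_coco-addon.txt simply find nothing. Make it fatal: `[[ -e "${install_dir}/root_hash_coco-addon.txt" ]] || die "root hash for the CoCo addon image was not generated"`. Two smaller points: the six `export`s (USE_DOCKER, BUILD_VARIANT, FS_TYPE, MEASURED_ROOTFS, SKIP_DAX_HEADER, SKIP_ROOTFS_CHECK) stay in the caller's environment after the function returns, so passing them on the command line (`USE_DOCKER=1 BUILD_VARIANT=coco-addon FS_TYPE=erofs MEASURED_ROOTFS=yes SKIP_DAX_HEADER=yes SKIP_ROOTFS_CHECK=yes "${image_builder}" -o ...`) would keep them local to this build; and the mktemp directory under repo_root_dir is removed only on the success path, so a trap installed right after mktemp would also cover the tar and image-builder failure paths.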
@@ -1526,7 +1594,7 @@ handle_build() {
 ;;
 shim-v2)
 if [[ "${MEASURED_ROOTFS}" == "yes" ]]; then
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 [[ -f "${workdir}/root_hash_${variant}.txt" ]] && mv "${workdir}/root_hash_${variant}.txt" "${workdir}/shim-v2-root_hash_${variant}.txt"
 done
 fi
@@ -1588,10 +1656,10 @@ handle_build() {
 shim-v2)
 if [[ "${MEASURED_ROOTFS}" == "yes" ]]; then
 local found_any=""
- for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
+ for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
 # The variants could be built independently we need to check if
 # they exist and then push them to the registry
- [[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ]] && files_to_push+=("shim-v2-root_hash_${variant}.txt")
+ [[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ]] && files_to_push+=("shim-v2-root_hash_${variant}.txt")
 found_any="yes"
 done
 [[ -z "${found_any}" ]] && die "No files to push for shim-v2 with MEASURED_ROOTFS support"
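Review bot: `found_any="yes"` on the context line right below the changed `[[ -f ... ]] && files_to_push+=(...)` line runs unconditionally, so found_any is set on the first iteration whether or not any root-hash file exists and the `die "No files to push for shim-v2 with MEASURED_ROOTFS support"` guard can never fire. As far as this hunk shows, the -/+ pair on that line differs only in whitespace, so the defect is pre-existing, but the commit rewrites the exact line and is the natural place to fix it. Tie the flag to the existence check: `[[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ]] || continue`, then `files_to_push+=("shim-v2-root_hash_${variant}.txt")` and `found_any="yes"` as two plain lines. The enclosing shim-v2 branch of handle_build() continues outside the hunk.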