From 37060a7d2e1090ac0df6e0a8656d30f7b37c052b Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Tue, 14 May 2024 14:26:11 +0200
Subject: [PATCH 1/3] local-build: Stop using cached artifacts when local-build/* is updated

This is to add an info for files at `tools/packaging/kata-deploy/local-build/* to a version of the components and ensure that the cached artefacts are not used when the files of interest are updated.

Fixes: #9630
Signed-off-by: Hyounggyu Choi
---
 .../packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 33fba31863..e355721d98 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -186,7 +186,7 @@ install_cached_tarball_component() {
  fi
  local component="${1}"
- local current_version="${2}"
+ local current_version="${2}-$(git log -1 --pretty=format:"%h" ${repo_root_dir}/tools/packaging/kata-deploy/local-build)"
  local current_image_version="${3}"
  local component_tarball_name="${4}"
  local component_tarball_path="${5}"
@@ -1077,7 +1077,7 @@ handle_build() {
  esac
  pushd ${workdir}
- echo "${latest_artefact}" > ${build_target}-version
+ echo "${latest_artefact}-$(git log -1 --pretty=format:"%h" ${repo_root_dir}/tools/packaging/kata-deploy/local-build)" > ${build_target}-version
  echo "${latest_builder_image}" > ${build_target}-builder-image-version
  sha256sum "${final_tarball_name}" > ${build_target}-sha256sum

From 75bd97e8df0ec6817e395b8b54683406eca42b65 Mon Sep 17 00:00:00 2001
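Review bot: The `git log` command substitution on the added `local current_version=` line fails silently: `local` masks its exit status, so when `repo_root_dir` is unset or empty, the checkout is not a git repository, or git is not installed, the version becomes `${2}-` on both the producer and the consumer side and the cache key still matches — exactly the stale reuse this commit is meant to stop — and `${repo_root_dir}` is also expanded unquoted. The same expression is pasted verbatim into handle_build, so a single helper that fails loudly and is used by both call sites keeps the two keys from drifting apart; the fence below assumes the script's existing `die` helper is in scope. Note that `%h` is an abbreviated hash whose length depends on `core.abbrev` and the repository's object count, and that uncommitted edits to local-build/* do not change it, so the key only busts the cache for committed changes; `%H` avoids the first of those. install_cached_tarball_component starts before and continues after this hunk.
```shell
# Revision of the last commit touching the local-build tooling, appended to
# every component version so cached artefacts are not reused once the build
# scripts themselves change. Fails instead of returning an empty string: an
# empty suffix would silently re-enable the stale cache on both sides.
get_local_build_rev() {
	local rev
	rev=$(git -C "${repo_root_dir}" log -1 --pretty=format:"%H" -- tools/packaging/kata-deploy/local-build) || return 1
	[ -n "${rev}" ] || return 1
	echo "${rev}"
}

# … unchanged: argument checks at the top of install_cached_tarball_component …
	local component="${1}"
	local local_build_rev
	local_build_rev=$(get_local_build_rev) || die "Cannot determine the local-build revision"
	local current_version="${2}-${local_build_rev}"
```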
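Review bot: The `git log` suffix written by the `echo "${latest_artefact}-…"` line must match byte-for-byte what install_cached_tarball_component computes, or the cache never hits, and duplicating the expression by hand is how the two drift. Compute it once in a shared helper and call it from both sites, e.g. `echo "${latest_artefact}-$(get_local_build_rev)" > "${build_target}-version"`, quoting the redirect target while the line is being touched. A failing git command is also swallowed here because only `echo`'s exit status is observed, leaving a `-version` file with a bare trailing `-` that will later match an equally broken key. handle_build starts before and continues after this hunk.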
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 14 May 2024 19:48:23 +0200
Subject: [PATCH 2/3] build: Ensure the default rootfs is built with AGENT_POLICY=yes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is needed, as b1710ee2c0909c82e75a659e82cde72665201618 made the default agent shipped the one with policy support. However, we simply didn't update the rootfs to reflect that, causing then an issue to start the agent as shown by the strace below:

```
open("/etc/kata-opa/default-policy.rego", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
futex(0x7f401eba0c28, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
tkill(553681, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=553681, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
```

This happens as the default policy **must** be set when the agent is built with policy support, but the code path that copies that into the rootfs is only triggered if the rootfs itself is built with AGENT_POLICY=yes, which we're now doing for both confidential and non-confidential cases.

Sadly this was not caught by CI till we the cache was not used for rootfs, which should be solved by the previous commit.

Fixes: #9630, #9631
Signed-off-by: Fabiano FidĂȘncio
---
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index e355721d98..bc3c9944ad 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -326,13 +326,13 @@ install_image() {
  fi
  export AGENT_TARBALL=$(get_agent_tarball_path)
+ export AGENT_POLICY=yes
  "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 #Install guest image for confidential guests
 install_image_confidential() {
- export AGENT_POLICY=yes
  export MEASURED_ROOTFS=yes
  export PULL_TYPE=default
  install_image "confidential"
@@ -396,13 +396,13 @@ install_initrd() {
  fi
  export AGENT_TARBALL=$(get_agent_tarball_path)
+ export AGENT_POLICY=yes
  "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 #Install guest initrd for confidential guests
 install_initrd_confidential() {
- export AGENT_POLICY=yes
  export MEASURED_ROOTFS=yes
  export PULL_TYPE=default
  install_initrd "confidential"
@@ -410,7 +410,6 @@ install_initrd_confidential() {
 #Install Mariner guest initrd
 install_initrd_mariner() {
- export AGENT_POLICY=yes
  install_initrd "mariner"
 }

From 92bb235723be307c93e00bd0745548eff05f3f47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 14 May 2024 19:54:45 +0200
Subject: [PATCH 3/3] osbuilder: Log when the default policy is installed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This will help us to debug issues in the future (and would have helped in the past as well). :-)

Signed-off-by: Fabiano FidĂȘncio
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 210ca24358..d7230c4297 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
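Review bot: The added `export AGENT_POLICY=yes` in install_image silently overrides any AGENT_POLICY the caller exported, and nothing in the hunk records why the value is forced rather than defaulted, so the next reader is likely to turn it back into an opt-in and reintroduce the crash from #9631. Put the reason next to it, e.g. `# Forced, not defaulted: the default agent is built with policy support and aborts at start-up when /etc/kata-opa/default-policy.rego is missing from the rootfs (see b1710ee2), so every rootfs must carry the default policy.` A warning when an inherited value disagrees, `[ "${AGENT_POLICY:-yes}" = "yes" ] || echo "WARNING: AGENT_POLICY=${AGENT_POLICY} ignored, the default agent requires policy support" >&2`, would have surfaced the mismatch in the build log instead of in an strace. Because `export` is process-wide, the value also persists into every later build step of the same invocation, which looks intended but is worth a word. install_image starts before this hunk.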
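Review bot: install_initrd now carries the same forced `export AGENT_POLICY=yes` as install_image, and the two functions are otherwise identical apart from `--imagetype`; a future change to one is likely to miss the other, which is how the confidential and non-confidential paths fell out of step in the first place. Consider moving the shared exports (`AGENT_TARBALL`, `AGENT_POLICY`) into one small helper that both functions call, or, if the script has a top-level defaults section, setting `AGENT_POLICY` there once with the comment explaining why it cannot be turned off. install_initrd starts before this hunk.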
@@ -706,6 +706,7 @@ EOF
  fi
  if [ "${AGENT_POLICY}" == "yes" ]; then
+ info "Install the default policy"
  # Install default settings for the kata-opa service.
  local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
  local opa_settings_dir="/etc/kata-opa"
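Review bot: The new `info "Install the default policy"` line is emitted before `kata_opa_in_dir` and `opa_settings_dir` are assigned, so the log records that a policy was installed but not from where or to where — the detail that would actually have narrowed down #9631. Move the message below the two `local` assignments and include both paths: `info "Installing the default agent policy from ${kata_opa_in_dir} into ${opa_settings_dir}"`. The enclosing `if [ "${AGENT_POLICY}" == "yes" ]` block continues past the end of this hunk; if it has an `else` branch, a matching message on the skipped path would show at a glance that a rootfs was built without policy support.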