From e410c0462239913327f9ac1c13dadc43a7ac0db7 Mon Sep 17 00:00:00 2001 From: Snir Sheriber Date: Mon, 19 Sep 2022 12:38:15 +0300 Subject: [PATCH 01/33] agent: validate hugepage size is supported before setting a limit, otherwise paths may not be found. guest supporting different hugepage size is more likely with peer-pods where podvm may use different flavor. Fixes: #5191 Signed-off-by: Snir Sheriber --- src/agent/rustjail/src/cgroups/fs/mod.rs | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/agent/rustjail/src/cgroups/fs/mod.rs b/src/agent/rustjail/src/cgroups/fs/mod.rs index 175e9d92a9..bb52c9e3b2 100644 --- a/src/agent/rustjail/src/cgroups/fs/mod.rs +++ b/src/agent/rustjail/src/cgroups/fs/mod.rs @@ -252,19 +252,28 @@ fn set_devices_resources( } fn set_hugepages_resources( - _cg: &cgroups::Cgroup, + cg: &cgroups::Cgroup, hugepage_limits: &[LinuxHugepageLimit], res: &mut cgroups::Resources, ) { info!(sl!(), "cgroup manager set hugepage"); let mut limits = vec![]; + let hugetlb_controller = cg.controller_of::(); for l in hugepage_limits.iter() { - let hr = HugePageResource { - size: l.page_size.clone(), - limit: l.limit, - }; - limits.push(hr); + if hugetlb_controller.is_some() && hugetlb_controller.unwrap().size_supported(&l.page_size) + { + let hr = HugePageResource { + size: l.page_size.clone(), + limit: l.limit, + }; + limits.push(hr); + } else { + warn!( + sl!(), + "{} page size support cannot be verified, dropping requested limit", l.page_size + ); + } } res.hugepages.limits = limits; } From 4906228701b0a71ef8d2e941ce7cca2b8748ad40 Mon Sep 17 00:00:00 2001 
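Review bot: The new guard `if hugetlb_controller.is_some() && hugetlb_controller.unwrap().size_supported(&l.page_size)` re-tests and unwraps the same `Option` on every loop iteration; `if let Some(ctrl) = hugetlb_controller.as_ref().filter(|c| c.size_supported(&l.page_size)) {` expresses the same condition without the `unwrap()` and keeps the `else` branch for the warning. The generic argument on `cg.controller_of::()` appears empty in this rendering of the patch, presumably lost in extraction; worth confirming the type parameter is present in the committed file. Note also that a page size the guest cannot confirm now results in the requested limit being dropped with only a `warn!`, so a container can end up with fewer hugepage constraints than its spec asked for; a comment stating this is deliberate, e.g. `// A limit whose page size the guest cannot confirm is skipped rather than failing the container.`, makes that trade-off visible to the next maintainer.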
From: Anand Krishnamoorthi Date: Sun, 2 Oct 2022 16:14:35 -0700 Subject: [PATCH 02/33] CCv0: Optimize integrity device creation by avoiding full device clear Based on https://gitlab.com/cryptsetup/cryptsetup/-/issues/525 1. When --no-wipe is used, the device will have invalid checksums 2. mkfs.ext4 would fail on an un-wiped device due to reads of pages with invalid checksums 3. To make mkfs.ext4 work - Perform a dry run to figure out which sectors (pages) mkfs.ext4 will write to. - Perform directe writes to these pages to ensure that they will have valid checksums - Invoke mkfs.ext4 again to perform initialization 4 Use lazy_journal_init option with mkfs.ext4 to lazily initialize the journal. According to the man pages, "This speeds up file system initialization noticeably, but carries some small risk if the system crashes before the journal has been overwritten entirely one time." Since the storage is ephemeral, not expected to survive a system crash/power cycle, it is safe to use lazy_journal_init. Fixes #5329 Signed-off-by: Anand Krishnamoorthi --- .../rootfs-builder/init_trusted_storage.sh | 57 ++++++++++++++++++- 1 file changed, 54 insertions(+), 3 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/init_trusted_storage.sh b/tools/osbuilder/rootfs-builder/init_trusted_storage.sh index 279426ce37..9e0ea95afb 100755 --- a/tools/osbuilder/rootfs-builder/init_trusted_storage.sh +++ b/tools/osbuilder/rootfs-builder/init_trusted_storage.sh @@ -53,7 +53,7 @@ if [ -n "${2-}" ]; then data_integrity="$2" fi -device_name=$(sed -e 's/DEVNAME=//g;t;d' /sys/dev/block/${device_num}/uevent) +device_name=$(sed -e 's/DEVNAME=//g;t;d' "/sys/dev/block/${device_num}/uevent") device_path="/dev/$device_name" if [[ -n "$device_name" && -b "$device_path" ]]; then storage_key_path="/run/cc_storage.key" 
@@ -63,13 +63,64 @@ if [[ -n "$device_name" && -b "$device_path" ]]; then echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \ --cipher aes-xts-plain64 "$storage_key_path" else + # Wiping a device is a time consuming operation. To avoid a full wipe, integritysetup + # and crypt setup provide a --no-wipe option. + # However, an integrity device that is not wiped will have invalid checksums. Normally + # this should not be a problem since a page must first be written to before it can be read + # (otherwise the data would be arbitrary). The act of writing would populate the checksum + # for the page. + # However, tools like mkfs.ext4 read pages before they are written; sometimes the read + # of an unwritten page happens due to kernel buffering. + # See https://gitlab.com/cryptsetup/cryptsetup/-/issues/525 for explanation and fix. + # The way to propery format the non-wiped dm-integrity device is to figure out which pages + # mkfs.ext4 will write to and then to write to those pages before hand so that they will + # have valid integrity tags. echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \ - --cipher aes-xts-plain64 --integrity hmac-sha256 "$storage_key_path" + --cipher aes-xts-plain64 --integrity hmac-sha256 "$storage_key_path" \ + --integrity-no-wipe fi cryptsetup luksOpen -d "$storage_key_path" "$device_path" ephemeral_image_encrypted_disk rm "$storage_key_path" - mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk + if [ "$data_integrity" == "false" ]; then + mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk -E lazy_journal_init + else + # mkfs.ext4 doesn't perform whole sector writes and this will cause checksum failures + # with an unwiped integrity device. Therefore, first perform a dry run. 
+ output=$(mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk -F -n) + + # The above command will produce output like + # mke2fs 1.46.5 (30-Dec-2021) + # Creating filesystem with 268435456 4k blocks and 67108864 inodes + # Filesystem UUID: 4a5ff012-91c0-47d9-b4bb-8f83e830825f + # Superblock backups stored on blocks: + # 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, + # 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968, + # 102400000, 214990848 + delimiter="Superblock backups stored on blocks:" + blocks_list=$([[ $output =~ $delimiter(.*) ]] && echo "${BASH_REMATCH[1]}") + + # Find list of blocks + block_nums=$(echo "$blocks_list" | grep -Eo '[0-9]{4,}' | sort -n) + + # Add zero to list of blocks + block_nums="0 $block_nums" + + # Iterate through each block and write to it to ensure that it has valid checksum + for block_num in $block_nums + do + echo "Clearing page at $block_num" + # Zero out the page + dd if=/dev/zero bs=4k count=1 oflag=direct \ + of=/dev/mapper/ephemeral_image_encrypted_disk seek="$block_num" + done + + # Now perform the actual ext4 format. Use lazy_journal_init so that the journal is + # initialized on demand. This is safe for ephemeral storage since we don't expect + # ephemeral storage to survice a power cycle. + mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk -E lazy_journal_init + fi + [ ! -d "/run/image" ] && mkdir /run/image From 54544dd6173960127e7d0b2e74975de7ab2acd42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 12:24:45 +0200 Subject: [PATCH 03/33] packaging: Allow passing registry to build-and-upload-payload.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's make the registry an optional argument to be passed to the `kata-deploy-build-and-upload-payload.sh` script, defaulting to the official Confidential Containers payload registry. 
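Review bot: The dry-run result `output=$(mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk -F -n)` is never checked, so if the dry run fails `blocks_list` is empty, only block 0 is zeroed, and the real `mkfs.ext4` later fails on the un-wiped integrity device with a far less obvious error; `output=$(mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk -F -n) || { echo "mkfs.ext4 dry run failed"; exit 1; }` fails early with the cause visible (adjust if the script already runs under `set -e`, which is outside the hunk). The loop zeroes exactly one 4k page per listed block, whereas mkfs.ext4 presumably also writes the group-descriptor blocks that follow each backup superblock; whether the kernel-buffering explanation in the comment covers those is not verifiable from this hunk and deserves a test on a large device. The `bs=4k` in `dd` is silently tied to the `--sector-size 4096` passed to `cryptsetup luksFormat` earlier in the file; a one-line comment naming that coupling would keep the two from drifting apart. The enclosing `if [[ -n "$device_name" && -b "$device_path" ]]` block starts before this hunk.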
Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-build-and-upload-payload.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh index 917864249a..a715b0f49c 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh @@ -7,13 +7,14 @@ KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc" KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" +REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}" echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR" cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR pushd $KATA_DEPLOY_DIR -IMAGE_TAG="quay.io/confidential-containers/runtime-payload:kata-containers-$(git rev-parse HEAD)" +IMAGE_TAG="${REGISTRY}:kata-containers-$(git rev-parse HEAD)" echo "Building the image" docker build --tag $IMAGE_TAG . From f4437980b4958db506cff654c3d74669cb9dbd13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 12:57:29 +0200 Subject: [PATCH 04/33] packaging: Allow passing an extra tag to build-and-upload-payload.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's modify the script so we allow passing an extra tag, which will be used as part of the Kata Containers pyload for Confidential Containers CI GitHub action. With this we can pass a `latest` tag, which will make things easier for the integration on the operator side. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-build-and-upload-payload.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh index a715b0f49c..d7409c08ef 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh @@ -8,6 +8,7 @@ KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc" KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}" +TAG="${3:-}" echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR" cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR @@ -22,4 +23,14 @@ docker build --tag $IMAGE_TAG . echo "Pushing the image to quay.io" docker push $IMAGE_TAG +if [ -n "${TAG}" ]; then + ADDITIONAL_TAG="${REGISTRY}:${TAG}" + + echo "Building the ${ADDITIONAL_TAG} image" + docker build --tag ${ADDITIONAL_TAG} . + + echo "Pushing the image ${ADDITIONAL_TAG} to quay.io" + docker push ${ADDITIONAL_TAG} +fi + popd From c57f8ff669e733c0c3c37515d327d60656797760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 13:00:40 +0200 Subject: [PATCH 05/33] packaging: Expand the vars on build-and-upload-payload.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Just for the sake of avoiding issues in the future. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-build-and-upload-payload.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh index d7409c08ef..4e0d2393c4 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh 
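Review bot: The extra tag is produced by a second `docker build --tag ${ADDITIONAL_TAG} .` inside the new `if [ -n "${TAG}" ]` block rather than by tagging the image just built, so the extra tag and the commit-sha tag are two separate builds with no guarantee of sharing a digest; `docker tag "${IMAGE_TAG}" "${ADDITIONAL_TAG}"` makes the second tag an alias of the exact image already pushed, which is what a consumer pinning to the sha tag would expect from a `latest`-style alias. Both new uses of `${ADDITIONAL_TAG}` are unquoted; `docker push "${ADDITIONAL_TAG}"` is the safe form. The new `echo "Pushing the image ${ADDITIONAL_TAG} to quay.io"` hard-codes the host even though the previous patch made `REGISTRY` a parameter; `echo "Pushing ${ADDITIONAL_TAG}"` stays correct for any registry.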
@@ -5,23 +5,23 @@ # SPDX-License-Identifier: Apache-2.0 # -KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc" +KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc" KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}" TAG="${3:-}" -echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR" -cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR +echo "Copying ${KATA_DEPLOY_ARTIFACT} to ${KATA_DEPLOY_DIR}" +cp ${KATA_DEPLOY_ARTIFACT} ${KATA_DEPLOY_DIR} -pushd $KATA_DEPLOY_DIR +pushd ${KATA_DEPLOY_DIR} IMAGE_TAG="${REGISTRY}:kata-containers-$(git rev-parse HEAD)" echo "Building the image" -docker build --tag $IMAGE_TAG . +docker build --tag ${IMAGE_TAG} . echo "Pushing the image to quay.io" -docker push $IMAGE_TAG +docker push ${IMAGE_TAG} if [ -n "${TAG}" ]; then ADDITIONAL_TAG="${REGISTRY}:${TAG}" From 4648d8bec7a9aa7f25f6f6e035433ecddd07d38b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 12:30:33 +0200 Subject: [PATCH 06/33] actions: Publish a payload on every CCv0 push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's have a GitHub action to publish the Kata Containers payload, after every push to the CCv0 branch, to the Confidential Containers `runtime-payload-ci` registry. The intention of this action is to allow developers to test new features, and easily bisect breakages that could've happened during the development process. Ideally we'd have a CI/CD pipeline where every single change would be tested with the operator, but we're not yet there. In any case, this work would still be needed. :-) It's very important to mention that this should be carefully considered on whether it should or should not be merged back to `main`, as the flow of PRs there is way higher than what we currently have as part of the CCv0 branch. Fixes: #5460 
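Review bot: The brace form `${VAR}` adopted throughout this hunk changes nothing about word splitting or globbing, so `cp ${KATA_DEPLOY_ARTIFACT} ${KATA_DEPLOY_DIR}`, `pushd ${KATA_DEPLOY_DIR}`, `docker build --tag ${IMAGE_TAG} .` and `docker push ${IMAGE_TAG}` still break on a path containing a space or glob character; the commit message's "avoiding issues in the future" is only achieved by double-quoting, e.g. `cp "${KATA_DEPLOY_ARTIFACT}" "${KATA_DEPLOY_DIR}"`. The same applies to the rewritten `KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc"`, where `KATA_DEPLOY_DIR="$(dirname "${0}")/../../kata-deploy-cc"` is the quote-safe form and also drops the backticks.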
Signed-off-by: Fabiano Fidêncio --- .github/workflows/cc-payload-after-push.yaml | 87 ++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 .github/workflows/cc-payload-after-push.yaml diff --git a/.github/workflows/cc-payload-after-push.yaml b/.github/workflows/cc-payload-after-push.yaml new file mode 100644 index 0000000000..7d3f78abfe --- /dev/null +++ b/.github/workflows/cc-payload-after-push.yaml 
@@ -0,0 +1,87 @@ +name: CI | Publish Kata Containers payload for Confidential Containers +on: + push: + branches: + - CCv0 + +jobs: + build-asset: + runs-on: ubuntu-latest + strategy: + matrix: + asset: + - cc-cloud-hypervisor + - cc-kernel + - cc-qemu + - cc-rootfs-image + - cc-shim-v2 + - cc-virtiofsd + - cc-sev-kernel + - cc-sev-ovmf + - cc-sev-rootfs-initrd + - cc-tdx-kernel + - cc-tdx-qemu + - cc-tdx-td-shim + - cc-tdx-tdvf + steps: + - uses: actions/checkout@v3 + - name: Build ${{ matrix.asset }} + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: build-asset + steps: + - uses: actions/checkout@v3 + - name: get-artifacts + uses: actions/download-artifact@v3 + with: + name: kata-artifacts + path: kata-artifacts + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts + - name: store-artifacts + uses: actions/upload-artifact@v3 + with: + name: kata-static-tarball + path: kata-static.tar.xz + retention-days: 1 + if-no-files-found: error + + kata-payload: + needs: create-kata-tarball + runs-on: ubuntu-latest + steps: + - name: Login to quay.io + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v3 + - name: get-kata-tarball + uses: actions/download-artifact@v3 + with: + name: kata-static-tarball + + - name: build-and-push-kata-payload + id: build-and-push-kata-payload + run: | + 
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz "quay.io/repository/confidential-containers/runtime-payload-ci" "kata-containers-latest" From 74b2ab001d088e2c4c2c0f37a5a848fd72794efe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 14 Oct 2022 14:15:59 +0200 Subject: [PATCH 07/33] action: Automate CC payload release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's create a GitHub action to automate the Kata Containers payload generation for the Confidential Containers project. This GitHub action builds the artefacts (in parallel), merges them into a single tarball, generates the payload with the resulting tarball, and uploads the payload to the Confidential Containers quay.io. It expects the tags to be used to be in the `CC-x.y.z` format, with x, y, and z being numbers. Fixes: #5330 Signed-off-by: Fabiano Fidêncio --- .github/workflows/cc-payload.yaml | 87 +++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 .github/workflows/cc-payload.yaml diff --git a/.github/workflows/cc-payload.yaml b/.github/workflows/cc-payload.yaml new file mode 100644 index 0000000000..44d6e4442f --- /dev/null +++ b/.github/workflows/cc-payload.yaml 
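Review bot: The workflow declares no `permissions:` block, so every job, including `kata-payload` which handles `secrets.COCO_QUAY_DEPLOYER_USERNAME` and `secrets.COCO_QUAY_DEPLOYER_PASSWORD`, runs with the repository's default `GITHUB_TOKEN` scope, which is broader than the read-only access these jobs need for checkout and artifact transfer; a top-level `permissions:` with `contents: read` applies least privilege (confirm the artifact actions used here need nothing more). Every action is referenced by a moving major tag (`actions/checkout@v3`, `actions/upload-artifact@v3`, `actions/download-artifact@v3`, `docker/login-action@v2`), which is the usual exposure for a job holding registry credentials if an upstream tag is ever re-pointed; pinning each `uses:` to a full commit SHA with the version in a trailing comment is the standard mitigation. In the `build-and-push-kata-payload` step the tarball path `$(pwd)/kata-static.tar.xz` is passed unquoted; quoting it is harmless and consistent with the script's other arguments. Both points apply equally to `.github/workflows/cc-payload.yaml`, added in the next patch with the same job structure.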
@@ -0,0 +1,87 @@ +name: Publish Kata Containers payload for Confidential Containers +on: + push: + tags: + - 'CC\-[0-9]+.[0-9]+.[0-9]+' + +jobs: + build-asset: + runs-on: ubuntu-latest + strategy: + matrix: + asset: + - cc-cloud-hypervisor + - cc-kernel + - cc-qemu + - cc-rootfs-image + - cc-shim-v2 + - cc-virtiofsd + - cc-sev-kernel + - cc-sev-ovmf + - cc-sev-rootfs-initrd + - cc-tdx-kernel + - cc-tdx-qemu + - cc-tdx-td-shim + - cc-tdx-tdvf + steps: + - uses: actions/checkout@v3 + - name: Build ${{ matrix.asset }} + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: build-asset + steps: + - uses: actions/checkout@v3 + - name: get-artifacts + uses: actions/download-artifact@v3 + with: + name: kata-artifacts + path: kata-artifacts + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts + - name: store-artifacts + uses: actions/upload-artifact@v3 + with: + name: kata-static-tarball + path: kata-static.tar.xz + retention-days: 1 + if-no-files-found: error + + kata-payload: + needs: create-kata-tarball + runs-on: ubuntu-latest + steps: + - name: Login to quay.io + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v3 + - name: get-kata-tarball + uses: actions/download-artifact@v3 + with: + name: kata-static-tarball + + - name: build-and-push-kata-payload + id: build-and-push-kata-payload + run: | + 
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz From b3bd4e432c6109ab5d0ec35b1cd7abafe78972e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 22:41:04 +0200 Subject: [PATCH 08/33] actions: Fix runtime-payload-ci registry address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There was a typo in the registry name, which should be quay.io/confidential-containers/runtime-payload-ci instead of quay.io/repository/confidential-containers/runtime-payload-ci Fixes: #5469 Signed-off-by: Fabiano Fidêncio --- .github/workflows/cc-payload-after-push.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cc-payload-after-push.yaml b/.github/workflows/cc-payload-after-push.yaml index 7d3f78abfe..f9315b903b 100644 --- a/.github/workflows/cc-payload-after-push.yaml +++ b/.github/workflows/cc-payload-after-push.yaml @@ -84,4 +84,4 @@ jobs: - name: build-and-push-kata-payload id: build-and-push-kata-payload run: | - ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz "quay.io/repository/confidential-containers/runtime-payload-ci" "kata-containers-latest" + ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz "quay.io/confidential-containers/runtime-payload-ci" "kata-containers-latest" From 299829aec09a1f237b85bc6cebd49980766ef33f Mon Sep 17 00:00:00 2001 
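Review bot: The release workflow pushes a payload to the default production registry on any push of a tag matching `'CC\-[0-9]+.[0-9]+.[0-9]+'`, and nothing in the workflow distinguishes who created the tag, so unless tag protection rules restrict who may create `CC-*` tags, anyone with push access can publish a release payload; that restriction lives in repository settings rather than in this file, but a comment above `tags:` stating the expectation would record it. GitHub filter patterns are globs, so the unescaped `.` is a literal and matches the `CC-x.y.z` format the commit message describes, but the `\-` escape of a non-special character is unusual and I cannot confirm from here that it still matches `CC-1.2.3`; a `# matches CC-x.y.z, e.g. CC-0.1.0` comment plus a dry run against a throw-away tag would settle it.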
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 21:54:45 +0200 Subject: [PATCH 09/33] packaging: Don't build runtime-rs if no RUST_VERSION is provided MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the CCv0 effort is not using the runtime-rs, let's add a mechanism to avoid building it. The easiest way to do so, is to simply *not* build the runtime-rs if the RUST_VERSION is not provided, and then not providing the RUST_VERSION as part of the cc-shim-v2-tarball target. Fixes: #5462 Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 2 -- tools/packaging/static-build/shim-v2/build.sh | 20 ++++++++++--------- .../static-build/shim-v2/install_go_rust.sh | 12 ++++++----- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 0eecc49c6b..e80f2fd898 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -149,9 +149,7 @@ install_cc_qemu() { #Install all components that are not assets install_cc_shimv2() { GO_VERSION="$(yq r ${versions_yaml} languages.golang.meta.newest-version)" - RUST_VERSION="$(yq r ${versions_yaml} languages.rust.meta.newest-version)" export GO_VERSION - export RUST_VERSION export REMOVE_VMM_CONFIGS="acrn fc" extra_opts="DEFSERVICEOFFLOAD=true" diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index 7d8239fa3a..bb883765a9 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -14,7 +14,7 @@ readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh GO_VERSION=${GO_VERSION} -RUST_VERSION=${RUST_VERSION} +RUST_VERSION=${RUST_VERSION:-} DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} 
@@ -30,15 +30,17 @@ if [ ${arch} = "ppc64le" ]; then arch="ppc64" fi -sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ - -w "${repo_root_dir}/src/runtime-rs" \ - "${container_image}" \ - bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}" +if [ -n "${RUST_VERSION}" ]; then + sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ + -w "${repo_root_dir}/src/runtime-rs" \ + "${container_image}" \ + bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}" -sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ - -w "${repo_root_dir}/src/runtime-rs" \ - "${container_image}" \ - bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install" + sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ + -w "${repo_root_dir}/src/runtime-rs" \ + "${container_image}" \ + bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install" +fi sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${repo_root_dir}/src/runtime" \ diff --git a/tools/packaging/static-build/shim-v2/install_go_rust.sh b/tools/packaging/static-build/shim-v2/install_go_rust.sh index db192f673b..1ad638ab37 100755 --- a/tools/packaging/static-build/shim-v2/install_go_rust.sh +++ b/tools/packaging/static-build/shim-v2/install_go_rust.sh 
@@ -51,11 +51,13 @@ EOF trap finish EXIT rust_version=${2:-} -ARCH=${ARCH:-$(uname -m)} -LIBC=${LIBC:-musl} -curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSLf | sh -s -- -y --default-toolchain ${rust_version} -t ${ARCH}-unknown-linux-${LIBC} -source /root/.cargo/env -rustup target add x86_64-unknown-linux-musl +if [ -n "${rust_version}" ]; then + ARCH=${ARCH:-$(uname -m)} + LIBC=${LIBC:-musl} + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSLf | sh -s -- -y --default-toolchain ${rust_version} -t ${ARCH}-unknown-linux-${LIBC} + source /root/.cargo/env + rustup target add x86_64-unknown-linux-musl +fi pushd "${tmp_dir}" From a5dd0cd3aba8a7276d8f2d2eeff5ac888141d08a Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Thu, 1 Sep 2022 13:02:22 +0800 Subject: [PATCH 10/33] initramfs: Add build script to generate initramfs The init.sh in initramfs will parse the verity scheme, roothash, root device and setup the root device accordingly. Fixes: #5135 Signed-off-by: Wang, Arron --- .../local-build/kata-deploy-binaries.sh | 5 ++ .../static-build/initramfs/Dockerfile | 38 +++++++++++++ .../static-build/initramfs/build-initramfs.sh | 55 +++++++++++++++++++ .../packaging/static-build/initramfs/build.sh | 46 ++++++++++++++++ .../packaging/static-build/initramfs/init.sh | 44 +++++++++++++++ .../static-build/initramfs/initramfs.list | 21 +++++++ versions.yaml | 10 ++++ 7 files changed, 219 insertions(+) create mode 100644 tools/packaging/static-build/initramfs/Dockerfile create mode 100755 tools/packaging/static-build/initramfs/build-initramfs.sh create mode 100755 tools/packaging/static-build/initramfs/build.sh create mode 100755 tools/packaging/static-build/initramfs/init.sh create mode 100644 tools/packaging/static-build/initramfs/initramfs.list diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index ac144df289..f1d247bdcf 100755 
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -23,6 +23,7 @@ readonly versions_yaml="${repo_root_dir}/versions.yaml" readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh" readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh" +readonly initramfs_builder="${static_build_dir}/initramfs/build.sh" readonly kernel_builder="${static_build_dir}/kernel/build.sh" readonly ovmf_builder="${static_build_dir}/ovmf/build.sh" readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh" @@ -133,6 +134,8 @@ install_cc_sev_image() { install_cc_kernel() { export KATA_BUILD_CC=yes + info "build initramfs for cc kernel" + "${initramfs_builder}" export kernel_version="$(yq r $versions_yaml assets.kernel.version)" DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}" } @@ -183,6 +186,8 @@ install_cc_tee_kernel() { [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE" + info "build initramfs for tee kernel" + "${initramfs_builder}" kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)" DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -x "${tee}" -v "${kernel_version}" -u "${kernel_url}" } diff --git a/tools/packaging/static-build/initramfs/Dockerfile b/tools/packaging/static-build/initramfs/Dockerfile new file mode 100644 index 0000000000..3e8e10b4c5 --- /dev/null +++ b/tools/packaging/static-build/initramfs/Dockerfile 
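Review bot: `"${initramfs_builder}"` is invoked in both `install_cc_kernel` and `install_cc_tee_kernel` with no arguments, and nothing in either hunk hands the generated initramfs to `${kernel_builder}`, so the hand-off presumably relies on the initramfs build writing into the kernel build directory by default; a comment at each call site such as `# Produces initramfs.cpio.gz in the kernel build dir, picked up by ${kernel_builder} below` would make that coupling visible. The two identical `info "build initramfs for ..."` plus builder-call pairs could be one small helper so the next TEE does not copy them a third time.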
@@ -0,0 +1,38 @@ +# Copyright (c) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +from ubuntu:20.04 + +ARG DEBIAN_FRONTEND=noninteractive +ENV TZ=UTC +RUN apt-get update &&\ + apt-get --no-install-recommends install -y software-properties-common &&\ + add-apt-repository ppa:git-core/ppa -y &&\ + apt-get update && apt-get upgrade -y && \ + apt-get --no-install-recommends install -y \ + apt-utils \ + asciidoctor \ + autoconf \ + autopoint \ + automake \ + busybox-static \ + ca-certificates \ + curl \ + gcc \ + gettext \ + git \ + libaio-dev \ + libblkid-dev \ + libselinux1-dev \ + libtool \ + libpopt-dev \ + libjson-c-dev \ + libssl-dev \ + make \ + ninja-build \ + pkg-config \ + uuid-dev \ + libseccomp-dev \ + libseccomp2 \ + zlib1g-dev &&\ + apt-get clean && rm -rf /var/lib/apt/lists/ diff --git a/tools/packaging/static-build/initramfs/build-initramfs.sh b/tools/packaging/static-build/initramfs/build-initramfs.sh new file mode 100755 index 0000000000..a011e9822a --- /dev/null +++ b/tools/packaging/static-build/initramfs/build-initramfs.sh 
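Review bot: The builder image starts `from ubuntu:20.04` with no digest and then runs `apt-get update && apt-get upgrade -y` and adds the unpinned `ppa:git-core/ppa`, so two builds of this Dockerfile at different times may produce different toolchains and the initramfs they generate is not reproducible from the repository alone; pinning the base by digest (`ubuntu:20.04@sha256:<DIGEST_PLACEHOLDER>`) and dropping the blanket `upgrade` narrows that. The lowercase `from` is accepted but `FROM` matches the other instructions and the project's other Dockerfiles. A short comment saying why the distro git is insufficient (the reason for the PPA) would help the next maintainer decide whether it is still needed.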
@@ -0,0 +1,55 @@ +#!/bin/bash +# +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${script_dir}/../../scripts/lib.sh" +install_dir="${1:-.}" + +cryptsetup_repo="${cryptsetup_repo:-}" +cryptsetup_version="${cryptsetup_version:-}" +lvm2_repo="${lvm2_repo:-}" +lvm2_version="${lvm2_version:-}" + +[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo" +[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version" +[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo" +[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version" + +build_root=$(mktemp -d) +pushd ${build_root} + +info "Build ${lvm2_repo} version: ${lvm2_version}" +git clone --depth 1 --branch "${lvm2_version}" "${lvm2_repo}" lvm2 +pushd lvm2 +./configure --enable-static_link --disable-selinux +make && make install +cp ./libdm/libdevmapper.pc /usr/lib/pkgconfig/devmapper.pc +popd #lvm2 + +info "Build ${cryptsetup_repo} version: ${cryptsetup_version}" +git clone --depth 1 --branch "${cryptsetup_version}" "${cryptsetup_repo}" cryptsetup +pushd cryptsetup +./autogen.sh +./configure --enable-static --enable-static-cryptsetup --disable-udev --disable-external-tokens --disable-ssh-token +make && make install +strip /usr/sbin/veritysetup.static +popd #cryptsetup + +info "Build gen_init_cpio tool" +git clone --depth 1 --filter=blob:none --sparse https://github.com/torvalds/linux.git +pushd linux +git sparse-checkout add usr && cd usr && make gen_init_cpio +install gen_init_cpio /usr/sbin/ +popd #linux + +popd #${build_root} + +install "${script_dir}/init.sh" /usr/sbin/ +gen_init_cpio "${script_dir}/initramfs.list" | gzip -9 -n > "${install_dir}"/initramfs.cpio.gz diff --git a/tools/packaging/static-build/initramfs/build.sh b/tools/packaging/static-build/initramfs/build.sh new file mode 100755 index 0000000000..0f4beddb7f --- /dev/null 
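Review bot: `git clone --depth 1 --filter=blob:none --sparse https://github.com/torvalds/linux.git` checks out whatever the upstream default branch points to at build time, so `gen_init_cpio` and therefore the initramfs are built from an unpinned source, unlike lvm2 and cryptsetup which at least get `--branch "${lvm2_version}"` and `--branch "${cryptsetup_version}"`; passing `--branch "<KERNEL_TAG_PLACEHOLDER>"` (ideally a version already recorded in versions.yaml) makes the build reproducible and reviewable. The tag-based pins for lvm2 and cryptsetup are themselves mutable references; recording the expected commit and checking it after clone, `[ "$(git rev-parse HEAD)" = "<EXPECTED_COMMIT_PLACEHOLDER>" ] || die "unexpected lvm2 commit"`, is the cheap way to detect a moved tag for tools that end up in the verified-boot path. `make && make install` writes into `/usr` of the build container with no `DESTDIR`, which is fine inside the throw-away image but deserves a comment so nobody runs the script on a host. `gzip -9 -n` is the right choice for reproducible output.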
+++ b/tools/packaging/static-build/initramfs/build.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" +readonly initramfs_builder="${script_dir}/build-initramfs.sh" +readonly default_install_dir="$(cd "${script_dir}/../../kernel" && pwd)" + +source "${script_dir}/../../scripts/lib.sh" + +container_image="kata-initramfs-builder" +kata_version="${kata_version:-}" +cryptsetup_repo="${cryptsetup_repo:-}" +cryptsetup_version="${cryptsetup_version:-}" +lvm2_repo="${lvm2_repo:-}" +lvm2_version="${lvm2_version:-}" +package_output_dir="${package_output_dir:-}" + +[ -n "${cryptsetup_repo}" ] || cryptsetup_repo=$(get_from_kata_deps "externals.cryptsetup.url" "${kata_version}") +[ -n "${cryptsetup_version}" ] || cryptsetup_version=$(get_from_kata_deps "externals.cryptsetup.version" "${kata_version}") +[ -n "${lvm2_repo}" ] || lvm2_repo=$(get_from_kata_deps "externals.lvm2.url" "${kata_version}") +[ -n "${lvm2_version}" ] || lvm2_version=$(get_from_kata_deps "externals.lvm2.version" "${kata_version}") + +[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo" +[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version" +[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo" +[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version" + +sudo docker build \ + -t "${container_image}" "${script_dir}" + +sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ + -w "${PWD}" \ + --env cryptsetup_repo="${cryptsetup_repo}" \ + --env cryptsetup_version="${cryptsetup_version}" \ + --env lvm2_repo="${lvm2_repo}" \ + --env lvm2_version="${lvm2_version}" \ + "${container_image}" \ + bash -c "${initramfs_builder} ${default_install_dir}" 
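Review bot: `package_output_dir="${package_output_dir:-}"` is read but never used in the script, and the container always writes its result to `${default_install_dir}`; either wire the variable into the `docker run` invocation or drop it so the dead knob does not mislead callers. The arguments inside `bash -c "${initramfs_builder} ${default_install_dir}"` are expanded on the host and re-parsed unquoted by the container shell, so a checkout path containing a space breaks the build; `bash -c '"$0" "$1"' "${initramfs_builder}" "${default_install_dir}"` passes them intact. Because the container runs as root over the bind mount, the produced `initramfs.cpio.gz` will be root-owned in the repository's kernel directory on the host; a one-line comment noting that is worthwhile.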
diff --git a/tools/packaging/static-build/initramfs/init.sh b/tools/packaging/static-build/initramfs/init.sh new file mode 100755 index 0000000000..1bc70b25c1 --- /dev/null +++ b/tools/packaging/static-build/initramfs/init.sh @@ -0,0 +1,44 @@ +#!/bin/sh +# +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +[ -d /dev ] || mkdir -m 0755 /dev +[ -d /root ] || mkdir -m 0700 /root +[ -d /sys ] || mkdir /sys +[ -d /proc ] || mkdir /proc +[ -d /mnt ] || mkdir /mnt +[ -d /tmp ] || mkdir /tmp + +mount -t sysfs -o nodev,noexec,nosuid sysfs /sys +mount -t proc -o nodev,noexec,nosuid proc /proc + +echo "/sbin/mdev" > /proc/sys/kernel/hotplug +mdev -s + +get_option() { + local value + value=" $(cat /proc/cmdline) " + value="${value##* ${1}=}" + value="${value%% *}" + [ "${value}" != "" ] && echo "${value}" +} + +rootfs_verifier=$(get_option cc_rootfs_verity.scheme) +rootfs_hash=$(get_option cc_rootfs_verity.hash) +root_device=$(get_option root) +hash_device=${root_device%?}2 + +if [ -e ${root_device} ] && [ -e ${hash_device} ] && [ "${rootfs_verifier}" = "dm-verity" ] +then + veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}" + mount /dev/mapper/root /mnt +else + echo "No LUKS device found" + mount "${root_device}" /mnt +fi + +umount /proc +umount /sys +exec switch_root /mnt /sbin/init diff --git a/tools/packaging/static-build/initramfs/initramfs.list b/tools/packaging/static-build/initramfs/initramfs.list new file mode 100644 index 0000000000..90c8af8c98 --- /dev/null +++ b/tools/packaging/static-build/initramfs/initramfs.list 
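Review bot: The `else` branch mounts `${root_device}` directly and continues to `switch_root` whenever `cc_rootfs_verity.scheme` is absent or `${hash_device}` is missing, so a boot whose command line simply omits the verity parameters proceeds with an unverified rootfs, which defeats the purpose of a verified-boot initramfs in the confidential-computing setting this serves; if an unverified root is ever intended, that should be an explicit, logged decision, and otherwise the branch should stop the boot instead of falling through. The result of `veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"` is unchecked under `#!/bin/sh` with no `set -e`, so a hash mismatch is followed by a failing `mount /dev/mapper/root /mnt` and then `exec switch_root /mnt /sbin/init` on an empty directory; `veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}" || { echo "dm-verity open failed"; exit 1; }` fails closed with a clear message. `echo "No LUKS device found"` is wrong for this branch since nothing here involves LUKS, and `hash_device=${root_device%?}2` assumes a single-digit partition number on the root device, which a comment should state. The root hash is read from `/proc/cmdline`, so the integrity guarantee is only as strong as whatever measures or attests the kernel command line; a comment recording that assumption belongs above `rootfs_hash=$(get_option cc_rootfs_verity.hash)`.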
@@ -0,0 +1,21 @@ +# Copyright (c) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +# initramfs to setup verified boot for rootfs +dir /dev 0755 0 0 +dir /root 0700 0 0 +dir /sbin 0755 0 0 +dir /bin 0755 0 0 +dir /run 0755 0 0 +dir /mnt 0755 0 0 +file /init /usr/sbin/init.sh 0755 0 0 +file /sbin/busybox /usr/bin/busybox 0755 0 0 +file /sbin/veritysetup /usr/sbin/veritysetup.static 0755 0 0 +slink /bin/sh /sbin/busybox 0755 0 0 +slink /sbin/mount /sbin/busybox 0755 0 0 +slink /bin/mkdir /sbin/busybox 0755 0 0 +slink /sbin/mdev /sbin/busybox 0755 0 0 +slink /sbin/switch_root /sbin/busybox 0755 0 0 +slink /sbin/umount /sbin/busybox 0755 0 0 +slink /sbin/cat /sbin/busybox 0755 0 0 diff --git a/versions.yaml b/versions.yaml index 57efa29f27..4c43f65b42 100644 --- a/versions.yaml +++ b/versions.yaml @@ -219,11 +219,21 @@ externals: url: "https://github.com/kubernetes-sigs/cri-tools" version: "1.23.0" + cryptsetup: + description: "A utility used to setup disk encryption, integrity protection" + url: "https://gitlab.com/cryptsetup/cryptsetup" + version: "v2.5.0" + gperf: description: "GNU gperf is a perfect hash function generator" url: "http://ftp.gnu.org/pub/gnu/gperf/" version: "3.1" + lvm2: + description: "LVM2 and device-mapper tools and libraries" + url: "https://github.com/lvmteam/lvm2" + version: "v2_03_16" + kubernetes: description: "Kubernetes project container manager" url: "https://github.com/kubernetes/kubernetes" From fa1bf8f75ce527cf5449fce47f0bd493c713ed70 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 15:11:16 +0200 Subject: [PATCH 11/33] packaging: Add and export CC_BUILDER_REGISTRY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC_BUILD_REGISTRY, which points to quay.io/kata-containers/cc-builder, will be used for storing the builder images used to build the artefacts via the kata-deploy scripts. The plan is to tag, whenever it's possible and makes sense, images like: * ${CC_BUILDER_REGISTRY}:kernel-${sha} * ${CC_BUILDER_REGISTRY}:qemu-${sha} * ${CC_BUILDER_REGISTRY}:ovmf-${sha} * ${CC_BUILDER_REGISTRY}:shim-v2-${go-toolchain}-{rust-toolchain}-${sha} * ${CC_BUILDER_REGISTRY}:td-shim-${toolchain}-${sha} * ${CC_BUILDER_REGISTRY}:virtiofsd-${toolchain}-${sha} Where ${sha} is the sha of the last commit modifying the Dockerfile used by the builder. Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 640b1b79e5..86698ee262 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -8,6 +8,7 @@ export GOPATH=${GOPATH:-${HOME}/go} export tests_repo="${tests_repo:-github.com/kata-containers/tests}" export tests_repo_dir="$GOPATH/src/$tests_repo" +export CC_BUILDER_REGISTRY="quay.io/kata-containers/cc-builders" this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" From b1454dbcaa6c8c1e0b903ee1708dc8daf5f640b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:20:52 +0200 Subject: [PATCH 12/33] packaging: Add get_last_modification() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add a function to get the hash of the last commit modifying a specific file. This will help to avoid writing `git rev-list ...` into every single build script used by the kata-deploy. 
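Review bot: The registry path in the added line, `quay.io/kata-containers/cc-builders`, differs from the one the commit message documents (`cc-builder`), and the message calls the variable `CC_BUILD_REGISTRY` while the code exports `CC_BUILDER_REGISTRY`; one of the two should be corrected so the tag scheme described in the message matches where the scripts will actually push and pull. A short comment above the export would also help readers of lib.sh, for example `# Registry holding the builder images shared by the kata-deploy build scripts`.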
Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 86698ee262..eed0fe9f01 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -113,4 +113,19 @@ get_config_version() { else die "failed to find ${config_version_file}" fi -} \ No newline at end of file +} + +# $1 - Repo's root dir +# $2 - The file we're looking for the last modification +get_last_modification() { + local repo_root_dir="${1}" + local file="${2}" + + # This is a workaround needed for when running this code on Jenkins + git config --global --add safe.directory ${repo_root_dir} &> /dev/null + + dirty="" + [ $(git status --porcelain | grep "${file}" | wc -l) -gt 0 ] && dirty="-dirty" + + echo "$(git log -1 --pretty=format:"%H" ${file})${dirty}" +} From a6c0bf882378335356917f5de48836f3be6f67de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:38:38 +0200 Subject: [PATCH 13/33] packaging: Add push_to_registry() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This function will push a specific tag to a registry, whenever the PUSH_TO_REGISTRY environment variable is set, otherwise it's a no-op. This will be used in the future to avoid replicating that logic in every builder used by the kata-deploy scripts. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-binaries-in-docker.sh | 1 + tools/packaging/scripts/lib.sh | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 0b7c4b2389..91a1f5abc0 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
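Review bot: `[ $(git status --porcelain | grep "${file}" | wc -l) -gt 0 ]` decides dirtiness by an unanchored regex match over the status of the whole tree, so any modified path that merely contains the string (or a path with regex metacharacters) flips the `-dirty` suffix, and the value this function returns is later used as the cache key for builder images pulled from a shared registry, so a wrong verdict reuses an image built from a different Dockerfile. `git status --porcelain -- "${file}"` restricts the check to the path itself. Three further points in the same function: `dirty=""` is not `local` and leaks into the caller; both `git status` and `git log` run in the caller's cwd rather than `${repo_root_dir}`, which is otherwise unused; and `git config --global --add safe.directory ${repo_root_dir}` persistently edits the invoking user's global git configuration and relaxes git's ownership check for that path as a side effect of a build helper, so it should at least be quoted and, if it is only needed on Jenkins as the comment says, be gated on that environment. The rewritten body is below.
```bash
get_last_modification() {
    local repo_root_dir="${1}"
    local file="${2}"
    local dirty=""

    # This is a workaround needed for when running this code on Jenkins
    git config --global --add safe.directory "${repo_root_dir}" &> /dev/null

    # Limit the dirty check to the path itself (no regex / substring match
    # over the whole tree) and run git from the repo root, not the caller's cwd.
    [ -n "$(git -C "${repo_root_dir}" status --porcelain -- "${file}")" ] && dirty="-dirty"

    echo "$(git -C "${repo_root_dir}" log -1 --pretty=format:"%H" -- "${file}")${dirty}"
}
```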
@@ -56,6 +56,7 @@ docker run \ --env AA_KBC="${AA_KBC:-}" \ --env KATA_BUILD_CC="${KATA_BUILD_CC:-}" \ --env INCLUDE_ROOTFS="$(realpath "${INCLUDE_ROOTFS:-}" 2> /dev/null || true)" \ + --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" \ -v "${kata_dir}:${kata_dir}" \ --rm \ -w ${script_dir} \ diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index eed0fe9f01..43e9d4c113 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -9,6 +9,7 @@ export GOPATH=${GOPATH:-${HOME}/go} export tests_repo="${tests_repo:-github.com/kata-containers/tests}" export tests_repo_dir="$GOPATH/src/$tests_repo" export CC_BUILDER_REGISTRY="quay.io/kata-containers/cc-builders" +export PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" @@ -129,3 +130,18 @@ get_last_modification() { echo "$(git log -1 --pretty=format:"%H" ${file})${dirty}" } + +# $1 - The tag to be pushed to the registry +# $2 - "yes" to use sudo, "no" otherwise +push_to_registry() { + local tag="${1}" + local use_sudo="${2:-"yes"}" + + if [ "${PUSH_TO_REGISTRY}" == "yes" ]; then + if [ "${use_sudo}" == "yes" ]; then + sudo docker push ${tag} + else + docker push ${tag} + fi + fi +} From c1aac0cdeab66b2ee7f2e2fd822d837c3dcd544f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 18:51:01 +0200 Subject: [PATCH 14/33] packaging: Use existing image for the kata-deploy-build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the kata-deploy artefacts. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries-in-docker.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
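Review bot: In `push_to_registry`, `sudo docker push ${tag}` and `docker push ${tag}` leave the image reference unquoted while the parameters were carefully quoted on assignment; use `sudo docker push "${tag}"` and `docker push "${tag}"`. The header comment documents `$2` as `"yes"`/`"no"` but not that it defaults to `yes`, and any other value silently takes the non-sudo path; `# $2 - "yes" (default) to use sudo, anything else runs docker directly` states the actual behaviour. Defaulting `PUSH_TO_REGISTRY` to `"no"` in both files is the right fail-safe choice.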
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 91a1f5abc0..3deb1fc3a8 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -16,6 +16,8 @@ kata_deploy_create="${script_dir}/kata-deploy-binaries.sh" uid=$(id -u ${USER}) gid=$(id -g ${USER}) +source "${script_dir}/../../scripts/lib.sh" + if [ "${script_dir}" != "${PWD}" ]; then ln -sf "${script_dir}/build" "${PWD}/build" fi @@ -37,7 +39,9 @@ if [ ! -d "$HOME/.docker" ]; then remove_dot_docker_dir=true fi -docker build -q -t build-kata-deploy \ +container_image="${CC_BUILDER_REGISTRY}:build-kata-deploy-$(get_last_modification ${kata_dir} ${script_dir})" + +docker pull "${container_image}" || docker build -q -t "${container_image}" \ --build-arg IMG_USER="${USER}" \ --build-arg UID=${uid} \ --build-arg GID=${gid} \ @@ -60,7 +64,7 @@ docker run \ -v "${kata_dir}:${kata_dir}" \ --rm \ -w ${script_dir} \ - build-kata-deploy "${kata_deploy_create}" $@ + "${container_image}" "${kata_deploy_create}" $@ if [ $remove_dot_docker_dir == true ]; then rm -rf "$HOME/.docker" From fe8b246ae4f3945fc5816cefcee5cf67bf233a59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 18:53:22 +0200 Subject: [PATCH 15/33] packaging: Add infra to push the kata-deploy builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the image used to build the kata-deploy artefacts to the Kata Containers' quay.io registry. Fixes: #5475 Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries-in-docker.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
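Review bot: `docker pull "${container_image}"` in the `@@ -37,7 +39,9 @@` hunk trusts whatever the registry serves under a mutable tag, and the tag is derived from `get_last_modification` rather than from image content: with an uncommitted change the suffix is `-dirty`, so every checkout with any local edit under `${script_dir}` maps to the same tag, and a `-dirty` image pushed by one run (PATCH 15 adds the push) would be pulled and used by everyone whose tree is dirty in a different way. Consider skipping both the pull and the push when the tree is dirty and always building locally in that case, and logging the digest of a pulled image so a CI build remains reproducible. The same pull-by-tag pattern appears in PATCH 16 (kernel), 18 (OVMF), 20 (shim-v2), 22 (td-shim) and 25 (virtiofsd). In the last hunk, `"${container_image}" "${kata_deploy_create}" $@` keeps `$@` unquoted; `"$@"` preserves the argument boundaries.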
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 3deb1fc3a8..50cd797c3f 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -41,12 +41,15 @@ fi container_image="${CC_BUILDER_REGISTRY}:build-kata-deploy-$(get_last_modification ${kata_dir} ${script_dir})" -docker pull "${container_image}" || docker build -q -t "${container_image}" \ - --build-arg IMG_USER="${USER}" \ - --build-arg UID=${uid} \ - --build-arg GID=${gid} \ - --build-arg HOST_DOCKER_GID=${docker_gid} \ - "${script_dir}/dockerbuild/" +docker pull "${container_image}" || \ + (docker build -q -t "${container_image}" \ + --build-arg IMG_USER="${USER}" \ + --build-arg UID=${uid} \ + --build-arg GID=${gid} \ + --build-arg HOST_DOCKER_GID=${docker_gid} \ + "${script_dir}/dockerbuild/" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}" "no") docker run \ --privileged \ From 3cd900da6d54c02bb1f8fb7a16f850e3b19af084 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:04:11 +0200 Subject: [PATCH 16/33] packaging: Use existing image to build the kernel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the kernel. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/kernel/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index 13570f49ac..98ee0e9261 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh 
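Review bot: The `# No-op unless PUSH_TO_REGISTRY is exported as "yes"` comment sits between `&& \` and `push_to_registry`: the backslash joins the comment onto the `&&` line, and the list only continues because bash tolerates a newline after `&&`, so the trailing `\` on the `"${script_dir}/dockerbuild/"` line is dead and the construct is easy to break when someone edits it. Move the comment above the `docker pull` line (or after the closing parenthesis) and drop that backslash. The same layout is used in PATCH 17, 19, 21, 23 and 26.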
@@ -12,12 +12,13 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh" +source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-kernel-builder" +container_image="${CC_BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 31a13e80815dd38497cb7daa80fa97b42f63fbc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:08:05 +0200 Subject: [PATCH 17/33] packaging: Add infra to push the kernel builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the kernel builder image to the Kata Containers' quay.io registry. Fixes: #5476 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/kernel/build.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index 98ee0e9261..4206decffa 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh 
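Review bot: `sudo docker pull ${container_image}` leaves the image reference unquoted, unlike the `-t "${container_image}"` later on the same line and the quoted `docker pull "${container_image}"` in kata-deploy-binaries-in-docker.sh; `sudo docker pull "${container_image}"` keeps the scripts consistent. The `$(get_last_modification ${repo_root_dir} ${script_dir})` arguments inside the tag assignment are unquoted as well. The same unquoted form appears in PATCH 18 (OVMF), 20 (shim-v2), 22 (td-shim) and 25 (virtiofsd).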
@@ -18,7 +18,10 @@ DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} container_image="${CC_BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 5cef4d983726936c591ecc62cbdc64434f84f245 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:12:34 +0200 Subject: [PATCH 18/33] packaging: Use existing image to build OVMF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of buildinf our own, to be used as a builder image for OVMF. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index fcbbd93210..51818f453f 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh @@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-ovmf-builder" +container_image="${CC_BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})" ovmf_build="${ovmf_build:-x86_64}" kata_version="${kata_version:-}" ovmf_repo="${ovmf_repo:-}" 
@@ -52,7 +52,7 @@ fi [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" -sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 92d5dbb20c7770ddae337f6818481ae07e1eed00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:42:50 +0200 Subject: [PATCH 19/33] packaging: Add infra to push the OVMF builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for building and pushing the OVMF builder image to the Kata Containers' quay.io registry. Fixes: #5477 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index 51818f453f..16a52756ab 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh @@ -52,7 +52,10 @@ fi [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" -sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 1c1034255a109a10f80576fde911094711b8b04c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:57:02 +0200 Subject: [PATCH 20/33] packaging: Use existing image to build the shim-v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's try to pull a pre-existing image, instead of building our own, to be used as a builder for the shim-v2. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/shim-v2/build.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index bb883765a9..498d64f2e5 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -12,18 +12,22 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh" +source "${script_dir}/../../scripts/lib.sh" GO_VERSION=${GO_VERSION} RUST_VERSION=${RUST_VERSION:-} DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="shim-v2-builder" +container_image="${CC_BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})" EXTRA_OPTS="${EXTRA_OPTS:-""}" REMOVE_VMM_CONFIGS="${REMOVE_VMM_CONFIGS:-""}" -sudo docker build --build-arg GO_VERSION="${GO_VERSION}" --build-arg RUST_VERSION="${RUST_VERSION}" -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || sudo docker build \ + --build-arg GO_VERSION="${GO_VERSION}" \ + --build-arg RUST_VERSION="${RUST_VERSION}" \ + -t "${container_image}" "${script_dir}" arch=$(uname -m) if [ ${arch} = "ppc64le" ]; then From ca8abc6cae414b47ca62908ff10bbc14989bd21d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:59:13 +0200 Subject: [PATCH 21/33] packaging: Add infra to push the shim-v2 builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the shim-v2 builder image to the Kata Containers' quay.io registry. Fixes: #5478 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/shim-v2/build.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index 498d64f2e5..564e5cb9a5 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -24,10 +24,13 @@ container_image="${CC_BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VER EXTRA_OPTS="${EXTRA_OPTS:-""}" REMOVE_VMM_CONFIGS="${REMOVE_VMM_CONFIGS:-""}" -sudo docker pull ${container_image} || sudo docker build \ - --build-arg GO_VERSION="${GO_VERSION}" \ - --build-arg RUST_VERSION="${RUST_VERSION}" \ - -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build \ + --build-arg GO_VERSION="${GO_VERSION}" \ + --build-arg RUST_VERSION="${RUST_VERSION}" \ + -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") arch=$(uname -m) if [ ${arch} = "ppc64le" ]; then From 55cdd92b576a42cba8559efdf0a762a15f60e389 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:08:30 +0200 Subject: [PATCH 22/33] packaging: Use existing image to build td-shim MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the td-shim. This will save us some CI time. 
Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/td-shim/build.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh index 580c4a3376..3a3505b795 100755 --- a/tools/packaging/static-build/td-shim/build.sh +++ b/tools/packaging/static-build/td-shim/build.sh @@ -16,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-td-shim-builder" kata_version="${kata_version:-}" tdshim_repo="${tdshim_repo:-}" tdshim_version="${tdshim_version:-}" @@ -31,9 +30,12 @@ package_output_dir="${package_output_dir:-}" [ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" [ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project" -sudo docker build \ +container_image="${CC_BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})" + +sudo docker pull ${container_image} || sudo docker build \ --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ - -t "${container_image}" "${script_dir}" + -t "${container_image}" \ + "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 42fd229f26c6645b780ff7d64521501c7cd28a77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:09:35 +0200 Subject: [PATCH 23/33] packaging: Add infra to push the td-shim builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the td-shim builder image to the Kata Containers' quay.io registry. Fixes: #5479 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/td-shim/build.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh index 3a3505b795..8a6c978afb 100755 --- a/tools/packaging/static-build/td-shim/build.sh +++ b/tools/packaging/static-build/td-shim/build.sh @@ -32,10 +32,13 @@ package_output_dir="${package_output_dir:-}" container_image="${CC_BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker pull ${container_image} || sudo docker build \ - --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ - -t "${container_image}" \ - "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build \ + --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ + -t "${container_image}" \ + "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 9ba01f36dee9646978138a24c33cbac5fc7fa0c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:20:27 +0200 Subject: [PATCH 24/33] virtiofsd: Pass the expected toolchain to the build container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's ensure we're building virtiofsd with a specific toolchain that's known to not cause any issues, instead of always using the latest one. On each bump of the virtiofsd, we'll make sure to adjust this according to what's been used by the virtiofsd community. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 4 ++++ tools/packaging/static-build/virtiofsd/gnu/Dockerfile | 3 ++- tools/packaging/static-build/virtiofsd/musl/Dockerfile | 3 ++- versions.yaml | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index 64441d2aef..ec9d7e2483 100755 
--- a/tools/packaging/static-build/virtiofsd/build.sh +++ b/tools/packaging/static-build/virtiofsd/build.sh @@ -20,15 +20,18 @@ container_image="kata-virtiofsd-builder" kata_version="${kata_version:-}" virtiofsd_repo="${virtiofsd_repo:-}" virtiofsd_version="${virtiofsd_version:-}" +virtiofsd_toolchain="${virtiofsd_toolchain:-}" virtiofsd_zip="${virtiofsd_zip:-}" package_output_dir="${package_output_dir:-}" [ -n "${virtiofsd_repo}" ] || virtiofsd_repo=$(get_from_kata_deps "externals.virtiofsd.url") [ -n "${virtiofsd_version}" ] || virtiofsd_version=$(get_from_kata_deps "externals.virtiofsd.version") +[ -n "${virtiofsd_toolchain}" ] || virtiofsd_toolchain=$(get_from_kata_deps "externals.virtiofsd.toolchain") [ -n "${virtiofsd_zip}" ] || virtiofsd_zip=$(get_from_kata_deps "externals.virtiofsd.meta.binary") [ -n "${virtiofsd_repo}" ] || die "Failed to get virtiofsd repo" [ -n "${virtiofsd_version}" ] || die "Failed to get virtiofsd version or commit" +[ -n "${virtiofsd_toolchain}" ] || die "Failed to get the rust toolchain to build virtiofsd" [ -n "${virtiofsd_zip}" ] || die "Failed to get virtiofsd binary URL" ARCH=$(uname -m) @@ -48,6 +51,7 @@ case ${ARCH} in esac sudo docker build \ + --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ -t "${container_image}" "${script_dir}/${libc}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ diff --git a/tools/packaging/static-build/virtiofsd/gnu/Dockerfile b/tools/packaging/static-build/virtiofsd/gnu/Dockerfile index c214dfc415..c10b8db492 100644 --- a/tools/packaging/static-build/virtiofsd/gnu/Dockerfile +++ b/tools/packaging/static-build/virtiofsd/gnu/Dockerfile @@ -4,6 +4,7 @@ FROM ubuntu:20.04 ENV DEBIAN_FRONTEND=noninteractive +ARG RUST_TOOLCHAIN SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN apt-get update && \ 
@@ -16,4 +17,4 @@ RUN apt-get update && \ libseccomp-dev \ unzip && \ apt-get clean && rm -rf /var/lib/lists/ && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/tools/packaging/static-build/virtiofsd/musl/Dockerfile b/tools/packaging/static-build/virtiofsd/musl/Dockerfile index 9b9bb93b90..1236010e08 100644 --- a/tools/packaging/static-build/virtiofsd/musl/Dockerfile +++ b/tools/packaging/static-build/virtiofsd/musl/Dockerfile @@ -3,6 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 FROM alpine:3.16.2 +ARG RUST_TOOLCHAIN SHELL ["/bin/ash", "-o", "pipefail", "-c"] RUN apk --no-cache add \ @@ -13,4 +14,4 @@ RUN apk --no-cache add \ libcap-ng-static \ libseccomp-static \ musl-dev && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/versions.yaml b/versions.yaml index ad71900e0a..01b33367f8 100644 --- a/versions.yaml +++ b/versions.yaml @@ -314,6 +314,7 @@ externals: description: "vhost-user virtio-fs device backend written in Rust" url: "https://gitlab.com/virtio-fs/virtiofsd" version: "v1.3.0" + toolchain: "1.62.0" meta: # From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.3.0, # this is the link labelled virtiofsd-v1.3.0.zip From 29f64d6181e30bb0090fe41386e9238a5ba438cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:12:18 +0200 Subject: [PATCH 25/33] packaging: Use existing image to build virtiofsd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the virtiofsd. This will save us some CI time. 
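Review bot: `--default-toolchain ${RUST_TOOLCHAIN}` expands unquoted, and `ARG RUST_TOOLCHAIN` carries no default, so an image built without `--build-arg RUST_TOOLCHAIN=...` hands rustup-init a bare `--default-toolchain` with nothing after it and fails with an installer usage error rather than a clear message. Quote it, `--default-toolchain "${RUST_TOOLCHAIN}"`, and consider a guard ahead of the install such as `RUN test -n "${RUST_TOOLCHAIN}"` so a missing build arg fails at an obvious place; the musl Dockerfile hunk below has the same line. Pinning the toolchain in versions.yaml is the right direction; the rustup installer itself is still fetched and executed unpinned from the network on every image build, which predates this change.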
Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index ec9d7e2483..a0e8c8d20d 100755 --- a/tools/packaging/static-build/virtiofsd/build.sh +++ b/tools/packaging/static-build/virtiofsd/build.sh @@ -16,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-virtiofsd-builder" kata_version="${kata_version:-}" virtiofsd_repo="${virtiofsd_repo:-}" virtiofsd_version="${virtiofsd_version:-}" @@ -50,7 +49,9 @@ case ${ARCH} in ;; esac -sudo docker build \ +container_image="${CC_BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})" + +sudo docker pull ${container_image} || sudo docker build \ --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ -t "${container_image}" "${script_dir}/${libc}" From a036584ed93483dae2c0133f7ef659753225ae68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:28:52 +0200 Subject: [PATCH 26/33] packaging: Add infra to push the virtiofsd builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the virtiofsd builder image to the Kata Containers' quay.io registry. Fixes: #5480 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index a0e8c8d20d..18b50a79e2 100755 --- a/tools/packaging/static-build/virtiofsd/build.sh +++ b/tools/packaging/static-build/virtiofsd/build.sh 
@@ -51,9 +51,12 @@ esac container_image="${CC_BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker pull ${container_image} || sudo docker build \ - --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ - -t "${container_image}" "${script_dir}/${libc}" +sudo docker pull ${container_image} || \ + (sudo docker build \ + --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ + -t "${container_image}" "${script_dir}/${libc}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From b26cd250c87090b17bafc3a6a220f925afb53286 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 21:12:08 +0200 Subject: [PATCH 27/33] qemu: Re-work static-build Dockerfile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Differently than every single other bit that's part of our repo, QEMU has been using a single Dockerfile that prepares an environment where the project can be built, but *also* building the project as part of that very same Dockerfile. This is a problem, for several different reasons, including: * It's very hard to have a reproducible build if you don't have an archived image of the builder * One cannot cache / ipload the image of the builder, as that contains already a specific version of QEMU * Every single CI run we end up building the builder image, which includes building dependencies (such as liburing) Let's split the logic into a new build script, and pass the build script to be executed inside the builder image, which will be only responsible for providing an environment where QEMU can be built. Fixes: #5464 Backports: #5465 
Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/qemu/Dockerfile | 36 +------------------ .../static-build/qemu/build-base-qemu.sh | 21 ++++++----- .../packaging/static-build/qemu/build-qemu.sh | 28 +++++++++++++++ 3 files changed, 41 insertions(+), 44 deletions(-) create mode 100755 tools/packaging/static-build/qemu/build-qemu.sh diff --git a/tools/packaging/static-build/qemu/Dockerfile b/tools/packaging/static-build/qemu/Dockerfile index 1e4441daec..930a907817 100644 --- a/tools/packaging/static-build/qemu/Dockerfile +++ b/tools/packaging/static-build/qemu/Dockerfile @@ -4,15 +4,12 @@ # SPDX-License-Identifier: Apache-2.0 from ubuntu:20.04 - -WORKDIR /root/qemu - # CACHE_TIMEOUT: date to invalid cache, if the date changes the image will be rebuild # This is required to keep build dependencies with security fixes. ARG CACHE_TIMEOUT -RUN echo "$CACHE_TIMEOUT" ARG DEBIAN_FRONTEND=noninteractive +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN apt-get update && apt-get upgrade -y && \ apt-get --no-install-recommends install -y \ apt-utils \ 
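Review bot: Dropping `RUN echo "$CACHE_TIMEOUT"` leaves `ARG CACHE_TIMEOUT` without any subsequent use in the visible Dockerfile, and Docker invalidates the build cache at an ARG's first use, not at its declaration; unless a later instruction outside this hunk references it, changing CACHE_TIMEOUT will no longer force the `apt-get update && apt-get upgrade -y` layer to rebuild, which is exactly the security-fix refresh the comment above the ARG promises. Keep a use ahead of the package step, either by restoring the echo line or by folding it in: `RUN echo "$CACHE_TIMEOUT" && apt-get update && apt-get upgrade -y && \`. Adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the first RUN is a good move.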
@@ -52,38 +49,7 @@ RUN apt-get update && apt-get upgrade -y && \ if [ "$(uname -m)" != "s390x" ]; then apt-get install -y --no-install-recommends libpmem-dev; fi && \ apt-get clean && rm -rf /var/lib/apt/lists/ -ARG QEMU_REPO -# commit/tag/branch -ARG QEMU_VERSION -ARG PREFIX -# BUILD_SUFFIX is used by the qemu-build-post.sh script to -# properly rename non vanilla versions of the QEMU -ARG BUILD_SUFFIX -ARG HYPERVISOR_NAME -ARG PKGVERSION -ARG QEMU_DESTDIR -ARG QEMU_TARBALL - -SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN git clone https://github.com/axboe/liburing/ ~/liburing && \ cd ~/liburing && \ git checkout tags/liburing-2.1 && \ make && make install && ldconfig - -COPY scripts/configure-hypervisor.sh /root/configure-hypervisor.sh -COPY qemu /root/kata_qemu -COPY scripts/apply_patches.sh /root/apply_patches.sh -COPY scripts/patch_qemu.sh /root/patch_qemu.sh -COPY static-build/scripts/qemu-build-post.sh /root/static-build/scripts/qemu-build-post.sh -COPY static-build/qemu.blacklist /root/static-build/qemu.blacklist - -RUN git clone --depth=1 "${QEMU_REPO}" qemu && \ - cd qemu && \ - git fetch --depth=1 origin "${QEMU_VERSION}" && git checkout FETCH_HEAD && \ - scripts/git-submodule.sh update meson capstone && \ - /root/patch_qemu.sh "${QEMU_VERSION}" "/root/kata_qemu/patches" && \ - (PREFIX="${PREFIX}" /root/configure-hypervisor.sh -s "${HYPERVISOR_NAME}" | xargs ./configure \ - --with-pkgversion="${PKGVERSION}") && \ - make -j"$(nproc ${CI:+--ignore 1})" && \ - make install DESTDIR="${QEMU_DESTDIR}" && \ - /root/static-build/scripts/qemu-build-post.sh diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index cda5563c40..1a97131207 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh 
@@ -9,6 +9,8 @@ set -o nounset set -o pipefail script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" +readonly qemu_builder="${script_dir}/build-qemu.sh" source "${script_dir}/../../scripts/lib.sh" source "${script_dir}/../qemu.blacklist" @@ -41,16 +43,8 @@ container_image="qemu-static-${qemu_version,,}" sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ - --build-arg BUILD_SUFFIX=${build_suffix} \ - --build-arg HYPERVISOR_NAME="${HYPERVISOR_NAME}" \ - --build-arg PKGVERSION="${PKGVERSION}" \ --build-arg http_proxy="${http_proxy}" \ --build-arg https_proxy="${https_proxy}" \ - --build-arg QEMU_DESTDIR="${qemu_destdir}" \ - --build-arg QEMU_REPO="${qemu_repo}" \ - --build-arg QEMU_VERSION="${qemu_version}" \ - --build-arg QEMU_TARBALL="${qemu_tar}" \ - --build-arg PREFIX="${prefix}" \ "${packaging_dir}" \ -f "${script_dir}/Dockerfile" \ -t "${container_image}" @@ -58,8 +52,17 @@ sudo "${container_engine}" build \ sudo "${container_engine}" run \ --rm \ -i \ + --env BUILD_SUFFIX="${build_suffix}" \ + --env HYPERVISOR_NAME="${HYPERVISOR_NAME}" \ + --env PKGVERSION="${PKGVERSION}" \ + --env QEMU_DESTDIR="${qemu_destdir}" \ + --env QEMU_REPO="${qemu_repo}" \ + --env QEMU_VERSION="${qemu_version}" \ + --env QEMU_TARBALL="${qemu_tar}" \ + --env PREFIX="${prefix}" \ + -v "${repo_root_dir}:/root/kata-containers" \ -v "${PWD}":/share "${container_image}" \ - mv "${qemu_destdir}/${qemu_tar}" /share/ + bash -c "/root/kata-containers/tools/packaging/static-build/qemu/build-qemu.sh" sudo docker image rm "${container_image}" diff --git a/tools/packaging/static-build/qemu/build-qemu.sh b/tools/packaging/static-build/qemu/build-qemu.sh new file mode 100755 index 0000000000..edab348910 --- /dev/null +++ b/tools/packaging/static-build/qemu/build-qemu.sh 
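Review bot: The third hunk bind-mounts the whole checkout read-write with `-v "${repo_root_dir}:/root/kata-containers"`, while the script it runs only reads from that tree (scripts and patches) and writes to the QEMU clone, `${QEMU_DESTDIR}` and `/share`; mounting it `-v "${repo_root_dir}:/root/kata-containers:ro"` would stop a build running as root inside the container from modifying the host checkout, unless qemu-build-post.sh needs to write there (not visible here). The first hunk adds `readonly qemu_builder="${script_dir}/build-qemu.sh"` but no visible line uses it — the run command hard-codes the in-container path instead — so either drop the variable or derive the container path from it. `bash -c "/root/kata-containers/tools/packaging/static-build/qemu/build-qemu.sh"` can be reduced to the script path alone, since the new file is created with mode 100755. These hunks are top-level script code whose surrounding lines are outside the view.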
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+kata_packaging_dir="/root/kata-containers/tools/packaging"
+kata_packaging_scripts="${kata_packaging_dir}/scripts"
+
+kata_static_build_dir="${kata_packaging_dir}/static-build"
+kata_static_build_scripts="${kata_static_build_dir}/scripts"
+
+git clone --depth=1 "${QEMU_REPO}" qemu
+pushd qemu
+git fetch --depth=1 origin "${QEMU_VERSION}"
+git checkout FETCH_HEAD
+scripts/git-submodule.sh update meson capstone
+${kata_packaging_scripts}/patch_qemu.sh "${QEMU_VERSION}" "${kata_packaging_dir}/qemu/patches"
+PREFIX="${PREFIX}" ${kata_packaging_scripts}/configure-hypervisor.sh -s "${HYPERVISOR_NAME}" | xargs ./configure --with-pkgversion="${PKGVERSION}"
+make -j"$(nproc +--ignore 1)"
+make install DESTDIR="${QEMU_DESTDIR}"
+popd
+${kata_static_build_scripts}/qemu-build-post.sh
+mv "${QEMU_DESTDIR}/${QEMU_TARBALL}" /share/ From 9e1df04e66a2b52010bbc316bf8bb62ffdb07224 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 09:40:14 +0200 Subject: [PATCH 28/33] packaging: Use existing image to build QEMU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existsing image, instead of building our own, to be used as a builder image for QEMU. This will save us some CI time. Signed-off-by: Fabiano Fidêncio
--- tools/packaging/static-build/qemu/build-base-qemu.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh
index 1a97131207..c2f6587a2f 100755
--- a/tools/packaging/static-build/qemu/build-base-qemu.sh
+++ b/tools/packaging/static-build/qemu/build-base-qemu.sh
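Review bot: `make -j"$(nproc +--ignore 1)"` as rendered here is not valid `nproc` syntax; the Dockerfile line this script replaces reads `nproc ${CI:+--ignore 1}`, so this is probably an extraction artefact, but it is worth confirming the committed script still carries the `${CI:+...}` expansion. The script clones QEMU into the current directory, and the Dockerfile change in the same commit removes `WORKDIR /root/qemu`, so the clone now lands wherever the image's default working directory is; an explicit `cd` at the top of the script (or a `WORKDIR` in the Dockerfile) would make that deterministic. `git checkout FETCH_HEAD` after fetching `${QEMU_VERSION}` is carried over unchanged; a header comment stating that QEMU_VERSION is expected to be a tag or commit id rather than a branch would help readers, since a branch ref would make the build non-reproducible.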
@@ -39,9 +39,9 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") [ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu" [ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static" -container_image="qemu-static-${qemu_version,,}" +container_image="${CC_BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo "${container_engine}" build \ +sudo docker pull ${container_image} || sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ --build-arg http_proxy="${http_proxy}" \ --build-arg https_proxy="${https_proxy}" \ From d4db7ed3c8d5fb19fbe2c32ee7d8591bad493e23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 09:41:34 +0200 Subject: [PATCH 29/33] packaging: Add infra to push the QEMU builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the QEMU builder image to the Kata Containers' quay.io registry. Fixes: #5481 Signed-off-by: Fabiano Fidêncio --- .../static-build/qemu/build-base-qemu.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index c2f6587a2f..9be55bedc1 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh 
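Review bot: `sudo docker pull ${container_image}` hard-codes `docker` while the build on the same line uses `"${container_engine}"`; with a non-docker engine the pull would fail and the script would always fall back to building, so `sudo "${container_engine}" pull "${container_image}"` keeps both paths on the same engine (the same mismatch is carried into the PATCH 29 hunk). Because the pull now runs first, `--build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}"` only takes effect when the tag is absent, so the daily apt refresh the Dockerfile comment describes no longer happens once an image exists under a tag, and security updates in the builder only land when `get_last_modification` yields a new tag. If that is acceptable, document it next to CACHE_TIMEOUT; if not, the date could be folded into the tag. The initramfs builder in build.sh (PATCH 31) has the same property.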
@@ -41,13 +41,16 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") container_image="${CC_BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker pull ${container_image} || sudo "${container_engine}" build \ - --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ - --build-arg http_proxy="${http_proxy}" \ - --build-arg https_proxy="${https_proxy}" \ - "${packaging_dir}" \ - -f "${script_dir}/Dockerfile" \ - -t "${container_image}" +sudo docker pull ${container_image} || \ + (sudo "${container_engine}" build \ + --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ + --build-arg http_proxy="${http_proxy}" \ + --build-arg https_proxy="${https_proxy}" \ + "${packaging_dir}" \ + -f "${script_dir}/Dockerfile" \ + -t "${container_image}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo "${container_engine}" run \ --rm \ From 94807e73e72ebddad4df96a85c24b9110391db22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 11:12:09 +0200 Subject: [PATCH 30/33] packaging: Don't remove QEMU image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now that the QEMU builder image provides only the environment used for building QEMU, let's ensure it doesn't get removed. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/qemu/build-base-qemu.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index 9be55bedc1..7bc6805d10 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh @@ -67,6 +67,4 @@ sudo "${container_engine}" run \ -v "${PWD}":/share "${container_image}" \ bash -c "/root/kata-containers/tools/packaging/static-build/qemu/build-qemu.sh" -sudo docker image rm "${container_image}" - sudo chown ${USER}:$(id -gn ${USER}) "${PWD}/${qemu_tar}" 
From ebf6c8383983e78a071baf0aed565f38453226ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 25 Oct 2022 15:07:11 +0200 Subject: [PATCH 31/33] packaging: Use exissting image to build the initramfs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder for the initramds. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/initramfs/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/initramfs/build.sh b/tools/packaging/static-build/initramfs/build.sh index 0f4beddb7f..cc309e5987 100755 --- a/tools/packaging/static-build/initramfs/build.sh +++ b/tools/packaging/static-build/initramfs/build.sh @@ -15,7 +15,6 @@ readonly default_install_dir="$(cd "${script_dir}/../../kernel" && pwd)" source "${script_dir}/../../scripts/lib.sh" -container_image="kata-initramfs-builder" kata_version="${kata_version:-}" cryptsetup_repo="${cryptsetup_repo:-}" cryptsetup_version="${cryptsetup_version:-}" @@ -33,7 +32,9 @@ package_output_dir="${package_output_dir:-}" [ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo" [ -n "${lvm2_version}" ] || die "Failed to get lvm2 version" -sudo docker build \ +container_image="${CC_BUILDER_REGISTRY}:initramfs-cryptsetup-${cryptsetup_version}-lvm2-${lvm2_version}-$(get_last_modification ${repo_root_dir} ${script_dir})" + +sudo docker pull ${container_image} || sudo docker build \ -t "${container_image}" "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ From 111ad87828e479dd986ac1a158637d195c0283bd Mon Sep 17 00:00:00 2001 
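Review bot: The new `container_image=` line interpolates `${cryptsetup_version}` and `${lvm2_version}` unsanitised into the image tag; tags only allow `[A-Za-z0-9_.-]` (128 characters at most), so a version string containing `/`, `+` or `:` would make every pull fail and every run fall back to a local build. If those values are not already validated upstream (not visible here), a guard next to the existing `die` checks such as `[[ "${container_image##*:}" =~ ^[A-Za-z0-9_.-]+$ ]] || die "invalid builder image tag: ${container_image}"` would surface this early. `${container_image}` is unquoted in the pull command but quoted in the build command; quoting both keeps them consistent.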
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 25 Oct 2022 15:09:11 +0200 Subject: [PATCH 32/33] packaging: Add infra to push the initramfs builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the initramfs builder image to the Kata Containers' quay.io registry. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/initramfs/build.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/initramfs/build.sh b/tools/packaging/static-build/initramfs/build.sh index cc309e5987..96d09763c3 100755 --- a/tools/packaging/static-build/initramfs/build.sh +++ b/tools/packaging/static-build/initramfs/build.sh @@ -34,8 +34,10 @@ package_output_dir="${package_output_dir:-}" container_image="${CC_BUILDER_REGISTRY}:initramfs-cryptsetup-${cryptsetup_version}-lvm2-${lvm2_version}-$(get_last_modification ${repo_root_dir} ${script_dir})" -sudo docker pull ${container_image} || sudo docker build \ - -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || (sudo docker build \ + -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From c916c98ab503b27b247ad2a99984f6888e4e8b79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 18:27:36 +0200 Subject: [PATCH 33/33] actions: Push the builder images as part of the payload generation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's take advantge of an existing action that publishes the payload after each pull request, to also publish the "builder images" used to build each one of the artefacts. 
Signed-off-by: Fabiano Fidêncio --- .github/workflows/cc-payload-after-push.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cc-payload-after-push.yaml b/.github/workflows/cc-payload-after-push.yaml index f9315b903b..b7b08dd230 100644 --- a/.github/workflows/cc-payload-after-push.yaml +++ b/.github/workflows/cc-payload-after-push.yaml @@ -24,7 +24,16 @@ jobs: - cc-tdx-td-shim - cc-tdx-tdvf steps: + - name: Login to Kata Containers quay.io + uses: docker/login-action@v2 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # This is needed in order to keep the commit ids history - name: Build ${{ matrix.asset }} run: | make "${KATA_ASSET}-tarball" @@ -34,6 +43,7 @@ jobs: env: KATA_ASSET: ${{ matrix.asset }} TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: yes - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v3 @@ -68,7 +78,7 @@ jobs: needs: create-kata-tarball runs-on: ubuntu-latest steps: - - name: Login to quay.io + - name: Login to Confidential Containers quay.io uses: docker/login-action@v2 with: registry: quay.io
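Review bot: `PUSH_TO_REGISTRY: yes` in the second hunk is unquoted; the build scripts compare against the literal string "yes" and a YAML 1.1-style parser reads bare `yes` as a boolean, so `PUSH_TO_REGISTRY: "yes"` removes the ambiguity. The new login step in the first hunk hands every matrix job the quay.io deployer credentials and the following build pushes with them, so the actions that run in that job — `docker/login-action@v2`, `actions/checkout@v3`, `actions/upload-artifact@v3` — are worth pinning to full commit SHAs rather than floating major tags, since a compromised action revision would run with access to those secrets. The `fetch-depth: 0` comment could also say which consumer needs the full history (presumably the tag derivation in the build scripts; their helper is not visible here).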