Merge pull request #3171 from stevenhorsman/skopeo-not-default

Stop skopeo being installed by default
2025-08-22 09:49:35 +00:00 · 2021-12-03 15:54:44 +00:00 · 2021-12-03 15:54:44 +00:00 · 6f2d89ef6f
commit 6f2d89ef6f
parent af91084887 bb66dbdccc
8 changed files with 49 additions and 23 deletions
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@ -232,7 +232,7 @@ create_a_local_rootfs() {
    cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder
    export distro="ubuntu"
    [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}"
-    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
+    sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO=${SKOPEO:-} UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}

    # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
    sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
@ -35,6 +35,9 @@ In order to build, and demo the CCv0 functionality, these are the steps I take:
      If you want to build and run these you can export the `katacontainers_repo`, `katacontainers_branch`, `tests_repo`
      and `tests_branch` variables e.g. `export katacontainers_repo=github.com/stevenhorsman/kata-containers && export katacontainers_branch=stevenh/agent-pull-image-endpoint && export tests_repo=github.com/stevenhorsman/tests && export tests_branch=stevenh/add-ccvo-changes-to-build`
      before running the script.
+    - By default `ccv0.sh` enables the agent to use the rust implementation to pull container images on the guest. If
+      you wish to instead build and include the `skopeo` package for this then set `export SKOPEO=yes`. `skopeo` is
+      required for verifying container image signatures of pulled images.
 - Run the full build process with `. ~/ccv0.sh -d build_and_install_all`
    - *I run this script sourced just so that the required installed components are accessible on the `PATH` to the rest*
      *of the process without having to reload the session.*
--- a/tools/osbuilder/rootfs-builder/README.md
+++ b/tools/osbuilder/rootfs-builder/README.md
@ -196,6 +196,7 @@ needed. Changes affect the files included in the final guest image.

 #### Confidential containers support

-When building the rootfs for confidential containers if `SKOPEO_UMOCI=yes` is set then the `skopeo` and `umoci`
-packages are built and added into the rootfs. It also adds the signature verification proof of concept files.
+When building the rootfs for confidential containers if `SKOPEO=yes` is set then the `skopeo`
+package is built and added into the rootfs. It also adds the signature verification proof of concept files.
+If `UMOCI=yes` is set then the `umoci` package is built and added into the rootfs.
 For more info on these, see [the documentation](signed-container-artifacts/README.md).
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -142,15 +142,22 @@ USE_PODMAN          If set and USE_DOCKER not set, then build the rootfs inside
                    a podman container (requires podman).
                    Default value: <not set>

-SKOPEO_UMOCI        If set to "yes", build Skopeo and umoci for confidential
+SKOPEO              If set to "yes", build Skopeo for confidential
                    containers guest image pull. Currently, this is only
                    supported for Ubuntu guests; see
                    https://github.com/kata-containers/kata-containers/pull/2908
                    for discussion.
                    Default value: <not set>

+UMOCI               If set to "yes", build and umoci for confidential
+                    containers guest image unpack. Currently, this is only
+                    supported for Ubuntu guests; see
+                    https://github.com/kata-containers/kata-containers/pull/2908
+                    for discussion.
+                    Default value: <not set>
+
 AA_KBC              Key broker client module for attestation-agent. This is
-                    required for confidential containers. Requires SKOPEO_UMOCI
+                    required for confidential containers. Requires UMOCI
                    to be set. See https://github.com/containers/attestation-agent
                    for more information on available modules.
                    Default value: <not set>
@ -439,7 +446,8 @@ build_rootfs_distro()
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
 			--env LIBC="${LIBC}" \
-			--env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
+			--env SKOPEO="${SKOPEO}" \
+			--env UMOCI="${UMOCI}" \
 			--env AA_KBC="${AA_KBC}" \
 			--env SECCOMP="${SECCOMP}" \
 			--env DEBUG="${DEBUG}" \
@ -634,7 +642,7 @@ EOT
 	info "Create /etc/resolv.conf file in rootfs if not exist"
 	touch "$dns_file"

-	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+	if [ "${SKOPEO}" = "yes" ]; then
 		skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
 		skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
 		info "Install skopeo"
@ -644,15 +652,6 @@ EOT
 		install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
 		popd

-		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
-		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
-		info "Install umoci"
-		git clone "${umoci_url}" --branch "${umoci_tag}"
-		pushd umoci
-		make
-		install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
-		popd
-
 		# Temp PoC code: Add image signature verification artifacts into rootfs
 		rootfs_quay_verification_directory="/etc/containers/quay_verification"
 		dev_verification_directory="${script_dir}/signed-container-artifacts"
@ -671,8 +670,11 @@ docker:
 EOT
 	fi

-	if [ -n "${AA_KBC}" ]; then
-		[ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+    if [ -n "${AA_KBC}" ]; then
+        if [ "${UMOCI}" != "yes" ]; then
+          UMOCI="yes"
+          warning "UMOCI wasn't set, but is required for attestation, so overridden"
+        fi

 		attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 		attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
@ -691,6 +693,17 @@ EOT
 		popd
 	fi

+	if [ "${UMOCI}" = "yes" ]; then
+		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+		info "Install umoci"
+		git clone "${umoci_url}" --branch "${umoci_tag}"
+		pushd umoci
+		make
+		install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+		popd
+	fi
+
 	info "Creating summary file"
 	create_summary_file "${ROOTFS_DIR}"
 }
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@ -12,7 +12,9 @@ OS_VERSION=${OS_VERSION:-20.04}
 OS_NAME=${OS_NAME:-"focal"}

 # packages to be installed by default
-PACKAGES="systemd iptables init kmod"
+# Note: ca-certificates is required for confidential containers
+# to pull the container image on the guest
+PACKAGES="systemd iptables init kmod ca-certificates"
 EXTRA_PKGS+=" chrony"

 DEBOOTSTRAP=${PACKAGE_MANAGER:-"debootstrap"}
@ -32,7 +34,7 @@ INIT_PROCESS=systemd
 ARCH_EXCLUDE_LIST=()

 [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
-[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true
+[ "$SKOPEO" = "yes" ] && PACKAGES+=" libgpgme11" || true

 if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
    AA_KBC_EXTRAS="
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@ -219,11 +219,16 @@ ${extra}
 	  agent-is-init-daemon: "${AGENT_INIT}"
 EOT

-	if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+	if [ "${SKOPEO}" = "yes" ]; then
 		cat >> "${file}" <<-EOF
 	skopeo:
 	  url: "${skopeo_url}"
 	  version: "${skopeo_branch}"
+EOF
+	fi
+
+	if [ "${UMOCI}" = "yes" ]; then
+		cat >> "${file}" <<-EOF
 	umoci:
 	  url: "${umoci_url}"
 	  version: "${umoci_tag}"
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@ -49,7 +49,8 @@ build_image() {
 	info "image os: $img_distro"
 	info "image os version: $img_os_version"
 	# CCv0 on image is currently unsupported, do not pass
-	unset SKOPEO_UMOCI
+	unset SKOPEO
+	unset UMOCI
 	unset AA_KBC
 	sudo -E PATH="${PATH}" make image \
 		DISTRO="${img_distro}" \
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@ -38,7 +38,8 @@ docker run ${TTY_OPT} \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	--user ${uid}:${gid} \
 	--env USER=${USER} \
-	--env SKOPEO_UMOCI="${SKOPEO_UMOCI:-}" \
+	--env SKOPEO="${SKOPEO:-}" \
+	--env UMOCI="${UMOCI:-}" \
 	--env AA_KBC="${AA_KBC:-}" \
 	--env INCLUDE_ROOTFS="${INCLUDE_ROOTFS:-}" \
 	-v "${kata_dir}:${kata_dir}" \