From 389bbcb183a7d090db9e95d25b340d5e2163fffe Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 3 Dec 2021 15:28:47 +0100
Subject: [PATCH 1/3] kata-deploy: Support separate Skopeo spec
The initrd build process now supports facultatively installing Skopeo while still installing Umoci. Mirror this change in the respective kata-deploy process.
Signed-off-by: Jakob Naucke
---
 tools/packaging/guest-image/build_image.sh | 3 ++-
 .../kata-deploy/local-build/kata-deploy-binaries-in-docker.sh | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index 27ec99e0b7..65c0ba8e0d 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -49,7 +49,8 @@ build_image() {
 info "image os: $img_distro"
 info "image os version: $img_os_version"
 # CCv0 on image is currently unsupported, do not pass
- unset SKOPEO_UMOCI
+ unset SKOPEO
+ unset UMOCI
 unset AA_KBC
 sudo -E PATH="${PATH}" make image \
 DISTRO="${img_distro}" \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index c026d4c199..a8f7b118e7 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -38,7 +38,8 @@ docker run ${TTY_OPT} \
 -v /var/run/docker.sock:/var/run/docker.sock \
 --user ${uid}:${gid} \
 --env USER=${USER} \
- --env SKOPEO_UMOCI="${SKOPEO_UMOCI:-}" \
+ --env SKOPEO="${SKOPEO:-}" \
+ --env UMOCI="${UMOCI:-}" \
 --env AA_KBC="${AA_KBC:-}" \
 --env INCLUDE_ROOTFS="${INCLUDE_ROOTFS:-}" \
 -v "${kata_dir}:${kata_dir}" \
From 95ab38ae541831265129c4660ebde4f496f1258e Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Fri, 26 Nov 2021 16:52:34 +0000
Subject: [PATCH 2/3] doc: Stop skopeo being installed by default
With the new rust image pull service skopeo we can parameterise whether to build and install skopeo and turn it off by default if we don't need signature verification support
Fixes: #3170
Signed-off-by: stevenhorsman
---
 docs/how-to/ccv0.sh | 2 +-
 docs/how-to/how-to-build-and-test-ccv0.md | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh
index f01f47faae..87a243a2ad 100755
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@@ -232,7 +232,7 @@ create_a_local_rootfs() {
 cd ${katacontainers_repo_dir}/tools/osbuilder/rootfs-builder
 export distro="ubuntu"
 [[ -z "${USE_PODMAN:-}" ]] && use_docker="${use_docker:-1}"
- sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO_UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
+ sudo -E OS_VERSION="${OS_VERSION:-}" GOPATH=$GOPATH DEBUG="${DEBUG}" USE_DOCKER="${use_docker:-}" SKOPEO=${SKOPEO:-} UMOCI=yes SECCOMP=yes ./rootfs.sh -r ${ROOTFS_DIR} ${distro}
 # During the ./rootfs.sh call the kata agent is built as root, so we need to update the permissions, so we can rebuild it
 sudo chown -R ${USER}:${USER} "${katacontainers_repo_dir}/src/agent/"
diff --git a/docs/how-to/how-to-build-and-test-ccv0.md b/docs/how-to/how-to-build-and-test-ccv0.md
index afa526d620..df010303df 100644
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
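Review bot: `SKOPEO=${SKOPEO:-}` on the new `sudo -E` line is the only assignment left unquoted while its neighbours (`OS_VERSION="${OS_VERSION:-}"`, `USE_DOCKER="${use_docker:-}"`) are quoted; write it as `SKOPEO="${SKOPEO:-}"` for consistency (an empty expansion is harmless in this position, so this is style rather than a bug). Because the default now builds a guest without skopeo, and the signature-verification artifacts are only added under the `SKOPEO=yes` branch of rootfs.sh, a comment above the call would spare readers of the script a trip to the how-to: `# Export SKOPEO=yes to build skopeo into the rootfs; required for container image signature verification`. create_a_local_rootfs continues outside the hunk.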
@@ -35,6 +35,9 @@ In order to build, and demo the CCv0 functionality, these are the steps I take:
 If you want to build and run these you can export the `katacontainers_repo`, `katacontainers_branch`, `tests_repo` and `tests_branch` variables e.g. `export katacontainers_repo=github.com/stevenhorsman/kata-containers && export katacontainers_branch=stevenh/agent-pull-image-endpoint && export tests_repo=github.com/stevenhorsman/tests && export tests_branch=stevenh/add-ccvo-changes-to-build` before running the script.
+ - By default `ccv0.sh` enables the agent to use the rust implementation to pull container images on the guest. If
+ you wish to instead build and include the `skopeo` package for this then set `export SKOPEO=yes`. `skopeo` is
+ required for verifying container image signatures of pulled images.
 - Run the full build process with `. ~/ccv0.sh -d build_and_install_all`
 - *I run this script sourced just so that the required installed components are accessible on the `PATH` to the rest*
 *of the process without having to reload the session.*
From bb66dbdccc42733aa29aa0963908d038e188d6b9 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Fri, 26 Nov 2021 16:52:48 +0000
Subject: [PATCH 3/3] osbuilder: Stop skopeo being installed by default
With the new rust image pull service skopeo we can parameterise whether to build and install skopeo and turn it off by default if we don't need signature verification support
Fixes: #3170
Signed-off-by: stevenhorsman
---
 tools/osbuilder/rootfs-builder/README.md | 5 ++-
 tools/osbuilder/rootfs-builder/rootfs.sh | 43 ++++++++++++-------
 .../osbuilder/rootfs-builder/ubuntu/config.sh | 6 ++-
 tools/osbuilder/scripts/lib.sh | 7 ++-
 4 files changed, 41 insertions(+), 20 deletions(-)
diff --git a/tools/osbuilder/rootfs-builder/README.md b/tools/osbuilder/rootfs-builder/README.md
index 3cfc031b06..87ecfe2f0a 100644
--- a/tools/osbuilder/rootfs-builder/README.md
+++ b/tools/osbuilder/rootfs-builder/README.md
@@ -196,6 +196,7 @@ needed. Changes affect the files included in the final guest image.
 #### Confidential containers support
-When building the rootfs for confidential containers if `SKOPEO_UMOCI=yes` is set then the `skopeo` and `umoci`
-packages are built and added into the rootfs. It also adds the signature verification proof of concept files.
+When building the rootfs for confidential containers if `SKOPEO=yes` is set then the `skopeo`
+package is built and added into the rootfs. It also adds the signature verification proof of concept files.
+If `UMOCI=yes` is set then the `umoci` package is built and added into the rootfs.
 For more info on these, see [the documentation](signed-container-artifacts/README.md).
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 3f2ba4d885..0879572e3b 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -142,15 +142,22 @@ USE_PODMAN If set and USE_DOCKER not set, then build the rootfs inside a podman container (requires podman). Default value:
-SKOPEO_UMOCI If set to "yes", build Skopeo and umoci for confidential
+SKOPEO If set to "yes", build Skopeo for confidential
 containers guest image pull. Currently, this is only supported for Ubuntu guests; see https://github.com/kata-containers/kata-containers/pull/2908 for discussion. Default value:
+UMOCI If set to "yes", build and umoci for confidential
+ containers guest image unpack. Currently, this is only
+ supported for Ubuntu guests; see
+ https://github.com/kata-containers/kata-containers/pull/2908
+ for discussion.
+ Default value:
+
 AA_KBC Key broker client module for attestation-agent. This is
- required for confidential containers. Requires SKOPEO_UMOCI
+ required for confidential containers. Requires UMOCI
 to be set. See https://github.com/containers/attestation-agent for more information on available modules. Default value:
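Review bot: The new UMOCI help entry reads `build and umoci for confidential`, which looks like a leftover from the old `build Skopeo and umoci` wording; it should read `UMOCI           If set to "yes", build umoci for confidential`. The AA_KBC entry now says `Requires UMOCI to be set`, but the code later in this patch no longer requires it: when AA_KBC is set and UMOCI is not "yes" it forces `UMOCI="yes"` and prints a warning, so the help text should describe that instead, e.g. `required for confidential containers. Implies UMOCI=yes` on the changed line and `(forced on with a warning if unset).` on the following one. The usage heredoc continues outside the hunk.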
@@ -439,7 +446,8 @@ build_rootfs_distro()
 --env OS_VERSION="${OS_VERSION}" \
 --env INSIDE_CONTAINER=1 \
 --env LIBC="${LIBC}" \
- --env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
+ --env SKOPEO="${SKOPEO}" \
+ --env UMOCI="${UMOCI}" \
 --env AA_KBC="${AA_KBC}" \
 --env SECCOMP="${SECCOMP}" \
 --env DEBUG="${DEBUG}" \
@@ -634,7 +642,7 @@ EOT
 info "Create /etc/resolv.conf file in rootfs if not exist"
 touch "$dns_file"
- if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+ if [ "${SKOPEO}" = "yes" ]; then
 skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
 skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
 info "Install skopeo"
@@ -644,15 +652,6 @@ EOT
 install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
 popd
- umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
- umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
- info "Install umoci"
- git clone "${umoci_url}" --branch "${umoci_tag}"
- pushd umoci
- make
- install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
- popd
-
 # Temp PoC code: Add image signature verification artifacts into rootfs
 rootfs_quay_verification_directory="/etc/containers/quay_verification"
 dev_verification_directory="${script_dir}/signed-container-artifacts"
@@ -671,8 +670,11 @@ docker:
 EOT
 fi
- if [ -n "${AA_KBC}" ]; then
- [ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+ if [ -n "${AA_KBC}" ]; then
+ if [ "${UMOCI}" != "yes" ]; then
+ UMOCI="yes"
+ warning "UMOCI wasn't set, but is required for attestation, so overridden"
+ fi
 attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
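Review bot: The warning `UMOCI wasn't set, but is required for attestation, so overridden` in the AA_KBC hunk understates what the new check does: the condition is `!= "yes"`, so an explicit `UMOCI=no` is also flipped to "yes", which a caller may not expect now that the previous hard `die` is gone. Make the message match the condition, e.g. `warning "UMOCI must be \"yes\" when AA_KBC is set (was '${UMOCI}'); forcing UMOCI=yes"`, and mention the override in the usage text. The override only changes the shell variable in the current process; if this block can run before build_rootfs_distro launches the build container (which forwards `--env UMOCI="${UMOCI}"` in the first hunk), confirm that the forced value is what the container sees — the enclosing function is not visible here and continues outside the hunk.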
@@ -691,6 +693,17 @@ EOT
 popd
 fi
+ if [ "${UMOCI}" = "yes" ]; then
+ umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+ umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+ info "Install umoci"
+ git clone "${umoci_url}" --branch "${umoci_tag}"
+ pushd umoci
+ make
+ install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+ popd
+ fi
+
 info "Creating summary file"
 create_summary_file "${ROOTFS_DIR}"
 }
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index 5d3160bcfb..089eeb295b 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@@ -12,7 +12,9 @@ OS_VERSION=${OS_VERSION:-20.04}
 OS_NAME=${OS_NAME:-"focal"}
 # packages to be installed by default
-PACKAGES="systemd iptables init kmod"
+# Note: ca-certificates is required for confidential containers
+# to pull the container image on the guest
+PACKAGES="systemd iptables init kmod ca-certificates"
 EXTRA_PKGS+=" chrony"
 DEBOOTSTRAP=${PACKAGE_MANAGER:-"debootstrap"}
@@ -32,7 +34,7 @@ INIT_PROCESS=systemd
 ARCH_EXCLUDE_LIST=()
 [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
-[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true
+[ "$SKOPEO" = "yes" ] && PACKAGES+=" libgpgme11" || true
 if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
 AA_KBC_EXTRAS="
diff --git a/tools/osbuilder/scripts/lib.sh b/tools/osbuilder/scripts/lib.sh
index 70fcfac9b7..ef070e6081 100644
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@@ -219,11 +219,16 @@ ${extra}
 agent-is-init-daemon: "${AGENT_INIT}"
 EOT
- if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+ if [ "${SKOPEO}" = "yes" ]; then
 cat >> "${file}" <<-EOF
 skopeo:
 url: "${skopeo_url}"
 version: "${skopeo_branch}"
+EOF
+ fi
+
+ if [ "${UMOCI}" = "yes" ]; then
+ cat >> "${file}" <<-EOF
 umoci:
 url: "${umoci_url}"
 version: "${umoci_tag}"
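Review bot: The umoci block clones `${umoci_url}` at `--branch "${umoci_tag}"` and runs `make` without pinning or verifying a commit, so what lands in `${ROOTFS_DIR}/usr/local/bin/umoci` depends on a mutable tag; this is the same code the patch removes from the skopeo block, but it is now the path AA_KBC forces on, so it is worth recording what was actually built. The smallest step is to capture the resolved commit after the clone, `umoci_commit="$(git -C umoci rev-parse HEAD)"`, and carry it into the summary next to `version: "${umoci_tag}"` so a guest image can be traced to exact sources; verifying a signed tag with `git verify-tag` would be stronger where upstream signs tags. The skopeo block earlier in the file has the same property.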
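Review bot: The new comment `ca-certificates is required for confidential containers to pull the container image on the guest` in ubuntu/config.sh describes the conditional that was removed from the `SKOPEO_UMOCI` line rather than the unconditional default the line now sets; every Ubuntu guest gets the CA bundle whether or not it is a confidential-containers build. Reword it to state the new-side behaviour, e.g. `# ca-certificates: needed for pulling container images on the guest (confidential containers); installed by default so the default pull path works`. That the default guest pulls images itself is taken from the commit message rather than from lines visible here, so confirm it before wording the comment that way.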