osbuilder: Integrate pause image inside rootfs

For CoCo stack, the pause image is managed by host side, then it may configure a malicious pause image, we need package a pause image inside the rootfs and don't the pause image from host. Fixes: #4768 Signed-off-by: Wang, Arron <arron.wang@intel.com>
2025-08-18 16:08:25 +00:00 · 2022-07-29 15:15:24 +08:00 · 2022-07-29 15:15:24 +08:00 · 75b9f3fa3c
commit 75b9f3fa3c
parent 4f49423c91
3 changed files with 34 additions and 1 deletions
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -16,6 +16,7 @@ AGENT_VERSION=${AGENT_VERSION:-}
 RUST_VERSION="null"
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
+KATA_BUILD_CC=${KATA_BUILD_CC:-no}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@ -437,6 +438,7 @@ build_rootfs_distro()
 			--env ROOTFS_DIR="/rootfs" \
 			--env AGENT_BIN="${AGENT_BIN}" \
 			--env AGENT_INIT="${AGENT_INIT}" \
+			--env KATA_BUILD_CC="${KATA_BUILD_CC}" \
 			--env ARCH="${ARCH}" \
 			--env CI="${CI}" \
 			--env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \
@ -692,6 +694,17 @@ EOF
 		popd
 	fi

+	if [ "${KATA_BUILD_CC}" == "yes" ]; then
+		info "Integrate pause image inside rootfs for CC"
+		pause_repo="$(get_package_version_from_kata_yaml externals.pause.repo)"
+		pause_version="$(get_package_version_from_kata_yaml externals.pause.version)"
+		[ -n "pause_repo" ] || die "failed to get pause image repo"
+		[ -n "pause_version" ] || die "failed to get pause image version"
+
+		skopeo copy "${pause_repo}":"${pause_version}" oci:pause:"${pause_version}"
+		umoci unpack --image pause:"${pause_version}"  "${ROOTFS_DIR}/pause_bundle"
+	fi
+
 	info "Creating summary file"
 	create_summary_file "${ROOTFS_DIR}"
 }
--- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
@ -3,6 +3,17 @@
 # SPDX-License-Identifier: Apache-2.0

 ARG IMAGE_REGISTRY=docker.io
+
+# Install skopeo which is not included in 20.04 release
+# This can be removed when we upgrade the base to 22.04 release
+FROM ${IMAGE_REGISTRY}/golang:1.18 AS skopeo
+@SET_PROXY@
+WORKDIR /skopeo
+ARG SKOPEO_VERSION="1.9.1"
+RUN curl -fsSL "https://github.com/containers/skopeo/archive/v${SKOPEO_VERSION}.tar.gz" \
+  | tar -xzf - --strip-components=1
+RUN CGO_ENABLED=0 DISABLE_DOCS=1 make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
+
 FROM ${IMAGE_REGISTRY}/ubuntu:@OS_VERSION@
@SET_PROXY@

@ -27,10 +38,14 @@ RUN apt-get update && \
    multistrap \
    musl-tools \
    pkg-config \
-    protobuf-compiler
+    protobuf-compiler \
+    umoci

 # aarch64 requires this name -- link for all
 RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"

+COPY --from=skopeo /skopeo/bin/skopeo /usr/local/bin/
+COPY --from=skopeo /skopeo/default-policy.json /etc/containers/policy.json
+
@INSTALL_RUST@
@INSTALL_AA_KBC@
--- a/versions.yaml
+++ b/versions.yaml
@ -231,6 +231,11 @@ externals:
    url: "https://github.com/seccomp/libseccomp"
    version: "2.5.1"

+  pause:
+    description: "Kubernetes pause container image"
+    repo: "docker://k8s.gcr.io/pause"
+    version: "3.6"
+
  runc:
    description: "OCI CLI reference runtime implementation"
    url: "https://github.com/opencontainers/runc"