From 75bd97e8df0ec6817e395b8b54683406eca42b65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 14 May 2024 19:48:23 +0200
Subject: [PATCH] build: Ensure the default rootfs is built with AGENT_POLICY=yes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is needed, as b1710ee2c0909c82e75a659e82cde72665201618 made the default agent shipped the one with policy support. However, we simply didn't update the rootfs to reflect that, causing then an issue to start the agent as shown by the strace below:

```
open("/etc/kata-opa/default-policy.rego", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
futex(0x7f401eba0c28, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
tkill(553681, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=553681, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
```

This happens as the default policy **must** be set when the agent is built with policy support, but the code path that copies that into the rootfs is only triggered if the rootfs itself is built with AGENT_POLICY=yes, which we're now doing for both confidential and non-confidential cases.

Sadly this was not caught by CI till we the cache was not used for rootfs, which should be solved by the previous commit.

Fixes: #9630, #9631
Signed-off-by: Fabiano FidĂȘncio
---
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index e355721d98..bc3c9944ad 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -326,13 +326,13 @@ install_image() {
 fi
 export AGENT_TARBALL=$(get_agent_tarball_path)
+ export AGENT_POLICY=yes
 "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 #Install guest image for confidential guests
 install_image_confidential() {
- export AGENT_POLICY=yes
 export MEASURED_ROOTFS=yes
 export PULL_TYPE=default
 install_image "confidential"
@@ -396,13 +396,13 @@ install_initrd() {
 fi
 export AGENT_TARBALL=$(get_agent_tarball_path)
+ export AGENT_POLICY=yes
 "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 #Install guest initrd for confidential guests
 install_initrd_confidential() {
- export AGENT_POLICY=yes
 export MEASURED_ROOTFS=yes
 export PULL_TYPE=default
 install_initrd "confidential"
@@ -410,7 +410,6 @@ install_initrd_confidential() {
 #Install Mariner guest initrd
 install_initrd_mariner() {
- export AGENT_POLICY=yes
 install_initrd "mariner"
 }
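Review bot: The new `export AGENT_POLICY=yes` in install_image() (and its twin in install_initrd()) is a bare hard-coded constant with no comment, even though the commit message is the only place that records why it is mandatory — the default agent tarball is now built with policy support and aborts at start-up when /etc/kata-opa/default-policy.rego is absent from the rootfs, and the rootfs builder only copies that file when AGENT_POLICY=yes — so a later cleanup that notices the same line in both functions may well fold it back into the confidential-only helpers. I would put a why-comment directly above the export in both functions, e.g. `# The default agent tarball is built with policy support; the rootfs builder only ships the default policy when AGENT_POLICY=yes, and without it the agent aborts at start-up (see #9630, #9631).` It is also worth a word in that comment that `export` inside the function changes the environment for everything run afterwards in this process, which is what now lets install_image_confidential()/install_initrd_confidential()/install_initrd_mariner() inherit the value after their own exports were removed. install_image() and install_initrd() both begin outside their hunks, and install_image_confidential()/install_initrd_confidential() run past the hunk ends, so the placement of the comment relative to the tarball lookup could not be checked here.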