Merge pull request #9559 from fidencio/topic/remove-opa-stuff

rootfs: Stop building and shipping OPA

src/kata-opa/kata-opa.service.in

@@ -1,29 +0,0 @@
-#
-# Copyright (c) 2023 Microsoft Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-[Unit]
-Description=Open Policy Agent for Kata Containers
-Documentation=https://github.com/kata-containers
-ConditionPathExists=@SETTINGSDIR@/default-policy.rego
-
-# kata-agent connects to OPA while starting up.
-Before=kata-agent.service
-
-[Service]
-Type=simple
-ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
-DynamicUser=yes
-RuntimeDirectory=kata-opa
-LimitNOFILE=1048576
-
-# Don't restart because there may be an active policy that would be lost.
-Restart=no
-
-# Send log output to tty to allow capturing debug logs from a VM vsock port.
-StandardError=tty
-
-# Discourage OOM-killer from touching the policy service.
-OOMScoreAdjust=-997

tools/osbuilder/rootfs-builder/cbl-mariner/config.sh

@@ -8,4 +8,3 @@ LIBC="gnu"
 PACKAGES="core-packages-base-image ca-certificates"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
-[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -548,38 +548,6 @@ prepare_overlay()
 	popd  > /dev/null
 }
 
-build_opa_from_source()
-{
-	local opa_repo_url=$1
-	opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
-
-	export PATH="$PATH:/usr/local/go/bin"
-	export GOOS="${TARGET_OS}"
-	[ ${CROSS_BUILD} == "yes" ] && export GOARCH="${TARGET_ARCH}" || export GOARCH="$(uname -m)"
-
-	current_dir="$(pwd)"
-	pushd $(mktemp -d) &>/dev/null
-	git clone -b "${opa_version}" "${opa_repo_url}" opa || return 1
-	(
-		cd opa
-		export WASM_ENABLED=0
-		export DOCKER_RUNNING=0
-		make ci-build-linux-static || return 1
-
-		info "Copy OPA binary to ${current_dir}/opa"
-		binary_name="_release/${opa_version##v}/opa_${GOOS}_${GOARCH}_static"
-		if [ -f "${binary_name}" ]; then
-			cp "${binary_name}" "${current_dir}/opa"
-		else
-			echo "OPA binary ${binary_name} not found"
-			return 1
-		fi
-	)
-	rm -rf opa
-	popd &>/dev/null
-	return 0
-}
-
 # Setup an existing rootfs directory, based on the OPTIONAL distro name
 # provided as argument
 setup_rootfs()
@@ -738,44 +706,6 @@ EOF
 	fi
 
 	if [ "${AGENT_POLICY}" == "yes" ]; then
-		# Setup systemd-based environment for kata-opa.
-		local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")"
-		if [ -z "${opa_bin_dir}" ]; then
-			# OPA was not installed already, so download it here.
-			#
-			# TODO: if an OPA package is not available for the Guest image distro,
-			#   	Kata should cache the OPA source code, toolchain information, etc.
-			#   	OPA should be built from the cached source code instead of downloading
-			#   	this binary.
-			#
-			local opa_repo_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.url)"
-			local opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
-			if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
-				info "Building OPA binary from source at ${opa_repo_url}"
-				build_opa_from_source "${opa_repo_url}" || die "Failed to build OPA"
-			else
-				local opa_binary_arch
-				case ${ARCH} in
-					x86_64) opa_binary_arch="amd64" ;;
-					aarch64) opa_binary_arch="arm64" ;;
-					*) die "Unsupported architecture for the OPA binary" ;;
-				esac
-
-				local opa_bin_url="${opa_repo_url}/releases/download/${opa_version}/opa_linux_${opa_binary_arch}_static"
-				info "Downloading OPA binary from ${opa_bin_url}"
-				curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA"
-			fi
-
-			# Install the OPA binary.
-			opa_bin_dir="/usr/local/bin"
-			local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa"
-			info "Installing OPA binary to ${opa_bin}"
-			install -D -o root -g root -m 0755 opa -T "${opa_bin}"
-			${stripping_tool} ${ROOTFS_DIR}${opa_bin_dir}/opa
-		else
-			info "OPA binary already exists in ${opa_bin_dir}"
-		fi
-
 		# Install default settings for the kata-opa service.
 		local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
 		local opa_settings_dir="/etc/kata-opa"
@@ -784,25 +714,6 @@ EOF
 		mkdir -p "${policy_dir}"
 		install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}"
 		ln -sf "${policy_file}" "${policy_dir}/default-policy.rego"
-
-		if [ "${AGENT_INIT}" == "yes" ]; then
-			info "OPA will be started by the kata agent"
-		else
-			# Install the unit file for the kata-opa service.
-			local kata_opa_unit="kata-opa.service"
-			local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}"
-			local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
-
-			opa_settings_dir="${opa_settings_dir//\//\\/}"
-			sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}"
-
-			opa_bin_dir="${opa_bin_dir//\//\\/}"
-			sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}"
-
-			install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}"
-			mkdir -p "${kata_containers_wants}"
-			ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}"
-		fi
 	fi
 
 	info "Check init is installed"
@@ -832,24 +743,6 @@ EOF
 	create_summary_file "${ROOTFS_DIR}"
 }
 
-get_opa_bin_dir()
-{
-	local rootfs_dir="$1"
-	local -a bin_dirs=(
-		"/bin"
-		"/usr/bin"
-		"/usr/local/bin"
-	)
-	for bin_dir in "${bin_dirs[@]}"
-	do
-		local opa_bin="${rootfs_dir}${bin_dir}/opa"
-		if [ -f "${opa_bin}" ]; then
-			echo "${bin_dir}"
-			return 0
-		fi
-	done
-}
-
 parse_arguments()
 {
 	[ "$#" -eq 0 ] && usage && return 0

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in

@@ -6,7 +6,6 @@ ARG IMAGE_REGISTRY=docker.io
 FROM ${IMAGE_REGISTRY}/ubuntu:@OS_VERSION@
 @SET_PROXY@
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # makedev tries to mknod from postinst
 RUN [ -x /usr/bin/systemd-detect-virt ] || ( echo "echo docker" >/usr/bin/systemd-detect-virt && chmod +x /usr/bin/systemd-detect-virt )
 # hadolint ignore=DL3009,SC2046
@@ -30,9 +29,7 @@ RUN apt-get update && \
     multistrap \
     musl-tools \
     protobuf-compiler \
-    xz-utils && \
-    ( go_version="@GO_VERSION@" && [ "${go_version}" = "" ] || ( \
-    echo "Installing go @GO_VERSION@" && curl -sSL "https://golang.org/dl/go@GO_VERSION@.linux-@ARCH@.tar.gz" | tar -xz -C /usr/local ))
+    xz-utils
 # aarch64 requires this name -- link for all
 RUN if [ ! -f "/usr/bin/$(uname -m)-linux-musl-gcc" ]; then ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"; fi
 

tools/osbuilder/scripts/lib.sh

@@ -237,7 +237,6 @@ RUN . /root/.cargo/env; cargo install cargo-when
 	sed \
 		-e "s#@OS_VERSION@#${OS_VERSION:-}#g" \
 		-e "s#@ARCH@#$ARCH#g" \
-		-e "s#@GO_VERSION@#$GO_VERSION#g" \
 		-e "s#@INSTALL_RUST@#${install_rust//$'\n'/\\n}#g" \
 		-e "s#@SET_PROXY@#${set_proxy:-}#g" \
 		Dockerfile.in > Dockerfile

tools/packaging/guest-image/build_image.sh

@@ -47,8 +47,7 @@ build_initrd() {
 		AGENT_POLICY="${AGENT_POLICY:-}" \
 		PULL_TYPE="${PULL_TYPE:-default}" \
 		COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
-		PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
-		GO_VERSION="${GO_VERSION:-}"
+		PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
 	mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}"
 	(
 		cd "${install_dir}"
@@ -70,8 +69,7 @@ build_image() {
 		AGENT_POLICY="${AGENT_POLICY:-}" \
 		PULL_TYPE="${PULL_TYPE:-default}" \
 		COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
-		PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
-		GO_VERSION="${GO_VERSION:-}"
+		PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
 	mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
 	if [ -e "root_hash.txt" ]; then
 	    cp root_hash.txt "${install_dir}/"

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -315,11 +315,6 @@ install_image() {
 		if [ "${variant}" == "confidential" ]; then
 			export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 			export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
-			# GO_VERSION should be exported to install the package in ubuntu-rootfs-osbuilder
-			# This is necessary for installing opa from the source for s390x and ppc64le
-			if [ "${AGENT_POLICY}" == "yes" ] && [ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]; then
-				export GO_VERSION=$(get_from_kata_deps "languages.golang.meta.newest-version")
-			fi
 		fi
 	else
 		os_name="$(get_from_kata_deps "assets.image.architecture.${ARCH}.name")"
@@ -389,11 +384,6 @@ install_initrd() {
 		if [ "${variant}" == "confidential" ]; then
 			export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 			export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
-			# GO_VERSION should be exported to install the package in ubuntu-rootfs-osbuilder
-			# This is necessary for installing opa from the source for s390x and ppc64le
-			if [ "${AGENT_POLICY}" == "yes" ] && [ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]; then
-				export GO_VERSION=$(get_from_kata_deps "languages.golang.meta.newest-version")
-			fi
 		fi
 	else
 		os_name="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.name")"

versions.yaml

@@ -324,11 +324,6 @@ externals:
     url: "https://github.com/containerd/nydus-snapshotter"
     version: "v0.13.11"
 
-  open-policy-agent:
-    description: "Open Policy Agent"
-    url: "https://github.com/open-policy-agent/opa"
-    version: "v0.55.0"
-
   ovmf:
     description: "Firmware, implementation of UEFI for virtual machines."
     url: "https://github.com/tianocore/edk2"