From 7dd2fde22d9b5056e4b36931ee8f45edb2309c75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 26 Apr 2024 10:47:59 +0200
Subject: [PATCH 1/2] Revert "rootfs: Make OPA build working in docker for s390x and ppc64le"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit d523e865c01d1dc047c203a89a3a448b538af458, as we will not depend on the OPA binary anymore.
Signed-off-by: Fabiano FidĂȘncio
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 9 +++++----
 tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in | 5 +----
 tools/osbuilder/scripts/lib.sh | 1 -
 tools/packaging/guest-image/build_image.sh | 6 ++----
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 10 ----------
 5 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 13b1d3d25c..5fed5a0b7e 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -553,9 +553,10 @@ build_opa_from_source()
 local opa_repo_url=$1
 opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
- export PATH="$PATH:/usr/local/go/bin"
- export GOOS="${TARGET_OS}"
- [ ${CROSS_BUILD} == "yes" ] && export GOARCH="${TARGET_ARCH}" || export GOARCH="$(uname -m)"
+ if [ ${CROSS_BUILD} == "yes" ]; then
+ export GOOS="${TARGET_OS}"
+ export GOARCH="${TARGET_ARCH}}"
+ fi
 current_dir="$(pwd)"
 pushd $(mktemp -d) &>/dev/null
@@ -564,7 +565,7 @@ build_opa_from_source()
 cd opa
 export WASM_ENABLED=0
 export DOCKER_RUNNING=0
- make ci-build-linux-static || return 1
+ make ci-go-ci-build-linux-static || return 1
 info "Copy OPA binary to ${current_dir}/opa"
 binary_name="_release/${opa_version##v}/opa_${GOOS}_${GOARCH}_static"
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
index 4dc2fe6003..9c9c03a2d3 100644
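Review bot: The restored line `export GOARCH="${TARGET_ARCH}}"` in the first hunk carries a stray closing brace, so on a cross build GOARCH gets a literal `}` appended (e.g. `s390x}`), and `binary_name` in the second hunk, which is built from `${GOOS}_${GOARCH}`, will then not match what the OPA build actually produces; it should read `export GOARCH="${TARGET_ARCH}"`. Because the hunk also drops the unconditional GOOS/GOARCH exports, a non-cross build now depends on those two variables coming from the caller's environment, and `binary_name` silently inherits whatever they hold. Patch 2/2 of this series deletes build_opa_from_source altogether, so this only matters if the revert lands on its own. build_opa_from_source continues outside both hunks.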
--- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
@@ -6,7 +6,6 @@ ARG IMAGE_REGISTRY=docker.io
 FROM ${IMAGE_REGISTRY}/ubuntu:@OS_VERSION@
 @SET_PROXY@
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # makedev tries to mknod from postinst
 RUN [ -x /usr/bin/systemd-detect-virt ] || ( echo "echo docker" >/usr/bin/systemd-detect-virt && chmod +x /usr/bin/systemd-detect-virt )
 # hadolint ignore=DL3009,SC2046
@@ -30,9 +29,7 @@ RUN apt-get update && \
 multistrap \
 musl-tools \
 protobuf-compiler \
- xz-utils && \
- ( go_version="@GO_VERSION@" && [ "${go_version}" = "" ] || ( \
- echo "Installing go @GO_VERSION@" && curl -sSL "https://golang.org/dl/go@GO_VERSION@.linux-@ARCH@.tar.gz" | tar -xz -C /usr/local ))
+ xz-utils
 # aarch64 requires this name -- link for all
 RUN if [ ! -f "/usr/bin/$(uname -m)-linux-musl-gcc" ]; then ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"; fi
diff --git a/tools/osbuilder/scripts/lib.sh b/tools/osbuilder/scripts/lib.sh
index 3316a35c97..615ff10a95 100644
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@@ -237,7 +237,6 @@ RUN . /root/.cargo/env; cargo install cargo-when
 sed \
 -e "s#@OS_VERSION@#${OS_VERSION:-}#g" \
 -e "s#@ARCH@#$ARCH#g" \
- -e "s#@GO_VERSION@#$GO_VERSION#g" \
 -e "s#@INSTALL_RUST@#${install_rust//$'\n'/\\n}#g" \
 -e "s#@SET_PROXY@#${set_proxy:-}#g" \
 Dockerfile.in > Dockerfile
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index 68b8b5b8e3..9ce5065c94 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
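Review bot: Removing `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` in the first Dockerfile.in hunk goes further than undoing the Go install: without it, a pipeline in any later RUN instruction (none is visible in this hunk, so this is inferred from the rest of the file) reports only the status of its last command, so a failed download or extraction on the left of a pipe would go unnoticed and the image would be built from partial output. The directive is harmless on its own and hadolint flags RUN pipelines without it (DL4006), so it would be reasonable to keep that single line even though the reverted commit introduced it. The second hunk, which drops the `curl ... | tar` Go install, is the part that actually needs reverting.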
@@ -47,8 +47,7 @@ build_initrd() {
 AGENT_POLICY="${AGENT_POLICY:-}" \
 PULL_TYPE="${PULL_TYPE:-default}" \
 COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
- PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
- GO_VERSION="${GO_VERSION:-}"
+ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
 mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}"
 (
 cd "${install_dir}"
@@ -70,8 +69,7 @@ build_image() {
 AGENT_POLICY="${AGENT_POLICY:-}" \
 PULL_TYPE="${PULL_TYPE:-default}" \
 COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
- PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
- GO_VERSION="${GO_VERSION:-}"
+ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
 mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
 if [ -e "root_hash.txt" ]; then
 cp root_hash.txt "${install_dir}/"
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 3e178eb9a2..d4bb8b6cd6 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -315,11 +315,6 @@ install_image() {
 if [ "${variant}" == "confidential" ]; then
 export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
- # GO_VERSION should be exported to install the package in ubuntu-rootfs-osbuilder
- # This is necessary for installing opa from the source for s390x and ppc64le
- if [ "${AGENT_POLICY}" == "yes" ] && [ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]; then
- export GO_VERSION=$(get_from_kata_deps "languages.golang.meta.newest-version")
- fi
 fi
 else
 os_name="$(get_from_kata_deps "assets.image.architecture.${ARCH}.name")"
@@ -389,11 +384,6 @@ install_initrd() {
 if [ "${variant}" == "confidential" ]; then
 export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
 export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
- # GO_VERSION should be exported to install the package in ubuntu-rootfs-osbuilder
- # This is necessary for installing opa from the source for s390x and ppc64le
- if [ "${AGENT_POLICY}" == "yes" ] && [ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]; then
- export GO_VERSION=$(get_from_kata_deps "languages.golang.meta.newest-version")
- fi
 fi
 else
 os_name="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.name")"
From fe21d7a58b242806f7048a9b61898b7661ad9b0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 25 Apr 2024 22:37:35 +0200
Subject: [PATCH 2/2] rootfs: Stop building and shipping OPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since OPA binary was replaced by the regorus crate, we can finally stop building and shipping the binary.
Signed-off-by: Fabiano FidĂȘncio
---
 src/kata-opa/kata-opa.service.in | 29 -----
 .../rootfs-builder/cbl-mariner/config.sh | 1 -
 tools/osbuilder/rootfs-builder/rootfs.sh | 108 ------------------
 versions.yaml | 5 -
 4 files changed, 143 deletions(-)
 delete mode 100644 src/kata-opa/kata-opa.service.in
diff --git a/src/kata-opa/kata-opa.service.in b/src/kata-opa/kata-opa.service.in
deleted file mode 100644
index acb24d941a..0000000000
--- a/src/kata-opa/kata-opa.service.in
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Copyright (c) 2023 Microsoft Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-[Unit]
-Description=Open Policy Agent for Kata Containers
-Documentation=https://github.com/kata-containers
-ConditionPathExists=@SETTINGSDIR@/default-policy.rego
-
-# kata-agent connects to OPA while starting up.
-Before=kata-agent.service
-
-[Service]
-Type=simple
-ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
-DynamicUser=yes
-RuntimeDirectory=kata-opa
-LimitNOFILE=1048576
-
-# Don't restart because there may be an active policy that would be lost.
-Restart=no
-
-# Send log output to tty to allow capturing debug logs from a VM vsock port.
-StandardError=tty
-
-# Discourage OOM-killer from touching the policy service.
-OOMScoreAdjust=-997
diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
index aeea90278a..694124acd6 100644
--- a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
@@ -8,4 +8,3 @@ LIBC="gnu"
 PACKAGES="core-packages-base-image ca-certificates"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
-[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 5fed5a0b7e..210ca24358 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -548,39 +548,6 @@ prepare_overlay()
 popd > /dev/null
 }
-build_opa_from_source()
-{
- local opa_repo_url=$1
- opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
-
- if [ ${CROSS_BUILD} == "yes" ]; then
- export GOOS="${TARGET_OS}"
- export GOARCH="${TARGET_ARCH}}"
- fi
-
- current_dir="$(pwd)"
- pushd $(mktemp -d) &>/dev/null
- git clone -b "${opa_version}" "${opa_repo_url}" opa || return 1
- (
- cd opa
- export WASM_ENABLED=0
- export DOCKER_RUNNING=0
- make ci-go-ci-build-linux-static || return 1
-
- info "Copy OPA binary to ${current_dir}/opa"
- binary_name="_release/${opa_version##v}/opa_${GOOS}_${GOARCH}_static"
- if [ -f "${binary_name}" ]; then
- cp "${binary_name}" "${current_dir}/opa"
- else
- echo "OPA binary ${binary_name} not found"
- return 1
- fi
- )
- rm -rf opa
- popd &>/dev/null
- return 0
-}
-
 # Setup an existing rootfs directory, based on the OPTIONAL distro name
 # provided as argument
 setup_rootfs()
@@ -739,44 +706,6 @@ EOF
 fi
 if [ "${AGENT_POLICY}" == "yes" ]; then
- # Setup systemd-based environment for kata-opa.
- local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")"
- if [ -z "${opa_bin_dir}" ]; then
- # OPA was not installed already, so download it here.
- #
- # TODO: if an OPA package is not available for the Guest image distro,
- # Kata should cache the OPA source code, toolchain information, etc.
- # OPA should be built from the cached source code instead of downloading
- # this binary.
- #
- local opa_repo_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.url)"
- local opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
- if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
- info "Building OPA binary from source at ${opa_repo_url}"
- build_opa_from_source "${opa_repo_url}" || die "Failed to build OPA"
- else
- local opa_binary_arch
- case ${ARCH} in
- x86_64) opa_binary_arch="amd64" ;;
- aarch64) opa_binary_arch="arm64" ;;
- *) die "Unsupported architecture for the OPA binary" ;;
- esac
-
- local opa_bin_url="${opa_repo_url}/releases/download/${opa_version}/opa_linux_${opa_binary_arch}_static"
- info "Downloading OPA binary from ${opa_bin_url}"
- curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA"
- fi
-
- # Install the OPA binary.
- opa_bin_dir="/usr/local/bin"
- local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa"
- info "Installing OPA binary to ${opa_bin}"
- install -D -o root -g root -m 0755 opa -T "${opa_bin}"
- ${stripping_tool} ${ROOTFS_DIR}${opa_bin_dir}/opa
- else
- info "OPA binary already exists in ${opa_bin_dir}"
- fi
-
 # Install default settings for the kata-opa service.
 local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
 local opa_settings_dir="/etc/kata-opa"
@@ -785,25 +714,6 @@ EOF
 mkdir -p "${policy_dir}"
 install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}"
 ln -sf "${policy_file}" "${policy_dir}/default-policy.rego"
-
- if [ "${AGENT_INIT}" == "yes" ]; then
- info "OPA will be started by the kata agent"
- else
- # Install the unit file for the kata-opa service.
- local kata_opa_unit="kata-opa.service"
- local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}"
- local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
-
- opa_settings_dir="${opa_settings_dir//\//\\/}"
- sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}"
-
- opa_bin_dir="${opa_bin_dir//\//\\/}"
- sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}"
-
- install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}"
- mkdir -p "${kata_containers_wants}"
- ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}"
- fi
 fi
 info "Check init is installed"
@@ -833,24 +743,6 @@ EOF
 create_summary_file "${ROOTFS_DIR}"
 }
-get_opa_bin_dir()
-{
- local rootfs_dir="$1"
- local -a bin_dirs=(
- "/bin"
- "/usr/bin"
- "/usr/local/bin"
- )
- for bin_dir in "${bin_dirs[@]}"
- do
- local opa_bin="${rootfs_dir}${bin_dir}/opa"
- if [ -f "${opa_bin}" ]; then
- echo "${bin_dir}"
- return 0
- fi
- done
-}
-
 parse_arguments()
 {
 [ "$#" -eq 0 ] && usage && return 0
diff --git a/versions.yaml b/versions.yaml
index 635046621c..f2e837eda0 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -324,11 +324,6 @@ externals:
 url: "https://github.com/containerd/nydus-snapshotter"
 version: "v0.13.11"
- open-policy-agent:
- description: "Open Policy Agent"
- url: "https://github.com/open-policy-agent/opa"
- version: "v0.55.0"
-
 ovmf:
 description: "Firmware, implementation of UEFI for virtual machines."
 url: "https://github.com/tianocore/edk2"