From 58874f9c3e147198d63a111fb7c2cc411f12cf88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 14:10:22 +0100 Subject: [PATCH 1/9] packaging: tools: Add the arch to the builder container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This has been missed during reviews and will become a problem when the tools start to be built in different architectures. Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 7e8fe05275..f7259b4c5f 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -207,7 +207,7 @@ get_tools_image_name() { libs_dir="${repo_root_dir}/src/libs" agent_dir="${repo_root_dir}/src/agent" - echo "${BUILDER_REGISTRY}:tools-$(get_last_modification ${tools_dir})-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" + echo "${BUILDER_REGISTRY}:tools-$(get_last_modification ${tools_dir})-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)" } get_agent_image_name() { From 1039641ab8794a63f16186c87e61e02637884bae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 14:11:14 +0100 Subject: [PATCH 2/9] packaging: agent: Add the arch to the builder container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This has been missed during reviews and is already a problem as we're trying to build the agent outside of the rootfs for other architectures than x86_64. Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index f7259b4c5f..7311fb9a0b 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh 
@@ -214,5 +214,5 @@ get_agent_image_name() { libs_dir="${repo_root_dir}/src/libs" agent_dir="${repo_root_dir}/src/agent" - echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" + echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)" } From 5b0d0687e5963d8aa2c116a7c56abc740fcc78c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 17:06:57 +0100 Subject: [PATCH 3/9] packaging: agent: Allow building in all arches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're moving away from alpine and using ubuntu in order to be able to build the agent for all the architectures we need. Signed-off-by: Fabiano Fidêncio --- .gitignore | 1 + .../kata-deploy/local-build/Makefile | 7 ++-- .../local-build/kata-deploy-binaries.sh | 5 +++ .../kata-deploy-copy-libseccomp-installer.sh | 22 ++++++++++++ tools/packaging/static-build/agent/Dockerfile | 35 +++++++++++-------- .../static-build/agent/build-static-agent.sh | 29 ++++++++++++--- tools/packaging/static-build/agent/build.sh | 4 +++ 7 files changed, 81 insertions(+), 22 deletions(-) create mode 100755 tools/packaging/kata-deploy/local-build/kata-deploy-copy-libseccomp-installer.sh diff --git a/.gitignore b/.gitignore index 29d21ac6de..fd1452f7bf 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ src/agent/protocols/src/*.rs !src/agent/protocols/src/lib.rs build src/tools/log-parser/kata-log-parser +tools/packaging/static-build/agent/install_libseccomp.sh diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index ee907f16a6..901500ae3c 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
@@ -64,6 +64,9 @@ kata-tarball: | all-parallel merge-builds $(MK_DIR)/dockerbuild/install_yq.sh: $(MK_DIR)/kata-deploy-copy-yq-installer.sh +copy-scripts-for-the-agent-build: + ${MK_DIR}/kata-deploy-copy-libseccomp-installer.sh + all-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) all -j $(shell nproc ${CI:+--ignore 1}) V= @@ -76,10 +79,10 @@ serial-targets: %-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh $(call BUILD,$*) -agent-tarball: +agent-tarball: copy-scripts-for-the-agent-build ${MAKE} $@-build -agent-opa-tarball: +agent-opa-tarball: copy-scripts-for-the-agent-build ${MAKE} $@-build agent-ctl-tarball: diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index b56ee79e63..fe598f5037 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -681,6 +681,11 @@ install_agent_helper() { "${final_tarball_path}" \ && return 0 + export LIBSECCOMP_VERSION="$(get_from_kata_deps "externals.libseccomp.version")" + export LIBSECCOMP_URL="$(get_from_kata_deps "externals.libseccomp.url")" + export GPERF_VERSION="$(get_from_kata_deps "externals.gperf.version")" + export GPERF_URL="$(get_from_kata_deps "externals.gperf.url")" + info "build static agent" DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}" } diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-copy-libseccomp-installer.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-copy-libseccomp-installer.sh new file mode 100755 index 0000000000..e52f369e04 --- /dev/null +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-copy-libseccomp-installer.sh 
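Review bot: The four added `export VAR="$(get_from_kata_deps ...)"` lines in install_agent_helper discard the exit status of get_from_kata_deps, because `export` itself succeeds. A failed lookup would leave an empty version or URL that only surfaces later inside the builder container. Assigning first and exporting afterwards keeps the failure visible, e.g. `LIBSECCOMP_VERSION="$(get_from_kata_deps "externals.libseccomp.version")"` followed by `export LIBSECCOMP_VERSION`, and the same for the other three. install_agent_helper starts outside the hunk.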
@@ -0,0 +1,22 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2024 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +[ -z "${DEBUG}" ] || set -x +set -o errexit +set -o nounset +set -o pipefail +set -o errtrace + +script_dir=$(dirname "$(readlink -f "$0")") +install_libseccomp_script_src="${script_dir}/../../../../ci/install_libseccomp.sh" +install_libseccomp_script_dest="${script_dir}/../../static-build/agent/install_libseccomp.sh" + +cp "${install_libseccomp_script_src}" "${install_libseccomp_script_dest}" + +# We don't have to import any other file, as we're passing +# the env vars needed for installing libseccomp and gperf. +sed -i -e '/^source.*$/d' ${install_libseccomp_script_dest} diff --git a/tools/packaging/static-build/agent/Dockerfile b/tools/packaging/static-build/agent/Dockerfile index c72104cb59..517b957214 100644 --- a/tools/packaging/static-build/agent/Dockerfile +++ b/tools/packaging/static-build/agent/Dockerfile @@ -2,20 +2,25 @@ # # SPDX-License-Identifier: Apache-2.0 -FROM alpine:3.18 +FROM ubuntu:22.04 ARG RUST_TOOLCHAIN -SHELL ["/bin/ash", "-o", "pipefail", "-c"] -RUN apk --no-cache add \ - bash \ - curl \ - gcc \ - git \ - libcap-ng-static \ - libseccomp-static \ - make \ - musl-dev \ - openssl-dev \ - openssl-libs-static \ - protoc && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} +COPY install_libseccomp.sh /usr/bin/install_libseccomp.sh + +ENV DEBIAN_FRONTEND=noninteractive + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN apt-get update && \ + apt-get --no-install-recommends -y install \ + ca-certificates \ + curl \ + g++ \ + gcc \ + libssl-dev \ + make \ + musl-tools \ + openssl \ + perl \ + protobuf-compiler && \ + apt-get clean && rm -rf /var/lib/apt/lists/ && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} 
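Review bot: The final `sed -i` call in the new script passes `${install_libseccomp_script_dest}` unquoted, while the `cp` above it quotes the same variable. A checkout path containing whitespace would be split into several arguments. Quote it: `sed -i -e '/^source.*$/d' "${install_libseccomp_script_dest}"`. The pattern also deletes every line that starts with `source`, so a short comment naming which `source` lines of ci/install_libseccomp.sh are expected to be removed would help whoever edits that script later.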
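Review bot: The new `FROM ubuntu:22.04` is pinned by tag only, and the `curl ... https://sh.rustup.rs | sh` step at the end of the RUN runs whatever that endpoint serves at image-build time. Two builds of the same commit can therefore produce different builder images. Since this image builds the agent that ends up in the guest rootfs, consider pinning the base by digest, `FROM ubuntu:22.04@sha256:<digest-placeholder>`, and adding a comment that the rustup installer is trusted on TLS alone. `ARG RUST_TOOLCHAIN` has no default, so an unset build arg leaves `--default-toolchain` without a value.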
diff --git a/tools/packaging/static-build/agent/build-static-agent.sh b/tools/packaging/static-build/agent/build-static-agent.sh index 1d7389c33a..2646cbb089 100755 --- a/tools/packaging/static-build/agent/build-static-agent.sh +++ b/tools/packaging/static-build/agent/build-static-agent.sh @@ -15,13 +15,30 @@ source "${script_dir}/../../scripts/lib.sh" init_env() { source "$HOME/.cargo/env" - export LIBC=musl + ARCH=$(uname -m) + rust_arch="" + case ${ARCH} in + "aarch64") + export LIBC=musl + rust_arch=${ARCH} + ;; + "ppc64le") + export LIBC=gnu + rust_arch="powerpc64le" + ;; + "x86_64") + export LIBC=musl + rust_arch=${ARCH} + ;; + "s390x") + export LIBC=gnu + rust_arch=${ARCH} + ;; + esac + rustup target add ${rust_arch}-unknown-linux-${LIBC} + export LIBSECCOMP_LINK_TYPE=static export LIBSECCOMP_LIB_PATH=/usr/lib - - # This is needed to workaround - # https://github.com/sfackler/rust-openssl/issues/1624 - export OPENSSL_NO_VENDOR=Y } build_agent_from_source() { @@ -29,6 +46,8 @@ build_agent_from_source() { init_env + /usr/bin/install_libseccomp.sh /usr /usr + cd src/agent DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install diff --git a/tools/packaging/static-build/agent/build.sh b/tools/packaging/static-build/agent/build.sh index d847092e4d..870c054e45 100755 --- a/tools/packaging/static-build/agent/build.sh +++ b/tools/packaging/static-build/agent/build.sh @@ -26,6 +26,10 @@ sudo docker pull ${container_image} || \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ --env DESTDIR=${DESTDIR} \ --env AGENT_POLICY=${AGENT_POLICY:-no} \ + --env LIBSECCOMP_VERSION=${LIBSECCOMP_VERSION} \ + --env LIBSECCOMP_URL=${LIBSECCOMP_URL} \ + --env GPERF_VERSION=${GPERF_VERSION} \ + --env GPERF_URL=${GPERF_URL} \ -w "${repo_root_dir}" \ "${container_image}" \ bash -c "${agent_builder}" From 8307718842e22fe091f595cf27813a4fa9dd8166 Mon Sep 17 00:00:00 2001 
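Review bot: The new `case ${ARCH}` in init_env has no default branch, so on any architecture other than the four listed `rust_arch` stays empty and LIBC is not set by this function. The following line then calls `rustup target add` with a malformed target triple. Add an explicit failure, e.g. `*) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;;`. Quoting the argument as `"${rust_arch}-unknown-linux-${LIBC}"` on the rustup line would match.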
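Review bot: The four added `--env` arguments in build.sh expand `${LIBSECCOMP_VERSION}`, `${LIBSECCOMP_URL}`, `${GPERF_VERSION}` and `${GPERF_URL}` unquoted and without a default, unlike `AGENT_POLICY` just above, which uses `:-no`. These variables are exported by install_agent_helper in kata-deploy-binaries.sh, so running build.sh on its own passes empty values into the container (or aborts if nounset is active, which is not visible here). Failing early makes the requirement explicit: `--env LIBSECCOMP_VERSION="${LIBSECCOMP_VERSION:?}" \` and likewise for the other three.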
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 11:58:11 +0100 Subject: [PATCH 4/9] rootfs: Add AGENT_TARBALL env var MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This env var will serve us to pass the agent tarball to the rootfs builder, which will then just unpack the content into the rootfs instead of building the agent again. AGENT_TARBALL and AGENT_SOURCE_BIN should never be used together. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 30 +++++++++++++++++++----- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 0a37cf5210..186a4a1802 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -125,6 +125,14 @@ AGENT_INIT When set to "yes", use ${AGENT_BIN} as init process in place AGENT_SOURCE_BIN Path to the directory of agent binary. If set, use the binary as agent but not build agent package. + AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether. + Default value: + +AGENT_TARBALL Path to the kata-agent.tar.xz tarball to be unpacked inside the + rootfs. + If set, this will take the priority and will be used instead of + building the agent. + AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether. Default value: AGENT_VERSION Version of the agent to include in the rootfs. 
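Review bot: Both added usage lines spell the word as `toghether`, while the die message added to build_rootfs_distro in this same patch uses `together`. In the AGENT_SOURCE_BIN and the AGENT_TARBALL entries the line should read `AGENT_SOURCE_BIN and AGENT_TARBALL should never be used together.`. The usage text starts and ends outside the hunk.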
@@ -419,14 +427,22 @@ build_rootfs_distro() engine_run_args+=" --ulimit nofile=262144:262144" engine_run_args+=" --runtime ${DOCKER_RUNTIME}" - if [ -z "${AGENT_SOURCE_BIN}" ] ; then - engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" - else + if [ -n "${AGENT_SOURCE_BIN}" ] && [ -n "${AGENT_TARBALL}" ]; then + die "AGENT_SOURCE_BIN and AGENT_TARBALL should never be used together!" + fi + + if [ -n "${AGENT_SOURCE_BIN}" ] ; then engine_run_args+=" --env AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN}" engine_run_args+=" -v ${AGENT_SOURCE_BIN}:${AGENT_SOURCE_BIN}" - engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" fi + if [ -n "${AGENT_TARBALL}" ] ; then + engine_run_args+=" --env AGENT_TARBALL=${AGENT_TARBALL}" + engine_run_args+=" -v $(dirname ${AGENT_TARBALL}):$(dirname ${AGENT_TARBALL})" + fi + + engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" + engine_run_args+=" $(docker_extra_args $distro)" # Relabel volumes so SELinux allows access (see docker-run(1)) @@ -630,7 +646,7 @@ EOF AGENT_DIR="${ROOTFS_DIR}/usr/bin" AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}" - if [ -z "${AGENT_SOURCE_BIN}" ] ; then + if [ -z "${AGENT_SOURCE_BIN}" ] && [ -z "${AGENT_TARBALL}" ] ; then test -r "${HOME}/.cargo/env" && source "${HOME}/.cargo/env" # rust agent needs ${arch}-unknown-linux-${LIBC} if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then @@ -669,10 +685,12 @@ EOF rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" fi popd - else + elif [ "${AGENT_SOURCE_BIN}" ]; then mkdir -p ${AGENT_DIR} cp ${AGENT_SOURCE_BIN} ${AGENT_DEST} OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}" + else + tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR} fi [ -x "${AGENT_DEST}" ] || die "${AGENT_DEST} is not installed in ${ROOTFS_DIR}" From f23451de01ecf815d29e8b67e77ac7f299d14b87 Mon Sep 17 00:00:00 2001 
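Review bot: The AGENT_TARBALL branch bind-mounts the tarball's whole parent directory into the build container via `-v $(dirname ${AGENT_TARBALL}):$(dirname ${AGENT_TARBALL})`, exposing everything else in that directory although only one file is read. Mounting just the file, read-only if the SELinux relabel step further down allows it, keeps the container's view minimal: `engine_run_args+=" -v ${AGENT_TARBALL}:${AGENT_TARBALL}:ro"`. A relative AGENT_TARBALL would not give a valid bind-mount source either, so resolving it first with `readlink -f` is worth considering. build_rootfs_distro continues outside the hunk.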
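Review bot: `tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR}` in the last hunk unpacks the archive into the root of the guest rootfs with no prior check, so a missing file shows up as a tar error and any path contained in the archive is written into the image as is. Since the tarball may come from the artefact cache rather than a local build, a readability check and quoting are a cheap first guard: `[ -r "${AGENT_TARBALL}" ] || die "${AGENT_TARBALL} not found"` then `tar xvJpf "${AGENT_TARBALL}" -C "${ROOTFS_DIR}"`. The new `elif [ "${AGENT_SOURCE_BIN}" ]` would read more consistently as `[ -n "${AGENT_SOURCE_BIN}" ]`, the form used in the first hunk of this file. The enclosing function starts and ends outside the hunk.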
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 11:56:08 +0100 Subject: [PATCH 5/9] rootfs: Add xz as a dep MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As we'll be untarring the agent tarball (and any other component that may be part of the rootfs) into the rootfs, we have to have xz installed. For debian and ubuntu the package is called xz-utils; for centos, alpine and cbl-mariner the package is called xz. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/alpine/Dockerfile.in | 3 ++- tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in | 3 ++- tools/osbuilder/rootfs-builder/centos/Dockerfile.in | 3 ++- tools/osbuilder/rootfs-builder/debian/Dockerfile.in | 3 ++- tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in b/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in index c9c4f0fba1..3131592c43 100644 --- a/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in @@ -25,6 +25,7 @@ RUN apk update && apk add --no-cache \ musl \ musl-dev \ protoc \ - tar + tar \ + xz # aarch64 requires this name -- link for all RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc" diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in b/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in index 6fa29807d9..5cb4cef64d 100644 --- a/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in @@ -10,6 +10,7 @@ RUN tdnf -y install \ build-essential \ dnf \ git \ - tar + tar \ + xz @INSTALL_RUST@ diff --git a/tools/osbuilder/rootfs-builder/centos/Dockerfile.in b/tools/osbuilder/rootfs-builder/centos/Dockerfile.in index fce8059947..693aea1c8d 100644 --- a/tools/osbuilder/rootfs-builder/centos/Dockerfile.in 
+++ b/tools/osbuilder/rootfs-builder/centos/Dockerfile.in @@ -13,6 +13,7 @@ RUN dnf -y update && \ file \ g++ \ git \ - protobuf-compiler + protobuf-compiler \ + xz @INSTALL_RUST@ diff --git a/tools/osbuilder/rootfs-builder/debian/Dockerfile.in b/tools/osbuilder/rootfs-builder/debian/Dockerfile.in index 0220598570..f8c26b8c33 100644 --- a/tools/osbuilder/rootfs-builder/debian/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/debian/Dockerfile.in @@ -32,7 +32,8 @@ RUN apt-get update && apt-get --no-install-recommends install -y \ systemd \ tar \ vim \ - wget + wget \ + xz-utils # aarch64 requires this name -- link for all RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc" diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in index 61307e9560..03a34784e7 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in +++ b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in @@ -27,7 +27,8 @@ RUN apt-get update && \ makedev \ multistrap \ musl-tools \ - protobuf-compiler + protobuf-compiler \ + xz-utils # aarch64 requires this name -- link for all RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc" From eb7a33ee715b76762817250e9ac42b18da8688a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 12:02:08 +0100 Subject: [PATCH 6/9] rootfs: Always strip the agent binary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's always do this, regardless of where the agent is coming from. Signed-off-by: Fabiano Fidêncio --- tools/osbuilder/rootfs-builder/rootfs.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 186a4a1802..b13acb2751 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh 
@@ -680,7 +680,6 @@ EOF make clean make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} - ${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent if [ "${SECCOMP}" == "yes" ]; then rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" fi @@ -693,6 +692,8 @@ EOF tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR} fi + ${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent + [ -x "${AGENT_DEST}" ] || die "${AGENT_DEST} is not installed in ${ROOTFS_DIR}" OK "Agent installed" From 21fd7e6dfdfca7c73f8079d68f3f31cb976ecf88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 13:30:28 +0100 Subject: [PATCH 7/9] packaging: Fail in case oras can't find an artefact MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It just means the component is not cached, and that it must be built in the usual way. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index fe598f5037..ef0883eefd 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -140,7 +140,7 @@ install_cached_tarball_component() { local component_tarball_name="${4}" local component_tarball_path="${5}" - sudo oras pull ${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) + sudo oras pull ${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1 cached_version="$(cat ${component}-version)" cached_image_version="$(cat ${component}-builder-image-version)" 
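Review bot: The relocated `${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent` now runs before the `[ -x "${AGENT_DEST}" ] || die` check, so a tarball that did not deliver the agent fails in the strip call rather than with the intended message. `stripping_tool` is assigned outside the visible hunks; if it is set only on the build-from-source path it would be empty for AGENT_SOURCE_BIN and AGENT_TARBALL, which is worth confirming. Moving the strip below the check and reusing the variable, `${stripping_tool} "${AGENT_DEST}"` (assuming AGENT_BIN is kata-agent), covers both.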
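Review bot: With `|| return 1` every pull failure in install_cached_tarball_component, including a registry outage or an authentication error, reaches the caller the same way as a cache miss and nothing is logged at this point. A short message keeps the fallback to a local build visible in CI logs: `sudo oras pull ... || { info "no cached artefact for ${build_target}"; return 1; }`. The pull also resolves a mutable `latest-...` tag and no digest or signature check is visible in this hunk, so the version files read on the following lines are the only validation of what was fetched. The function continues outside the hunk.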
From dd494798291ddfc76a402ab62695e5566c8b67a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 25 Jan 2024 12:08:36 +0100 Subject: [PATCH 8/9] packaging: Don't build the agent if not needed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's start relying on the already cached agent to be deployed inside the rootfs. By doing this we save a lot of time in our CI, and we have a better way, for developers, to play with changes in the agent. Fixes: #8915 Signed-off-by: Fabiano Fidêncio --- tools/packaging/guest-image/build_image.sh | 3 +++ tools/packaging/kata-deploy/local-build/Makefile | 10 +++++----- .../local-build/kata-deploy-binaries.sh | 14 +++++++++++++- 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index 1512849cbc..4367cfaae9 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -20,6 +20,7 @@ source "${packaging_root_dir}/scripts/lib.sh" readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)" export GOPATH=${GOPATH:-${HOME}/go} +export AGENT_TARBALL=${AGENT_TARBALL:-} ARCH=${ARCH:-$(uname -m)} if [ $(uname -m) == "${ARCH}" ]; then @@ -41,6 +42,7 @@ build_initrd() { OS_VERSION="${os_version}" \ ROOTFS_BUILD_DEST="${builddir}/initrd-image" \ USE_DOCKER=1 \ + AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_INIT="yes" \ AGENT_POLICY="${AGENT_POLICY:-}" mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}" @@ -60,6 +62,7 @@ build_image() { USE_DOCKER="1" \ IMG_OS_VERSION="${os_version}" \ ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \ + AGENT_TARBALL="${AGENT_TARBALL}" \ AGENT_POLICY="${AGENT_POLICY:-}" mv -f "kata-containers.img" "${install_dir}/${artifact_name}" if [ -e "root_hash.txt" ]; then 
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 901500ae3c..289cb06d23 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -154,19 +154,19 @@ qemu-tdx-experimental-tarball: stratovirt-tarball: ${MAKE} $@-build -rootfs-image-tarball: +rootfs-image-tarball: agent-tarball ${MAKE} $@-build -rootfs-image-tdx-tarball: kernel-tdx-experimental-tarball +rootfs-image-tdx-tarball: agent-opa-tarball kernel-tdx-experimental-tarball ${MAKE} $@-build -rootfs-initrd-mariner-tarball: +rootfs-initrd-mariner-tarball: agent-opa-tarball ${MAKE} $@-build -rootfs-initrd-sev-tarball: kernel-sev-tarball +rootfs-initrd-sev-tarball: agent-opa-tarball kernel-sev-tarball ${MAKE} $@-build -rootfs-initrd-tarball: +rootfs-initrd-tarball: agent-tarball ${MAKE} $@-build runk-tarball: diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index ef0883eefd..1b209d5752 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -156,6 +156,16 @@ install_cached_tarball_component() { mv "${component_tarball_name}" "${component_tarball_path}" } +get_agent_tarball_path() { + agent_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + agent_tarball_name="kata-static-agent.tar.xz" + if [ "${AGENT_POLICY:-no}" = "yes" ]; then + agent_tarball_name="kata-static-agent-opa.tar.xz" + fi + + echo "${agent_local_build_dir}/${agent_tarball_name}" +} + #Install guest image install_image() { local variant="${1:-}" 
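Review bot: get_agent_tarball_path chooses kata-static-agent-opa.tar.xz only when AGENT_POLICY is `yes`, while the Makefile hunk in this patch makes rootfs-image-tdx-tarball, rootfs-initrd-mariner-tarball and rootfs-initrd-sev-tarball depend on agent-opa-tarball unconditionally. If AGENT_POLICY is not set to `yes` for those targets (not visible here), the function returns the path of a tarball their prerequisite did not build. The two assignments would also be better declared `local`, as the neighbouring functions do: `local agent_tarball_name="kata-static-agent.tar.xz"`.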
@@ -195,7 +205,8 @@ install_image() { os_name="$(get_from_kata_deps "assets.image.architecture.${ARCH}.name")" os_version="$(get_from_kata_deps "assets.image.architecture.${ARCH}.version")" fi - + + export AGENT_TARBALL=$(get_agent_tarball_path) "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } @@ -247,6 +258,7 @@ install_initrd() { os_version="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.version")" fi + export AGENT_TARBALL=$(get_agent_tarball_path) "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" } From 95c569b0a641f9a600da6a4c1cfc8f588cb69850 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 26 Jan 2024 09:44:43 +0100 Subject: [PATCH 9/9] packaging: Add safe.directory to the git config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise building as root will not work, as demonstrated by the arm64 CI. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 1b209d5752..784c9b85a3 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -929,6 +929,8 @@ silent_mode_error_trap() { } main() { + git config --global --add safe.directory ${repo_root_dir} + local build_targets local silent build_targets=(
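Review bot: `export AGENT_TARBALL=$(get_agent_tarball_path)` in install_image overwrites any AGENT_TARBALL the caller already set, although build_image.sh in this patch accepts a caller-provided value via `${AGENT_TARBALL:-}`; the same line is added to install_initrd in the next hunk. Keeping an existing value would let a developer point the rootfs build at their own tarball: `export AGENT_TARBALL="${AGENT_TARBALL:-$(get_agent_tarball_path)}"`. The hunk also appears to replace an empty line with one holding only whitespace. install_image starts outside the hunk.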
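Review bot: `git config --global --add safe.directory ${repo_root_dir}` in main writes to the invoking user's global git configuration on every run, so each build appends another identical entry and git's ownership check for this path stays disabled for that user after the build. Guarding the write and quoting the path avoids the accumulation: `git config --global --get-all safe.directory | grep -Fxq "${repo_root_dir}" || git config --global --add safe.directory "${repo_root_dir}"`. A comment stating that the checkout may be owned by a different user than the one running the build (root in CI) would document why the check is relaxed. main continues outside the hunk.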