Merge pull request #8916 from fidencio/topic/packaging-reuse-already-built-agent

packaging:  Don't always build the kata-agent
Fabiano Fidêncio
2024-01-26 12:00:55 +01:00
committed by GitHub
15 changed files with 143 additions and 43 deletions

1
.gitignore vendored

@@ -15,3 +15,4 @@ src/agent/protocols/src/*.rs
!src/agent/protocols/src/lib.rs !src/agent/protocols/src/lib.rs
build build
src/tools/log-parser/kata-log-parser src/tools/log-parser/kata-log-parser
tools/packaging/static-build/agent/install_libseccomp.sh


@@ -25,6 +25,7 @@ RUN apk update && apk add --no-cache \
musl \ musl \
musl-dev \ musl-dev \
protoc \ protoc \
tar tar \
xz
# aarch64 requires this name -- link for all # aarch64 requires this name -- link for all
RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc" RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc"


@@ -10,6 +10,7 @@ RUN tdnf -y install \
build-essential \ build-essential \
dnf \ dnf \
git \ git \
tar tar \
xz
@INSTALL_RUST@ @INSTALL_RUST@


@@ -13,6 +13,7 @@ RUN dnf -y update && \
file \ file \
g++ \ g++ \
git \ git \
protobuf-compiler protobuf-compiler \
xz
@INSTALL_RUST@ @INSTALL_RUST@


@@ -32,7 +32,8 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
systemd \ systemd \
tar \ tar \
vim \ vim \
wget wget \
xz-utils
# aarch64 requires this name -- link for all # aarch64 requires this name -- link for all
RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc" RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"


@@ -125,6 +125,14 @@ AGENT_INIT When set to "yes", use ${AGENT_BIN} as init process in place
AGENT_SOURCE_BIN Path to the directory of agent binary. AGENT_SOURCE_BIN Path to the directory of agent binary.
If set, use the binary as agent but not build agent package. If set, use the binary as agent but not build agent package.
AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether.
Default value: <not set>
AGENT_TARBALL Path to the kata-agent.tar.xz tarball to be unpacked inside the
rootfs.
If set, this will take the priority and will be used instead of
building the agent.
AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether.
Default value: <not set> Default value: <not set>
AGENT_VERSION Version of the agent to include in the rootfs. AGENT_VERSION Version of the agent to include in the rootfs.
@@ -419,14 +427,22 @@ build_rootfs_distro()
engine_run_args+=" --ulimit nofile=262144:262144" engine_run_args+=" --ulimit nofile=262144:262144"
engine_run_args+=" --runtime ${DOCKER_RUNTIME}" engine_run_args+=" --runtime ${DOCKER_RUNTIME}"
if [ -z "${AGENT_SOURCE_BIN}" ] ; then if [ -n "${AGENT_SOURCE_BIN}" ] && [ -n "${AGENT_TARBALL}" ]; then
engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}" die "AGENT_SOURCE_BIN and AGENT_TARBALL should never be used together!"
else fi
if [ -n "${AGENT_SOURCE_BIN}" ] ; then
engine_run_args+=" --env AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN}" engine_run_args+=" --env AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN}"
engine_run_args+=" -v ${AGENT_SOURCE_BIN}:${AGENT_SOURCE_BIN}" engine_run_args+=" -v ${AGENT_SOURCE_BIN}:${AGENT_SOURCE_BIN}"
engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
fi fi
if [ -n "${AGENT_TARBALL}" ] ; then
engine_run_args+=" --env AGENT_TARBALL=${AGENT_TARBALL}"
engine_run_args+=" -v $(dirname ${AGENT_TARBALL}):$(dirname ${AGENT_TARBALL})"
fi
engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
engine_run_args+=" $(docker_extra_args $distro)" engine_run_args+=" $(docker_extra_args $distro)"
# Relabel volumes so SELinux allows access (see docker-run(1)) # Relabel volumes so SELinux allows access (see docker-run(1))
@@ -630,7 +646,7 @@ EOF
AGENT_DIR="${ROOTFS_DIR}/usr/bin" AGENT_DIR="${ROOTFS_DIR}/usr/bin"
AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}" AGENT_DEST="${AGENT_DIR}/${AGENT_BIN}"
if [ -z "${AGENT_SOURCE_BIN}" ] ; then if [ -z "${AGENT_SOURCE_BIN}" ] && [ -z "${AGENT_TARBALL}" ] ; then
test -r "${HOME}/.cargo/env" && source "${HOME}/.cargo/env" test -r "${HOME}/.cargo/env" && source "${HOME}/.cargo/env"
# rust agent needs ${arch}-unknown-linux-${LIBC} # rust agent needs ${arch}-unknown-linux-${LIBC}
if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then if ! (rustup show | grep -v linux-${LIBC} > /dev/null); then
@@ -664,17 +680,20 @@ EOF
make clean make clean
make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY}
make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent
if [ "${SECCOMP}" == "yes" ]; then if [ "${SECCOMP}" == "yes" ]; then
rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
fi fi
popd popd
else elif [ "${AGENT_SOURCE_BIN}" ]; then
mkdir -p ${AGENT_DIR} mkdir -p ${AGENT_DIR}
cp ${AGENT_SOURCE_BIN} ${AGENT_DEST} cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}
OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}" OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}"
else
tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR}
fi fi
${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent
[ -x "${AGENT_DEST}" ] || die "${AGENT_DEST} is not installed in ${ROOTFS_DIR}" [ -x "${AGENT_DEST}" ] || die "${AGENT_DEST} is not installed in ${ROOTFS_DIR}"
OK "Agent installed" OK "Agent installed"
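Review bot: The new `else` branch runs `tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR}` with both expansions unquoted and with no check of what the archive holds, so every member of the tarball lands in the guest rootfs with its stored modes; the only check afterwards is `[ -x "${AGENT_DEST}" ]`. Because the rootfs becomes the guest image, I would quote the arguments, `tar xvJpf "${AGENT_TARBALL}" -C "${ROOTFS_DIR}"`, and compare the tarball against a recorded digest (or at least list its members and reject unexpected paths) before unpacking. The usage text added in the first hunk also spells "toghether" twice. The enclosing function starts and ends outside the hunks shown.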


@@ -27,7 +27,8 @@ RUN apt-get update && \
makedev \ makedev \
multistrap \ multistrap \
musl-tools \ musl-tools \
protobuf-compiler protobuf-compiler \
xz-utils
# aarch64 requires this name -- link for all # aarch64 requires this name -- link for all
RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc" RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"


@@ -20,6 +20,7 @@ source "${packaging_root_dir}/scripts/lib.sh"
readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)" readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
export GOPATH=${GOPATH:-${HOME}/go} export GOPATH=${GOPATH:-${HOME}/go}
export AGENT_TARBALL=${AGENT_TARBALL:-}
ARCH=${ARCH:-$(uname -m)} ARCH=${ARCH:-$(uname -m)}
if [ $(uname -m) == "${ARCH}" ]; then if [ $(uname -m) == "${ARCH}" ]; then
@@ -41,6 +42,7 @@ build_initrd() {
OS_VERSION="${os_version}" \ OS_VERSION="${os_version}" \
ROOTFS_BUILD_DEST="${builddir}/initrd-image" \ ROOTFS_BUILD_DEST="${builddir}/initrd-image" \
USE_DOCKER=1 \ USE_DOCKER=1 \
AGENT_TARBALL="${AGENT_TARBALL}" \
AGENT_INIT="yes" \ AGENT_INIT="yes" \
AGENT_POLICY="${AGENT_POLICY:-}" AGENT_POLICY="${AGENT_POLICY:-}"
mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}" mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}"
@@ -60,6 +62,7 @@ build_image() {
USE_DOCKER="1" \ USE_DOCKER="1" \
IMG_OS_VERSION="${os_version}" \ IMG_OS_VERSION="${os_version}" \
ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \ ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \
AGENT_TARBALL="${AGENT_TARBALL}" \
AGENT_POLICY="${AGENT_POLICY:-}" AGENT_POLICY="${AGENT_POLICY:-}"
mv -f "kata-containers.img" "${install_dir}/${artifact_name}" mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
if [ -e "root_hash.txt" ]; then if [ -e "root_hash.txt" ]; then


@@ -64,6 +64,9 @@ kata-tarball: | all-parallel merge-builds
$(MK_DIR)/dockerbuild/install_yq.sh: $(MK_DIR)/dockerbuild/install_yq.sh:
$(MK_DIR)/kata-deploy-copy-yq-installer.sh $(MK_DIR)/kata-deploy-copy-yq-installer.sh
copy-scripts-for-the-agent-build:
${MK_DIR}/kata-deploy-copy-libseccomp-installer.sh
all-parallel: $(MK_DIR)/dockerbuild/install_yq.sh all-parallel: $(MK_DIR)/dockerbuild/install_yq.sh
${MAKE} -f $(MK_PATH) all -j $(shell nproc ${CI:+--ignore 1}) V= ${MAKE} -f $(MK_PATH) all -j $(shell nproc ${CI:+--ignore 1}) V=
@@ -76,10 +79,10 @@ serial-targets:
%-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh %-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh
$(call BUILD,$*) $(call BUILD,$*)
agent-tarball: agent-tarball: copy-scripts-for-the-agent-build
${MAKE} $@-build ${MAKE} $@-build
agent-opa-tarball: agent-opa-tarball: copy-scripts-for-the-agent-build
${MAKE} $@-build ${MAKE} $@-build
agent-ctl-tarball: agent-ctl-tarball:
@@ -151,19 +154,19 @@ qemu-tdx-experimental-tarball:
stratovirt-tarball: stratovirt-tarball:
${MAKE} $@-build ${MAKE} $@-build
rootfs-image-tarball: rootfs-image-tarball: agent-tarball
${MAKE} $@-build ${MAKE} $@-build
rootfs-image-tdx-tarball: kernel-tdx-experimental-tarball rootfs-image-tdx-tarball: agent-opa-tarball kernel-tdx-experimental-tarball
${MAKE} $@-build ${MAKE} $@-build
rootfs-initrd-mariner-tarball: rootfs-initrd-mariner-tarball: agent-opa-tarball
${MAKE} $@-build ${MAKE} $@-build
rootfs-initrd-sev-tarball: kernel-sev-tarball rootfs-initrd-sev-tarball: agent-opa-tarball kernel-sev-tarball
${MAKE} $@-build ${MAKE} $@-build
rootfs-initrd-tarball: rootfs-initrd-tarball: agent-tarball
${MAKE} $@-build ${MAKE} $@-build
runk-tarball: runk-tarball:
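Review bot: `copy-scripts-for-the-agent-build` names no file, yet it is now a prerequisite of `agent-tarball` and `agent-opa-tarball`; unless it is added to a `.PHONY` list outside these hunks, a stray file of that name in the working directory would silently skip the copy and the agent image build would use whatever script is already there. Declare it, `.PHONY: copy-scripts-for-the-agent-build`, or follow the neighbouring `$(MK_DIR)/dockerbuild/install_yq.sh:` rule and make the copied script itself the target so the dependency is a real file.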


@@ -140,7 +140,7 @@ install_cached_tarball_component() {
local component_tarball_name="${4}" local component_tarball_name="${4}"
local component_tarball_path="${5}" local component_tarball_path="${5}"
sudo oras pull ${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) sudo oras pull ${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1
cached_version="$(cat ${component}-version)" cached_version="$(cat ${component}-version)"
cached_image_version="$(cat ${component}-builder-image-version)" cached_image_version="$(cat ${component}-builder-image-version)"
@@ -156,6 +156,16 @@ install_cached_tarball_component() {
mv "${component_tarball_name}" "${component_tarball_path}" mv "${component_tarball_name}" "${component_tarball_path}"
} }
get_agent_tarball_path() {
agent_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
agent_tarball_name="kata-static-agent.tar.xz"
if [ "${AGENT_POLICY:-no}" = "yes" ]; then
agent_tarball_name="kata-static-agent-opa.tar.xz"
fi
echo "${agent_local_build_dir}/${agent_tarball_name}"
}
#Install guest image #Install guest image
install_image() { install_image() {
local variant="${1:-}" local variant="${1:-}"
@@ -196,6 +206,7 @@ install_image() {
os_version="$(get_from_kata_deps "assets.image.architecture.${ARCH}.version")" os_version="$(get_from_kata_deps "assets.image.architecture.${ARCH}.version")"
fi fi
export AGENT_TARBALL=$(get_agent_tarball_path)
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
} }
@@ -247,6 +258,7 @@ install_initrd() {
os_version="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.version")" os_version="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.version")"
fi fi
export AGENT_TARBALL=$(get_agent_tarball_path)
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}" "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
} }
@@ -681,6 +693,11 @@ install_agent_helper() {
"${final_tarball_path}" \ "${final_tarball_path}" \
&& return 0 && return 0
export LIBSECCOMP_VERSION="$(get_from_kata_deps "externals.libseccomp.version")"
export LIBSECCOMP_URL="$(get_from_kata_deps "externals.libseccomp.url")"
export GPERF_VERSION="$(get_from_kata_deps "externals.gperf.version")"
export GPERF_URL="$(get_from_kata_deps "externals.gperf.url")"
info "build static agent" info "build static agent"
DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}" DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}"
} }
@@ -915,6 +932,8 @@ silent_mode_error_trap() {
} }
main() { main() {
git config --global --add safe.directory ${repo_root_dir}
local build_targets local build_targets
local silent local silent
build_targets=( build_targets=(
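Review bot: `git config --global --add safe.directory ${repo_root_dir}` at the top of `main()` writes to the invoking user's global git configuration on every run, so git's ownership check for that path stays disabled after the build has finished and another duplicate entry is appended each time; the expansion is also unquoted. At minimum quote it and say why it is needed, e.g. `# repo is bind-mounted with a different owner inside the build container` above `git config --global --add safe.directory "${repo_root_dir}"` (the reason is my guess, please confirm). If the script can also run directly on a developer or CI host, consider applying the setting only when it is not already present, or only inside the container. `main()` continues outside the hunk.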


@@ -0,0 +1,22 @@
#!/usr/bin/env bash
#
# Copyright (c) 2024 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
[ -z "${DEBUG}" ] || set -x
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
script_dir=$(dirname "$(readlink -f "$0")")
install_libseccomp_script_src="${script_dir}/../../../../ci/install_libseccomp.sh"
install_libseccomp_script_dest="${script_dir}/../../static-build/agent/install_libseccomp.sh"
cp "${install_libseccomp_script_src}" "${install_libseccomp_script_dest}"
# We don't have to import any other file, as we're passing
# the env vars needed for installing libseccomp and gperf.
sed -i -e '/^source.*$/d' ${install_libseccomp_script_dest}
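Review bot: The final `sed -i -e '/^source.*$/d' ${install_libseccomp_script_dest}` leaves the path unquoted although the `cp` above quotes it, and the pattern deletes every line that begins with `source`, so a helper the CI script starts to depend on later would be dropped with no error at copy time. Quote the argument, `sed -i -e '/^source.*$/d' "${install_libseccomp_script_dest}"`, and extend the existing comment to name the `source` line(s) this is meant to strip. The stripped copy appears to be what the agent builder image installs as `/usr/bin/install_libseccomp.sh`, so a silent divergence from `ci/install_libseccomp.sh` is worth making visible.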


@@ -207,12 +207,12 @@ get_tools_image_name() {
libs_dir="${repo_root_dir}/src/libs" libs_dir="${repo_root_dir}/src/libs"
agent_dir="${repo_root_dir}/src/agent" agent_dir="${repo_root_dir}/src/agent"
echo "${BUILDER_REGISTRY}:tools-$(get_last_modification ${tools_dir})-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" echo "${BUILDER_REGISTRY}:tools-$(get_last_modification ${tools_dir})-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
} }
get_agent_image_name() { get_agent_image_name() {
libs_dir="${repo_root_dir}/src/libs" libs_dir="${repo_root_dir}/src/libs"
agent_dir="${repo_root_dir}/src/agent" agent_dir="${repo_root_dir}/src/agent"
echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
} }
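Review bot: `get_agent_image_name` still derives the tag only from `get_last_modification` of `src/libs` and `src/agent` (plus `uname -m` now), while this commit makes the agent builder image also depend on a new base image and on a copied `install_libseccomp.sh`. If the build script pulls an existing image by this name before building, which the `docker pull ${container_image} ||` context in the agent build script suggests, a change to those inputs alone would keep reusing a stale builder image. Consider folding the agent static-build directory and the CI libseccomp script into the tag as well. `get_tools_image_name` begins outside the hunk.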


@@ -2,20 +2,25 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
FROM alpine:3.18 FROM ubuntu:22.04
ARG RUST_TOOLCHAIN ARG RUST_TOOLCHAIN
SHELL ["/bin/ash", "-o", "pipefail", "-c"] COPY install_libseccomp.sh /usr/bin/install_libseccomp.sh
RUN apk --no-cache add \
bash \ ENV DEBIAN_FRONTEND=noninteractive
curl \
gcc \ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
git \ RUN apt-get update && \
libcap-ng-static \ apt-get --no-install-recommends -y install \
libseccomp-static \ ca-certificates \
make \ curl \
musl-dev \ g++ \
openssl-dev \ gcc \
openssl-libs-static \ libssl-dev \
protoc && \ make \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} musl-tools \
openssl \
perl \
protobuf-compiler && \
apt-get clean && rm -rf /var/lib/apt/lists/ && \
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
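Review bot: The new base `FROM ubuntu:22.04` is a floating tag, and the same image then installs a toolchain fetched with `curl … https://sh.rustup.rs | sh`; the agent built in this image appears to end up inside the guest rootfs, so the builder's inputs are worth fixing in place. Pin the base by digest, `FROM ubuntu:22.04@sha256:<digest-placeholder>`, and bump it deliberately. Separately, `COPY install_libseccomp.sh /usr/bin/install_libseccomp.sh` sits before the package-install layer, so any change to that script invalidates the apt and rustup layers; moving the `COPY` below the `RUN` avoids that.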


@@ -15,13 +15,30 @@ source "${script_dir}/../../scripts/lib.sh"
init_env() { init_env() {
source "$HOME/.cargo/env" source "$HOME/.cargo/env"
export LIBC=musl ARCH=$(uname -m)
rust_arch=""
case ${ARCH} in
"aarch64")
export LIBC=musl
rust_arch=${ARCH}
;;
"ppc64le")
export LIBC=gnu
rust_arch="powerpc64le"
;;
"x86_64")
export LIBC=musl
rust_arch=${ARCH}
;;
"s390x")
export LIBC=gnu
rust_arch=${ARCH}
;;
esac
rustup target add ${rust_arch}-unknown-linux-${LIBC}
export LIBSECCOMP_LINK_TYPE=static export LIBSECCOMP_LINK_TYPE=static
export LIBSECCOMP_LIB_PATH=/usr/lib export LIBSECCOMP_LIB_PATH=/usr/lib
# This is needed to workaround
# https://github.com/sfackler/rust-openssl/issues/1624
export OPENSSL_NO_VENDOR=Y
} }
build_agent_from_source() { build_agent_from_source() {
@@ -29,6 +46,8 @@ build_agent_from_source() {
init_env init_env
/usr/bin/install_libseccomp.sh /usr /usr
cd src/agent cd src/agent
DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make
DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install
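Review bot: The `case ${ARCH} in` added to `init_env` has no default arm, so on any architecture other than the four listed `rust_arch` stays empty and `LIBC` is never exported, and the failure only surfaces at `rustup target add ${rust_arch}-unknown-linux-${LIBC}` with a malformed target name. Add a final arm such as `*) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;;`. `rust_arch` is also assigned without `local`, so it leaks into the script's global scope. `build_agent_from_source` continues outside the second hunk.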


@@ -26,6 +26,10 @@ sudo docker pull ${container_image} || \
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
--env DESTDIR=${DESTDIR} \ --env DESTDIR=${DESTDIR} \
--env AGENT_POLICY=${AGENT_POLICY:-no} \ --env AGENT_POLICY=${AGENT_POLICY:-no} \
--env LIBSECCOMP_VERSION=${LIBSECCOMP_VERSION} \
--env LIBSECCOMP_URL=${LIBSECCOMP_URL} \
--env GPERF_VERSION=${GPERF_VERSION} \
--env GPERF_URL=${GPERF_URL} \
-w "${repo_root_dir}" \ -w "${repo_root_dir}" \
"${container_image}" \ "${container_image}" \
bash -c "${agent_builder}" bash -c "${agent_builder}"
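Review bot: The four added `--env` lines expand `LIBSECCOMP_VERSION`, `LIBSECCOMP_URL`, `GPERF_VERSION` and `GPERF_URL` unquoted and with no default or presence check, unlike `AGENT_POLICY=${AGENT_POLICY:-no}` just above them. When this script runs without the exports that `install_agent_helper` now sets, the container receives empty values (or the script aborts on an unbound variable, if `nounset` is enabled outside the hunk), and the libseccomp/gperf download would run with no version or URL. Failing early is clearer, e.g. `--env LIBSECCOMP_URL="${LIBSECCOMP_URL:?LIBSECCOMP_URL must be set}" \` for each of the four. The statement begins outside the hunk.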