agent: rootfs: add sealed-secret in Makefile

When SEALED_SECRET is set to "yes", the kata-agent is built with the
sealed-secret capability; the default value is "no".

Fixes: #7544

Signed-off-by: Biao Lu <biao.lu@intel.com>
This commit is contained in:
Biao Lu 2023-08-10 14:08:31 +08:00
parent 4e3a1ebcaf
commit acd0a75efd
3 changed files with 16 additions and 1 deletions


@ -33,6 +33,13 @@ ifeq ($(SECCOMP),yes)
override EXTRA_RUSTFEATURES += seccomp override EXTRA_RUSTFEATURES += seccomp
endif endif
SEALED_SECRET ?= no
# Enable sealed-secret feature of rust build
ifeq ($(SEALED_SECRET),yes)
override EXTRA_RUSTFEATURES += sealed-secret
endif
include ../../utils.mk include ../../utils.mk
ifeq ($(ARCH), ppc64le) ifeq ($(ARCH), ppc64le)
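Review bot: Only the exact string `yes` enables the feature at the new `ifeq ($(SEALED_SECRET),yes)`, so a value such as `YES`, `true` or `1` silently produces an agent without the sealed-secret feature instead of failing the build; for a build-time security feature that silent fallback is worth closing. Reject anything other than `yes`/`no` right after the `SEALED_SECRET ?= no` default: `ifneq ($(filter-out yes no,$(strip $(SEALED_SECRET))),)` / `$(error SEALED_SECRET must be "yes" or "no", got "$(SEALED_SECRET)")` / `endif`. The pre-existing SECCOMP block above has the same shape, but that is outside this change.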


@ -28,6 +28,8 @@ LIBC=${LIBC:-musl}
# The kata agent enables seccomp feature. # The kata agent enables seccomp feature.
# However, it is not enforced by default: you need to enable that in the main configuration file. # However, it is not enforced by default: you need to enable that in the main configuration file.
SECCOMP=${SECCOMP:-"yes"} SECCOMP=${SECCOMP:-"yes"}
# The kata agent enables sealed-secret feature.
SEALED_SECRET=${SEALED_SECRET:-"no"}
SELINUX=${SELINUX:-"no"} SELINUX=${SELINUX:-"no"}
lib_file="${script_dir}/../scripts/lib.sh" lib_file="${script_dir}/../scripts/lib.sh"
@ -156,6 +158,10 @@ ROOTFS_DIR Path to the directory that is populated with the rootfs.
SECCOMP When set to "no", the kata-agent is built without seccomp capability. SECCOMP When set to "no", the kata-agent is built without seccomp capability.
Default value: "yes" Default value: "yes"
SEALED_SECRET When set to "yes", the kata-agent is built with sealed-secret
capability.
Default value: "no"
SELINUX When set to "yes", build the rootfs with the required packages to SELINUX When set to "yes", build the rootfs with the required packages to
enable SELinux in the VM. enable SELinux in the VM.
Make sure the guest kernel is compiled with SELinux enabled. Make sure the guest kernel is compiled with SELinux enabled.
@ -469,6 +475,7 @@ build_rootfs_distro()
--env INSIDE_CONTAINER=1 \ --env INSIDE_CONTAINER=1 \
--env AA_KBC="${AA_KBC}" \ --env AA_KBC="${AA_KBC}" \
--env SECCOMP="${SECCOMP}" \ --env SECCOMP="${SECCOMP}" \
--env SEALED_SECRET="${SEALED_SECRET}" \
--env SELINUX="${SELINUX}" \ --env SELINUX="${SELINUX}" \
--env DEBUG="${DEBUG}" \ --env DEBUG="${DEBUG}" \
--env HOME="/root" \ --env HOME="/root" \
@ -630,7 +637,7 @@ EOF
git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!" git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!"
fi fi
make clean make clean
make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} SEALED_SECRET=${SEALED_SECRET}
make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
if [ "${SECCOMP}" == "yes" ]; then if [ "${SECCOMP}" == "yes" ]; then
rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
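Review bot: The comment on the new default reads `# The kata agent enables sealed-secret feature.` while the line below it defaults `SEALED_SECRET` to `"no"`, so it states the opposite of what the line does (it appears copied from the SECCOMP comment, whose default really is `"yes"`). Suggest `# Build the kata agent with the sealed-secret feature. Default: "no"; enable with SEALED_SECRET=yes.`. Separately, the value flows unchecked through the container `--env` into the `make … SEALED_SECRET=${SEALED_SECRET}` call in the last hunk, where anything other than an exact `yes` quietly builds an agent without the feature; a guard after the defaults, e.g. `[ "${SEALED_SECRET}" = "yes" ] || [ "${SEALED_SECRET}" = "no" ] || die "SEALED_SECRET must be \"yes\" or \"no\""`, would turn a typo into a build failure rather than an unexpectedly weaker image. The function enclosing that last hunk starts and ends outside the hunk.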


@ -228,6 +228,7 @@ install_cc_image() {
export KATA_BUILD_CC=yes export KATA_BUILD_CC=yes
export MEASURED_ROOTFS=yes export MEASURED_ROOTFS=yes
export DM_VERITY=yes export DM_VERITY=yes
export SEALED_SECRET=yes
variant="${1:-}" variant="${1:-}"
install_image "${variant}" install_image "${variant}"
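Review bot: `export SEALED_SECRET=yes` unconditionally forces the feature on for every CC image, overriding whatever the caller set, while rootfs.sh and the commit message say the default is `"no"`; nothing in the hunk records that this divergence is deliberate. If forcing it is intended (it matches the neighbouring unconditional `MEASURED_ROOTFS` and `DM_VERITY` exports), a one-line comment would stop someone later relaxing it to `${SEALED_SECRET:-yes}` and shipping a CC image without the feature: `# CC images always ship the sealed-secret agent feature; the non-CC default in rootfs.sh is "no".` The body of install_cc_image continues outside the hunk.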