github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-31 08:28:34 +00:00
Code Issues Projects Releases Wiki Activity

osbuilder: Stop skopeo being installed by default

Browse Source 
With the new rust image pull service skopeo we can parameterise whether to build
and install skopeo and turn it off by default if we don't need
signature verification support

Fixes: #3170

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman
2021-11-26 16:52:48 +00:00
parent 95ab38ae54
commit bb66dbdccc
4 changed files with 41 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tools/osbuilder/rootfs-builder/README.md
View File

@@ -196,6 +196,7 @@ needed. Changes affect the files included in the final guest image.
#### Confidential containers support
When building the rootfs for confidential containers if `SKOPEO_UMOCI=yes` is set then the `skopeo` and `umoci`
packages are built and added into the rootfs. It also adds the signature verification proof of concept files.
When building the rootfs for confidential containers if `SKOPEO=yes` is set then the `skopeo`
package is built and added into the rootfs. It also adds the signature verification proof of concept files.
If `UMOCI=yes` is set then the `umoci` package is built and added into the rootfs.
For more info on these, see [the documentation](signed-container-artifacts/README.md).

43
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@@ -142,15 +142,22 @@ USE_PODMAN If set and USE_DOCKER not set, then build the rootfs inside
a podman container (requires podman).
Default value: <not set>
SKOPEO_UMOCI If set to "yes", build Skopeo and umoci for confidential
SKOPEO If set to "yes", build Skopeo for confidential
containers guest image pull. Currently, this is only
supported for Ubuntu guests; see
https://github.com/kata-containers/kata-containers/pull/2908
for discussion.
Default value: <not set>
UMOCI If set to "yes", build and umoci for confidential
containers guest image unpack. Currently, this is only
supported for Ubuntu guests; see
https://github.com/kata-containers/kata-containers/pull/2908
for discussion.
Default value: <not set>
AA_KBC Key broker client module for attestation-agent. This is
required for confidential containers. Requires SKOPEO_UMOCI
required for confidential containers. Requires UMOCI
to be set. See https://github.com/containers/attestation-agent
for more information on available modules.
Default value: <not set>
@@ -439,7 +446,8 @@ build_rootfs_distro()
--env OS_VERSION="${OS_VERSION}" \
--env INSIDE_CONTAINER=1 \
--env LIBC="${LIBC}" \
--env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
--env SKOPEO="${SKOPEO}" \
--env UMOCI="${UMOCI}" \
--env AA_KBC="${AA_KBC}" \
--env SECCOMP="${SECCOMP}" \
--env DEBUG="${DEBUG}" \
@@ -634,7 +642,7 @@ EOT
info "Create /etc/resolv.conf file in rootfs if not exist"
touch "$dns_file"
if [ "${SKOPEO_UMOCI}" = "yes" ]; then
if [ "${SKOPEO}" = "yes" ]; then
skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
info "Install skopeo"
@@ -644,15 +652,6 @@ EOT
install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
popd
umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
info "Install umoci"
git clone "${umoci_url}" --branch "${umoci_tag}"
pushd umoci
make
install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
popd
# Temp PoC code: Add image signature verification artifacts into rootfs
rootfs_quay_verification_directory="/etc/containers/quay_verification"
dev_verification_directory="${script_dir}/signed-container-artifacts"
@@ -671,8 +670,11 @@ docker:
EOT
fi
if [ -n "${AA_KBC}" ]; then
[ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
if [ -n "${AA_KBC}" ]; then
if [ "${UMOCI}" != "yes" ]; then
UMOCI="yes"
warning "UMOCI wasn't set, but is required for attestation, so overridden"
fi
attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
@@ -691,6 +693,17 @@ EOT
popd
fi
if [ "${UMOCI}" = "yes" ]; then
umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
info "Install umoci"
git clone "${umoci_url}" --branch "${umoci_tag}"
pushd umoci
make
install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
popd
fi
info "Creating summary file"
create_summary_file "${ROOTFS_DIR}"
}

6
tools/osbuilder/rootfs-builder/ubuntu/config.sh
View File

@@ -12,7 +12,9 @@ OS_VERSION=${OS_VERSION:-20.04}
OS_NAME=${OS_NAME:-"focal"}
# packages to be installed by default
PACKAGES="systemd iptables init kmod"
# Note: ca-certificates is required for confidential containers
# to pull the container image on the guest
PACKAGES="systemd iptables init kmod ca-certificates"
EXTRA_PKGS+=" chrony"
DEBOOTSTRAP=${PACKAGE_MANAGER:-"debootstrap"}
@@ -32,7 +34,7 @@ INIT_PROCESS=systemd
ARCH_EXCLUDE_LIST=()
[ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true
[ "$SKOPEO" = "yes" ] && PACKAGES+=" libgpgme11" || true
if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
AA_KBC_EXTRAS="

7
tools/osbuilder/scripts/lib.sh
View File

@@ -219,11 +219,16 @@ ${extra}
agent-is-init-daemon: "${AGENT_INIT}"
EOT
if [ "${SKOPEO_UMOCI}" = "yes" ]; then
if [ "${SKOPEO}" = "yes" ]; then
cat >> "${file}" <<-EOF
skopeo:
url: "${skopeo_url}"
version: "${skopeo_branch}"
EOF
fi
if [ "${UMOCI}" = "yes" ]; then
cat >> "${file}" <<-EOF
umoci:
url: "${umoci_url}"
version: "${umoci_tag}"