diff --git a/tools/osbuilder/rootfs-builder/README.md b/tools/osbuilder/rootfs-builder/README.md
index 3cfc031b06..87ecfe2f0a 100644
--- a/tools/osbuilder/rootfs-builder/README.md
+++ b/tools/osbuilder/rootfs-builder/README.md
@@ -196,6 +196,7 @@ needed. Changes affect the files included in the final guest image.
 #### Confidential containers support
-When building the rootfs for confidential containers if `SKOPEO_UMOCI=yes` is set then the `skopeo` and `umoci`
-packages are built and added into the rootfs. It also adds the signature verification proof of concept files.
+When building the rootfs for confidential containers if `SKOPEO=yes` is set then the `skopeo`
+package is built and added into the rootfs. It also adds the signature verification proof of concept files.
+If `UMOCI=yes` is set then the `umoci` package is built and added into the rootfs.
 For more info on these, see [the documentation](signed-container-artifacts/README.md).
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 3f2ba4d885..0879572e3b 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -142,15 +142,22 @@ USE_PODMAN If set and USE_DOCKER not set, then build the rootfs inside a podman container (requires podman).
 Default value:
-SKOPEO_UMOCI If set to "yes", build Skopeo and umoci for confidential
+SKOPEO If set to "yes", build Skopeo for confidential
 containers guest image pull. Currently, this is only
 supported for Ubuntu guests; see
 https://github.com/kata-containers/kata-containers/pull/2908
 for discussion.
 Default value:
+UMOCI If set to "yes", build and umoci for confidential
+ containers guest image unpack. Currently, this is only
+ supported for Ubuntu guests; see
+ https://github.com/kata-containers/kata-containers/pull/2908
+ for discussion.
+ Default value:
+
 AA_KBC Key broker client module for attestation-agent. This is
- required for confidential containers. Requires SKOPEO_UMOCI
+ required for confidential containers. Requires UMOCI
 to be set. See
 https://github.com/containers/attestation-agent
 for more information on available modules.
 Default value:
@@ -439,7 +446,8 @@ build_rootfs_distro()
 --env OS_VERSION="${OS_VERSION}" \
 --env INSIDE_CONTAINER=1 \
 --env LIBC="${LIBC}" \
- --env SKOPEO_UMOCI="${SKOPEO_UMOCI}" \
+ --env SKOPEO="${SKOPEO}" \
+ --env UMOCI="${UMOCI}" \
 --env AA_KBC="${AA_KBC}" \
 --env SECCOMP="${SECCOMP}" \
 --env DEBUG="${DEBUG}" \
@@ -634,7 +642,7 @@ EOT
 info "Create /etc/resolv.conf file in rootfs if not exist"
 touch "$dns_file"
- if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+ if [ "${SKOPEO}" = "yes" ]; then
 skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
 skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
 info "Install skopeo"
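Review bot: The new UMOCI help entry reads `build and umoci for confidential`, a stray "and" left over from splitting the old SKOPEO_UMOCI text; it should read `UMOCI             If set to "yes", build umoci for confidential`. In the same hunk the AA_KBC entry now says `Requires UMOCI to be set`, but the AA_KBC block later in this file (the @@ -671 hunk) no longer fails when UMOCI is unset and instead forces it to `yes` with a warning, so the help text should say that UMOCI is enabled automatically when AA_KBC is set. The `Default value:` lines for both SKOPEO and UMOCI are left blank; stating the default explicitly (presumably unset, meaning the tool is not built) would make the contract clear to operators building confidential guest images.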
@@ -644,15 +652,6 @@ EOT
 install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
 popd
- umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
- umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
- info "Install umoci"
- git clone "${umoci_url}" --branch "${umoci_tag}"
- pushd umoci
- make
- install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
- popd
-
 # Temp PoC code: Add image signature verification artifacts into rootfs
 rootfs_quay_verification_directory="/etc/containers/quay_verification"
 dev_verification_directory="${script_dir}/signed-container-artifacts"
@@ -671,8 +670,11 @@ docker:
 EOT
 fi
- if [ -n "${AA_KBC}" ]; then
- [ -z "${SKOPEO_UMOCI}" ] && die "SKOPEO_UMOCI must be set to install attestation-agent"
+ if [ -n "${AA_KBC}" ]; then
+ if [ "${UMOCI}" != "yes" ]; then
+ UMOCI="yes"
+ warning "UMOCI wasn't set, but is required for attestation, so overridden"
+ fi
 attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 attestation_agent_branch="$(get_package_version_from_kata_yaml externals.attestation-agent.branch)"
@@ -691,6 +693,17 @@ EOT
 popd
 fi
+ if [ "${UMOCI}" = "yes" ]; then
+ umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
+ umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
+ info "Install umoci"
+ git clone "${umoci_url}" --branch "${umoci_tag}"
+ pushd umoci
+ make
+ install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
+ popd
+ fi
+
 info "Creating summary file"
 create_summary_file "${ROOTFS_DIR}"
 }
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index 5d3160bcfb..089eeb295b 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
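Review bot: Replacing the previous `die` with a silent promotion of `UMOCI` to `yes` means a build requested without umoci still ships it in the guest rootfs whenever AA_KBC is set; for a confidential-containers image, whose installed tool set is typically part of what gets measured, failing fast as before, `[ "${UMOCI}" = "yes" ] || die "UMOCI must be set to yes to install attestation-agent"`, keeps the operator in control of what goes into the image. If the override is kept, the message should also state that umoci will now be built, since the UMOCI block added later in this file is what the override switches on. The override calls a `warning` helper that is not visible in this diff while the surrounding code uses `info` and `die`; worth confirming it is defined in lib.sh. The enclosing function starts and ends outside the hunk.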
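Review bot: The relocated umoci build clones by tag (`git clone "${umoci_url}" --branch "${umoci_tag}"`) and installs whatever `make` produces into the guest rootfs without recording or checking which commit was actually built; tags can be moved on the remote, so the provenance of the guest image depends on the remote's state at build time. Pinning a commit id in the versions yaml, or at minimum capturing the checked-out revision after `pushd umoci` with `umoci_commit="$(git rev-parse HEAD)"` and reporting it via `info`, would let the summary file identify the exact source. `pushd umoci` also assumes the clone landed in a fresh directory under the current working directory; a leftover `umoci` directory from an earlier run would make `git clone` fail, and whether that aborts the build or silently reuses the stale checkout depends on the script's error settings, which are outside the hunk. The enclosing function starts outside the hunk.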
@@ -12,7 +12,9 @@ OS_VERSION=${OS_VERSION:-20.04}
 OS_NAME=${OS_NAME:-"focal"}
 # packages to be installed by default
-PACKAGES="systemd iptables init kmod"
+# Note: ca-certificates is required for confidential containers
+# to pull the container image on the guest
+PACKAGES="systemd iptables init kmod ca-certificates"
 EXTRA_PKGS+=" chrony"
 DEBOOTSTRAP=${PACKAGE_MANAGER:-"debootstrap"}
@@ -32,7 +34,7 @@ INIT_PROCESS=systemd
 ARCH_EXCLUDE_LIST=()
 [ "$SECCOMP" = "yes" ] && PACKAGES+=" libseccomp2" || true
-[ -n "$SKOPEO_UMOCI" ] && PACKAGES+=" ca-certificates libgpgme11" || true
+[ "$SKOPEO" = "yes" ] && PACKAGES+=" libgpgme11" || true
 if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then
 AA_KBC_EXTRAS="
diff --git a/tools/osbuilder/scripts/lib.sh b/tools/osbuilder/scripts/lib.sh
index 70fcfac9b7..ef070e6081 100644
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@@ -219,11 +219,16 @@ ${extra}
 agent-is-init-daemon: "${AGENT_INIT}"
 EOT
- if [ "${SKOPEO_UMOCI}" = "yes" ]; then
+ if [ "${SKOPEO}" = "yes" ]; then
 cat >> "${file}" <<-EOF
 skopeo:
 url: "${skopeo_url}"
 version: "${skopeo_branch}"
+EOF
+ fi
+
+ if [ "${UMOCI}" = "yes" ]; then
+ cat >> "${file}" <<-EOF
 umoci:
 url: "${umoci_url}"
 version: "${umoci_tag}"
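Review bot: The new comment says ca-certificates is needed for confidential containers, yet the package is now added to `PACKAGES` for every Ubuntu guest build, including non-confidential ones; previously it was only pulled in together with libgpgme11 under the SKOPEO_UMOCI condition. If the reason is that the attestation-agent path (AA_KBC set, SKOPEO possibly unset) also needs a trust store, the conditional a few lines down could be widened instead, e.g. `{ [ "$SKOPEO" = "yes" ] || [ -n "$AA_KBC" ]; } && PACKAGES+=" ca-certificates" || true`, keeping the base image minimal. If installing it unconditionally is deliberate, the comment should say so rather than read as a conditional requirement.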
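Review bot: The summary entries written here label a branch name (`version: "${skopeo_branch}"`) and a tag name (`version: "${umoci_tag}"`) as the version, but neither identifies the source that was actually built, since both can move on the remote. If rootfs.sh captured the checked-out commit after each clone, the summary could record it under each entry as e.g. `commit: "${skopeo_commit}"` (name constructed), which is what someone auditing a confidential guest image will need. Both blocks rely on `skopeo_url`/`umoci_url` and friends being globals set in rootfs.sh; a one-line comment above the function noting that dependency would help, though the enclosing function starts outside the hunk.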