From a2926324f5caa4afafae354fcb4623a1ec27120d Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Mon, 6 Dec 2021 17:55:50 +0100
Subject: [PATCH 1/4] kata-deploy: realpath INCLUDE_ROOTFS for Docker

Run `realpath` on `INCLUDE_ROOTFS` so it is not required to provide a full path. This simplifies the required GitHub Actions workflow, as GitHub's `env` cannot use shell expansions, as well as the usability overall.

Signed-off-by: Jakob Naucke
---
 .../kata-deploy/local-build/kata-deploy-binaries-in-docker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index a8f7b118e7..a0d41b03b7 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -41,7 +41,7 @@ docker run ${TTY_OPT} \
 	--env SKOPEO="${SKOPEO:-}" \
 	--env UMOCI="${UMOCI:-}" \
 	--env AA_KBC="${AA_KBC:-}" \
-	--env INCLUDE_ROOTFS="${INCLUDE_ROOTFS:-}" \
+	--env INCLUDE_ROOTFS="$(realpath "${INCLUDE_ROOTFS:-}" 2> /dev/null || true)" \
 	-v "${kata_dir}:${kata_dir}" \
 	--rm \
 	-w ${script_dir} \

From 3c79630b87659c314246b058d96938506bd9a53e Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 3 Dec 2021 17:25:25 +0100
Subject: [PATCH 2/4] docs: Create sample config for confidential agent

Basic config, no debug endpoints, no exec/reseed. Uses the `$AA_KBC_PARAMS` variable to be used with `envsubst`.

Signed-off-by: Jakob Naucke
---
 .../data/confidential-agent-config.toml.in | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 docs/how-to/data/confidential-agent-config.toml.in

diff --git a/docs/how-to/data/confidential-agent-config.toml.in b/docs/how-to/data/confidential-agent-config.toml.in
new file mode 100644
index 0000000000..bf293db86d
--- /dev/null
+++ b/docs/how-to/data/confidential-agent-config.toml.in
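Review bot: A set-but-nonexistent `INCLUDE_ROOTFS` is now silently turned into an empty string by the new `--env INCLUDE_ROOTFS=` line, because `realpath` fails, its stderr goes to `/dev/null` and `|| true` hides the status, so a typo in the path yields a build without the intended rootfs additions instead of an error. Keep the empty case (variable unset) but fail when it is set and cannot be resolved, e.g. `[ -z "${INCLUDE_ROOTFS:-}" ] || INCLUDE_ROOTFS="$(realpath -e "${INCLUDE_ROOTFS}")" || exit 1` before the `docker run`, leaving the env line as `--env INCLUDE_ROOTFS="${INCLUDE_ROOTFS:-}"`. The resolved path also has to lie under `${kata_dir}`, since `-v "${kata_dir}:${kata_dir}"` is the only bind mount the hunk shows; a path outside it resolves on the host but is invisible inside the container, which deserves a comment or a check next to that line. The `docker run` command this hunk belongs to starts and ends outside the hunk.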
@@ -0,0 +1,40 @@
+# Copyright (c) 2021 IBM Corp.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+aa_kbc_params = "$AA_KBC_PARAMS"
+[endpoints]
+allowed = [
+"AddARPNeighborsRequest",
+"AddSwapRequest",
+"CloseStdinRequest",
+"CopyFileRequest",
+"CreateContainerRequest",
+"CreateSandboxRequest",
+"DestroySandboxRequest",
+"GetMetricsRequest",
+"GetOOMEventRequest",
+"GuestDetailsRequest",
+"ListInterfacesRequest",
+"ListRoutesRequest",
+"MemHotplugByProbeRequest",
+"OnlineCPUMemRequest",
+"PauseContainerRequest",
+"PullImageRequest",
+"ReadStreamRequest",
+"RemoveContainerRequest",
+"ResumeContainerRequest",
+"SetGuestDateTimeRequest",
+"SignalProcessRequest",
+"StartContainerRequest",
+"StartTracingRequest",
+"StatsContainerRequest",
+"StopTracingRequest",
+"TtyWinResizeRequest",
+"UpdateContainerRequest",
+"UpdateInterfaceRequest",
+"UpdateRoutesRequest",
+"WaitProcessRequest",
+"WriteStreamRequest"
+]

From a570b6a0a646cdbe3cb8894a052c5acd6deda0f0 Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 3 Dec 2021 17:25:25 +0100
Subject: [PATCH 3/4] github: Add workflow for deploying a CCv0 demo using the offline FS KBC [1] and keys from the SSH demo [2]. The workflow is adapted from `main:kata-deploy-test.yaml`. The image deployed here is _not_ for a trusted execution environment.

[1] - https://github.com/confidential-containers/attestation-agent/tree/main/src/kbc_modules/offline_fs_kbc
[2] - https://github.com/confidential-containers/documentation/tree/main/demos/ssh-demo

Fixes: #3198

Signed-off-by: Jakob Naucke
---
 .github/workflows/deploy-ccv0-demo.yaml | 126 ++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 .github/workflows/deploy-ccv0-demo.yaml

diff --git a/.github/workflows/deploy-ccv0-demo.yaml b/.github/workflows/deploy-ccv0-demo.yaml
new file mode 100644
index 0000000000..37dd09537c
--- /dev/null
+++ b/.github/workflows/deploy-ccv0-demo.yaml
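Review bot: The `allowed` list in the new config is the guest agent's API boundary, yet the file says nothing about which requests were left out or why, and it keeps `CopyFileRequest`, which, as I read the Kata agent API, lets the host write a file into the guest at a path of its choosing, including over `/etc/kata-config.toml` and the key file the workflow in this series installs beside it. That is defensible for a demo the series itself describes as not being for a trusted execution environment, but a reader reusing this sample as a hardened allowlist has no way to know it. Add a short header after the license block, e.g. `# Sample agent config for the CCv0 demo: debug, exec and reseed endpoints are omitted; CopyFileRequest is kept for the demo and should be reconsidered for a confidential deployment.` and `# $AA_KBC_PARAMS is filled in by envsubst; an unset variable leaves aa_kbc_params empty.`.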
@@ -0,0 +1,126 @@
+on:
+  issue_comment:
+    types: [created, edited]
+
+name: deploy-ccv0-demo
+
+jobs:
+  check-comment-and-membership:
+    runs-on: ubuntu-latest
+    if: |
+      github.event.issue.pull_request
+      && github.event_name == 'issue_comment'
+      && github.event.action == 'created'
+      && startsWith(github.event.comment.body, '/deploy-ccv0-demo')
+    steps:
+      - name: Check membership
+        uses: kata-containers/is-organization-member@1.0.1
+        id: is_organization_member
+        with:
+          organization: kata-containers
+          username: ${{ github.event.comment.user.login }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fail if not member
+        run: |
+          result=${{ steps.is_organization_member.outputs.result }}
+          if [ $result == false ]; then
+            user=${{ github.event.comment.user.login }}
+            echo Either ${user} is not part of the kata-containers organization
+            echo or ${user} has its Organization Visibility set to Private at
+            echo https://github.com/orgs/kata-containers/people?query=${user}
+            echo
+            echo Ensure you change your Organization Visibility to Public and
+            echo trigger the test again.
+            exit 1
+          fi
+
+  build-asset:
+    runs-on: ubuntu-latest
+    needs: check-comment-and-membership
+    strategy:
+      matrix:
+        asset:
+          - cloud-hypervisor
+          - firecracker
+          - kernel
+          - qemu
+          - rootfs-image
+          - rootfs-initrd
+          - shim-v2
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install docker
+        run: |
+          curl -fsSL https://test.docker.com -o test-docker.sh
+          sh test-docker.sh
+
+      - name: Prepare confidential container rootfs
+        if: ${{ matrix.asset == 'rootfs-initrd' }}
+        run: |
+          wget -P include_rootfs/etc/ https://raw.githubusercontent.com/confidential-containers/documentation/main/demos/ssh-demo/aa-offline_fs_kbc-keys.json
+          envsubst < docs/how-to/data/confidential-agent-config.toml.in > include_rootfs/etc/kata-config.toml
+        env:
+          AA_KBC_PARAMS: offline_fs_kbc::null
+
+      - name: Build ${{ matrix.asset }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          AA_KBC: offline_fs_kbc
+          INCLUDE_ROOTFS: include_rootfs
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+
+  kata-deploy:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-static-tarball
+      - name: build-and-push-kata-deploy-ci
+        id: build-and-push-kata-deploy-ci
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/confidential-containers/kata-demo:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
+          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
+          docker push quay.io/confidential-containers/kata-demo:$pkg_sha
+          mkdir -p packaging/kata-deploy
+          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
+          echo "::set-output name=PKG_SHA::${pkg_sha}"

From f5e6961dcb105777a1505d497f48150c3891b419 Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 10 Dec 2021 16:44:57 +0100
Subject: [PATCH 4/4] kata-deploy: Configure Kata & containerd for CCv0

Introduce kata-cc runtime class, shim & config
- Specify cri_handler in containerd config
- Specify to use initrd
- Specify kernel_params according to guest config
- Specify service_offload

Signed-off-by: Jakob Naucke
---
 .../kata-deploy/base/kata-deploy.yaml | 2 ++
 .../packaging/kata-deploy/scripts/kata-deploy.sh | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
index d500b1f1f5..3e2aba3404 100644
--- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
@@ -28,6 +28,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: CONFIGURE_CC
+              value: "yes"
         securityContext:
           privileged: false
         volumeMounts:
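Review bot: `docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io` in the build-and-push-kata-deploy-ci step hands the registry password over as a command-line argument, where it is visible to every other process on the runner and to anything that records argv; `docker login` itself warns about this. Use `echo "${QUAY_PASSWORD}" | docker login -u "${QUAY_USER}" --password-stdin quay.io` with the two secrets mapped through the step's `env:` block (`QUAY_USER: ${{ secrets.QUAY_DEPLOYER_USERNAME }}` and `QUAY_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}`), which also keeps `${{ }}` expansion out of the shell text. In the same step, `tag=$(echo $GITHUB_REF | cut -d/ -f3-)` followed by `git checkout $tag` builds and pushes whatever GITHUB_REF names, which for an `issue_comment` trigger is, as far as I know, the repository's default branch rather than the commenting PR's head, so if the intent is to deploy the PR's code the checkout needs an explicit `ref:`. The `Prepare confidential container rootfs` step fetches the KBC key file from `main` of another repository without pinning a commit or checksum, so two runs of this workflow can bake different inputs into the image; and `kata-containers/is-organization-member@1.0.1`, which gates access to a job holding registry credentials, is pinned by tag rather than by commit SHA.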
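Review bot: `CONFIGURE_CC` is set to `"yes"` unconditionally in the base DaemonSet, so every deployment built from this base enables the `cc` shim that the script change in the same series gates on exactly this string, not only the CCv0 demo. Since the file lives under `base/`, presumably a kustomize base, an overlay that sets the variable would keep the default install unchanged while still serving the demo. If the base is deliberately CC-only on this branch, say so on the new entry, e.g. `# Registers the kata-cc runtime class and shim via kata-deploy.sh; remove to disable`, so the next reader does not take it for a leftover.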
diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
index 0d0afcece7..ca172ef166 100755
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@@ -18,6 +18,7 @@ shims=(
 	"qemu"
 	"clh"
 )
+[ "${CONFIGURE_CC:-}" == "yes" ] && shims+=("cc")
 
 # If we fail for any reason a message will be displayed
 die() {
@@ -171,7 +172,8 @@ function configure_containerd_runtime() { else cat < \ + "/opt/kata/share/defaults/kata-containers/configuration-cc.toml" + fi +} + function remove_artifacts() { echo "deleting kata artifacts" rm -rf /opt/kata/
@@ -287,6 +300,7 @@ function main() {
 		install_artifacts
 		configure_cri_runtime "$runtime"
+		configure_kata
 		kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true
 		;;
 	cleanup)
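Review bot: `configure_kata` is called unconditionally from `main` on the install path (the `@@ -287` hunk), right after `configure_cri_runtime`, while the only gate on `CONFIGURE_CC` visible in this file is the `[ "${CONFIGURE_CC:-}" == "yes" ] && shims+=("cc")` line in the first hunk; the middle hunk (`@@ -171,7 +172,8 @@` through `function remove_artifacts()`) is garbled in this copy of the patch, so whether `configure_kata` repeats that check and what it does to `/opt/kata/share/defaults/kata-containers/configuration-cc.toml` cannot be reviewed from here. Whatever it does to that file, it should fail loudly when the file is absent from the installed artifacts rather than leave the node without the `cc` configuration, e.g. `[ -f "${cc_config}" ] || die "missing ${cc_config}"` at the top of the function, using the `die` helper this file already has. Mirroring the `yes` check inside `configure_kata` (or at the call site in `main`) would also keep a deployment without `CONFIGURE_CC` from touching the cc config at all.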