diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index fabbba4ee..bab6ac03f 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -32,6 +32,7 @@ SELINUX=${SELINUX:-"no"}
 AGENT_POLICY=${AGENT_POLICY:-no}
 AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""}
 AGENT_TARBALL=${AGENT_TARBALL:-""}
+GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}"
 COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""}
 CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}"
 PAUSE_IMAGE_TARBALL=${PAUSE_IMAGE_TARBALL:-""}
@@ -520,6 +521,11 @@ build_rootfs_distro()
 engine_run_args+=" -v $(dirname ${PAUSE_IMAGE_TARBALL}):$(dirname ${PAUSE_IMAGE_TARBALL})"
 fi
+ if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
+ engine_run_args+=" --env GUEST_HOOKS_TARBALL=${GUEST_HOOKS_TARBALL}"
+ engine_run_args+=" -v $(dirname ${GUEST_HOOKS_TARBALL}):$(dirname ${GUEST_HOOKS_TARBALL})"
+ fi
+
 engine_run_args+=" -v ${GOPATH_LOCAL}:${GOPATH_LOCAL} --env GOPATH=${GOPATH_LOCAL}"
 engine_run_args+=" $(docker_extra_args $distro)"
@@ -784,6 +790,11 @@ EOF
 ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego"
 fi
+ if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
+ info "Install the ${GUEST_HOOKS_TARBALL} guest hooks"
+ tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
+ fi
+
 info "Check init is installed"
 [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}"
 OK "init is installed"
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index b53902230..228b3e1c1 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -21,6 +21,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
 export GOPATH=${GOPATH:-${HOME}/go}
 export AGENT_TARBALL=${AGENT_TARBALL:-}
+export GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL:-}"
 ARCH=${ARCH:-$(uname -m)}
 if [ $(uname -m) == "${ARCH}" ]; then
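Review bot: The new bind mount in build_rootfs_distro is added without checking that `${GUEST_HOOKS_TARBALL}` exists, so a mistyped path still reaches `-v $(dirname ...)`, and with the `-v` form Docker typically creates the missing host directory (root-owned) rather than failing; the absent tarball is then only noticed later inside the container. A guard ahead of the `if`, `[ -f "${GUEST_HOOKS_TARBALL}" ] || die "GUEST_HOOKS_TARBALL ${GUEST_HOOKS_TARBALL} does not exist"`, fails early in the same `die` style the script already uses. The `${GUEST_HOOKS_TARBALL}` inside both `$(dirname ...)` calls is unquoted, copying the PAUSE_IMAGE_TARBALL line above; `$(dirname "${GUEST_HOOKS_TARBALL}")` costs nothing even though engine_run_args is word-split later. build_rootfs_distro starts and ends outside this hunk.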
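Review bot: `tar xvJpf` unpacks the hooks archive into `${ROOTFS_DIR}` with permissions preserved, so setuid/setgid bits, and ownership when this runs as root, come straight from the archive, yet nothing here confirms the file exists or says what is expected of its contents. Add `[ -f "${GUEST_HOOKS_TARBALL}" ] || die "guest hooks tarball ${GUEST_HOOKS_TARBALL} not found"` before the `tar` line, matching the `die` checks just below, and a comment above the block such as `# Extracted with -p: the archive must come from a trusted build step`. The `-v` listing helps auditing, but an explicit `tar tJf` pre-check that rejects absolute or `..` member names would make the guarantee independent of GNU tar's version-dependent defaults. The enclosing function starts before and ends after this hunk.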
@@ -48,7 +49,8 @@ build_initrd() {
 AGENT_POLICY="${AGENT_POLICY:-}" \
 PULL_TYPE="${PULL_TYPE:-default}" \
 COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
- PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
+ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
+ GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}"
 if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then
 nvidia_driver_version=$(cat "${builddir}"/initrd-image/*/nvidia_driver_version)
@@ -77,7 +79,8 @@ build_image() {
 AGENT_POLICY="${AGENT_POLICY:-}" \
 PULL_TYPE="${PULL_TYPE:-default}" \
 COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}" \
- PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}"
+ PAUSE_IMAGE_TARBALL="${PAUSE_IMAGE_TARBALL:-}" \
+ GUEST_HOOKS_TARBALL="${GUEST_HOOKS_TARBALL}"
 if [[ "${image_initrd_suffix}" == "nvidia-gpu"* ]]; then
 nvidia_driver_version=$(cat "${builddir}"/rootfs-image/*/nvidia_driver_version)
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index f7abd5b05..410ba5297 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -105,6 +105,9 @@ USE_CACHE="${USE_CACHE:-}"
 BUSYBOX_CONF_FILE=${BUSYBOX_CONF_FILE:-}
 NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK:-}"
 KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN:-}
+GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
+EXTRA_PKGS="${EXTRA_PKGS:-}"
+AGENT_POLICY="${AGENT_POLICY:-yes}"
 docker run \
 -v $HOME/.docker:/root/.docker \
@@ -137,6 +140,9 @@ docker run \
 --env BUSYBOX_CONF_FILE="${BUSYBOX_CONF_FILE}" \
 --env NVIDIA_GPU_STACK="${NVIDIA_GPU_STACK}" \
 --env KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN}" \
+ --env GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME}" \
+ --env EXTRA_PKGS="${EXTRA_PKGS}" \
+ --env AGENT_POLICY="${AGENT_POLICY}" \
 --env AA_KBC="${AA_KBC:-}" \
 --env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \
 --env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 04492266c..1838ac2e7 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -49,6 +49,9 @@ ARTEFACT_REGISTRY="${ARTEFACT_REGISTRY:-ghcr.io}"
 ARTEFACT_REPOSITORY="${ARTEFACT_REPOSITORY:-kata-containers}"
 ARTEFACT_REGISTRY_USERNAME="${ARTEFACT_REGISTRY_USERNAME:-}"
 ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}"
+GUEST_HOOKS_TARBALL_NAME="${GUEST_HOOKS_TARBALL_NAME:-}"
+EXTRA_PKGS="${EXTRA_PKGS:-}"
+AGENT_POLICY="${AGENT_POLICY:-yes}"
 TARGET_BRANCH="${TARGET_BRANCH:-main}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-}"
 KERNEL_HEADERS_PKG_TYPE="${KERNEL_HEADERS_PKG_TYPE:-deb}"
@@ -311,6 +314,13 @@ get_pause_image_tarball_path() {
 echo "${pause_image_local_build_dir}/${pause_image_tarball_name}"
 }
+get_guest_hooks_tarball_path() {
+ guest_hooks_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
+ guest_hooks_tarball_name="${GUEST_HOOKS_TARBALL_NAME}"
+
+ echo "${guest_hooks_local_build_dir}/${guest_hooks_tarball_name}"
+}
+
 get_latest_pause_image_artefact_and_builder_image_version() {
 local pause_image_repo="$(get_from_kata_deps ".externals.pause.repo")"
 local pause_image_version=$(get_from_kata_deps ".externals.pause.version")
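Review bot: `AGENT_POLICY="${AGENT_POLICY:-yes}"` turns a formerly hard-coded value into an operator-controlled one, but nothing validates it and the same default is duplicated in kata-deploy-binaries-in-docker.sh; rootfs.sh defaults the same variable to `no`, so anything other than `yes`/`no` would presumably be passed through unchanged to both the agent build and the rootfs build. A guard right after the assignment, `[[ "${AGENT_POLICY}" == "yes" || "${AGENT_POLICY}" == "no" ]] || die "AGENT_POLICY must be yes or no, got: ${AGENT_POLICY}"`, plus a comment naming the accepted values, catches typos before the two builds diverge. The `die` helper is not visible in this hunk; use whatever error helper this file already provides.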
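Review bot: get_guest_hooks_tarball_path joins `${GUEST_HOOKS_TARBALL_NAME}` onto the build directory without checking that it is a bare file name, so a value containing `/` or `..` yields a path outside `local-build/build`, which install_image then exports and rootfs.sh both bind-mounts (by dirname) and extracts as root into the rootfs. A guard in this function, `[[ "${GUEST_HOOKS_TARBALL_NAME}" != */* && "${GUEST_HOOKS_TARBALL_NAME}" != .. ]] || die "GUEST_HOOKS_TARBALL_NAME must be a plain file name"`, enforces the contract the variable's name implies. Both assignments should also be `local`, as the neighbouring get_latest_pause_image_artefact_and_builder_image_version does for its variables; get_pause_image_tarball_path above may share the issue but its body is mostly outside the hunk.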
@@ -384,7 +394,15 @@ install_image() {
 fi
 export AGENT_TARBALL=$(get_agent_tarball_path)
- export AGENT_POLICY=yes
+ export AGENT_POLICY
+
+ if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then
+ export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"
+ fi
+
+ if [[ -n "${EXTRA_PKGS}" ]]; then
+ export EXTRA_PKGS
+ fi
 "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
@@ -466,7 +484,15 @@ install_initrd() {
 fi
 export AGENT_TARBALL=$(get_agent_tarball_path)
- export AGENT_POLICY=yes
+ export AGENT_POLICY
+
+ if [[ -n "${GUEST_HOOKS_TARBALL_NAME}" ]]; then
+ export GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"
+ fi
+
+ if [[ -n "${EXTRA_PKGS}" ]]; then
+ export EXTRA_PKGS
+ fi
 "${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
@@ -499,24 +525,24 @@ install_initrd_confidential() {
 #
 # Install NVIDIA GPU image
 install_image_nvidia_gpu() {
- export AGENT_POLICY="yes"
- export EXTRA_PKGS="apt"
+ export AGENT_POLICY
+ EXTRA_PKGS="apt ${EXTRA_PKGS}"
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"}
 install_image "nvidia-gpu"
 }
 # Install NVIDIA GPU initrd
 install_initrd_nvidia_gpu() {
- export AGENT_POLICY="yes"
- export EXTRA_PKGS="apt"
+ export AGENT_POLICY
+ EXTRA_PKGS="apt ${EXTRA_PKGS}"
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"}
 install_initrd "nvidia-gpu"
 }
 # Instal NVIDIA GPU confidential image
 install_image_nvidia_gpu_confidential() {
- export AGENT_POLICY="yes"
- export EXTRA_PKGS="apt"
+ export AGENT_POLICY
+ EXTRA_PKGS="apt ${EXTRA_PKGS}"
 # TODO: export MEASURED_ROOTFS=yes
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"}
 install_image "nvidia-gpu-confidential"
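Review bot: install_image exports `GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"` without checking that the file exists, so a wrong GUEST_HOOKS_TARBALL_NAME is only discovered once rootfs.sh runs inside the build container; the identical block in install_initrd (@@ -466) has the same gap. Splitting the export into `GUEST_HOOKS_TARBALL="$(get_guest_hooks_tarball_path)"`, `[[ -f "${GUEST_HOOKS_TARBALL}" ]] || die "guest hooks tarball not found: ${GUEST_HOOKS_TARBALL}"` and `export GUEST_HOOKS_TARBALL` fails fast on the host, using whatever error helper this file already has. Since both functions now carry the same block, a small shared helper would keep them from drifting apart. Both functions start outside their hunks.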
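Review bot: `EXTRA_PKGS="apt ${EXTRA_PKGS}"` rewrites the global in place, so if two of these wrappers run in one shell (install_image_nvidia_gpu followed by install_initrd_nvidia_gpu, say) the second sees `apt apt ...`, and with EXTRA_PKGS empty the value becomes `apt ` with a trailing space; install_initrd_nvidia_gpu_confidential (@@ -524) has the same pattern. `[[ " ${EXTRA_PKGS} " == *" apt "* ]] || EXTRA_PKGS="apt${EXTRA_PKGS:+ ${EXTRA_PKGS}}"` handles both cases in one line. Whether several wrappers are ever invoked in a single process is not visible here, so the duplication may be theoretical. A comment that EXTRA_PKGS is a space-separated package list now taken from the environment, rather than fixed to `apt`, would help the next reader.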
@@ -524,8 +550,8 @@ install_image_nvidia_gpu_confidential() {
 # Install NVIDIA GPU confidential initrd
 install_initrd_nvidia_gpu_confidential() {
- export AGENT_POLICY="yes"
- export EXTRA_PKGS="apt"
+ export AGENT_POLICY
+ EXTRA_PKGS="apt ${EXTRA_PKGS}"
 # TODO: export MEASURED_ROOTFS=yes
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute"}
 install_initrd "nvidia-gpu-confidential"
@@ -937,7 +963,7 @@ install_agent() {
 export GPERF_URL="$(get_from_kata_deps ".externals.gperf.url")"
 info "build static agent"
- DESTDIR="${destdir}" AGENT_POLICY="yes" PULL_TYPE=${PULL_TYPE} "${agent_builder}"
+ DESTDIR="${destdir}" AGENT_POLICY="${AGENT_POLICY}" PULL_TYPE=${PULL_TYPE} "${agent_builder}"
 }
 install_coco_guest_components() {
diff --git a/versions.yaml b/versions.yaml
index a0f810a22..e908644d1 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -364,9 +364,14 @@ externals:
 virtiofsd:
 description: "vhost-user virtio-fs device backend written in Rust"
 url: "https://gitlab.com/virtio-fs/virtiofsd"
- # v1.13.0 + seccomp patch allowing the tkill syscall
- version: "cecc61bca981ab42aae6ec490dfd59965e79025e"
- toolchain: "1.83.0"
+ version: "v1.13.1"
+ toolchain: "1.80.0"
+ meta:
+ # From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.13.1,
+ # this is the link labelled virtiofsd-v1.13.1.zip
+ #
+ # yamllint disable-line rule:line-length
+ binary: "https://gitlab.com/-/project/21523468/uploads/05d4925181301a59b8c322cd9f9d44a7/virtiofsd-v1.13.1.zip"
 xurls:
 description: |
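Review bot: `meta.binary` introduces a prebuilt artifact download (a GitLab upload URL) with no digest pinned beside it, so whatever consumes this key has nothing to verify the zip against; the consumer is not in this diff, and if it already checks a signature or hash the comment should say so. A sibling entry (constructed example) such as `sha256: "<checksum of virtiofsd-v1.13.1.zip from the release page>"` together with a verification step in the download path would close that gap. The removed comment recorded why a commit was pinned (v1.13.0 plus a seccomp patch allowing the tkill syscall); a one-line note stating that v1.13.1 carries that fix, if it does, keeps the reason from being lost, and the toolchain move from 1.83.0 to 1.80.0 deserves a word as well.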