Merge pull request #5835 from fidencio/topic/CC-cache-rootfs

CC | Cache and use rootfs whenever it's possible

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -118,6 +118,8 @@ install_cached_component() {
 	local current_image_version="${4}"
 	local component_tarball_name="${5}"
 	local component_tarball_path="${6}"
+	local root_hash_vanilla="${7:-""}"
+	local root_hash_tdx="${8:-""}"
 
 	local cached_version=$(curl -sfL "${jenkins_build_url}/latest" | awk '{print $1}') || cached_version="none"
 	local cached_image_version=$(curl -sfL "${jenkins_build_url}/latest_image" | awk '{print $1}') || cached_image_version="none"
@@ -130,9 +132,75 @@ install_cached_component() {
 	wget "${jenkins_build_url}/${component_tarball_name}" || return cleanup_and_fail
 	wget "${jenkins_build_url}/sha256sum-${component_tarball_name}" || return cleanup_and_fail
 	sha256sum -c "sha256sum-${component_tarball_name}" || return cleanup_and_fail
+	if [ -n "${root_hash_vanilla}" ]; then
+		wget "${jenkins_build_url}/${root_hash_vanilla}" || return cleanup_and_fail
+		mv "${root_hash_vanilla}" "${repo_root_dir}/tools/osbuilder/"
+	fi
+	if [ -n "${root_hash_tdx}" ]; then
+		wget "${jenkins_build_url}/${root_hash_tdx}" || return cleanup_and_fail
+		mv "${root_hash_tdx}" "${repo_root_dir}/tools/osbuilder/"
+	fi
 	mv "${component_tarball_name}" "${component_tarball_path}"
 }
 
+# We've to add a different cached function here as for using the shim-v2 caching
+# we have to rely and check some artefacts coming from the cc-rootfs-image and the
+# cc-tdx-rootfs-image jobs.
+install_cached_cc_shim_v2() {
+	local component="${1}"
+	local jenkins_build_url="${2}"
+	local current_version="${3}"
+	local current_image_version="${4}"
+	local component_tarball_name="${5}"
+	local component_tarball_path="${6}"
+	local root_hash_vanilla="${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt"
+	local root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"
+
+	local rootfs_image_cached_root_hash="${jenkins_url}/job/kata-containers-2.0-rootfs-image-cc-$(uname -m)/${cached_artifacts_path}/root_hash_vanilla.txt"
+	local tdx_rootfs_image_cached_root_hash="${jenkins_url}/job/kata-containers-2.0-rootfs-image-tdx-cc-$(uname -m)/${cached_artifacts_path}/root_hash_tdx.txt"
+
+
+	wget "${rootfs_image_cached_root_hash}" -O "rootfs_root_hash_vanilla.txt" || return 1
+	if [ -f "${root_hash_vanilla}" ]; then
+		# There's already a pre-existent root_hash_vanilla.txt,
+		# let's check whether this is the same one cached on the
+		# rootfs job.
+
+		# In case it's not the same, let's proceed building the
+		# shim-v2 with what we have locally.
+		diff "${root_hash_vanilla}" "rootfs_root_hash_vanilla.txt" > /dev/null || return 1
+	fi
+	mv "rootfs_root_hash_vanilla.txt" "${root_hash_vanilla}"
+
+	wget "${rootfs_image_cached_root_hash}" -O "rootfs_root_hash_tdx.txt" || return 1
+	if [ -f "${root_hash_tdx}" ]; then
+		# There's already a pre-existent root_hash_tdx.txt,
+		# let's check whether this is the same one cached on the
+		# rootfs job.
+
+		# In case it's not the same, let's proceed building the
+		# shim-v2 with what we have locally.
+		diff "${root_hash_tdx}" "rootfs_root_hash_tdx.txt" > /dev/null || return 1
+	fi
+	mv "rootfs_root_hash_tdx.txt" "${root_hash_tdx}"
+
+	wget "${jenkins_build_url}/root_hash_vanilla.txt" -O "shim_v2_root_hash_vanilla.txt" || return 1
+	diff "${root_hash_vanilla}" "shim_v2_root_hash_vanilla.txt" > /dev/null || return 1
+
+	wget "${jenkins_build_url}/root_hash_tdx.txt" -O "shim_v2_root_hash_tdx.txt" || return 1
+	diff "${root_hash_tdx}" "shim_v2_root_hash_tdx.txt" > /dev/null || return 1
+
+	install_cached_component \
+		"${component}" \
+		"${jenkins_build_url}" \
+		"${current_version}" \
+		"${current_image_version}" \
+		"${component_tarball_name}" \
+		"${component_tarball_path}" \
+		"$(basename ${root_hash_vanilla})" \
+		"$(basename ${root_hash_tdx})"
+}
+
 # Install static CC cloud-hypervisor asset
 install_cc_clh() {
 	install_cached_component \
@@ -161,8 +229,45 @@ install_cc_image() {
 	image_type="${2:-image}"
 	image_initrd_suffix="${3:-""}"
 	root_hash_suffix="${4:-""}"
+	tee="${5:-""}"
 	export KATA_BUILD_CC=yes
 
+	local jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-cc-$(uname -m)/${cached_artifacts_path}"
+	local component="rootfs-image"
+	local root_hash_vanilla="root_hash_vanilla.txt"
+	local root_hash_tdx=""
+	if [ -n "${tee}" ]; then
+		if [ "${tee}" == "tdx" ]; then
+			jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-${tee}-cc-$(uname -m)/${cached_artifacts_path}"
+			component="${tee}-rootfs-image"
+			root_hash_vanilla=""
+			root_hash_tdx="root_hash_${tee}.txt"
+		fi
+	fi
+
+	local osbuilder_last_commit="$(echo $(get_last_modification "${repo_root_dir}/tools/osbuilder") | sed s/-dirty//)"
+	local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")"
+	local agent_last_commit="$(get_last_modification "${repo_root_dir}/src/agent")"
+	local libs_last_commit="$(get_last_modification "${repo_root_dir}/src/libs")"
+	local attestation_agent_version="$(get_from_kata_deps "externals.attestation-agent.version")"
+	local gperf_version="$(get_from_kata_deps "externals.gperf.version")"
+	local libseccomp_version="$(get_from_kata_deps "externals.libseccomp.version")"
+	local pause_version="$(get_from_kata_deps "externals.pause.version")"
+	local skopeo_version="$(get_from_kata_deps "externals.skopeo.branch")"
+	local umoci_version="$(get_from_kata_deps "externals.umoci.tag")"
+	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+
+	install_cached_component \
+		"${component}" \
+		"${jenkins}" \
+		"${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${skopeo_version}-${umoci_version}-${rust_version}-${image_type}-${AA_KBC}" \
+		"" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		"${root_hash_vanilla}" \
+		"${root_hash_tdx}" \
+		&& return 0
+
 	info "Create CC image configured with AA_KBC=${AA_KBC}"
 	"${rootfs_builder}" \
 		--imagetype="${image_type}" \
@@ -175,7 +280,7 @@ install_cc_image() {
 install_cc_sev_image() {
 	AA_KBC="offline_sev_kbc"
 	image_type="initrd"
-	install_cc_image "${AA_KBC}" "${image_type}"
+	install_cc_image "${AA_KBC}" "${image_type}" "sev"
 }
 
 install_cc_tdx_image() {
@@ -183,7 +288,7 @@ install_cc_tdx_image() {
 	image_type="image"
 	image_suffix="tdx"
 	root_hash_suffix="tdx"
-	install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}"
+	install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx"
 }
 
 #Install CC kernel asset
@@ -226,6 +331,20 @@ install_cc_qemu() {
 
 #Install all components that are not assets
 install_cc_shimv2() {
+	local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")"
+	local golang_version="$(get_from_kata_deps "languages.golang.meta.newest-version")"
+	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+	local shim_v2_version="${shim_v2_last_commit}-${golang_version}-${rust_version}"
+
+	install_cached_cc_shim_v2 \
+		"shim-v2" \
+		"${jenkins_url}/job/kata-containers-2.0-shim-v2-cc-$(uname -m)/${cached_artifacts_path}" \
+		"${shim_v2_version}" \
+		"$(get_shim_v2_image_name)" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		&& return 0
+
 	GO_VERSION="$(yq r ${versions_yaml} languages.golang.meta.newest-version)"
 	export GO_VERSION
 	export REMOVE_VMM_CONFIGS="acrn fc"

tools/packaging/static-build/cache_components.sh

@@ -74,10 +74,53 @@ cache_virtiofsd_artifacts() {
 	create_cache_asset "${virtiofsd_tarball_name}" "${current_virtiofsd_version}" "${current_virtiofsd_image}"
 }
 
+cache_rootfs_artifacts() {
+	# We need to remove `-dirty` from teh osbuilder_last_commit as the rootfs artefacts are generated on that folder
+	local osbuilder_last_commit="$(echo $(get_last_modification "${repo_root_dir}/tools/osbuilder") | sed s/-dirty//)"
+	local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")"
+	local agent_last_commit="$(get_last_modification "${repo_root_dir}/src/agent")"
+	local libs_last_commit="$(get_last_modification "${repo_root_dir}/src/libs")"
+	local attestation_agent_version="$(get_from_kata_deps "externals.attestation-agent.version")"
+	local gperf_version="$(get_from_kata_deps "externals.gperf.version")"
+	local libseccomp_version="$(get_from_kata_deps "externals.libseccomp.version")"
+	local pause_version="$(get_from_kata_deps "externals.pause.version")"
+	local skopeo_version="$(get_from_kata_deps "externals.skopeo.branch")"
+	local umoci_version="$(get_from_kata_deps "externals.umoci.tag")"
+	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+	local rootfs_tarball_name="kata-static-cc-rootfs-image.tar.xz"
+	local aa_kbc="offline_fs_kbc"
+	local image_type="image"
+	local root_hash_vanilla="${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt"
+	local root_hash_tdx=""
+	if [ -n "${TEE}" ]; then
+		if [ "${TEE}" == "tdx" ]; then
+			rootfs_tarball_name="kata-static-cc-tdx-rootfs-image.tar.xz"
+			aa_kbc="eaa_kbc"
+			image_type="image"
+			root_hash_vanilla=""
+			root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"
+		fi
+	fi
+	local current_rootfs_version="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${skopeo_version}-${umoci_version}-${rust_version}-${image_type}-${aa_kbc}"
+	create_cache_asset "${rootfs_tarball_name}" "${current_rootfs_version}" "" "${root_hash_vanilla}" "${root_hash_tdx}"
+}
+
+cache_shim_v2_artifacts() {
+	local shim_v2_tarball_name="kata-static-cc-shim-v2.tar.xz"
+	local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")"
+	local golang_version="$(get_from_kata_deps "languages.golang.meta.newest-version")"
+	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+	local current_shim_v2_version="${shim_v2_last_commit}-${golang_version}-${rust_version}"
+	local current_shim_v2_image="$(get_shim_v2_image_name)"
+	create_cache_asset "${shim_v2_tarball_name}" "${current_shim_v2_version}" "${current_shim_v2_image}" "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt" "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"
+}
+
 create_cache_asset() {
 	local component_name="${1}"
 	local component_version="${2}"
 	local component_image="${3}"
+	local root_hash_vanilla="${4:-""}"
+	local root_hash_tdx="${5:-""}"
 
 	sudo cp "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${component_name}" .
 	sudo chown -R "${USER}:${USER}" .
@@ -87,6 +130,18 @@ create_cache_asset() {
 	cat "latest"
 	echo "${component_image}" > "latest_image"
 	cat "latest_image"
+	if [ -n "${root_hash_vanilla}" ]; then
+		local cached_root_hash_vanilla="$(basename ${root_hash_vanilla})"
+		sudo cp "${root_hash_vanilla}" "${cached_root_hash_vanilla}"
+		sudo chown -R "${USER}:${USER}" "${cached_root_hash_vanilla}"
+		echo "${cached_root_hash_vanilla}: $(cat "${cached_root_hash_vanilla}")"
+	fi
+	if [ -n "${root_hash_tdx}" ]; then
+		local cached_root_hash_tdx="$(basename ${root_hash_tdx})"
+		sudo cp "${root_hash_tdx}" "${cached_root_hash_tdx}"
+		sudo chown -R "${USER}:${USER}" "${cached_root_hash_tdx}"
+		echo "${cached_root_hash_tdx}: $(cat "${cached_root_hash_tdx}")"
+	fi
 }
 
 help() {
@@ -108,7 +163,12 @@ Usage: $0 "[options]"
 			* Requires FIRMWARE environment variable set, valid values are:
 			  * tdvf
 			  * td-shim
+		-s	Shim v2 cache
 		-v	Virtiofsd cache
+		-r	Rootfs Cache
+			* can receive a TEE environment variable value, valid values are:
+			  * tdx
+			  If not TEE environment is passed, the Rootfs Image will be built without TEE support.
 		-h	Shows help
 EOF
 )"
@@ -119,9 +179,11 @@ main() {
 	local qemu_component="${qemu_component:-}"
 	local kernel_component="${kernel_component:-}"
 	local firmware_component="${firmware_component:-}"
+	local shim_v2_component="${shim_v2_component:-}"
 	local virtiofsd_component="${virtiofsd_component:-}"
+	local rootfs_component="${rootfs_component:-}"
 	local OPTIND
-	while getopts ":ckqfvh:" opt
+	while getopts ":ckqfvrsh:" opt
 	do
 		case "$opt" in
 		c)
@@ -136,9 +198,15 @@ main() {
 		f)
 			firmware_component="1"
 			;;
+		s)
+			shim_v2_component="1"
+			;;
 		v)
 			virtiofsd_component="1"
 			;;
+		r)
+			rootfs_component="1"
+			;;
 		h)
 			help
 			exit 0;
@@ -156,7 +224,9 @@ main() {
 	[[ -z "${kernel_component}" ]] && \
 	[[ -z "${qemu_component}" ]] && \
 	[[ -z "${firmware_component}" ]] && \
+	[[ -z "${shim_v2_component}" ]] && \
 	[[ -z "${virtiofsd_component}" ]] && \
+	[[ -z "${rootfs_component}" ]] && \
 		help && die "Must choose at least one option"
 
 	mkdir -p "${WORKSPACE}/artifacts"
@@ -167,7 +237,9 @@ main() {
 	[ "${kernel_component}" == "1" ] && cache_kernel_artifacts
 	[ "${qemu_component}" == "1" ] && cache_qemu_artifacts
 	[ "${firmware_component}" == "1" ] && cache_firmware_artifacts
+	[ "${shim_v2_component}" == "1" ] && cache_shim_v2_artifacts
 	[ "${virtiofsd_component}" == "1" ] && cache_virtiofsd_artifacts
+	[ "${rootfs_component}" == "1" ] && cache_rootfs_artifacts
 
 	ls -la "${WORKSPACE}/artifacts/"
 	popd

tools/packaging/static-build/shim-v2/build.sh

@@ -49,7 +49,7 @@ if [ -n "${RUST_VERSION}" ]; then
 		"${container_image}" \
 		bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install"
 fi
-	
+
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${repo_root_dir}/src/runtime" \
 	"${container_image}" \