osbuilder: Remove option to build skopeo, umoci

Now we don't need to have skopeo and umoci in the rootfs remove the code that optionally builds and installs them Fixes: #3970 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-19 08:28:19 +00:00 · 2023-01-16 11:34:20 +00:00 · 2023-01-16 11:34:20 +00:00 · dd2d6a94f1
commit dd2d6a94f1
parent ee5fb8c998
4 changed files with 3 additions and 71 deletions
--- a/tools/osbuilder/rootfs-builder/README.md
+++ b/tools/osbuilder/rootfs-builder/README.md
@ -186,10 +186,4 @@ To add additional packages, use one of the following methods:
 #### Arbitrary rootfs changes

 Once the rootfs directory is created, you can add and remove files as
-needed. Changes affect the files included in the final guest image.
-
-#### Confidential containers support
-
-When building the rootfs for confidential containers if `SKOPEO=yes` is set then the `skopeo`
-package is built and added into the rootfs.
-If `UMOCI=yes` is set then the `umoci` package is built and added into the rootfs.
+needed. Changes affect the files included in the final guest image.
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -157,23 +157,9 @@ USE_PODMAN          If set and USE_DOCKER not set, then build the rootfs inside
                    a podman container (requires podman).
                    Default value: <not set>

-SKOPEO              If set to "yes", build Skopeo for confidential
-                    containers guest image pull. Currently, this is only
-                    supported for Ubuntu guests; see
-                    https://github.com/kata-containers/kata-containers/pull/2908
-                    for discussion.
-                    Default value: <not set>
-
-UMOCI               If set to "yes", build and umoci for confidential
-                    containers guest image unpack. Currently, this is only
-                    supported for Ubuntu guests; see
-                    https://github.com/kata-containers/kata-containers/pull/2908
-                    for discussion.
-                    Default value: <not set>
-
 AA_KBC              Key broker client module for attestation-agent. This is
-                    required for confidential containers. Requires UMOCI
-                    to be set. See https://github.com/containers/attestation-agent
+                    required for confidential containers.
+                    See https://github.com/containers/attestation-agent
                    for more information on available modules.
                    Default value: <not set>

@ -464,8 +450,6 @@ build_rootfs_distro()
 			--env OSBUILDER_VERSION="${OSBUILDER_VERSION}" \
 			--env OS_VERSION="${OS_VERSION}" \
 			--env INSIDE_CONTAINER=1 \
-			--env SKOPEO="${SKOPEO}" \
-			--env UMOCI="${UMOCI}" \
 			--env AA_KBC="${AA_KBC}" \
 			--env KATA_BUILD_CC="${KATA_BUILD_CC}" \
 			--env SECCOMP="${SECCOMP}" \
@ -669,17 +653,6 @@ EOF
 	info "Create /etc/resolv.conf file in rootfs if not exist"
 	touch "$dns_file"

-	if [ "${SKOPEO}" = "yes" ]; then
-		skopeo_url="$(get_package_version_from_kata_yaml externals.skopeo.url)"
-		skopeo_branch="$(get_package_version_from_kata_yaml externals.skopeo.branch)"
-		info "Install skopeo"
-		git clone "${skopeo_url}" --branch "${skopeo_branch}"
-		pushd skopeo
-		make bin/skopeo
-		install -o root -g root -m 0755 bin/skopeo "${ROOTFS_DIR}/usr/bin/"
-		popd
-	fi
-
    if [ -n "${AA_KBC}" ]; then
 		if [ "${AA_KBC}" == "offline_sev_kbc" ]; then
 			info "Adding agent config for ${AA_KBC}"
@ -715,24 +688,6 @@ EOF
 		popd
 	fi

-	if [ "${UMOCI}" = "yes" ]; then
-		case "$ARCH" in
-			aarch64) GOARCH=arm64;;
-			x86_64) GOARCH=amd64;;
-			*) GOARCH="$ARCH"
-		esac
-		export GOARCH
-
-		umoci_url="$(get_package_version_from_kata_yaml externals.umoci.url)"
-		umoci_tag="$(get_package_version_from_kata_yaml externals.umoci.tag)"
-		info "Install umoci"
-		git clone "${umoci_url}" --branch "${umoci_tag}"
-		pushd umoci
-		make
-		install -o root -g root -m 0755 umoci "${ROOTFS_DIR}/usr/local/bin/"
-		popd
-	fi
-
 	if [ "${KATA_BUILD_CC}" == "yes" ]; then
 		info "Integrate pause image inside rootfs for CC"
 		pause_repo="$(get_package_version_from_kata_yaml externals.pause.repo)"
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@ -9,7 +9,6 @@ PACKAGES="chrony iptables dbus kmod"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
 [ "$KATA_BUILD_CC" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
-[ "$SKOPEO" = yes ] && PACKAGES+=" libgpgme11 libdevmapper1.02.1"
 REPO_URL=http://ports.ubuntu.com

 case "$ARCH" in
--- a/tools/osbuilder/scripts/lib.sh
+++ b/tools/osbuilder/scripts/lib.sh
@ -207,22 +207,6 @@ ${extra}
 	  agent-is-init-daemon: "${AGENT_INIT}"
 EOF

-	if [ "${SKOPEO}" = "yes" ]; then
-		cat >> "${file}" <<-EOF
-	skopeo:
-	  url: "${skopeo_url}"
-	  version: "${skopeo_branch}"
-EOF
-	fi
-
-	if [ "${UMOCI}" = "yes" ]; then
-		cat >> "${file}" <<-EOF
-	umoci:
-	  url: "${umoci_url}"
-	  version: "${umoci_tag}"
-EOF
-	fi
-
 	if [ -n "${AA_KBC}" ]; then
 		cat >> "${file}" <<-EOF
 	attestation-agent: