github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-21 01:13:56 +00:00
Code Issues Projects Releases Wiki Activity

rootfs: Stop building and shipping OPA

Browse Source 
Since OPA binary was replaced by the regorus crate, we can finally stop
building and shipping the binary.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This commit is contained in:
Fabiano Fidêncio 2024-04-25 22:37:35 +02:00
parent 7dd2fde22d
commit fe21d7a58b
No known key found for this signature in database
GPG Key ID: EE926C2BDACC177B
4 changed files with 0 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/kata-opa/kata-opa.service.in
View File

@ -1,29 +0,0 @@
#
# Copyright (c) 2023 Microsoft Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
[Unit]
Description=Open Policy Agent for Kata Containers
Documentation=https://github.com/kata-containers
ConditionPathExists=@SETTINGSDIR@/default-policy.rego
# kata-agent connects to OPA while starting up.
Before=kata-agent.service
[Service]
Type=simple
ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
DynamicUser=yes
RuntimeDirectory=kata-opa
LimitNOFILE=1048576
# Don't restart because there may be an active policy that would be lost.
Restart=no
# Send log output to tty to allow capturing debug logs from a VM vsock port.
StandardError=tty
# Discourage OOM-killer from touching the policy service.
OOMScoreAdjust=-997

1
tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
View File

@ -8,4 +8,3 @@ LIBC="gnu"
PACKAGES="core-packages-base-image ca-certificates" PACKAGES="core-packages-base-image ca-certificates"
[ "$AGENT_INIT" = no ] && PACKAGES+=" systemd" [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
[ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true

108
tools/osbuilder/rootfs-builder/rootfs.sh
View File

@ -548,39 +548,6 @@ prepare_overlay()
popd > /dev/null popd > /dev/null
} }
build_opa_from_source()
{
local opa_repo_url=$1
opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
if [ ${CROSS_BUILD} == "yes" ]; then
export GOOS="${TARGET_OS}"
export GOARCH="${TARGET_ARCH}}"
fi
current_dir="$(pwd)"
pushd $(mktemp -d) &>/dev/null
git clone -b "${opa_version}" "${opa_repo_url}" opa || return 1
(
cd opa
export WASM_ENABLED=0
export DOCKER_RUNNING=0
make ci-go-ci-build-linux-static || return 1
info "Copy OPA binary to ${current_dir}/opa"
binary_name="_release/${opa_version##v}/opa_${GOOS}_${GOARCH}_static"
if [ -f "${binary_name}" ]; then
cp "${binary_name}" "${current_dir}/opa"
else
echo "OPA binary ${binary_name} not found"
return 1
fi
)
rm -rf opa
popd &>/dev/null
return 0
}
# Setup an existing rootfs directory, based on the OPTIONAL distro name # Setup an existing rootfs directory, based on the OPTIONAL distro name
# provided as argument # provided as argument
setup_rootfs() setup_rootfs()
@ -739,44 +706,6 @@ EOF
fi fi
if [ "${AGENT_POLICY}" == "yes" ]; then if [ "${AGENT_POLICY}" == "yes" ]; then
# Setup systemd-based environment for kata-opa.
local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")"
if [ -z "${opa_bin_dir}" ]; then
# OPA was not installed already, so download it here.
#
# TODO: if an OPA package is not available for the Guest image distro,
# Kata should cache the OPA source code, toolchain information, etc.
# OPA should be built from the cached source code instead of downloading
# this binary.
#
local opa_repo_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.url)"
local opa_version="$(get_package_version_from_kata_yaml externals.open-policy-agent.version)"
if [ "$ARCH" == "ppc64le" ] || [ "$ARCH" == "s390x" ]; then
info "Building OPA binary from source at ${opa_repo_url}"
build_opa_from_source "${opa_repo_url}" || die "Failed to build OPA"
else
local opa_binary_arch
case ${ARCH} in
x86_64) opa_binary_arch="amd64" ;;
aarch64) opa_binary_arch="arm64" ;;
*) die "Unsupported architecture for the OPA binary" ;;
esac
local opa_bin_url="${opa_repo_url}/releases/download/${opa_version}/opa_linux_${opa_binary_arch}_static"
info "Downloading OPA binary from ${opa_bin_url}"
curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA"
fi
# Install the OPA binary.
opa_bin_dir="/usr/local/bin"
local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa"
info "Installing OPA binary to ${opa_bin}"
install -D -o root -g root -m 0755 opa -T "${opa_bin}"
${stripping_tool} ${ROOTFS_DIR}${opa_bin_dir}/opa
else
info "OPA binary already exists in ${opa_bin_dir}"
fi
# Install default settings for the kata-opa service. # Install default settings for the kata-opa service.
local kata_opa_in_dir="${script_dir}/../../../src/kata-opa" local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
local opa_settings_dir="/etc/kata-opa" local opa_settings_dir="/etc/kata-opa"
@ -785,25 +714,6 @@ EOF
mkdir -p "${policy_dir}" mkdir -p "${policy_dir}"
install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}" install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}"
ln -sf "${policy_file}" "${policy_dir}/default-policy.rego" ln -sf "${policy_file}" "${policy_dir}/default-policy.rego"
if [ "${AGENT_INIT}" == "yes" ]; then
info "OPA will be started by the kata agent"
else
# Install the unit file for the kata-opa service.
local kata_opa_unit="kata-opa.service"
local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}"
local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
opa_settings_dir="${opa_settings_dir//\//\\/}"
sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}"
opa_bin_dir="${opa_bin_dir//\//\\/}"
sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}"
install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}"
mkdir -p "${kata_containers_wants}"
ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}"
fi
fi fi
info "Check init is installed" info "Check init is installed"
@ -833,24 +743,6 @@ EOF
create_summary_file "${ROOTFS_DIR}" create_summary_file "${ROOTFS_DIR}"
} }
get_opa_bin_dir()
{
local rootfs_dir="$1"
local -a bin_dirs=(
"/bin"
"/usr/bin"
"/usr/local/bin"
)
for bin_dir in "${bin_dirs[@]}"
do
local opa_bin="${rootfs_dir}${bin_dir}/opa"
if [ -f "${opa_bin}" ]; then
echo "${bin_dir}"
return 0
fi
done
}
parse_arguments() parse_arguments()
{ {
[ "$#" -eq 0 ] && usage && return 0 [ "$#" -eq 0 ] && usage && return 0

5
versions.yaml
View File

@ -324,11 +324,6 @@ externals:
url: "https://github.com/containerd/nydus-snapshotter" url: "https://github.com/containerd/nydus-snapshotter"
version: "v0.13.11" version: "v0.13.11"
open-policy-agent:
description: "Open Policy Agent"
url: "https://github.com/open-policy-agent/opa"
version: "v0.55.0"
ovmf: ovmf:
description: "Firmware, implementation of UEFI for virtual machines." description: "Firmware, implementation of UEFI for virtual machines."
url: "https://github.com/tianocore/edk2" url: "https://github.com/tianocore/edk2"