Commit Graph

48 Commits

Author SHA1 Message Date
Zvonko Kaiser
a786dc48b0 kernel: fix enable kernel debug
The KERNEL_DEBUG_ENABLED was missing in the outer shell script
so overrides via make were not possible.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-18 02:24:19 +00:00
Fabiano Fidêncio
e2b93fff3f build: Allow passing IMAGE_SIZE_ALIGNMENT_MB as an env var
This helps considerably to avoid patching the code, and just adjusting
the build environment to use a smaller alignment than the default one.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-06-28 00:05:20 +02:00
Xynnn007
7420194ea8 build: abandon PULL_TYPE build env
Now kata-agent by default supports both guest pull and host pull
abilities, thus we do not need to specify the PULL_TYPE env when
building kata-agent.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:53:55 +08:00
Dan Mihai
65385a5bf9 image: custom guest rootfs image file size alignment
The Guest rootfs image file size is aligned up to 128M boundary,
since commmit 2b0d5b2. This change allows users to use a custom
alignment value - e.g., to align up to 2M, users will be able to
specify IMAGE_SIZE_ALIGNMENT_MB=2 for image_builder.sh.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-06-02 16:15:17 +00:00
Jacek Tomasiak
91fb4353f6
osbuilder: ubuntu: Add REPO_COMPONENTS setting
Added variable REPO_COMPONENTS (default: "main") which sets components
used by mmdebstrap for rootfs building.
This is useful for custom image builders who want to include EXTRA_PKGS
from components other than the default "main" (e.g. "universe").

Fixes: #11278
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
2025-05-20 14:01:48 +02:00
Jacek Tomasiak
da6860a632
osbuilder: ubuntu: Expose REPO_URL variables
This exposes REPO_URL and adds REPO_URL_X86_64 which can be set to use
custom Ubuntu repo for building rootfs.
If only one architecture is built, REPO_URL can be set. Otherwise,
REPO_URL_X86_64 is used for x86_64 arch and REPO_URL for others.

Fixes: #11276
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
2025-05-19 12:41:49 +02:00
Fabiano Fidêncio
7e9e9263d1 build: Allow users to build the go, rust, or both runtimes
Let's add a RUNTIME_CHOICE env var that can be passed to be build
scripts, which allows the user to select whether they bulld the go
runtime, the rust runtime, or both.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-24 10:36:26 +02:00
Fabiano Fidêncio
2fef594f14 build: Allow users to define AGENT_POLICY
This is mostly used for Kata Containers backing up Confidential
Computing use cases, this also has benefits for the normal Kata
Containers use cases, this it's left enabled by default.

However, let's allow users to specify whether or not they want to have
it enabled, as depending on their use-case, it just does not make sense.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-14 10:02:22 +02:00
Fabiano Fidêncio
5d0688079a build: Allow users to specificy EXTRA_PKGS
Right now we've had some logic to add EXTRA_PKGS, but those were
restrict to the nvidia builds, and would require changing the file
manually.

Let's make sure a user can add this just by specifying an env var.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-14 10:02:22 +02:00
Fabiano Fidêncio
40a15ac760 build: Allow adding a guest-hook to the rootfs
Kata Containers provides, since forever, a way to run OCI guest-hooks
from the rootfs, as long as the files are dropped in a specific location
defined in the configuration.toml.

However, so far, it's been up to the ones using it to hack the generated
image in order to add those guest hooks, which is far from handy.

Let's add a way for the ones interested on this feature to just drop a
tarball file under the same known build directory, spcificy an env var,
and let the guest hooks be installed during the rootfs build.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-14 10:02:16 +02:00
Fabiano Fidêncio
e3c98a5ac7 agent: Allow users to build without guest-pull
For those not interested in CoCo, let's at least allow them to easily
build the agent without the guest-pull feature.

This reduces the binary size (already stripped) from 25M to 18M.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-04-04 22:58:43 +01:00
stevenhorsman
c5ff513e0b shellcheck: Fix shellcheck SC2068
> Double quote array expansions to avoid re-splitting elements

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-04 09:35:46 +00:00
Zvonko Kaiser
9602ba6ccc gpu: Add proper KBUILD_SIGN_PIN to entry script
Update kata-deploy-binaries-in-docker.sh to read the
env variable KBUILD_SIGN_PIN that either can be set via
GHA or other means.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-02-28 01:31:35 +00:00
Fabiano Fidêncio
d5f907dcf1 rootfs-confidential: Ensure systemd is used as init
Let's make sure that we don't use Kata Containers' agent as init for the
Confidential related rootfses*, as we don't want to increase the agent's
complexity for no reason ... mainly when we can rely on a proper init
system.

*:
- images already used systemd as init
- initrds are now using systemd as init

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Zvonko Kaiser
0debf77770 gpu: NVIDIA gpu initrd/image build
With each release make sure we ship a GPU enabled rootfs/initrd

Fixes: #6554

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-11-21 18:57:23 +00:00
stevenhorsman
66f6ec2919 ci: cache: Pass through RELEASE env
In kata-deploy-binaries.sh we want to understand if we are running
as part of a release, so we need to pass through the RELEASE env
from the workflow, which I missed in
https://github.com/kata-containers/kata-containers/pull/9550

Fixes: #9921
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-07-22 16:39:35 +01:00
Fabiano Fidêncio
b7051890af
Merge pull request #9722 from zvonkok/busybox-build
deploy: Add busybox target
2024-07-17 13:47:15 +02:00
Gabriela Cervantes
28601b51d2 tools: Remove CI variable in kata deploy in docker script
This PR removes the CI variable in kata deploy in docker script
which was supported it in jenkins environment which is not
longer being supported it.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-07-09 20:04:24 +02:00
Zvonko Kaiser
b1909e940e deploy: Add busybox target
For a minimal initrd/image build we may want to leverage busybox.
This is part number two of the NVIDIA initrd/image build

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-06-18 15:31:00 +00:00
Wainer dos Santos Moschetta
e517167825 kata-deploy: always copy ci/install_yq.sh
To build the build-kata-deploy image, it should be copied ci/install_yq.sh to
tools/packaging/kata-deploy/local-build/dockerbuild as this script will install
yq within the image. Currently, if
tools/packaging/kata-deploy/local-build/dockerbuild/install_yq.sh exists then
make won't copy it again. This can raise problems as, for example, the current
update of yq version (commit c99ba42d) in ci/install_yq.sh won't force the
rebuild of the build-kata-deploy image.

Note: this isn't a problem on a fresh dev or CI environment.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2024-06-17 12:18:22 -03:00
Zvonko Kaiser
693e307f72 deploy: Add artefact repository
New env var so everyone can test the PUSH_TO_REGISTRY feature

export PUSH_TO_REGISTRY=yes
export ARTEFACT_REGISTRY=quay.io
export ARTEFACT_REPOSITORY=my-fancy-kata-containers
export ARTEFACT_REGISTRY_USERNAME=zvonkok
export ARTEFACT_REGISTRY_PASSWORD=<super-secret>

make ...-tarball

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-05-10 16:41:52 +00:00
ChengyuZhu6
8724d7deeb
packaging: Enable to build agent with PULL_TYPE feature
Enable to build kata-agent with PULL_TYPE feature.

We build kata-agent with guest-pull feature by default, with PULL_TYPE set to default.
This doesn't affect how kata shares images by virtio-fs. The snapshotter controls the image pulling in the guest.
Only the nydus snapshotter with proxy mode can activate this feature.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-03-19 18:06:00 +01:00
ChengyuZhu6
70a84eca9e packaging: allow to pull and unpack pause image
For Confidential containers stack, the pause image is managed by host side,
then it may configure a malicious pause image, we need package
a pause image inside the rootfs and don't the pause image from host.

But the installation of skopeo is not included in 20.04 release, so we
can not directly install skopeo in rootfs and pull pause image.

So I plan to let the task as a static build stuff, which would not be influenced
by the system version in rootfs. And the pause image will be part of the Kata Containers rootfs
that's used by the Confidential Containers usecase. This commit enables the component to be built
both locally and in our CI environment with the command: make pause-image-tarball.

Fixes: #9032

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
2024-02-08 11:23:23 +08:00
Fabiano Fidêncio
644abde35c
packaging: coco-guest-components: Allow building the project
The Confidential Containers guest-components will, in the very short
future, be part of the Kata Containers rootfs that's used by the
Confidential Containers usecase.

This commit introduces the ability to, standalone, build the component
locally and as part of our CI, and this can be done by calling:
`make coco-guest-components-tarball`

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Linda Yu <linda.yu@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: zhouliang121 <liang.a.zhou@linux.alibaba.com>
Co-authored-by: Alex Carter <alex.carter@ibm.com>
Co-authored-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Co-authored-by: Xynnn007 <xynnn@linux.alibaba.com>
2024-01-26 19:36:01 +01:00
Hyounggyu Choi
52bdc87fe9 local-build: make kernel parameters configurable
This is to make kernel parameters configurable during the secure image build by adding an environment variable SE_KERNEL_PARAMS.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2023-12-07 20:05:40 +01:00
Hyounggyu Choi
9ceb2c27e0 local-build: consider cross-compilation env
This is to make a base builder image build genprotimg without a package
manager under the cross-compilation environment.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2023-12-07 20:05:40 +01:00
Hyounggyu Choi
4de8ef3d18 local-build: add build target boot-image-se
This is to add a build target boot-image-se for s390x.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2023-12-04 21:08:51 +01:00
Fabiano Fidêncio
ca3b888371 packaging: tools: Fix container image env var name
This should be TOOLS_CONTAINER_BUILDER instead of
VIRTIOFSD_CONTAINER_BUILDER.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-03 15:33:55 +02:00
Fabiano Fidêncio
5ca66795c7 packaging: Allow passing the TOOLS_CONTAINER_BUILDER
This follows what we've been doing for all the components we're
building, but was missed as part of #8077.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-03 15:33:55 +02:00
Fabiano Fidêncio
5208386ab1 packaging: Build the kata-agent
Let's add the needed functions to start building the kata-agent, with or
without the OPA support.

For now this build is not used as part of the rootfs build, but later on
this will (not as part of this series, though).

Fixes: #8099

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-10-03 15:33:55 +02:00
Fabiano Fidêncio
adc18ecdb1 ci: cache: For consistency, read all used env vars
Instead of having some of them only being considered if explicitly
passed to the script.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-09-14 20:24:48 +02:00
Fabiano Fidêncio
c7a851efd7 ci: cache: Pass the exposed env vars to the kata-deploy binaries in docker
As the environment variables are now being passed down from the GitHub
Actions, let's make sure they're exposed to the container used to build
the kata-deploy binaries, and during the build process we'll be able to
use those to log in and push the artefacts to the OCI registry, using
ORAS.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-09-14 20:24:48 +02:00
Fabiano Fidêncio
3818bf3311 local-build: Remove $HOME/.docker/buildx/activity/default
The file can be removed between builds without causing any issue, and
leaving it around has been causing us some headache due to:
```
ERROR: open /home/runner/.docker/buildx/activity/default: permission denied
```

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-08-28 13:41:36 +02:00
Jianyong Wu
e2c31fce23 kata-deploy: enable cross build for kata deploy script
kata-deploy-binaries-in-docker.sh is the entry to build kata components.
set some environment to facilitate the following cross build work.

Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2023-08-01 22:10:46 +02:00
Aurélien Bombo
0152c9aba5 tools: Introduce USE_CACHE environment variable
This allows setting `USE_CACHE=no` to test building e2e during
developmet without having to comment code blocks and so forth.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2023-06-30 12:51:40 -07:00
Arron Wang
31c0ad2076 packaging: Add cryptsetup support in Guest kernel and rootfs
Add required kernel config for dm-crypt/dm-integrity/dm-verity
and related crypto config.

Add userspace command line tools for disk encryption support
and ext4 file system utilities.

Fixes: #6674

Signed-off-by: Arron Wang <arron.wang@intel.com>
2023-06-06 12:30:07 +02:00
Hyounggyu Choi
43e73bdef7 packaging: make BUILDER_REGISTRY configurable
This PR is to make an environment variable `BUILDER_REGISTRY` configurable
so that those who want to use their own registry for build can set up
the registry.

Fixes: #6988
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2023-05-30 14:40:02 +02:00
Fabiano Fidêncio
ae24dc73c1 local-build: Standardise what's set for the local build scripts
We've a discrepancy on what's set along the scripts used to build the
Kata Cotainers artefacts locally.

Some of those were missing a way to easily debug them in case of a
failure happens, but one specific one (build-and-upload-payload.sh)
could actually silently fail.

All of those have been changed as part of this commut.

Fixes: #6908

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-05-22 08:36:01 +02:00
Gabriela Cervantes
b9a1db2601 kata-deploy: Add http_proxy as part of the docker build
Add http_proxy and https_proxy as part of the docker build arguments
in order to build properly when we are behind a proxy.

Fixes #6834

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2023-05-15 15:57:29 +00:00
Fabiano Fidêncio
781ed2986a packaging: Allow passing a container builder to the scripts
This, combined with the effort of caching builder images *and* only
performing the build itself inside the builder images, is the very first
step for reproducible builds for the project.

Reproducible builds are quite important when we talk about Confidential
Containers, as users may want to verify the content used / provided by
the CSPs, and this is the first step towards that direction.

Fixes: #5517

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-02-17 12:06:48 +01:00
Fabiano Fidêncio
869827d77f packaging: Add push_to_registry()
This function will push a specific tag to a registry, whenever the
PUSH_TO_REGISTRY environment variable is set, otherwise it's a no-op.

This will be used in the future to avoid replicating that logic in every
builder used by the kata-deploy scripts.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-02-17 11:30:21 +01:00
Fabiano Fidêncio
4da743f90b packaging: Mount $HOME/.docker in the 1st layer container
In order to ensure that the proxy configuration is passed to the 2nd
layer container, let's ensure the $HOME/.docker/config.json file is
exposed inside the 1st layer container.

For some reason which I still don't fully understand exporting
https_proxy / http_proxy / no_proxy was not enough to get those
variables exported to the 2nd layer container.

In this commit we're creating a "$HOME/.docker" directory, and removing
it after the build, in case it doesn't exist yet.  The reason we do this
is to avoid docker not running in case "$HOME/.docker" doesn't exist.

This was not tested with podman, but if there's an issue with podman,
the issue was already there beforehand and should be treated as a
different problem than the one addressed in this commit.

Fixes: #5077

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-10-05 15:25:07 +02:00
Wainer dos Santos Moschetta
f7d41e98cb kata-deploy: export CI in the build container
The clone_tests_repo() in ci/lib.sh relies on CI variable to decide
whether to checkout the tests repository or not. So it is required to
pass that variable down to the build container of kata-deploy, otherwise
it can fail on some scenarios.

Fixes #4949
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2022-08-17 10:42:49 -03:00
Archana Shinde
efdb92366b build: Fix clh source build as normal user
While running make as non-privileged user, the make errors out with
the following message:
"INFO: Build cloud-hypervisor enabling the following features: tdx
Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Post
"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=cloudhypervisor%2Fdev&tag=20220524-0":
dial unix /var/run/docker.sock: connect: permission denied"

Even though the user may be part of docker group, the clh build from
source does a docker in docker build. It is necessary for the user of
the nested container to be part of docker build for the build to
succeed.

Fixes #4594

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
2022-07-06 18:28:00 -07:00
Greg Kurz
154c8b03d3 tools/packaging/kata-deploy: Copy install_yq.sh in a dedicated script
'make kata-tarball' sometimes fails early with:

cp: cannot create regular file '[...]/tools/packaging/kata-deploy/local-build/dockerbuild/install_yq.sh': File exists

This happens because all assets are built in parallel using the same
`kata-deploy-binaries-in-docker.sh` script, and thus all try to copy
the `install_yq.sh` script to the same location with the `cp` command.
This is a well known race condition that cannot be avoided without
serialization of `cp` invocations.

Move the copying of `install_yq.sh` to a separate script and ensure
it is called *before* parallel builds. Make the presence of the copy
a prerequisite for each sub-build so that they still can be triggered
individually. Update the GH release workflow to also call this script
before calling `kata-deploy-binaries-in-docker.sh`.

Fixes #3756

Signed-off-by: Greg Kurz <groug@kaod.org>
2022-03-25 15:59:24 +01:00
David Gibson
1ed7da8fc7 packaging: Eliminate TTY_OPT and NO_TTY variables in kata-deploy
NO_TTY configured whether to add the -t option to docker run.  It makes no
sense for the caller to configure this, since whether you need it depends
on the commands you're running.  Since the point here is to run
non-interactive build scripts, we don't need -t, or -i either.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Greg Kurz <groug@kaod.org>
2022-03-25 15:52:02 +01:00
Sebastian Hasler
adffd3f8b6 scripts: Use shebang /usr/bin/env bash
Not all distros have `/bin/bash`, e.g. NixOS.

Fixes: #3450

Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
2022-01-13 22:53:28 +01:00
Carlos Venegas
0c5ded4bd7 kata-deploy: build kata only with docker in host
Add script to build kata using docker.

Allow build kata-deploy binaries using docker.
kata-deploy-binaries-in-docker.sh is a wrapper of
kata-deploy-binaries.sh it will call kata-deploy-binaries.sh in a
container with all the dependencies installed.

Signed-off-by: Carlos Venegas <jos.c.venegas.munoz@intel.com>
2021-07-28 19:45:35 +00:00