Commit Graph

989 Commits

Author SHA1 Message Date
Fabiano Fidêncio
94786dc939 Merge pull request #9659 from stevenhorsman/remove-non-printable-tag-characters
ci: cache: Filter out non-printable characters from tag
2024-05-18 14:47:07 +02:00
stevenhorsman
42fddb5530 ci: cache: Filter out non-printable characters from tag
- The tags have a trailing non-printable character, which results
in our cache tags having a trailing underscore e.g. `ghcr.io/kata-containers/cached-artefacts/agent:ce24e9835_`
For ease of use of these cached components, we should strip off the trailing underscore.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-17 14:16:40 +01:00
Hyounggyu Choi
3917930a76 CI: Append arch type to initramfs-cryptsetup image
This commit is to append an arch type to the initramfs-cryptsetup image
to prevent a wrong arch image from being pulled on a different arch host.

Fixes: #9654

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-05-17 11:42:49 +02:00
stevenhorsman
ce24e98358 ci: cache: Add tag character filtering
- Container image tags can only contain alphanumeric, period,
hyphen and underscore characters, so convert characters outside
of these to be underscores, to avoid having invalid tag failures

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-16 21:38:07 +01:00
stevenhorsman
a98b1e3afb ci: cache: Integrate tagging updates with recent changes
Recently the extra gpu caching was added, unfortunately when I
rebased I ended up with both the new tagging logic and old logic.
Let's try and integrate them properly to avoid doing the push twice.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-16 21:38:07 +01:00
stevenhorsman
9d9487b17f ci: cache: Fix unbound variable
Now we have the workflow updated and can test the changes in caching
we've hit an error:
```
line 1180: artefact_tag: unbound variable
```
so we need to fix that up. Sorry for missing this before.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-05-16 14:30:32 +01:00
Steve Horsman
d8468cb178 Merge pull request #9550 from stevenhorsman/tag-component-caches
Tag component caches
2024-05-16 11:05:18 +01:00
Steve Horsman
b31ff09b8d Merge pull request #9617 from zvonkok/artefact-repository
deploy: Add artefact repository
2024-05-16 10:41:23 +01:00
stevenhorsman
7f41329010 ci: cache: Optional tag components with tags
- CoCo wants to use the agent and coco-guest-components cached artifacts
so tag them with a helpful version, so make these easier to get

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

 No commands remaining.
2024-05-15 16:56:40 +01:00
Hyounggyu Choi
e075150fbe CI: Use --abbrev=9 explicitly for abbreviated commit hash
A length of the result of `git log -1 --pretty=format:%h` could vary
over different CI systems, highly likely messing up their caching
mechanisms.

This commit is to use an option `--abbrev=9` to standardize the length
to 9 characters for CI.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-05-15 14:22:07 +02:00
Zvonko Kaiser
117e2f2ecc Merge pull request #9618 from zvonkok/nvidia-rootfs-#1
gpu: Add build targets for GPU rootfs initrd/image
2024-05-15 13:30:42 +02:00
Fabiano Fidêncio
75bd97e8df build: Ensure the default rootfs is built with AGENT_POLICY=yes
This is needed, as b1710ee2c0 made the
default agent shipped the one with policy support.  However, we simply
didn't update the rootfs to reflect that, causing then an issue to start
the agent as shown by the strace below:
```
open("/etc/kata-opa/default-policy.rego", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
futex(0x7f401eba0c28, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
tkill(553681, SIGABRT)                  = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=553681, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
```

This happens as the default policy **must** be set when the agent is
built with policy support, but the code path that copies that into the
rootfs is only triggered if the rootfs itself is built with
AGENT_POLICY=yes, which we're now doing for both confidential and
non-confidential cases.

Sadly this was not caught by CI till we the cache was not used for
rootfs, which should be solved by the previous commit.

Fixes: #9630, #9631

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-14 20:39:15 +02:00
Hyounggyu Choi
37060a7d2e local-build: Stop using cached artifacts when local-build/* is updated
This is to add an info for files at `tools/packaging/kata-deploy/local-build/*
to a version of the components and ensure that the cached artefacts are not used
when the files of interest are updated.

Fixes: #9630

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-05-14 19:47:33 +02:00
Lukáš Doktor
d9ae130031 kata-deploy: Fix tdx_not_supported call
the `tdx_not_supported_warning` function does not exists, the
`tdx_not_supported` should be called instead.

Fixes: #9628

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2024-05-14 13:26:07 +02:00
Fabiano Fidêncio
4cd048444d build: nvidia-gpu: Fix cache usage of the headers tarball
Whenever we count on having the headers tarball, we must unpack the
cached content into the expected directory, otherwise we'd simply fail,
as we've been failing in our CI, at the end of the process where we
generate the tarball from the cached components.

It's weird to me, sincerely, that the headers tarball end up in such
weird place (build/kernel-nvidia-gpu/builddir/), but I'll leave that to
Zvonko to figure out whether something better can be done, as the intuit
of this PR is simply unblock Kata Containers CI.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-11 17:59:53 +02:00
Zvonko Kaiser
693e307f72 deploy: Add artefact repository
New env var so everyone can test the PUSH_TO_REGISTRY feature

export PUSH_TO_REGISTRY=yes
export ARTEFACT_REGISTRY=quay.io
export ARTEFACT_REPOSITORY=my-fancy-kata-containers
export ARTEFACT_REGISTRY_USERNAME=zvonkok
export ARTEFACT_REGISTRY_PASSWORD=<super-secret>

make ...-tarball

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-05-10 16:41:52 +00:00
Zvonko Kaiser
4d0f42a145 deploy: Fix wrong pushing of artifacts
Added explicit case statements for nvidia-gpu and
nvidia-gpu-confidential

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-05-10 14:08:32 +00:00
Zvonko Kaiser
85374f55d2 gpu: Add build targets for GPU rootfs initrd/image
Preparation for complete GPU rootfs build step #1/#N

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-05-10 09:47:21 +00:00
Fabiano Fidêncio
20515fed70 Merge pull request #9484 from zvonkok/nvidia-runtimeclasses
deploy: Add runtimeClasses relating to the NVIDIA GPU
2024-05-10 03:52:12 +02:00
Fabiano Fidêncio
2f686b1179 Merge pull request #9608 from fidencio/topic/tdx-depend-on-distro-host-stack-part-II
tdx: Adapt kata-deploy to use QEMU / OVMF from the distros
2024-05-09 10:25:19 +02:00
Zvonko Kaiser
da7e6a0f07 deploy: Add runtimeClasses relating to the NVIDIA GPU
Fixes: #9483

For the added configurations we need to provide runtimeClasses.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 10:00:59 +02:00
Fabiano Fidêncio
a9720495de kata-deploy: Ensure the distro QEMU and OVMF are used for TDX
Here we're checking the distro's `/etc/os-release` or
`/usr/lib/os-release` in order to get which distro we're deploying the
Kata Containers artefacts to, and then to properly adjust the QEMU and
OVMF with TDX support that's been shipped with the distros.

Together with that, we're also printing the instructions provided by the
distro on how to enable and use TDX.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 07:59:12 +02:00
Fabiano Fidêncio
84b94dc2b1 kata-deploy: Expose /host to the daemon-set
We'll need to have access to the host os-release file (either under
`/etc/os-release` or under `/usr/lib/os-release`), and the simplest
approach that comes to my mind to do is doing what a debug pod would do,
mounting `/` as `/host` and then allowing us to have access to those
files, and then corectly set the TDX specific QEMU and OVMF (TDVF) paths
for the tdx available configurations.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 07:59:12 +02:00
Fabiano Fidêncio
f2d40da8e4 versions: build: Remove unused td-shim entry
We haven't been using nor testing with td-shim, as Cloud Hypervisor does
not officially support TDX yet, and TDVF is supposed to be used with
QEMU, instead of td-shim.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 07:59:12 +02:00
Fabiano Fidêncio
ea82740b19 versions: build: Remove TDX specific QEMU
Let's remove everything related to the TDX specific QEMU building /
shipping from our repo, as we'll be relying on the one coming from the
distros.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 07:59:12 +02:00
Fabiano Fidêncio
4292c4c3b1 versions: build: Remove TDX specific OVMF (TDVF)
Let's remove everything related to the TDVF building / shipping from our
repo, as we'll be relying on the one coming from the distro.

Later on, we may need to re-add TDVF logic, as we're already using
upstream edk2 repo / content, but when that's needed we'll simply revert
this commit.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-05-09 07:59:12 +02:00
Zvonko Kaiser
fb0b821771 kernel: Add caching of kernel-headers
Fixes: #9481

We need to cache the kernel-headers for the NVIDIA GPU initrd/image build.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2024-05-08 11:30:39 +00:00
Fabiano Fidêncio
f04a7a55ed Merge pull request #9563 from fidencio/topic/agent-use-policy-by-default
build: Build the shipped agent with policy enabled
2024-05-01 12:22:05 +02:00
Julien Ropé
c2aed995b7 kata-deploy: configure debugging for crio
Fix the configuration for crio's log_level

Fixes: #9556

Signed-off-by: Julien Ropé <jrope@redhat.com>
2024-04-30 17:48:43 +02:00
Wainer dos Santos Moschetta
c6708726ff kata-deploy: install the new kata-qemu-coco-dev runtimeclass
Created the runtimeclasses/kata-qemu-coco-dev.yaml file and updated the list
of SHIMS.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2024-04-29 05:45:11 -03:00
Fabiano Fidêncio
d3b300ff95 build: tests: Remove agent-opa
Now that the `kata-agent` is being built with policy support, let's stop
building the `kata-opa-agent`, reducing the amount of things we need to
test and maintain.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-28 12:52:54 +02:00
Fabiano Fidêncio
b1710ee2c0 build: Build the shipped agent with policy enabled
Now that the OPA binary is not required anymore, let's start shipping
the agent with the policy enabled by default.

The agent *without* policy enabled has 30MB, while it's 34MB *with* the
policy enabled.

This 4MB (~10%) increase is, IMHO, worth it in order to reduce the
amount of components we have to maintain and test, including the
possibility to also reduce the amount of possible rootfs / initrd
images.

Whoever wants to use the agent without policy enabled can simply do that
by building their own agent. :-)

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-28 12:52:54 +02:00
Fabiano Fidêncio
7dd2fde22d Revert "rootfs: Make OPA build working in docker for s390x and ppc64le"
This reverts commit d523e865c0, as we will
not depend on the OPA binary anymore.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-26 18:51:27 +02:00
Jakub Ledworowski
73366da9f9 build: Fix tarball not building correctly in docker
When docker is installed on the host system using script from https://get.docker.com/ it automatically creates a docker group with gid=999.
Then during docker build process of tarball, eg. make qemu-tdx-experimental-tarball docker is also installed inside the image with the same
script, which also automatically adds docker group with gid=999.
Then, the build tries to add a new group docker_on_host with gid=999, which already exists, which breaks the build.

Signed-off-by: Jakub Ledworowski <jakub.ledworowski@intel.com>
2024-04-24 15:35:36 +02:00
Fabiano Fidêncio
4e35f11a3d Merge pull request #9535 from fidencio/topic/fix-crio-debug-drop-in
kata-deploy: Stop append `log_level = "debug"` for CRI-O
2024-04-24 10:03:36 +02:00
Fabiano Fidêncio
d190c9d4d9 kata-deploy: Stop append log_level = "debug" for CRI-O
This should only be done once, and if CRI-O restarts, there's a big
chance kata-deploy will also restart and the user would end up with a
file that looks like:
```
[crio]
log_level = "debug"
[crio]
log_level = "debug"
[crio]
log_level = "debug"
...
```

And that would simply cause CRI-O to not start.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-23 14:51:35 +02:00
Hyounggyu Choi
8fbed9f6a4 local-build: Use confidential kernel and initrd for boot-image-se
This is to make `boot-image-se-tarball` use confidential kernel and
initrd instead of vanilla version of artifacts.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-04-19 07:09:04 +02:00
Hyounggyu Choi
d523e865c0 rootfs: Make OPA build working in docker for s390x and ppc64le
The commit is to make the OPA build from source working in `ubuntu-rootfs-osbuilder`.
To achieve the goal, the configuration is changed as follows:

- Switch the make target to `ci-build-linux-static` not triggering docker-in-docker build
- Install go in the builder image for s390x and ppc64le

Fixes: #9466

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-04-16 16:49:12 +02:00
Hyounggyu Choi
a792dc3e2b kernel: Adjust s390x config for confidential containers
`CONFIG_TN3270_TTY` and `CONFIG_S390_AP_IOMMU` are dropped for s390x
in 6.7.x which is used for a confidential kernel.
But they are still used for a vanilla kernel. So we need to add them
to the whitelist.

Fixes: #9465

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-04-15 10:28:59 +02:00
stevenhorsman
29a5652e31 packaging: guest-components, set new environment variables
- Set KBC_PROVIDER and ATTESTER rather than TEE_PLATFORM
to avoid tss build issues for vTPM attester(s)
- There are future plans to make a matching TEE_PLATFORM, so this can be simplified once that is available

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-04-08 11:38:53 +01:00
stevenhorsman
101a5bf273 packaging: Update guest-components Dockerfile
- Switch to Ubuntu 20.04 for building guest-components as
The rootfs is based on 20.04, so we need matching GLIBC versions.
See #8955
- Add dependencies needed by TDX verifier as we want to build for all platforms

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-04-08 11:38:53 +01:00
Fabiano Fidêncio
2ee03b5dc3 tdvf: Adapt the build command
This is done in order to match the example from:
https://github.com/intel/tdx-linux/wiki/Instruction-to-set-up-TDX-host-and-guest#build-tdvf-image

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-05 19:51:27 +02:00
Fabiano Fidêncio
fe5adae5d9 qemu-tdx: Update to v8.1.0 + TDX patches
Let's update the QEMU to the one that's officially maintained by Intel
till all the TDX patches make their way upstream.

We've had to also update python to explicitly use python3 and add
python3-venv as part of the dependencies.

Fixes: #8810

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-04-05 10:23:51 +02:00
GabyCT
12947b1ba6 Merge pull request #9344 from GabyCT/topic/kerneldoc
docs: Remove stale kernel information
2024-04-03 11:13:54 -06:00
Tobin Feldman-Fitzthum
04d021bd12 packaging: remove SERVICEOFFLOAD option
Since we're removing the unused service_offload parameter,
don't set it in any of the packaging scripts.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2024-03-27 12:21:13 -05:00
Greg Kurz
e1068da1a0 Merge pull request #9326 from gkurz/draft-release
Only tag and publish the release when it is fully ready
2024-03-27 15:59:59 +01:00
Steve Horsman
45aba769c0 Merge pull request #9346 from cmaf/ci-remove-repo-docs
Remove additional links to tests directory
2024-03-27 11:13:32 +00:00
Greg Kurz
5009fabde4 release: Keep it draft until all artifacts have been published
The automated release workflow starts with the creation of the release in
GitHub. This is followed by the build and upload of the various artifacts,
which can be very long (like hours). During this period, the release appears
to be fully available in https://github.com/kata-containers/kata-containers/
even though it lacks all the artifacts. This might be confusing for users
or automation consuming the release.

Create the release as draft and clear the draft flag when all jobs are
done. This ensure that the release will only be tagged and made public
when it is fully usable.

If some job fails because of network timeout or any other transient
error, the correct action is to restart the failed jobs until they
eventually all succeed. This is by far the quicker path to complete
the release process.

If the workflow is *canceled* for some reason, the draft release is left
behind. A new run of the workflow will create a brand new draft release
with the same name (not an issue with GitHub). The draft release from
the previous run should be manually deleted. This step won't be automated
as it looks safer to leave the decision to a human.

[1] https://github.com/kata-containers/kata-containers/releases

Fixes #9064 - part VI

Signed-off-by: Greg Kurz <groug@kaod.org>
2024-03-26 14:48:05 +01:00
Chelsea Mafrica
4e3deb5a3b tools: Fix path for installing yq in packaging script
The lib.sh script uses the right directory but the wrong path for the
script that installs yq; fix it.

Fixes #9165

Signed-off-by: Chelsea Mafrica <chelsea.e.mafrica@intel.com>
2024-03-25 15:09:52 -07:00
Gabriela Cervantes
ddef2be4f1 docs: Remove stale kernel information
This PR removes stale kernel information from the README document.

Fixes #9343

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-03-25 15:57:00 +00:00