From b6873f958166a23a9d8126b90a1c1fdec00f178b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 30 Aug 2022 20:15:57 +0200 Subject: [PATCH 01/13] kata-deploy: Add td-shim as part of the cc-tarball MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 4cf502fb200b2da90f5e8387e00fd618f4154ec5 added the ability to build TD-Shim, but forgot to have it added as part of the cc-tarball target. Fixes: #5042 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 682e1152f..f53ac750c 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -87,6 +87,7 @@ cc: cc-cloud-hypervisor-tarball \ cc-virtiofsd-tarball \ cc-tdx-kernel-tarball \ cc-tdx-qemu-tarball \ + cc-tdx-td-shim-tarball \ cc-tdx-tdvf-tarball cc-cloud-hypervisor-tarball: From a2d9633dad7435207d70214a97e51593bf9a5d54 Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Thu, 1 Sep 2022 20:36:28 -0500 Subject: [PATCH 02/13] qemu: fix tdx qemu tarball directories Dockerfile cannot decipher multiple conditional statements in the main RUN call. Cannot segregate statements in Dockerfile with '{}' braces without wrapping entire statement in 'bash -c' statement. Dockerfile does not support setting variables by bash command. Must set HYPERVISOR_NAME and PKGVERSION from parent script: build-base-qemu.sh Fixes: #5078 Signed-Off-By: Ryan Savino (cherry picked from commit 54d6d01754b689a32da852cfd85a69d2c4730baa) --- tools/packaging/static-build/qemu/Dockerfile | 5 ++--- tools/packaging/static-build/qemu/build-base-qemu.sh | 6 +++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tools/packaging/static-build/qemu/Dockerfile b/tools/packaging/static-build/qemu/Dockerfile index 51b596047..b06c34550 100644 
--- a/tools/packaging/static-build/qemu/Dockerfile +++ b/tools/packaging/static-build/qemu/Dockerfile @@ -56,7 +56,8 @@ ARG QEMU_REPO # commit/tag/branch ARG QEMU_VERSION ARG PREFIX -ARG BUILD_SUFFIX +ARG HYPERVISOR_NAME +ARG PKGVERSION ARG QEMU_DESTDIR ARG QEMU_TARBALL @@ -78,8 +79,6 @@ RUN git clone --depth=1 "${QEMU_REPO}" qemu && \ git fetch --depth=1 origin "${QEMU_VERSION}" && git checkout FETCH_HEAD && \ scripts/git-submodule.sh update meson capstone && \ /root/patch_qemu.sh "${QEMU_VERSION}" "/root/kata_qemu/patches" && \ - [ -n "${BUILD_SUFFIX}" ] && HYPERVISOR_NAME="kata-qemu-${BUILD_SUFFIX}" || HYPERVISOR_NAME="kata-qemu" && \ - [ -n "${BUILD_SUFFIX}" ] && PKGVERSION="kata-static-${BUILD_SUFFIX}" || PKGVERSION="kata-static" && \ (PREFIX="${PREFIX}" /root/configure-hypervisor.sh -s "${HYPERVISOR_NAME}" | xargs ./configure \ --with-pkgversion="${PKGVERSION}") && \ make -j"$(nproc ${CI:+--ignore 1})" && \ diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index a16285cd0..7d95f0233 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh @@ -34,9 +34,13 @@ prefix="${prefix:-"/opt/kata"}" CACHE_TIMEOUT=$(date +"%Y-%m-%d") +[ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu" +[ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static" + sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ - --build-arg BUILD_SUFFIX="${build_suffix}" \ + --build-arg HYPERVISOR_NAME="${HYPERVISOR_NAME}" \ + --build-arg PKGVERSION="${PKGVERSION}" \ --build-arg http_proxy="${http_proxy}" \ --build-arg https_proxy="${https_proxy}" \ --build-arg QEMU_DESTDIR="${qemu_destdir}" \ From a8feee68a89ccd65481759152425e8860c496d62 Mon Sep 17 00:00:00 2001 
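Review bot: The new `ARG HYPERVISOR_NAME` and `ARG PKGVERSION` carry no default, so a build that omits the two `--build-arg` values runs `configure-hypervisor.sh -s ""` and `--with-pkgversion=""` without complaint, whereas the removed lines always fell back to `kata-qemu` / `kata-static`. Declaring the fallback in the Dockerfile keeps a direct `docker build` invocation safe: `ARG HYPERVISOR_NAME=kata-qemu` and `ARG PKGVERSION=kata-static`. The RUN instruction touched by the second hunk starts and ends outside the hunk.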
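Review bot: The two `[ -n "${build_suffix}" ] && X=… || X=…` lines added to build-base-qemu.sh use an and-or chain as an if/else; it works for plain assignments but reads as a conditional and is fragile if anything more than an assignment is ever put in the first branch. Each is a single parameter expansion: `HYPERVISOR_NAME="kata-qemu${build_suffix:+-${build_suffix}}"` and `PKGVERSION="kata-static${build_suffix:+-${build_suffix}}"`. If the script runs under `set -u` (its options are outside the hunk), an unset `build_suffix` aborts either form, so `${build_suffix:-}` may be needed.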
From: Ryan Savino Date: Thu, 1 Sep 2022 21:07:30 -0500 Subject: [PATCH 03/13] qemu: create no_patches.txt file for SPR-BKC-QEMU-v2.5 Patches failing without the no_patches.txt file for SPR-BKC-QEMU-v2.5. Signed-Off-By: Ryan Savino (cherry picked from commit 59e3850bfd02ae497673119871f0a9954b75d685) --- .../qemu/patches/tag_patches/SPR-BKC-QEMU-v2.5/no_patches.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 tools/packaging/qemu/patches/tag_patches/SPR-BKC-QEMU-v2.5/no_patches.txt diff --git a/tools/packaging/qemu/patches/tag_patches/SPR-BKC-QEMU-v2.5/no_patches.txt b/tools/packaging/qemu/patches/tag_patches/SPR-BKC-QEMU-v2.5/no_patches.txt new file mode 100644 index 000000000..e69de29bb From abe89586c6c8b3e0860af2cd53b77b18530b19cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 2 Sep 2022 15:47:48 +0200 Subject: [PATCH 04/13] qemu: Keep passing BUILD_SUFFIX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the commit 54d6d01754b689a32da852cfd85a69d2c4730baa we ended up removing the BUILD_SUFFIX argument passed to QEMU as it only seemed to be used to generate the HYPERVISOR_NAME and PKGVERSION, which were added as arguments to the dockerfile. However, it turns out BUILD_SUFFIX is used by the `qemu-build-post.sh` script, so it can rename the QEMU binary accordingly. Let's just bring it back. Fixes: #5078 Signed-off-by: Fabiano Fidêncio (cherry picked from commit 373dac2dbb2b0134d12f3ef43a795c594b97bde1) --- tools/packaging/static-build/qemu/Dockerfile | 3 +++ tools/packaging/static-build/qemu/build-base-qemu.sh | 1 + 2 files changed, 4 insertions(+) diff --git a/tools/packaging/static-build/qemu/Dockerfile b/tools/packaging/static-build/qemu/Dockerfile index b06c34550..1e4441dae 100644 --- a/tools/packaging/static-build/qemu/Dockerfile +++ b/tools/packaging/static-build/qemu/Dockerfile 
@@ -56,6 +56,9 @@ ARG QEMU_REPO # commit/tag/branch ARG QEMU_VERSION ARG PREFIX +# BUILD_SUFFIX is used by the qemu-build-post.sh script to +# properly rename non vanilla versions of the QEMU +ARG BUILD_SUFFIX ARG HYPERVISOR_NAME ARG PKGVERSION ARG QEMU_DESTDIR diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index 7d95f0233..0657503f1 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh @@ -39,6 +39,7 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ + --build-arg BUILD_SUFFIX=${build_suffix} \ --build-arg HYPERVISOR_NAME="${HYPERVISOR_NAME}" \ --build-arg PKGVERSION="${PKGVERSION}" \ --build-arg http_proxy="${http_proxy}" \ From 1f610ea5cc08b475cc85df27a8ede2a0f9ef1214 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 5 Sep 2022 08:42:35 +0200 Subject: [PATCH 05/13] packaging: Improve qemu build image handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's create the QEMU build image based on the version of QEMU used, so if we happen to have a parallel build we ensure different images are being used. Also, let's ensure the image gets remove after the build. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/qemu/build-base-qemu.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index 0657503f1..cda5563c4 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh 
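Review bot: `--build-arg BUILD_SUFFIX=${build_suffix} \` is the only build-arg in the build-base-qemu.sh hunk whose value is unquoted; every neighbouring line quotes, and a suffix containing whitespace or glob characters would be word-split here. Use `--build-arg BUILD_SUFFIX="${build_suffix}" \`. The Dockerfile hunk's new comment is useful; it could add that the value is intentionally empty for the vanilla build, since `ARG BUILD_SUFFIX` has no default.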
@@ -37,6 +37,8 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") [ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu" [ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static" +container_image="qemu-static-${qemu_version,,}" + sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ --build-arg BUILD_SUFFIX=${build_suffix} \ @@ -51,12 +53,14 @@ sudo "${container_engine}" build \ --build-arg PREFIX="${prefix}" \ "${packaging_dir}" \ -f "${script_dir}/Dockerfile" \ - -t qemu-static + -t "${container_image}" sudo "${container_engine}" run \ --rm \ -i \ - -v "${PWD}":/share qemu-static \ + -v "${PWD}":/share "${container_image}" \ mv "${qemu_destdir}/${qemu_tar}" /share/ +sudo docker image rm "${container_image}" + sudo chown ${USER}:$(id -gn ${USER}) "${PWD}/${qemu_tar}" From f684d00d50d838ea5d0d8744ef3565bfacfe0f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 5 Sep 2022 14:17:44 +0200 Subject: [PATCH 06/13] kata-deploy-cc: Simplify the script MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As containerd is the only supported container engine, let's simplify the script and, at the same time, make it clear that other container engines are not supported yet. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-cc/scripts/kata-deploy.sh | 72 +++++++------------ 1 file changed, 27 insertions(+), 45 deletions(-) diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh index 27f139dff..c290cdd0e 100755 --- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh 
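Review bot: `sudo docker image rm "${container_image}"` hard-codes `docker` while the `build` and `run` just above use `"${container_engine}"`, so with any other engine the removal fails and the per-version image is never cleaned up; change it to `sudo "${container_engine}" image rm "${container_image}"`. The name `qemu-static-${qemu_version,,}` only lowercases the version; if `qemu_version` can be a branch or tag containing characters an image name does not allow (a `/`, for instance), the `-t` step fails, so sanitising the value may be worthwhile. Two parallel builds of the same `qemu_version` that differ only in `build_suffix` still share one name, and the `image rm` of one could remove the image the other is about to `run`; including `${build_suffix}` in the name would close that gap.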
@@ -204,11 +204,7 @@ function remove_artifacts() { function cleanup_cri_runtime() { cleanup_different_shims_base - case $1 in - containerd | k3s | k3s-agent | rke2-agent | rke2-server) - cleanup_containerd - ;; - esac + cleanup_containerd } @@ -223,9 +219,7 @@ function reset_runtime() { kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime- systemctl daemon-reload systemctl restart "$1" - if [ "$1" == "containerd" ]; then - systemctl restart kubelet - fi + systemctl restart kubelet } function main() { @@ -236,21 +230,13 @@ function main() { fi runtime=$(get_container_runtime) + if [ "$runtime" != "containerd" ]; then + die "$runtime is not supported for now" + fi - if [ "$runtime" == "k3s" ] || [ "$runtime" == "k3s-agent" ] || [ "$runtime" == "rke2-agent" ] || [ "$runtime" == "rke2-server" ]; then - containerd_conf_tmpl_file="${containerd_conf_file}.tmpl" - if [ ! -f "$containerd_conf_tmpl_file" ]; then - cp "$containerd_conf_file" "$containerd_conf_tmpl_file" - fi - - containerd_conf_file="${containerd_conf_tmpl_file}" - containerd_conf_file_backup="${containerd_conf_file}.bak" - elif [ "$runtime" == "containerd" ]; then - # runtime == containerd - if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \ - [ -x $(command -v containerd) ]; then - containerd config default > "$containerd_conf_file" - fi + if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \ + [ -x $(command -v containerd) ]; then + containerd config default > "$containerd_conf_file" fi action=${1:-} 
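Review bot: The new `die "$runtime is not supported for now"` in main() exits the script, but the comment at the end of main (in the following hunk) says the script runs as a daemonset and must not return because the pod would restart and re-execute it; on a node whose runtime is not containerd this now yields a restart loop instead of a quiet skip. If that is not intended, log the message and fall through to the same blocking wait the script performs after the `case` (outside the hunk), e.g. `echo "$runtime is not supported for now" >&2` in place of `die`. `cleanup_cri_runtime` and `reset_runtime` keep their `$1` parameter but no longer read it; a comment such as `# $1 (runtime) is kept for call-site compatibility; only containerd is supported` would stop a later reader from dropping the argument at one site only.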
@@ -259,29 +245,25 @@ function main() { die "invalid arguments" fi - # only install / remove / update if we are dealing with containerd - if [[ "$runtime" =~ ^(containerd|k3s|k3s-agent|rke2-agent|rke2-server)$ ]]; then - - case "$action" in - install) - install_artifacts - configure_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true - ;; - cleanup) - cleanup_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=cleanup - remove_artifacts - ;; - reset) - reset_runtime $runtime - ;; - *) - echo invalid arguments - print_usage - ;; - esac - fi + case "$action" in + install) + install_artifacts + configure_cri_runtime "$runtime" + kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true + ;; + cleanup) + cleanup_cri_runtime "$runtime" + kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=cleanup + remove_artifacts + ;; + reset) + reset_runtime $runtime + ;; + *) + echo invalid arguments + print_usage + ;; + esac #It is assumed this script will be called as a daemonset. As a result, do # not return, otherwise the daemon will restart and rexecute the script From a43f95d01b948a6d61e7524d4029bb894b09ca41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 5 Sep 2022 14:20:29 +0200 Subject: [PATCH 07/13] kata-deploy: Rely on the configure config path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of passing a `KATA_CONF_FILE` environament variable, let's rely on the configured (in the container engine) config path, as both containerd and CRI-O support it, and we're using this for both of them. This is a "backport" of f7ccf92dc82e9264fafd0ccf565f6dd014786e3e, from the original `kata-deploy.sh` to the one used for Confidential Containers. 
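Review bot: In the re-indented `case` block, `reset_runtime $runtime` is the one call that leaves `$runtime` unquoted while `configure_cri_runtime "$runtime"` and `cleanup_cri_runtime "$runtime"` a few lines up quote it; since the block was rewritten, make it `reset_runtime "$runtime"`. The `*)` branch prints `invalid arguments` and the usage but sets no non-zero status, which seems deliberate given the daemonset comment that follows, and could say so in a one-line comment.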
Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh index c290cdd0e..db79f2d27 100755 --- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh @@ -94,10 +94,7 @@ function configure_different_shims_base() { fi fi - cat << EOF | tee "$shim_file" -#!/usr/bin/env bash -KATA_CONF_FILE=/opt/confidential-containers/share/defaults/kata-containers/configuration-${shim}.toml /opt/confidential-containers/bin/containerd-shim-kata-v2 "\$@" -EOF + ln -sf /opt/kata/bin/containerd-shim-kata-v2 "${shim_file}" chmod +x "$shim_file" if [ "${shim}" == "${default_shim}" ]; then From fb711e0e8e9bca07e852b49ffd84540b08ac9da1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 2 Sep 2022 19:56:28 +0200 Subject: [PATCH 08/13] kata-deploy-cc: Improve shim backup / restore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're currently backing up and restoring all the possible shim files, but the default one ("containerd-shim-kata-v2"). Let's ensure this is also backed up and restored. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-cc/scripts/kata-deploy.sh | 51 ++++++++++++------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh index db79f2d27..44a811510 100755 --- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh 
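Review bot: The replacement symlink points at `/opt/kata/bin/containerd-shim-kata-v2`, while the wrapper it removes invoked `/opt/confidential-containers/bin/containerd-shim-kata-v2` and the artifact list in `remove_artifacts` (patch 09 in this series) also lives under `/opt/confidential-containers/`; unless `/opt/kata` is provided elsewhere in this script (not visible in the hunk), the link is dangling and every per-shim name resolves to nothing. If the CC layout is the intended one, use `ln -sf /opt/confidential-containers/bin/containerd-shim-kata-v2 "${shim_file}"`. The surviving `chmod +x "$shim_file"` now acts on the symlink's target rather than a file this script wrote; harmless, but worth a comment or removal. configure_different_shims_base continues outside the hunk.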
@@ -70,6 +70,20 @@ function configure_cri_runtime() { systemctl restart "$1" } +function backup_shim() { + local shim_file="$1" + local shim_backup="${shim_file}.bak" + + if [ -f "${shim_file}" ]; then + echo "warning: ${shim_file} already exists" >&2 + if [ ! -f "${shim_backup}" ]; then + mv "${shim_file}" "${shim_backup}" + else + rm "${shim_file}" + fi + fi +} + function configure_different_shims_base() { # Currently containerd has an assumption on the location of the shimv2 implementation # This forces kata-deploy to create files in a well-defined location that's part of 
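Review bot: `backup_shim` has no comment, and the rule it encodes (keep the first backup, discard later copies) is easy to break on a refactor. Suggest a header comment: `# Move an existing shim aside to <shim>.bak. If a backup already exists (e.g. from a previous deploy), drop the current file so the original backup is preserved.` It may also be worth stating that `[ -f ]` follows symlinks, so a dangling symlink left behind is neither backed up nor removed and is simply overwritten by the caller's `ln -sf`.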
@@ -78,46 +92,49 @@ function configure_different_shims_base() { # https://github.com/containerd/containerd/issues/3073 # https://github.com/containerd/containerd/issues/5006 + local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" + mkdir -p /usr/local/bin for shim in "${shims[@]}"; do local shim_binary="containerd-shim-kata-${shim}-v2" local shim_file="/usr/local/bin/${shim_binary}" - local shim_backup="/usr/local/bin/${shim_binary}.bak" - - if [ -f "${shim_file}" ]; then - echo "warning: ${shim_binary} already exists" >&2 - if [ ! -f "${shim_backup}" ]; then - mv "${shim_file}" "${shim_backup}" - else - rm "${shim_file}" - fi - fi + backup_shim "${shim_file}" ln -sf /opt/kata/bin/containerd-shim-kata-v2 "${shim_file}" chmod +x "$shim_file" if [ "${shim}" == "${default_shim}" ]; then + backup_shim "${default_shim_file}" + echo "Creating the default shim-v2 binary" - ln -sf "${shim_file}" /usr/local/bin/containerd-shim-kata-v2 + ln -sf "${shim_file}" "${default_shim_file}" fi done } +function restore_shim() { + local shim_file="$1" + local shim_backup="${shim_file}.bak" + + if [ -f "${shim_backup}" ]; then + mv "$shim_backup" "$shim_file" + fi +} + function cleanup_different_shims_base() { + local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" + for shim in "${shims[@]}"; do local shim_binary="containerd-shim-kata-${shim}-v2" local shim_file="/usr/local/bin/${shim_binary}" - local shim_backup="/usr/local/bin/${shim_binary}.bak" rm "${shim_file}" || true - - if [ -f "${shim_backup}" ]; then - mv "$shim_backup" "$shim_file" - fi + restore_shim "${shim_file}" done - rm /usr/local/bin/containerd-shim-kata-v2 + rm "${default_shim_file}" || true + restore_shim "${default_shim_file}" } function configure_containerd_runtime() { From 518137f781e8109395d6c26a887159da5759b4c8 Mon Sep 17 00:00:00 2001 
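Review bot: `rm "${shim_file}" || true` and `rm "${default_shim_file}" || true` in cleanup_different_shims_base mask every rm failure, including a permission error, after which `restore_shim` moves the backup over a file that was never removed. `rm -f` is quiet only for a missing path and still fails on a real error, which is the behaviour wanted here: `rm -f "${shim_file}"` and `rm -f "${default_shim_file}"`. `restore_shim` could also use the same quoting style as `backup_shim` (`"${shim_backup}"`, `"${shim_file}"`), a small consistency point.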
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 5 Sep 2022 14:27:44 +0200 Subject: [PATCH 09/13] kata-deploy-cc: Try to remove /opt/confidential-containers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's try to remove the /opt/confidential-containers directory. If it's not empty, let's not bother force removing it, as the pre-install script also drops files to the very same directory. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh index 44a811510..012cf6ebb 100755 --- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh @@ -213,6 +213,11 @@ function remove_artifacts() { /opt/confidential-containers/bin/qemu-system-x86_64 \ /opt/confidential-containers/bin/qemu-system-x86_64-tdx \ /opt/confidential-containers/bin/cloud-hypervisor + + # Try to remove the /opt/confidential-containers directory. + # If it's not empty, don't bother force removing it, as the + # pre-install script also drops files here. + rmdir /opt/confidential-containers 2>/dev/null } function cleanup_cri_runtime() { From 48c0cf5b5d759033dd22ddb4e4838c596ecdc504 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 30 Aug 2022 23:33:20 +0200 Subject: [PATCH 10/13] kata-deploy: Adjust build & upload script MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's adjust the `kata-deploy-build-and-upload-image.sh` to build the image following the `kata-containers-${commit}` tag pattern, and to push it to the quay.io/confidential-containers/runtime-payload repo. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-build-and-upload-image.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
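Review bot: `rmdir /opt/confidential-containers 2>/dev/null` returns non-zero when the directory is not empty, which the comment says is the expected case; if the script runs with `set -e` (its options are outside the hunk), that aborts remove_artifacts rather than ignoring the failure. Make the intent explicit: `rmdir /opt/confidential-containers 2>/dev/null || true`. The comment is good as is; it could add that `rmdir` refusing non-empty directories is exactly why `rm -rf` is deliberately not used here.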
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh index 1db840a19..917864249 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh @@ -1,19 +1,19 @@ #!/usr/bin/env bash # -# Copyright 2021 Fabiano Fidêncio +# Copyright 2022 Intel # # SPDX-License-Identifier: Apache-2.0 # -KATA_DEPLOY_DIR="`dirname $0`/../" -KATA_DEPLOY_ARTIFACT="$1" +KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc" +KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" echo "Copying $KATA_DEPLOY_ARTIFACT to $KATA_DEPLOY_DIR" cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR pushd $KATA_DEPLOY_DIR -IMAGE_TAG="quay.io/kata-containers/kata-deploy-cc:v0" +IMAGE_TAG="quay.io/confidential-containers/runtime-payload:kata-containers-$(git rev-parse HEAD)" echo "Building the image" docker build --tag $IMAGE_TAG . From 012a76d0989622981a276a726ea884f1bd4ab8ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 31 Aug 2022 11:29:03 +0200 Subject: [PATCH 11/13] kata-deploy: Rename `image` target to `cc-payload` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `image` target is only used by and only present in the `CCv0` branch, and it's name is misleading. :-) Let's rename it (and the scripts used by it) to mention payload rather than image, and to actually build the cc related tarballs instead of the "vanilla" Kata Containers tarballs. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 4 ++-- ...pload-image.sh => kata-deploy-build-and-upload-payload.sh} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename tools/packaging/kata-deploy/local-build/{kata-deploy-build-and-upload-image.sh => kata-deploy-build-and-upload-payload.sh} (100%) 
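Review bot: The tag `kata-containers-$(git rev-parse HEAD)` attests a commit, but `git rev-parse HEAD` succeeds on a dirty tree, so a payload built from uncommitted changes is pushed under a tag that claims a pristine commit; the how-to added later in this series asks users to `git clean -xfd` and reset first, which suggests a clean tree is the intent. Consider checking `git diff --quiet HEAD` and refusing, or using `git describe --always --dirty` so a tainted build is visible in the tag. `KATA_DEPLOY_DIR="`dirname $0`/../../kata-deploy-cc"` and the unquoted `cp $KATA_DEPLOY_ARTIFACT $KATA_DEPLOY_DIR` / `pushd $KATA_DEPLOY_DIR` word-split on paths with spaces; `KATA_DEPLOY_DIR="$(dirname "$0")/../../kata-deploy-cc"` plus quoted uses fixes that. The upload step of the script is outside the hunk.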
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index f53ac750c..98611ae9d 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -71,8 +71,8 @@ merge-builds: install-tarball: tar -xvf ./kata-static.tar.xz -C / -image: kata-tarball - $(MK_DIR)kata-deploy-build-and-upload-image.sh $(CURDIR)/kata-static.tar.xz +cc-payload: cc-tarball + $(MK_DIR)kata-deploy-build-and-upload-payload.sh $(CURDIR)/kata-static.tar.xz cc-tarball: | cc-parallel merge-builds diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh similarity index 100% rename from tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-image.sh rename to tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh From fb54dfd6489ccd629637d77e88337ba38189d644 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 31 Aug 2022 13:04:58 +0200 Subject: [PATCH 12/13] docs: How to generate the payload for the CC Operator MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the documentation on how to generate the Kata Containers payload, based in the CCv0 branch, that's consumed by the Confidential Containers Operator. Fixes: #5041 Signed-off-by: Fabiano Fidêncio --- docs/how-to/README.md | 1 + ...or-the-confidential-containers-operator.md | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 docs/how-to/how-to-generate-a-kata-containers-payload-for-the-confidential-containers-operator.md diff --git a/docs/how-to/README.md b/docs/how-to/README.md index 89903fd57..e82e22ee1 100644 --- a/docs/how-to/README.md +++ b/docs/how-to/README.md 
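Review bot: `cc-payload` is a command-style target that never produces a file named `cc-payload`, and the hunk shows no `.PHONY` declaration for it (the `image` name it replaces may be listed in a `.PHONY` line elsewhere in the Makefile, outside the hunk), so a stray file of that name would silently turn `make cc-payload` into a no-op. Add `cc-payload` to the existing `.PHONY` list, or `.PHONY: cc-payload` next to the rule. Also `$(MK_DIR)kata-deploy-build-and-upload-payload.sh` joins without a separator while the `cc-parallel` recipe visible in patch 13 uses `$(MK_DIR)/…`; one convention should win.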
@@ -46,3 +46,4 @@ ## Confidential Containers - [How to use build and test the Confidential Containers `CCv0` proof of concept](how-to-build-and-test-ccv0.md) +- [How to generate a Kata Containers payload for the Confidential Containers Operator](how-to-generate-a-kata-containers-payload-for-the-confidential-containers-operator.md) diff --git a/docs/how-to/how-to-generate-a-kata-containers-payload-for-the-confidential-containers-operator.md b/docs/how-to/how-to-generate-a-kata-containers-payload-for-the-confidential-containers-operator.md new file mode 100644 index 000000000..40451aa97 --- /dev/null +++ b/docs/how-to/how-to-generate-a-kata-containers-payload-for-the-confidential-containers-operator.md 
@@ -0,0 +1,44 @@ +# Generating a Kata Containers payload for the Confidential Containers Operator + +[Confidential Containers +Operator](https://github.com/confidential-containers/operator) consumes a Kata +Containers payload, generated from the `CCv0` branch, and here one can find all +the necessary info on how to build such a payload. + +## Requirements + +* `make` installed in the machine +* Docker installed in the machine +* `sudo` access to the machine + +## Process + +* Clone [Kata Containers](https://github.com/kata-containers/kata-containers) + ```sh + git clone --branch CCv0 https://github.com/kata-containers/kata-containers + ``` + * In case you've already cloned the repo, make sure to switch to the `CCv0` branch + ```sh + git checkout CCv0 + ``` + * Ensure your tree is clean and in sync with upstream `CCv0` + ```sh + git clean -xfd + git reset --hard /CCv0 + ``` +* Make sure you're authenticated to `quay.io` + ```sh + sudo docker login quay.io + ``` +* From the top repo directory, run: + ```sh + sudo make cc-payload + ``` +* Make sure the image was upload to the [Confidential Containers + runtime-payload +registry](https://quay.io/repository/confidential-containers/runtime-payload?tab=tags) + +## Notes + +Make sure to run it on a machine that's not the one you're hacking on, prepare a +cup of tea, and get back to it an hour later (at least). From 01e29fc1fd7af017d33687fe2f9d3eddd4ec9c4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 5 Sep 2022 15:15:52 +0200 Subject: [PATCH 13/13] kata-deploy-cc: Do a serial build of the payload MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Every now and then we've been hitting issues with parallel builds. in order to not rely on lucky for the first release, let's do a serial build of the payload image. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 98611ae9d..a30479c7b 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -74,7 +74,7 @@ install-tarball: cc-payload: cc-tarball $(MK_DIR)kata-deploy-build-and-upload-payload.sh $(CURDIR)/kata-static.tar.xz -cc-tarball: | cc-parallel merge-builds +cc-tarball: | cc merge-builds cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V=
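Review bot: `cc-tarball: | cc merge-builds` lists `merge-builds` as a sibling order-only prerequisite of `cc` rather than as something sequenced after it, so under `make -j` GNU make may start `merge-builds` before the `cc-*-tarball` builds have finished; the commit relies on the invoking make being serial, which holds for the documented `sudo make cc-payload` but is not enforced. If `merge-builds` is shared with the non-cc path, sequencing it in the recipe avoids the ambiguity: `cc-tarball: | cc` followed by the recipe line `$(MAKE) -f $(MK_PATH) merge-builds`. Independently, the unchanged `cc-parallel` recipe computes `-j$$(( $$(nproc) - 1 ))`, which is `-j0` on a single-CPU builder and GNU make rejects a non-positive job count.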