From 6c05e5c67a0bdab86db52874f05e9863ba552794 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 15:11:16 +0200 Subject: [PATCH 01/18] packaging: Add and export BUILDER_REGISTRY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUILD_REGISTRY, which points to quay.io/kata-containers/builder, will be used for storing the builder images used to build the artefacts via the kata-deploy scripts. The plan is to tag, whenever it's possible and makes sense, images like: * ${BUILDER_REGISTRY}:${component}-${unique_identifier} Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index d53159a8c..34fb29250 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -8,6 +8,7 @@ export GOPATH=${GOPATH:-${HOME}/go} export tests_repo="${tests_repo:-github.com/kata-containers/tests}" export tests_repo_dir="$GOPATH/src/$tests_repo" +export BUILDER_REGISTRY="quay.io/kata-containers/builders" this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" From e69a6f57493d286aca4711248263d17c0dacfca4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:20:52 +0200 Subject: [PATCH 02/18] packaging: Add get_last_modification() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add a function to get the hash of the last commit modifying a specific file. This will help to avoid writing `git rev-list ...` into every single build script used by the kata-deploy. Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 34fb29250..616c17b96 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh 
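Review bot: The value exported on the added line, `quay.io/kata-containers/builders`, does not match the commit message, which names the repository `quay.io/kata-containers/builder`; one of the two should be corrected so the message can be used to locate the registry. Since later patches in this series pull builder images from this path by mutable tag, a one-line comment above the export would help readers understand what is being trusted, e.g. `# Registry holding cached builder images; the scripts pull these by tag, so whatever is currently published there is what gets used`.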
@@ -98,3 +98,18 @@ get_kata_hash() { ref=$2 git ls-remote --heads --tags "https://github.com/${project}/${repo}.git" | grep "${ref}" | awk '{print $1}' } + +# $1 - Repo's root dir +# $2 - The file we're looking for the last modification +get_last_modification() { + local repo_root_dir="${1}" + local file="${2}" + + # This is a workaround needed for when running this code on Jenkins + git config --global --add safe.directory ${repo_root_dir} &> /dev/null + + dirty="" + [ $(git status --porcelain | grep "${file#${repo_root_dir}/}" | wc -l) -gt 0 ] && dirty="-dirty" + + echo "$(git log -1 --pretty=format:"%H" ${file})${dirty}" +} From 869827d77f62b8337a84228db740e1244afe47ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:38:38 +0200 Subject: [PATCH 03/18] packaging: Add push_to_registry() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This function will push a specific tag to a registry, whenever the PUSH_TO_REGISTRY environment variable is set, otherwise it's a no-op. This will be used in the future to avoid replicating that logic in every builder used by the kata-deploy scripts. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy-binaries-in-docker.sh | 4 +++- tools/packaging/scripts/lib.sh | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 164dbf864..412f1e87d 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
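Review bot: `dirty` is assigned without `local` in get_last_modification(), so every call leaks (or clobbers) a global of that name in the sourcing script, and `${repo_root_dir}` and `${file}` are expanded unquoted in the `git config`, `git log` and `grep` invocations. Both git commands also run against the caller's current directory rather than `${repo_root_dir}`, which breaks when a build script is invoked from a directory outside the repository, and the unanchored `grep "${file#…}"` treats the path as a regex substring, so an unrelated modified path that merely contains it marks the tag `-dirty`. Finally, `git config --global --add safe.directory` appends a fresh entry to the user's global config on every invocation; since `safe.directory` is a trust decision (it tells git to accept a repository owned by another user), it is worth checking for the entry first and keeping it scoped to the exact repo root. The rewrite below keeps the same output format.
```shell
get_last_modification() {
	local repo_root_dir="${1}"
	local file="${2}"
	local dirty=""

	# This is a workaround needed for when running this code on Jenkins.
	# Only add the entry once: --add appends on every call and the global config keeps growing.
	git config --global --get-all safe.directory 2>/dev/null | grep -qxF -- "${repo_root_dir}" || \
		git config --global --add safe.directory "${repo_root_dir}" &> /dev/null

	# Run git against the repository itself, not the caller's cwd, and limit the
	# status to the requested path so unrelated changes cannot mark the tag dirty.
	if git -C "${repo_root_dir}" status --porcelain -- "${file}" | grep -q .; then
		dirty="-dirty"
	fi

	echo "$(git -C "${repo_root_dir}" log -1 --pretty=format:"%H" -- "${file}")${dirty}"
}
```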
@@ -47,8 +47,10 @@ docker build -q -t build-kata-deploy \ docker run \ -v $HOME/.docker:/root/.docker \ -v /var/run/docker.sock:/var/run/docker.sock \ + -v "${kata_dir}:${kata_dir}" \ --env CI="${CI:-}" \ - --env USER=${USER} -v "${kata_dir}:${kata_dir}" \ + --env USER=${USER} \ + --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" \ --rm \ -w ${script_dir} \ build-kata-deploy "${kata_deploy_create}" $@ diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 616c17b96..5ac31d0e3 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -9,6 +9,7 @@ export GOPATH=${GOPATH:-${HOME}/go} export tests_repo="${tests_repo:-github.com/kata-containers/tests}" export tests_repo_dir="$GOPATH/src/$tests_repo" export BUILDER_REGISTRY="quay.io/kata-containers/builders" +export PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" @@ -113,3 +114,18 @@ get_last_modification() { echo "$(git log -1 --pretty=format:"%H" ${file})${dirty}" } + +# $1 - The tag to be pushed to the registry +# $2 - "yes" to use sudo, "no" otherwise +push_to_registry() { + local tag="${1}" + local use_sudo="${2:-"yes"}" + + if [ "${PUSH_TO_REGISTRY}" == "yes" ]; then + if [ "${use_sudo}" == "yes" ]; then + sudo docker push ${tag} + else + docker push ${tag} + fi + fi +} From b9b23112bf6fb23f550b2d1c7d53dd9a4987459b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:04:11 +0200 Subject: [PATCH 04/18] packaging: Use existing image to build the kernel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the kernel. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/kernel/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
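Review bot: In push_to_registry() the tag is expanded unquoted in both `sudo docker push ${tag}` and `docker push ${tag}`; quote it as `"${tag}"` to match how the callers in this series quote `"${container_image}"`. The gate compares against the exact string `yes`, so `PUSH_TO_REGISTRY=true` or `YES` silently becomes a no-op with no diagnostic; a `printf 'Not pushing %s (PUSH_TO_REGISTRY=%s)\n' "${tag}" "${PUSH_TO_REGISTRY}" >&2` in the else path would make that visible in CI logs. The kata-deploy-binaries-in-docker.sh hunk forwards PUSH_TO_REGISTRY into a container that also has `$HOME/.docker` mounted (context line above), which means a push from inside the wrapper is performed with the host user's registry credentials; a comment next to the new `--env PUSH_TO_REGISTRY` line stating that would help whoever sets the variable understand whose credentials are used. Minor: `--env USER=${USER}` on the rewritten line is still unquoted.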
diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index 1aa6c1cd4..7e6f9a66e 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh @@ -12,12 +12,13 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh" +source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-kernel-builder" +container_image="${BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)" -sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 6c3c771a52a66df1c31813339b87484aea1b028f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:08:05 +0200 Subject: [PATCH 05/18] packaging: Add infra to push the kernel builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the kernel builder image to the Kata Containers' quay.io registry. Fixes: #5476 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/kernel/build.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index 7e6f9a66e..c04ee0c8e 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh 
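Review bot: The new `container_image=` line calls `$(umame -m)`, a typo for `uname -m`; at runtime the substitution expands to an empty string (with a "command not found" on stderr), so the tag ends in a trailing `-`, never matches an architecture-specific tag pushed from a correct host, and is then built locally and possibly pushed under that malformed name. The same typo is introduced in the virtiofsd script by patch 09 and carried into patch 10, and is only corrected as a side effect of patch 17; it should be fixed here. Separately, `sudo docker pull ${container_image} || …` trusts whatever is currently published under a mutable tag, so anyone able to push to BUILDER_REGISTRY controls the kernel build toolchain for every later build; for the reproducibility goal stated in patch 17 consider at least logging the pulled image's digest (`sudo docker inspect --format '{{index .RepoDigests 0}}' "${container_image}"`) so a build can be tied to an immutable reference. Quote the image name in the pull as well: `sudo docker pull "${container_image}"`.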
@@ -18,7 +18,10 @@ DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} container_image="${BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)" -sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 24767d82aa5bd2db8264a0973054dac3b541d302 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:57:02 +0200 Subject: [PATCH 06/18] packaging: Use existing image to build the shim-v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's try to pull a pre-existing image, instead of building our own, to be used as a builder for the shim-v2. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/shim-v2/build.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index 6cbb0a41b..a2e4630bf 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -10,7 +10,8 @@ set -o pipefail script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" -readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh" + +source "${script_dir}/../../scripts/lib.sh" VMM_CONFIGS="qemu fc" 
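Review bot: The `# No-op unless PUSH_TO_REGISTRY is exported as "yes"` comment is placed between `&& \` and its right-hand operand inside the subshell; this only parses because bash tolerates a newline after `&&`, and anyone who later adds a trailing `\` to the comment line or reflows the block will change the command without a syntax error. Move the explanation above the compound command, e.g. `# Try the cached builder first; on a miss build it locally and, when PUSH_TO_REGISTRY=yes, publish it`, and keep the `&&` chain free of comments. The same layout is repeated in the virtiofsd, QEMU, OVMF and td-shim push hunks (patches 10, 12, 14 and 16). Note also that when the build succeeds but the push fails, the chain makes the whole fallback fail even though a usable local image exists; whether that aborts the script before `docker run` depends on the `set -e` setting above the hunk.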
@@ -19,9 +20,14 @@ RUST_VERSION=${RUST_VERSION} DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="shim-v2-builder" +container_image="${BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" -sudo docker build --build-arg GO_VERSION="${GO_VERSION}" --build-arg RUST_VERSION="${RUST_VERSION}" -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + sudo docker build \ + --build-arg GO_VERSION="${GO_VERSION}" \ + --build-arg RUST_VERSION="${RUST_VERSION}" \ + -t "${container_image}" \ + "${script_dir}" arch=$(uname -m) if [ ${arch} = "ppc64le" ]; then From 7ee00d8e5764acde38ff332d62370e38ae05c6c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:59:13 +0200 Subject: [PATCH 07/18] packaging: Add infra to push the shim-v2 builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the shim-v2 builder image to the Kata Containers' quay.io registry. Fixes: #5478 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/shim-v2/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index a2e4630bf..a40f87f25 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh 
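Review bot: The tag computed on the new `container_image=` line embeds `${GO_VERSION}` and `${RUST_VERSION}` with no check that they are non-empty; an unset value produces a syntactically valid tag such as `shim-v2-go--rust--<hash>-x86_64` that will be pulled or pushed without complaint. Unless these are validated above the hunk (only `RUST_VERSION=${RUST_VERSION}` is visible as context), add `[ -n "${GO_VERSION}" ] || die "GO_VERSION is not set"` and the equivalent for RUST_VERSION before the tag is built, assuming lib.sh provides `die` as the virtiofsd script's usage suggests. Minor: `arch=$(uname -m)` is computed two lines below the tag; hoist it above and use `${arch}` in the tag instead of a second `uname` call.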
@@ -23,11 +23,12 @@ PREFIX=${PREFIX:-/opt/kata} container_image="${BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" sudo docker pull ${container_image} || \ - sudo docker build \ + (sudo docker build \ --build-arg GO_VERSION="${GO_VERSION}" \ --build-arg RUST_VERSION="${RUST_VERSION}" \ -t "${container_image}" \ - "${script_dir}" + "${script_dir}" && \ + push_to_registry "${container_image}") arch=$(uname -m) if [ ${arch} = "ppc64le" ]; then From 8c227e247185aa2a4496d26c6bc2d051a83a955a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:20:27 +0200 Subject: [PATCH 08/18] virtiofsd: Pass the expected toolchain to the build container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's ensure we're building virtiofsd with a specific toolchain that's known to not cause any issues, instead of always using the latest one. On each bump of the virtiofsd, we'll make sure to adjust this according to what's been used by the virtiofsd community. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 4 ++++ tools/packaging/static-build/virtiofsd/gnu/Dockerfile | 3 ++- tools/packaging/static-build/virtiofsd/musl/Dockerfile | 3 ++- versions.yaml | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index 64441d2ae..ec9d7e248 100755 --- a/tools/packaging/static-build/virtiofsd/build.sh +++ b/tools/packaging/static-build/virtiofsd/build.sh 
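Review bot: This push hunk omits the `# No-op unless PUSH_TO_REGISTRY is exported as "yes"` comment that the kernel, virtiofsd, QEMU, OVMF and td-shim equivalents carry, so a reader of the shim-v2 script alone has no hint that `push_to_registry` is conditional. Add the same explanation above the `sudo docker pull ${container_image} || \` line so the six scripts stay consistent, and quote the pull argument as `"${container_image}"` while touching it.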
@@ -20,15 +20,18 @@ container_image="kata-virtiofsd-builder" kata_version="${kata_version:-}" virtiofsd_repo="${virtiofsd_repo:-}" virtiofsd_version="${virtiofsd_version:-}" +virtiofsd_toolchain="${virtiofsd_toolchain:-}" virtiofsd_zip="${virtiofsd_zip:-}" package_output_dir="${package_output_dir:-}" [ -n "${virtiofsd_repo}" ] || virtiofsd_repo=$(get_from_kata_deps "externals.virtiofsd.url") [ -n "${virtiofsd_version}" ] || virtiofsd_version=$(get_from_kata_deps "externals.virtiofsd.version") +[ -n "${virtiofsd_toolchain}" ] || virtiofsd_toolchain=$(get_from_kata_deps "externals.virtiofsd.toolchain") [ -n "${virtiofsd_zip}" ] || virtiofsd_zip=$(get_from_kata_deps "externals.virtiofsd.meta.binary") [ -n "${virtiofsd_repo}" ] || die "Failed to get virtiofsd repo" [ -n "${virtiofsd_version}" ] || die "Failed to get virtiofsd version or commit" +[ -n "${virtiofsd_toolchain}" ] || die "Failed to get the rust toolchain to build virtiofsd" [ -n "${virtiofsd_zip}" ] || die "Failed to get virtiofsd binary URL" ARCH=$(uname -m) @@ -48,6 +51,7 @@ case ${ARCH} in esac sudo docker build \ + --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ -t "${container_image}" "${script_dir}/${libc}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ diff --git a/tools/packaging/static-build/virtiofsd/gnu/Dockerfile b/tools/packaging/static-build/virtiofsd/gnu/Dockerfile index c214dfc41..c10b8db49 100644 --- a/tools/packaging/static-build/virtiofsd/gnu/Dockerfile +++ b/tools/packaging/static-build/virtiofsd/gnu/Dockerfile @@ -4,6 +4,7 @@ FROM ubuntu:20.04 ENV DEBIAN_FRONTEND=noninteractive +ARG RUST_TOOLCHAIN SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN apt-get update && \ @@ -16,4 +17,4 @@ RUN apt-get update && \ libseccomp-dev \ unzip && \ apt-get clean && rm -rf /var/lib/lists/ && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} 
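Review bot: In the gnu Dockerfile hunk `ARG RUST_TOOLCHAIN` has no default and is expanded unquoted into `--default-toolchain ${RUST_TOOLCHAIN}`, so a `docker build` run without the build-arg (for instance by hand while debugging) hands rustup-init an empty toolchain argument and fails with an unrelated-looking error; quote it as `--default-toolchain "${RUST_TOOLCHAIN}"` so the empty case is at least passed through consistently, and consider a comment on the ARG saying build.sh always supplies it from `externals.virtiofsd.toolchain`. The musl Dockerfile hunk in the next patch section has the same two issues. Pinning the toolchain is a good step, but the installer itself is still fetched unpinned via `curl … https://sh.rustup.rs | sh`, so that remains the one floating input in this image; worth noting in the Dockerfile for the reproducibility work that follows.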
diff --git a/tools/packaging/static-build/virtiofsd/musl/Dockerfile b/tools/packaging/static-build/virtiofsd/musl/Dockerfile index 9b9bb93b9..1236010e0 100644 --- a/tools/packaging/static-build/virtiofsd/musl/Dockerfile +++ b/tools/packaging/static-build/virtiofsd/musl/Dockerfile @@ -3,6 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 FROM alpine:3.16.2 +ARG RUST_TOOLCHAIN SHELL ["/bin/ash", "-o", "pipefail", "-c"] RUN apk --no-cache add \ @@ -13,4 +14,4 @@ RUN apk --no-cache add \ libcap-ng-static \ libseccomp-static \ musl-dev && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/versions.yaml b/versions.yaml index 5f74ee8ba..36c0bb603 100644 --- a/versions.yaml +++ b/versions.yaml @@ -291,6 +291,7 @@ externals: description: "vhost-user virtio-fs device backend written in Rust" url: "https://gitlab.com/virtio-fs/virtiofsd" version: "v1.3.0" + toolchain: "1.62.0" meta: # From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.3.0, # this is the link labelled virtiofsd-v1.3.0.zip From 7c93428a1889a5a5e9fd63031dd2c91e408d4bee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:12:18 +0200 Subject: [PATCH 09/18] packaging: Use existing image to build virtiofsd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the virtiofsd. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index ec9d7e248..42e76a514 100755 --- a/tools/packaging/static-build/virtiofsd/build.sh 
+++ b/tools/packaging/static-build/virtiofsd/build.sh @@ -16,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-virtiofsd-builder" kata_version="${kata_version:-}" virtiofsd_repo="${virtiofsd_repo:-}" virtiofsd_version="${virtiofsd_version:-}" @@ -50,7 +49,9 @@ case ${ARCH} in ;; esac -sudo docker build \ +container_image="${BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)" + +sudo docker pull ${container_image} || sudo docker build \ --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ -t "${container_image}" "${script_dir}/${libc}" From d0181bb26261b50e1d4a2ddc2526fd80fea1034a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:28:52 +0200 Subject: [PATCH 10/18] packaging: Add infra to push the virtiofsd builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the virtiofsd builder image to the Kata Containers' quay.io registry. Fixes: #5480 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/virtiofsd/build.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh index 42e76a514..d3f8dca07 100755 --- a/tools/packaging/static-build/virtiofsd/build.sh +++ b/tools/packaging/static-build/virtiofsd/build.sh 
@@ -51,9 +51,12 @@ esac container_image="${BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)" -sudo docker pull ${container_image} || sudo docker build \ - --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ - -t "${container_image}" "${script_dir}/${libc}" +sudo docker pull ${container_image} || \ + (sudo docker build \ + --build-arg RUST_TOOLCHAIN="${virtiofsd_toolchain}" \ + -t "${container_image}" "${script_dir}/${libc}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From fb7b86b8e0e39cb5e47a6a89d110a516bc042da2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 27 Jan 2023 17:31:42 +0100 Subject: [PATCH 11/18] packaging: Use existing image to build QEMU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existsing image, instead of building our own, to be used as a builder image for QEMU. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/qemu/build-base-qemu.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index 4ad6e0f95..9584857c7 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh 
@@ -39,13 +39,15 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") [ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu" [ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static" -sudo "${container_engine}" build \ +container_image="${BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" + +sudo docker pull ${container_image} || sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ --build-arg http_proxy="${http_proxy}" \ --build-arg https_proxy="${https_proxy}" \ "${packaging_dir}" \ -f "${script_dir}/Dockerfile" \ - -t qemu-static + -t "${container_image}" sudo "${container_engine}" run \ --rm \ @@ -59,7 +61,7 @@ sudo "${container_engine}" run \ --env QEMU_TARBALL="${qemu_tar}" \ --env PREFIX="${prefix}" \ -v "${repo_root_dir}:/root/kata-containers" \ - -v "${PWD}":/share qemu-static \ + -v "${PWD}":/share "${container_image}" \ bash -c "/root/kata-containers/tools/packaging/static-build/qemu/build-qemu.sh" sudo chown ${USER}:$(id -gn ${USER}) "${PWD}/${qemu_tar}" From c7f515172dc2a84a2c749e2d2c5c3667f5a65c5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Oct 2022 09:41:34 +0200 Subject: [PATCH 12/18] packaging: Add infra to push the QEMU builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for only building and pushing the QEMU builder image to the Kata Containers' quay.io registry. Fixes: #5481 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/qemu/build-base-qemu.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index 9584857c7..e1406006a 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh 
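Review bot: The new fallback line hard-codes `sudo docker pull ${container_image}` while the build and run commands in the same script use `"${container_engine}"`; with a non-docker engine the image is pulled into docker's store, the engine never sees it, and the `||` fallback rebuilds anyway, so the cache is silently ineffective. Use `sudo "${container_engine}" pull "${container_image}" || sudo "${container_engine}" build \` to keep the engine consistent. `push_to_registry` from lib.sh, added to this script by patch 12, has the same limitation because it calls `docker push` directly.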
@@ -41,13 +41,15 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") container_image="${BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" -sudo docker pull ${container_image} || sudo "${container_engine}" build \ +sudo docker pull ${container_image} || (sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ --build-arg http_proxy="${http_proxy}" \ --build-arg https_proxy="${https_proxy}" \ "${packaging_dir}" \ -f "${script_dir}/Dockerfile" \ - -t "${container_image}" + -t "${container_image}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo "${container_engine}" run \ --rm \ From f076fa4c770f09f98a06de207d2ccf3810bebc16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:12:34 +0200 Subject: [PATCH 13/18] packaging: Use existing image to build OVMF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of buildinf our own, to be used as a builder image for OVMF. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index fcbbd9321..020416269 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh @@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-ovmf-builder" +container_image="${BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" ovmf_build="${ovmf_build:-x86_64}" kata_version="${kata_version:-}" ovmf_repo="${ovmf_repo:-}" 
@@ -52,7 +52,7 @@ fi [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" -sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 3fa24f7acce5a89048be2287e75b94fe6178b2ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 16:42:50 +0200 Subject: [PATCH 14/18] packaging: Add infra to push the OVMF builder image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed infra for building and pushing the OVMF builder image to the Kata Containers' quay.io registry. Fixes: #5477 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index 020416269..96e989677 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh @@ -52,7 +52,10 @@ fi [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" -sudo docker pull ${container_image} || sudo docker build -t "${container_image}" "${script_dir}" +sudo docker pull ${container_image} || \ + (sudo docker build -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From e8c6bfbdeb8fcfc53ab5c177b1eabe08ed11720e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:08:30 +0200 Subject: [PATCH 15/18] packaging: Use existing image to build td-shim MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the td-shim. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/td-shim/build.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh index 580c4a337..ef62f47f4 100755 --- a/tools/packaging/static-build/td-shim/build.sh +++ b/tools/packaging/static-build/td-shim/build.sh @@ -16,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="kata-td-shim-builder" kata_version="${kata_version:-}" tdshim_repo="${tdshim_repo:-}" tdshim_version="${tdshim_version:-}" @@ -31,9 +30,12 @@ package_output_dir="${package_output_dir:-}" [ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" [ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project" -sudo docker build \ +container_image="${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" + +sudo docker pull ${container_image} || sudo docker build \ --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ - -t "${container_image}" "${script_dir}" + -t "${container_image}" \ + "${script_dir}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 45668fae15ac9f9d59543de656a616c139a30576 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 Oct 2022 17:08:30 +0200 Subject: [PATCH 16/18] packaging: Use existing image to build td-shim MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's first try to pull a pre-existing image, instead of building our own, to be used as a builder image for the td-shim. This will save us some CI time. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/td-shim/build.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh index ef62f47f4..2afa4cebd 100755 --- a/tools/packaging/static-build/td-shim/build.sh +++ b/tools/packaging/static-build/td-shim/build.sh @@ -32,10 +32,13 @@ package_output_dir="${package_output_dir:-}" container_image="${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" -sudo docker pull ${container_image} || sudo docker build \ +sudo docker pull ${container_image} || (sudo docker build \ --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ -t "${container_image}" \ - "${script_dir}" + "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") + sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ From 781ed2986a25fb6a3e2c0e94a4fc8609c41ed5e0 Mon Sep 17 00:00:00 2001 
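Review bot: The commit subject and body repeat patch 15 ("Use existing image to build td-shim") although this hunk adds the push-on-miss logic, and unlike the sibling push commits it carries no `Fixes:` trailer; the message should describe the push infra so the history matches what the diff does. The hunk also inserts an empty line after the closing `)` that patch 17 removes again in the same series; dropping it here avoids the churn.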
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 26 Oct 2022 14:09:47 +0200 Subject: [PATCH 17/18] packaging: Allow passing a container builder to the scripts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This, combined with the effort of caching builder images *and* only performing the build itself inside the builder images, is the very first step for reproducible builds for the project. Reproducible builds are quite important when we talk about Confidential Containers, as users may want to verify the content used / provided by the CSPs, and this is the first step towards that direction. Fixes: #5517 Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries-in-docker.sh | 7 +++++++ tools/packaging/static-build/kernel/build.sh | 2 +- tools/packaging/static-build/ovmf/build.sh | 2 +- tools/packaging/static-build/qemu/build-base-qemu.sh | 2 +- tools/packaging/static-build/shim-v2/build.sh | 2 +- tools/packaging/static-build/td-shim/build.sh | 3 +-- tools/packaging/static-build/virtiofsd/build.sh | 2 +- 7 files changed, 13 insertions(+), 7 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 412f1e87d..defb338d9 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
@@ -51,6 +51,13 @@ docker run \ --env CI="${CI:-}" \ --env USER=${USER} \ --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" \ + --env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}" \ + --env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}" \ + --env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}" \ + --env QEMU_CONTAINER_BUILDER="${QEMU_CONTAINER_BUILDER:-}" \ + --env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \ + --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \ + --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \ --rm \ -w ${script_dir} \ build-kata-deploy "${kata_deploy_create}" $@ diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index c04ee0c8e..8235ba22f 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh @@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="${BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)" +container_image="${KERNEL_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}" sudo docker pull ${container_image} || \ (sudo docker build -t "${container_image}" "${script_dir}" && \ diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index 96e989677..256a89249 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh 
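Review bot: With `KERNEL_CONTAINER_BUILDER` set, the kernel hunk still runs the `sudo docker pull ${container_image} || (build … && push …)` fallback, so a typo or a moved tag in a caller-pinned image name is silently replaced by a locally built image tagged with that name, and may even be pushed under it; for the reproducibility goal in the message, a pinned builder should be pulled as-is and fail loudly otherwise. The rewrite below does that, and the same applies to the OVMF, QEMU, shim-v2, td-shim and virtiofsd hunks of this patch. Two smaller points: `INITRAMFS_CONTAINER_BUILDER` is forwarded by the wrapper but no script in this series' diffstat consumes it (unless an initramfs script outside the series does), and the `umame` → `uname` correction on the kernel line is an unrelated bug fix that belongs in patch 04. A comment on the wrapper's new `--env` lines noting that the overrides accept a digest reference (`name@sha256:<digest>`) would tell users how to actually pin a builder.
```shell
container_image="${KERNEL_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"

if [ -n "${KERNEL_CONTAINER_BUILDER:-}" ]; then
	# A caller-pinned builder must be used exactly as given; rebuilding locally
	# under that name would silently mask a typo or a moved tag.
	sudo docker pull "${container_image}" || die "Failed to pull the requested builder image ${container_image}"
else
	sudo docker pull "${container_image}" || \
	# … unchanged: build-and-push fallback …
fi
```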
@@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh" DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} -container_image="${BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" +container_image="${OVMF_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}" ovmf_build="${ovmf_build:-x86_64}" kata_version="${kata_version:-}" ovmf_repo="${ovmf_repo:-}" diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh index e1406006a..d5ac3e259 100755 --- a/tools/packaging/static-build/qemu/build-base-qemu.sh +++ b/tools/packaging/static-build/qemu/build-base-qemu.sh @@ -39,7 +39,7 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d") [ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu" [ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static" -container_image="${BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)" +container_image="${QEMU_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}" sudo docker pull ${container_image} || (sudo "${container_engine}" build \ --build-arg CACHE_TIMEOUT="${CACHE_TIMEOUT}" \ diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index a40f87f25..2164cf9d1 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh 
@@ -20,7 +20,7 @@ RUST_VERSION=${RUST_VERSION}
 DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
-container_image="${BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${SHIM_V2_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo docker build \
diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh
index 2afa4cebd..f822fd827 100755
--- a/tools/packaging/static-build/td-shim/build.sh
+++ b/tools/packaging/static-build/td-shim/build.sh
@@ -30,7 +30,7 @@ package_output_dir="${package_output_dir:-}"
 [ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit"
 [ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project"
-container_image="${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${TDSHIM_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || (sudo docker build \
 --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \
@@ -39,7 +39,6 @@ sudo docker pull ${container_image} || (sudo docker build \
 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
 push_to_registry "${container_image}")
-
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${PWD}" \
 --env DESTDIR="${DESTDIR}" \
diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh
index d3f8dca07..3a41c1211 100755
--- a/tools/packaging/static-build/virtiofsd/build.sh
+++ b/tools/packaging/static-build/virtiofsd/build.sh
@@ -49,7 +49,7 @@ case ${ARCH} in
 ;;
 esac
-container_image="${BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(umame -m)"
+container_image="${VIRTIOFSD_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo docker build \
From b835c40bbdc126e97256c0342d10aa0b09ac14e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 27 Jan 2023 21:49:56 +0100
Subject: [PATCH 18/18] workflows: Push the builder image to quay.io
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's push the builder images to a registry, so we can take advantage of those on each step of our building process.
Signed-off-by: Fabiano Fidêncio
---
 .github/workflows/kata-deploy-push.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/kata-deploy-push.yaml b/.github/workflows/kata-deploy-push.yaml
index c7d7e8cb4..548391fb5 100644
--- a/.github/workflows/kata-deploy-push.yaml
+++ b/.github/workflows/kata-deploy-push.yaml
@@ -28,6 +28,13 @@ jobs:
 - virtiofsd
 - nydus
 steps:
+ - name: Login to Kata Containers quay.io
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+ password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
 - uses: actions/checkout@v2
 - name: Install docker
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
@@ -44,6 +51,7 @@ jobs:
 sudo cp -r --preserve=all "${build_dir}" "kata-build"
 env:
 KATA_ASSET: ${{ matrix.asset }}
+ PUSH_TO_REGISTRY: yes
 - name: store-artifact ${{ matrix.asset }}
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
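Review bot: The new login step has no `if:` guard, unlike the `Install docker` step right below it, so it runs and presents the quay credentials even on runs that the `force-skip-ci` label is meant to skip; add `if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}` to it. It also references `docker/login-action@v2` by a moving major tag although it is the one step that handles secrets; pinning it to a full commit SHA, with the tag in a trailing comment, is the usual mitigation against a compromised or retagged action release. Finally, the build scripts in this patch push with `sudo docker`, and whether root's docker client sees the credentials the login step writes for the runner user depends on how `sudo` treats `HOME`/`DOCKER_CONFIG` on the runner — worth confirming on a real run before relying on the push.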
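Review bot: `PUSH_TO_REGISTRY: yes` is an unquoted YAML scalar, and `yes` is a boolean under YAML 1.1 rules, so depending on the parser the script may receive `true` instead of the literal `yes` that the build scripts check for (the td-shim hunk's comment says the push is a no-op unless the value is exported as `"yes"`), which would turn the push into a silent no-op. The docker-run hunk in this patch quotes its default as `"no"`; quote this value the same way: `PUSH_TO_REGISTRY: "yes"`.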
