From 64009be3d7756b29720eb77d67f321054252d5b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 26 Oct 2022 14:09:47 +0200
Subject: [PATCH] packaging: Allow passing a container builder to the scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This, combined with the effort of caching builder images *and* only performing the build itself inside the builder images, is the very first step for reproducible builds for the project. Reproducible builds are quite important when we talk about Confidential Containers, as users may want to verify the content used / provided by the CSPs, and this is the first step towards that direction.
Fixes: #5517
Signed-off-by: Fabiano FidĂȘncio
---
 .../local-build/kata-deploy-binaries-in-docker.sh | 7 +++++++
 tools/packaging/static-build/initramfs/build.sh | 2 +-
 tools/packaging/static-build/kernel/build.sh | 2 +-
 tools/packaging/static-build/ovmf/build.sh | 2 +-
 tools/packaging/static-build/qemu/build-base-qemu.sh | 2 +-
 tools/packaging/static-build/shim-v2/build.sh | 2 +-
 tools/packaging/static-build/td-shim/build.sh | 2 +-
 tools/packaging/static-build/virtiofsd/build.sh | 2 +-
 8 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 91a1f5abc..c54e050e6 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -57,6 +57,13 @@ docker run \
 --env KATA_BUILD_CC="${KATA_BUILD_CC:-}" \
 --env INCLUDE_ROOTFS="$(realpath "${INCLUDE_ROOTFS:-}" 2> /dev/null || true)" \
 --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" \
+ --env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}" \
+ --env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}" \
+ --env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}" \
+ --env QEMU_CONTAINER_BUILDER="${QEMU_CONTAINER_BUILDER:-}" \
+ --env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \
+ --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \
+ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \
 -v "${kata_dir}:${kata_dir}" \
 --rm \
 -w ${script_dir} \
diff --git a/tools/packaging/static-build/initramfs/build.sh b/tools/packaging/static-build/initramfs/build.sh
index acbbc10e9..72fb45932 100755
--- a/tools/packaging/static-build/initramfs/build.sh
+++ b/tools/packaging/static-build/initramfs/build.sh
@@ -32,7 +32,7 @@ package_output_dir="${package_output_dir:-}"
 [ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo"
 [ -n "${lvm2_version}" ] || die "Failed to get lvm2 version"
-container_image="${CC_BUILDER_REGISTRY}:initramfs-cryptsetup-${cryptsetup_version}-lvm2-${lvm2_version}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${INITRAMFS_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:initramfs-cryptsetup-${cryptsetup_version}-lvm2-${lvm2_version}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || (sudo docker build \
 --build-arg cryptsetup_repo="${cryptsetup_repo}" \
diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh
index cb723d410..8bd4dc2da 100755
--- a/tools/packaging/static-build/kernel/build.sh
+++ b/tools/packaging/static-build/kernel/build.sh
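Review bot: The seven `*_CONTAINER_BUILDER` variables forwarded in kata-deploy-binaries-in-docker.sh are not described anywhere in the visible lines, and nothing states what form their value should take. Each one selects the image a component is built in, so a mutable tag gives no reproducibility guarantee. A comment above the `docker run` command would make that explicit, for example `# <COMPONENT>_CONTAINER_BUILDER: optional builder image reference; pin it by digest (name@sha256:<digest>) for a reproducible, verifiable build`. The `docker run` invocation starts and ends outside this hunk.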
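Review bot: In initramfs/build.sh, a failed `sudo docker pull ${container_image}` still falls through to the `|| (sudo docker build …` branch when `INITRAMFS_CONTAINER_BUILDER` is set, so the build can continue in a locally built image instead of the one the caller asked for. The kernel hunk shows the fallback tagging its result with `-t "${container_image}"`, so the substitute would presumably carry the requested name, which undercuts the verification goal in the commit message. An explicitly requested builder should fail hard, for example with `[ -z "${INITRAMFS_CONTAINER_BUILDER:-}" ] || sudo docker pull "${container_image}" || die "Failed to pull ${container_image}"` placed before the existing pull. The existing pull also expands `${container_image}` unquoted, which now word-splits a caller-supplied value, so it should be quoted. The same pull-or-build lines appear in the kernel, qemu, td-shim and virtiofsd hunks, each with its own variable, and the build command continues outside this hunk.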
@@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh"
 DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
-container_image="${CC_BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${KERNEL_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:kernel-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo docker build -t "${container_image}" "${script_dir}" && \
diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh
index dbaa79b0f..50ef9a73e 100755
--- a/tools/packaging/static-build/ovmf/build.sh
+++ b/tools/packaging/static-build/ovmf/build.sh
@@ -16,7 +16,7 @@ source "${script_dir}/../../scripts/lib.sh"
 DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
-container_image="${CC_BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${OVMF_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:ovmf-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 ovmf_build="${ovmf_build:-x86_64}"
 kata_version="${kata_version:-}"
 ovmf_repo="${ovmf_repo:-}"
diff --git a/tools/packaging/static-build/qemu/build-base-qemu.sh b/tools/packaging/static-build/qemu/build-base-qemu.sh
index 2c66f1085..5cdb7e654 100755
--- a/tools/packaging/static-build/qemu/build-base-qemu.sh
+++ b/tools/packaging/static-build/qemu/build-base-qemu.sh
@@ -39,7 +39,7 @@ CACHE_TIMEOUT=$(date +"%Y-%m-%d")
 [ -n "${build_suffix}" ] && HYPERVISOR_NAME="kata-qemu-${build_suffix}" || HYPERVISOR_NAME="kata-qemu"
 [ -n "${build_suffix}" ] && PKGVERSION="kata-static-${build_suffix}" || PKGVERSION="kata-static"
-container_image="${CC_BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${QEMU_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:qemu-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo "${container_engine}" build \
diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh
index b14a68047..340daf6d8 100755
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@@ -19,7 +19,7 @@ RUST_VERSION=${RUST_VERSION:-}
 DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
-container_image="${CC_BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${SHIM_V2_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:shim-v2-go-${GO_VERSION}-rust-${RUST_VERSION}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 EXTRA_OPTS="${EXTRA_OPTS:-""}"
 REMOVE_VMM_CONFIGS="${REMOVE_VMM_CONFIGS:-""}"
diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh
index 803ec644a..fd55d3148 100755
--- a/tools/packaging/static-build/td-shim/build.sh
+++ b/tools/packaging/static-build/td-shim/build.sh
@@ -30,7 +30,7 @@ package_output_dir="${package_output_dir:-}"
 [ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit"
 [ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project"
-container_image="${CC_BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${TDSHIM_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo docker build \
diff --git a/tools/packaging/static-build/virtiofsd/build.sh b/tools/packaging/static-build/virtiofsd/build.sh
index 1b7d3e32b..dbf0fac2b 100755
--- a/tools/packaging/static-build/virtiofsd/build.sh
+++ b/tools/packaging/static-build/virtiofsd/build.sh
@@ -49,7 +49,7 @@ case ${ARCH} in
 ;;
 esac
-container_image="${CC_BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)"
+container_image="${VIRTIOFSD_CONTAINER_BUILDER:-${CC_BUILDER_REGISTRY}:virtiofsd-${virtiofsd_toolchain}-${libc}-$(get_last_modification ${repo_root_dir} ${script_dir})-$(uname -m)}"
 sudo docker pull ${container_image} || \
 (sudo docker build \