From fdd6826d406adbca10fa5afa7f3a2ba03ac63ddf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 2 Dec 2022 17:34:42 +0100
Subject: [PATCH 1/7] cache_components: Add support for caching firmwares
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As we're already doing for some components, let's also add support for caching firmwares. TD-Shim and TDVF are the ones supported for now.
Fixes: #5360, #5361
Signed-off-by: Fabiano Fidêncio
---
 .../static-build/cache_components.sh | 33 ++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh
index 93b5fb22c..c1b3da312 100755
--- a/tools/packaging/static-build/cache_components.sh
+++ b/tools/packaging/static-build/cache_components.sh
@@ -14,6 +14,7 @@ source "${script_dir}/../scripts/lib.sh"
 export KATA_BUILD_CC="${KATA_BUILD_CC:-}"
 export TEE="${TEE:-}"
+export FIRMWARE="${FIRMWARE:-}"
 cache_qemu_artifacts() {
 local qemu_tarball_name="kata-static-cc-qemu.tar.xz"
@@ -47,6 +48,26 @@ cache_kernel_artifacts() {
 create_cache_asset "${kernel_tarball_name}" "${current_kernel_version}" "${current_kernel_image}"
 }
+cache_firmware_artifacts() {
+ case ${FIRMWARE} in
+ "td-shim")
+ firmware_tarball_name="kata-static-cc-tdx-td-shim.tar.xz"
+ current_firmware_image="$(get_td_shim_image_name)"
+ current_firmware_version="$(get_from_kata_deps "externals.td-shim.version")-$(get_from_kata_deps "externals.td-shim.toolchain")"
+ ;;
+ "tdvf")
+ firmware_tarball_name="kata-static-cc-tdx-tdvf.tar.xz"
+ current_firmware_image="$(get_ovmf_image_name)"
+ current_firmware_version="$(get_from_kata_deps "externals.ovmf.tdx.version")"
+ ;;
+ *)
+ die "Not a valid firmware (td-shim, tdvf) wass set as the FIRMWARE environment variable."
+
+ ;;
+ esac
+ create_cache_asset "${firmware_tarball_name}" "${current_firmware_version}" "${current_firmware_image}"
+}
+
 create_cache_asset() {
 local component_name="${1}"
 local component_version="${2}"
@@ -71,6 +92,10 @@ Usage: $0 "[options]"
 -c Cloud hypervisor cache
 -k Kernel cache
 -q Qemu cache
+ -f Firmware cache
+ * Requires FIRMWARE environment variable set, valid values are:
+ * tdvf
+ * td-shim
 -h Shows help
 EOF
 )"
@@ -80,8 +105,9 @@ main() {
 local cloud_hypervisor_component="${cloud_hypervisor_component:-}"
 local qemu_component="${qemu_component:-}"
 local kernel_component="${kernel_component:-}"
+ local firmware_component="${firmware_component:-}"
 local OPTIND
- while getopts ":ckqh:" opt
+ while getopts ":ckqfh:" opt
 do
 case "$opt" in
 c)
@@ -93,6 +119,9 @@ main() {
 q)
 qemu_component="1"
 ;;
+ f)
+ firmware_component="1"
+ ;;
 h)
 help
 exit 0;
@@ -109,6 +138,7 @@ main() {
 [[ -z "${cloud_hypervisor_component}" ]] && \
 [[ -z "${kernel_component}" ]] && \
 [[ -z "${qemu_component}" ]] && \
+ [[ -z "${firmware_component}" ]] && \
 help && die "Must choose at least one option"
 mkdir -p "${WORKSPACE}/artifacts"
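Review bot: The three variables assigned in the new `cache_firmware_artifacts` (`firmware_tarball_name`, `current_firmware_image`, `current_firmware_version`) are not declared `local`, unlike the sibling `cache_qemu_artifacts` and `create_cache_asset`, which use `local qemu_tarball_name=...` / `local component_name="${1}"`, so they leak into the script's global scope. Declaring them once at the top of the function, `local firmware_tarball_name current_firmware_image current_firmware_version`, keeps the style consistent. The default arm's message also has a typo: `die "Not a valid firmware (td-shim, tdvf) was set as the FIRMWARE environment variable."`. Note that the TDVF cache key is the bare `externals.ovmf.tdx.version` whereas the td-shim key also folds in the toolchain; if the TDVF build output depends on anything beyond that version string, the cache could serve a stale artifact, which is worth confirming before relying on it.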
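Review bot: The new option string `":ckqfh:"` keeps the trailing `:` after `h`, which tells `getopts` that `-h` requires an argument; a bare `-h` then sets `opt` to `:` rather than `h`, so the `h)` arm that calls `help` and `exit 0` is not reached unless some arm outside the hunk handles `:`. If that is not deliberate, the line should read `while getopts ":ckqfh" opt`. The enclosing `main` function starts before this hunk.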
@@ -118,6 +148,7 @@ main() {
 [ "${cloud_hypervisor_component}" == "1" ] && cache_clh_artifacts
 [ "${kernel_component}" == "1" ] && cache_kernel_artifacts
 [ "${qemu_component}" == "1" ] && cache_qemu_artifacts
+ [ "${firmware_component}" == "1" ] && cache_firmware_artifacts
 ls -la "${WORKSPACE}/artifacts/"
 popd

From 8d03bc7e4b7fd2ffe63216364fa22870ecae2f19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 2 Dec 2022 17:49:56 +0100
Subject: [PATCH 2/7] cache_components: Remove unused `qemu_script_dir`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `qemu_script_dir` is a leftover from before the rework on how we cache the components.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/cache_components.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh
index c1b3da312..9a15153c0 100755
--- a/tools/packaging/static-build/cache_components.sh
+++ b/tools/packaging/static-build/cache_components.sh
@@ -23,7 +23,6 @@ cache_qemu_artifacts() {
 qemu_tarball_name="kata-static-cc-${TEE}-qemu.tar.xz"
 [ "${TEE}" == "tdx" ] && current_qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.tdx.tag")
 fi
- local qemu_script_dir="${repo_root_dir}/tools/packaging/static-build/qemu"
 local qemu_sha=$(calc_qemu_files_sha256sum)
 local current_qemu_image="$(get_qemu_image_name)"

From 316a4cfc8ed752949e58b14df21b4f459ba2f885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 2 Dec 2022 17:55:12 +0100
Subject: [PATCH 3/7] cache_components: Add more document to the kernel / qemu options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's add a documentation about the environment variables that can be used with the `-k` and `-q` options.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/static-build/cache_components.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh
index 9a15153c0..93fed54cf 100755
--- a/tools/packaging/static-build/cache_components.sh
+++ b/tools/packaging/static-build/cache_components.sh
@@ -90,7 +90,13 @@ Usage: $0 "[options]"
 Options:
 -c Cloud hypervisor cache
 -k Kernel cache
+ * Can receive a TEE environnment variable value, valid values are:
+ * tdx
+ If no TEE environment is passed, the kernel is built without TEE support.
 -q Qemu cache
+ * Can receive a TEE environnment variable value, valid values are:
+ * tdx
+ If no TEE environment is passed, QEMU is built without TEE support.
 -f Firmware cache + * Requires FIRMWARE environment variable set, valid values are: + * tdvf

From 5f2eb635741767f5baf39e01486441dc145cd05f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 2 Dec 2022 18:01:03 +0100
Subject: [PATCH 4/7] kata-deploy-binaryes: Adapt td-shim version for its cached version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With the cached version we're concatenating the td-shim version with the toolchain version used to build the project.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index c3b17f65b..fa510564e 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
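Review bot: The added help lines misspell "environnment" twice, and "If no TEE environment is passed" is imprecise since it is a variable, not an environment, that is consulted; suggested wording for the two new bullet lines is `* Can receive a TEE environment variable value, valid values are:` and for the two trailing lines `If the TEE environment variable is not set, the kernel is built without TEE support.` (likewise for QEMU). These lines appear to sit inside the `help` here-document, whose opening and closing `EOF` lie outside this hunk, so only the text needs touching.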
@@ -318,7 +318,7 @@ install_cc_tdx_td_shim() {
 install_cached_component \
 "td-shim" \
 "${jenkins_url}/job/kata-containers-2.0-td-shim-cc-$(uname -m)/${cached_artifacts_path}" \
- "$(get_from_kata_deps "assets.externals.td-shim.version")" \
+ "$(get_from_kata_deps "externals.td-shim.version")-$(get_from_kata_deps "externals.td-shim.toolchain")" \
 "$(get_td_shim_image_name)" \
 "${final_tarball_name}" \
 "${final_tarball_path}" \

From 724108a817a6a79ab5184ca1f0665e3f41fba195 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Sat, 3 Dec 2022 02:21:33 +0100
Subject: [PATCH 5/7] kata-deploy-binaries: Fix getting TDVF version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's under the externals sections, not under assets.
Signed-off-by: Fabiano Fidêncio
---
 tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index fa510564e..b338ef3f9 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -333,7 +333,7 @@ install_cc_tee_ovmf() {
 tarball_name="${2}"
 local component_name="ovmf"
- local component_version="$(get_from_kata_deps "assets.external.ovmf.${tee}.version")"
+ local component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")"
 [ "${tee}" == "tdx" ] && component_name="tdvf"
 install_cached_component \
 "${component_name}" \

From 56d5d5932d93a3f3ae1efa269199da529b7d61ae Mon Sep 17 00:00:00 2001
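Review bot: On the new line `local component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")"` the `local` declaration masks the exit status of the command substitution, so a wrong or missing key (exactly the class of error this commit fixes) leaves `component_version` empty without any failure being reported. Splitting it into `local component_version` followed by `component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")" || return 1` surfaces the lookup error instead of letting an empty version flow into the `[ "${cached_version}" != "${current_version}" ]` comparison inside `install_cached_component`. The enclosing `install_cc_tee_ovmf` function starts before this hunk and continues after it.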
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Sun, 4 Dec 2022 17:10:05 +0100
Subject: [PATCH 6/7] kata-deploy-binaries: Avoid pushd / popd if not needed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's avoid getting into a dir and risking not being able to leave that dir in case something fails. Instead, let's just stay in the current dir and move the final tarball to the exoected directory in case all the checks go as expected.
Signed-off-by: Fabiano Fidêncio
---
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index b338ef3f9..92e614c93 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -126,12 +126,11 @@ install_cached_component() {
 [ "${cached_version}" != "${current_version}" ] && return 1
 info "Using cached tarball of ${component}"
- pushd ${workdir}
 echo "Downloading tarball from: ${jenkins_build_url}/${component_tarball_name}"
- curl -fL --progress-bar "${jenkins_build_url}/${component_tarball_name}" -o "${component_tarball_path}" || return cleanup_and_fail
+ curl -fL --progress-bar "${jenkins_build_url}/${component_tarball_name}" -o "${component_tarball_name}" || return cleanup_and_fail
 curl -fsOL "${jenkins_build_url}/sha256sum-${component_tarball_name}" || return cleanup_and_fail
 sha256sum -c "sha256sum-${component_tarball_name}" || return cleanup_and_fail
- popd
+ mv "${component_tarball_name}" "${component_tarball_path}"
 }
 # Install static CC cloud-hypervisor asset

From 3b6dd03b04b31c0b7299633856bf806fd4ef5151 Mon Sep 17 00:00:00 2001
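Review bot: Each `|| return cleanup_and_fail` on the new `curl` line and the two lines after it passes a word, not a number, to `return`; bash rejects that with "numeric argument required" and leaves the function without ever running `cleanup_and_fail`, so a partial tarball and the `sha256sum-*` file now stay behind in whatever directory the caller happens to be in, since the `pushd ${workdir}` that used to confine them is removed. If `cleanup_and_fail` is the helper its name suggests (it is not visible here), the intended form is `|| { cleanup_and_fail; return 1; }` on each of the three lines. Even the success path leaves `sha256sum-${component_tarball_name}` in the current directory after the `mv`, so an `rm -f "sha256sum-${component_tarball_name}"` next to the `mv` would keep the caller's directory clean. `install_cached_component` begins before this hunk.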
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 5 Dec 2022 09:27:26 +0100
Subject: [PATCH 7/7] kata-deploy-binaruies: Use wget instead of curl for cached components
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It seems that the Kata Containers jenkins may be very slow to reach from behind the firewall, causing TDX machine to fail downloading some of the cached artefacts. With this in mind, let's switch to using wget for this specific case.
Signed-off-by: Fabiano Fidêncio
---
 .../packaging/kata-deploy/local-build/dockerbuild/Dockerfile | 1 +
 .../packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
index 1f8d0de51..b640e1ca3 100644
--- a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
+++ b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
@@ -41,6 +41,7 @@ RUN apt-get update && \
 git \
 make \
 unzip \
+ wget \
 xz-utils && \
 apt-get clean && rm -rf /var/lib/apt/lists
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 92e614c93..8a10f7ed8 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -127,8 +127,8 @@ install_cached_component() {
 info "Using cached tarball of ${component}"
 echo "Downloading tarball from: ${jenkins_build_url}/${component_tarball_name}"
- curl -fL --progress-bar "${jenkins_build_url}/${component_tarball_name}" -o "${component_tarball_name}" || return cleanup_and_fail
- curl -fsOL "${jenkins_build_url}/sha256sum-${component_tarball_name}" || return cleanup_and_fail
+ wget "${jenkins_build_url}/${component_tarball_name}" || return cleanup_and_fail
+ wget "${jenkins_build_url}/sha256sum-${component_tarball_name}" || return cleanup_and_fail
 sha256sum -c "sha256sum-${component_tarball_name}" || return cleanup_and_fail
 mv "${component_tarball_name}" "${component_tarball_path}"
 }
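Review bot: `wget "${jenkins_build_url}/${component_tarball_name}"` without `-O` does not overwrite an existing file of that name: wget saves to `<name>.1` instead, after which `sha256sum -c` verifies, and `mv` installs, whatever stale copy was already in the current directory; a leftover from an earlier failed run is plausible because `|| return cleanup_and_fail` passes a word to `return` and never actually invokes the cleanup. Name the output explicitly on both lines: `wget -O "${component_tarball_name}" "${jenkins_build_url}/${component_tarball_name}"` and `wget -O "sha256sum-${component_tarball_name}" "${jenkins_build_url}/sha256sum-${component_tarball_name}"`. It is also worth a comment above the download, since the check is easy to mistake for a supply-chain control: the checksum file is fetched from the same URL prefix as the tarball, so `sha256sum -c` only detects transfer corruption, not substitution by whoever can serve that Jenkins path or sit on the route to it; the real trust boundary is the Jenkins host plus TLS, so keep wget's default certificate verification and never add `--no-check-certificate` to work around the slow firewall path. `install_cached_component` begins before this hunk.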