From 45c1188839f30b313dc6f7d33a55269e49768f50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:17:38 +0200 Subject: [PATCH 1/8] packaging: Add get_agent_image_name() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will be used for building the kata-agent. Signed-off-by: Fabiano Fidêncio --- tools/packaging/scripts/lib.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index fe1faf5af..d1e17e20d 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh @@ -226,3 +226,10 @@ get_tools_image_name() { echo "${BUILDER_REGISTRY}:tools-$(get_last_modification ${tools_dir})-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" } + +get_agent_image_name() { + libs_dir="${repo_root_dir}/src/libs" + agent_dir="${repo_root_dir}/src/agent" + + echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})" +} From 1727487eef00283b159bb829540913cc5fa7a5da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:18:45 +0200 Subject: [PATCH 2/8] agent: Allow specifying DESTDIR and AGENT_POLICY via env vars MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will help to build the agent binary as part of the kata-deploy localbuild, as we need to pass the DESTDIR to where the agent will be installed, and also whether we're building the agent with policy support enabled or not. Signed-off-by: Fabiano Fidêncio --- src/agent/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/agent/Makefile b/src/agent/Makefile index 699b71ce1..5b118beb9 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile 
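Review bot: The tag produced by get_agent_image_name() is keyed only on src/libs and src/agent, so a change to the builder's own inputs under tools/packaging/static-build/agent (the Dockerfile added later in this series, which installs the Rust toolchain) leaves the tag unchanged, and a successful `docker pull` of the previously published image will win over a rebuild. If get_last_modification accepts any directory, as its use here suggests, add the builder directory to the key, e.g. `agent_builder_dir="${repo_root_dir}/tools/packaging/static-build/agent"` and fold `$(get_last_modification ${agent_builder_dir})` into the echoed tag. `libs_dir` and `agent_dir` are also assigned without `local`; if the sibling get_tools_image_name() omits it too, both helpers share and overwrite the same globals, which `local libs_dir agent_dir` would avoid.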
@@ -34,7 +34,7 @@ ifeq ($(SECCOMP),yes) endif ##VAR AGENT_POLICY=yes|no define if agent enables the policy feature -AGENT_POLICY := no +AGENT_POLICY ?= no # Enable the policy feature of rust build ifeq ($(AGENT_POLICY),yes) @@ -62,7 +62,7 @@ endif TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET) ##VAR DESTDIR= is a directory prepended to each installed target file -DESTDIR := +DESTDIR ?= ##VAR BINDIR= is a directory for installing executable programs BINDIR := /usr/bin From 5208386ab18a3e7873b4ec9a9efa9c8aeaddc7b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:20:23 +0200 Subject: [PATCH 3/8] packaging: Build the kata-agent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the needed functions to start building the kata-agent, with or without the OPA support. For now this build is not used as part of the rootfs build, but later on this will (not as part of this series, though). Fixes: #8099 Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 6 +++ .../kata-deploy-binaries-in-docker.sh | 2 + .../local-build/kata-deploy-binaries.sh | 35 ++++++++++++++++++ tools/packaging/static-build/agent/Dockerfile | 21 +++++++++++ .../static-build/agent/build-static-agent.sh | 37 +++++++++++++++++++ tools/packaging/static-build/agent/build.sh | 31 ++++++++++++++++ 6 files changed, 132 insertions(+) create mode 100644 tools/packaging/static-build/agent/Dockerfile create mode 100755 tools/packaging/static-build/agent/build-static-agent.sh create mode 100755 tools/packaging/static-build/agent/build.sh diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 041cd5c80..db9218ac2 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
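Review bot: AGENT_POLICY is now taken from the environment but is only ever compared against the literal `yes` in the `ifeq ($(AGENT_POLICY),yes)` that follows, so any other value (`Yes`, `true`, an empty exported variable, a typo) silently yields a build without the policy feature — the less restrictive variant of a security-relevant option — with no diagnostic. Since the `##VAR` line documents `yes|no`, reject anything else at parse time, before the existing ifeq: `ifeq ($(filter yes no,$(AGENT_POLICY)),)` / `$(error AGENT_POLICY must be yes or no, got '$(AGENT_POLICY)')` / `endif`. The switch of DESTDIR to `?=` likewise means a DESTDIR already present in the caller's environment now redirects `make install`; that is the intent here, but a note on the `##VAR DESTDIR=` line that the environment value is honoured would make it explicit.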
@@ -52,6 +52,12 @@ serial-targets: %-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh $(call BUILD,$*) +agent-tarball: + ${MAKE} $@-build + +agent-opa-tarball: + ${MAKE} $@-build + agent-ctl-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 47cf2dd1d..64f505cd5 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -84,6 +84,7 @@ ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD:-}" TARGET_BRANCH="${TARGET_BRANCH:-}" BUILDER_REGISTRY="${BUILDER_REGISTRY:-}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" +AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}" INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}" KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}" OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}" @@ -106,6 +107,7 @@ docker run \ --env TARGET_BRANCH="${TARGET_BRANCH}" \ --env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \ --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \ + --env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \ --env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \ --env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \ --env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 0000ad710..fcbade011 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -22,6 +22,7 @@ readonly static_build_dir="${repo_root_dir}/tools/packaging/static-build" readonly version_file="${repo_root_dir}/VERSION" readonly versions_yaml="${repo_root_dir}/versions.yaml" +readonly agent_builder="${static_build_dir}/agent/build.sh" readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh" readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh" readonly initramfs_builder="${static_build_dir}/initramfs/build.sh" @@ -81,6 +82,8 @@ options: -s : Silent mode (produce output in case of failure only) --build= : all + agent + agent-opa agent-ctl cloud-hypervisor cloud-hypervisor-glibc @@ -625,6 +628,32 @@ install_ovmf_sev() { install_ovmf "sev" "edk2-sev.tar.gz" } +install_agent_helper() { + agent_policy="${1:-no}" + + latest_artefact="$(git log -1 --pretty=format:"%h" ${repo_root_dir}/src/agent)" + latest_builder_image="$(get_agent_image_name)" + + install_cached_tarball_component \ + "${build_target}" \ + "${latest_artefact}" \ + "${latest_builder_image}" \ + "${final_tarball_name}" \ + "${final_tarball_path}" \ + && return 0 + + info "build static agent" + DESTDIR="${destdir}" AGENT_POLICY=${agent_policy} "${agent_builder}" +} + +install_agent() { + install_agent_helper +} + +install_agent_opa() { + install_agent_helper "yes" +} + install_tools_helper() { tool=${1} @@ -720,6 +749,10 @@ handle_build() { install_virtiofsd ;; + agent) install_agent ;; + + agent-opa) install_agent_opa ;; + agent-ctl) install_agent_ctl ;; cloud-hypervisor) install_clh ;; @@ -827,6 +860,8 @@ main() { local build_targets local silent build_targets=( + agent + agent-opa agent-ctl cloud-hypervisor firecracker diff --git a/tools/packaging/static-build/agent/Dockerfile b/tools/packaging/static-build/agent/Dockerfile new file mode 100644 index 000000000..c72104cb5 --- /dev/null +++ b/tools/packaging/static-build/agent/Dockerfile 
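Review bot: The cache key in install_agent_helper, `latest_artefact="$(git log -1 --pretty=format:"%h" ${repo_root_dir}/src/agent)"`, only looks at src/agent, while the agent is built against src/libs as well (the builder tag from get_agent_image_name is keyed on both); a change confined to src/libs therefore leaves the key unchanged and, assuming install_cached_tarball_component compares it the way it does for the other components, a stale cached agent tarball is installed instead of a rebuild. Extending the pathspec, `latest_artefact="$(git log -1 --pretty=format:"%h" "${repo_root_dir}/src/agent" "${repo_root_dir}/src/libs")"`, lets either tree invalidate the cache. `agent_policy` is also assigned without `local` and the `AGENT_POLICY=${agent_policy}` prefix is unquoted; `local agent_policy="${1:-no}"` plus quoting keeps the helper self-contained.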
@@ -0,0 +1,21 @@ +# Copyright (c) 2023 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +FROM alpine:3.18 +ARG RUST_TOOLCHAIN + +SHELL ["/bin/ash", "-o", "pipefail", "-c"] +RUN apk --no-cache add \ + bash \ + curl \ + gcc \ + git \ + libcap-ng-static \ + libseccomp-static \ + make \ + musl-dev \ + openssl-dev \ + openssl-libs-static \ + protoc && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/tools/packaging/static-build/agent/build-static-agent.sh b/tools/packaging/static-build/agent/build-static-agent.sh new file mode 100755 index 000000000..1d7389c33 --- /dev/null +++ b/tools/packaging/static-build/agent/build-static-agent.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2023 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +source "${script_dir}/../../scripts/lib.sh" + +init_env() { + source "$HOME/.cargo/env" + + export LIBC=musl + export LIBSECCOMP_LINK_TYPE=static + export LIBSECCOMP_LIB_PATH=/usr/lib + + # This is needed to workaround + # https://github.com/sfackler/rust-openssl/issues/1624 + export OPENSSL_NO_VENDOR=Y +} + +build_agent_from_source() { + echo "build agent from source" + + init_env + + cd src/agent + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make + DESTDIR=${DESTDIR} AGENT_POLICY=${AGENT_POLICY} make install +} + +build_agent_from_source $@ diff --git a/tools/packaging/static-build/agent/build.sh b/tools/packaging/static-build/agent/build.sh new file mode 100755 index 000000000..d847092e4 --- /dev/null +++ b/tools/packaging/static-build/agent/build.sh 
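Review bot: The RUN line installs the toolchain with `curl ... https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}`, so while the toolchain version is pinned from versions.yaml, the installer script itself is fetched unpinned and executed as root at image build time, and `FROM alpine:3.18` is a floating tag; this image is what the agent and its policy-enforcing variant are compiled with, and its tag from get_agent_image_name() does not change when this Dockerfile does. If the other builder Dockerfiles under static-build already accept this trade-off, say so in a comment above the RUN line; otherwise fetch a pinned rustup-init release, verify its published checksum before running it, and pin the base image by digest. The `-o pipefail` in the SHELL line does at least make a failed download fail the build rather than silently producing an image without a toolchain.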
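Review bot: build_agent_from_source does `cd src/agent` relative to whatever directory the script is started in, so it silently depends on the caller's `-w "${repo_root_dir}"`; as lib.sh is sourced and `repo_root_dir` is what build.sh in this series relies on, `cd "${repo_root_dir}/src/agent"` removes that hidden dependency. The function takes no arguments, yet the last line passes `$@` unquoted; either drop the arguments or write `build_agent_from_source "$@"`. A one-line header stating that DESTDIR and AGENT_POLICY must be exported by the caller (with `set -o nounset` the two `make` lines abort otherwise) would help the next reader.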
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2023 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +readonly agent_builder="${script_dir}/build-static-agent.sh" + +source "${script_dir}/../../scripts/lib.sh" + +container_image="${AGENT_CONTAINER_BUILDER:-$(get_agent_image_name)}" +[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build" + +sudo docker pull ${container_image} || \ + (sudo docker $BUILDX build $PLATFORM \ + --build-arg RUST_TOOLCHAIN="$(get_from_kata_deps "languages.rust.meta.newest-version")" \ + -t "${container_image}" "${script_dir}" && \ + # No-op unless PUSH_TO_REGISTRY is exported as "yes" + push_to_registry "${container_image}") + +sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ + --env DESTDIR=${DESTDIR} \ + --env AGENT_POLICY=${AGENT_POLICY:-no} \ + -w "${repo_root_dir}" \ + "${container_image}" \ + bash -c "${agent_builder}" From 02acef9575b55cd69f101d80d081990a2c5f799d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:21:54 +0200 Subject: [PATCH 4/8] gha: Build the kata-agent as part of our workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The kata-agent binary won't be released, just built so it can be used, later on, as part of our tests and as part of the rootfs build. Signed-off-by: Fabiano Fidêncio --- .github/workflows/build-kata-static-tarball-amd64.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index dcfbfdc03..5df5e2772 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml 
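Review bot: Only `${repo_root_dir}` is bind-mounted into the builder, yet the agent is installed to `--env DESTDIR=${DESTDIR}` inside a `--rm` container; if the DESTDIR the caller hands in (kata-deploy-binaries.sh passes its `destdir`) is not under the repo checkout, the install lands in the container's filesystem and is discarded with no error. Either mount it alongside the repo, `-v "${DESTDIR}:${DESTDIR}"`, or fail early with `[[ "${DESTDIR}" == "${repo_root_dir}"/* ]] || { echo "DESTDIR must be inside ${repo_root_dir}" >&2; exit 1; }`. The `docker pull ${container_image}` and `--env DESTDIR=${DESTDIR}` expansions are unquoted, and `CROSS_BUILD` is read without a default under `nounset`, so the script presumably relies on lib.sh to define it — worth a comment if so.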
@@ -27,6 +27,8 @@ jobs: strategy: matrix: asset: + - agent + - agent-opa - agent-ctl - cloud-hypervisor - cloud-hypervisor-glibc @@ -59,6 +61,10 @@ jobs: stage: - ${{ inputs.stage }} exclude: + - asset: agent + stage: release + - asset: agent-opa + stage: release - asset: cloud-hypervisor-glibc stage: release steps: From 5ca66795c7f5d9cc933503fbac52211351bc5a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:24:10 +0200 Subject: [PATCH 5/8] packaging: Allow passing the TOOLS_CONTAINER_BUILDER MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This follows what we've been doing for all the components we're building, but was missed as part of #8077. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/kata-deploy-binaries-in-docker.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 64f505cd5..080aa1a12 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -114,6 +114,7 @@ docker run \ --env QEMU_CONTAINER_BUILDER="${QEMU_CONTAINER_BUILDER}" \ --env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER}" \ --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER}" \ + --env TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER}" \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER}" \ --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ --env USE_CACHE="${USE_CACHE}" \ From ca3b8883716aef524df61a018bbf5e1564ee22d5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:25:24 +0200 Subject: [PATCH 6/8] packaging: tools: Fix container image env var name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This should be TOOLS_CONTAINER_BUILDER instead of VIRTIOFSD_CONTAINER_BUILDER. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/kata-deploy-binaries-in-docker.sh | 1 + tools/packaging/static-build/tools/build.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 080aa1a12..19653720e 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -91,6 +91,7 @@ OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}" QEMU_CONTAINER_BUILDER="${QEMU_CONTAINER_BUILDER:-}" SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" +TOOLS_CONTAINER_BUILDER="${TOOLS_CONTAINER_BUILDER:-}" VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" USE_CACHE="${USE_CACHE:-}" diff --git a/tools/packaging/static-build/tools/build.sh b/tools/packaging/static-build/tools/build.sh index 11abe7bb2..a4dd958c4 100755 --- a/tools/packaging/static-build/tools/build.sh +++ b/tools/packaging/static-build/tools/build.sh @@ -15,7 +15,7 @@ source "${script_dir}/../../scripts/lib.sh" tool="${1}" -container_image="${VIRTIOFSD_CONTAINER_BUILDER:-$(get_tools_image_name)}" +container_image="${TOOLS_CONTAINER_BUILDER:-$(get_tools_image_name)}" [ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build" sudo docker pull ${container_image} || \ From 18fa483d907d59e5dec98d837fca64fa27f6bc26 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 14:27:56 +0200 Subject: [PATCH 7/8] packaging: release: Mention newly added images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We've added two new containerd builder images recently, one for the components under `src/tools` and another one for the Kata Containers agent. Signed-off-by: Fabiano Fidêncio --- tools/packaging/release/release-notes.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/packaging/release/release-notes.sh b/tools/packaging/release/release-notes.sh index 254aa255b..734028dc0 100755 --- a/tools/packaging/release/release-notes.sh +++ b/tools/packaging/release/release-notes.sh @@ -140,18 +140,22 @@ The majority of the components of the project were built using containers. In o build reproducibility we publish those container images, and when those are used combined with the version of the projects listed as part of the "versions.yaml" file, users can get as close to the environment we used to build the release artefacts. +* agent (on all its different flavours): $(get_agent_image_name) * Kernel (on all its different flavours): $(get_kernel_image_name) * OVMF (on all its different flavours): $(get_ovmf_image_name) * QEMU (on all its different flavurs): $(get_qemu_image_name) * shim-v2: $(get_shim_v2_image_name) +* tools: $(get_tools_image_name) * virtiofsd: $(get_virtiofsd_image_name) The users who want to rebuild the tarballs using exactly the same images can simply use the following environment variables: +* \`AGENT_CONTAINER_BUILDER\` * \`KERNEL_CONTAINER_BUILDER\` * \`OVMF_CONTAINER_BUILDER\` * \`QEMU_CONTAINER_BUILDER\` * \`SHIM_V2_CONTAINER_BUILDER\` +* \`TOOLS_CONTAINER_BUILDER\` * \`VIRTIOFSD_CONTAINER_BUILDER\` ## Kata Linux Containers Kernel From 560bbffb57702c60bc441f5decb10d0db0b270d4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 3 Oct 2023 15:31:53 +0200 Subject: [PATCH 8/8] packaging: tools: Remove `set -x` leftover MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was used for debugging, and ended up being merged with that. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/tools/build-static-tools.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/packaging/static-build/tools/build-static-tools.sh b/tools/packaging/static-build/tools/build-static-tools.sh index 15e9f740a..2004fcf90 100755 --- a/tools/packaging/static-build/tools/build-static-tools.sh +++ b/tools/packaging/static-build/tools/build-static-tools.sh @@ -23,7 +23,6 @@ init_env() { } build_tool_from_source() { - set -x tool=${1} echo "build ${tool} from source"