In order to ensure that the proxy configuration is passed to the 2nd
layer container, let's ensure the $HOME/.docker/config.json file is
exposed inside the 1st layer container.
For some reason which I still don't fully understand exporting
https_proxy / http_proxy / no_proxy was not enough to get those
variables exported to the 2nd layer container.
In this commit we're creating a "$HOME/.docker" directory, and removing
it after the build, in case it doesn't exist yet. The reason we do this
is to avoid docker not running in case "$HOME/.docker" doesn't exist.
This was not tested with podman, but if there's an issue with podman,
the issue was already there beforehand and should be treated as a
different problem than the one addressed in this commit.
Fixes: #5077
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Shell expands `*"rc"*` to the top-level `src` directory. This results
in comparing a version with a directory name. This doesn't make sense
and causes the script to choose the wrong branch of the `if`.
The intent of the check is actually to detect `rc` in the version.
Fixes: #5283
Signed-off-by: Greg Kurz <groug@kaod.org>
Umoci is not longer required if we have the attestation-agent, so don't
override the user input
Fixes: #5237
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
To avoid the random failures when we are building the rootfs as it seems
that it does not find the value for the libseccomp and gperf directory,
this PR export these variables.
Fixes#5232
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
As 3.0.0-rc0 has been released, let's switch the kata-deploy / kata-cleanup
tags back to "latest", and re-add the kata-deploy-stable and the
kata-cleanup-stable files.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Developer-Guide.md is updated to work using current golang versions.
Related Readmes are also updated.
Signed-off-by: Joana Pecholt <joana.pecholt@aisec.fraunhofer.de>
To use depmod in the rootfs builder, the docker environment will require kmod.
Fixes: kata-containers#5125
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Using depmod when adding kernel modules to get dependencies.
Needed for the efi secret module for sev.
Fixes: #5125
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
kata-deploy files must be adapted to a new release. The cases where it
happens are when the release goes from -> to:
* main -> stable:
* kata-deploy-stable / kata-cleanup-stable: are removed
* stable -> stable:
* kata-deploy / kata-cleanup: bump the release to the new one.
There are no changes when doing an alpha release, as the files on the
"main" branch always point to the "latest" and "stable" tags.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Adds default config file.
Adds case in rootfs.sh to copy config.
Fixes kata-containers#5023
Fixes: #5023
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
The sev initrd target had been changed to "cc-sev-rootfs-initrd".
This was good discussion as part of #5120.
I failed to rename it from "cc-sev-initrd-image" in kata-deploy-binaries.
The script will fail for a bad build target.
Fixes: #5166
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Adds the efi_secret kernel module to the sev initrd.
Adds a rootfs flag for kernel module based on the AA_KBC.
Finding the kernel module in the local build based on kernel version and kernel config version.
Moved kernel config version checking function from kernel builder to lib script.
Fixes: #5118
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Adds a make target, and a function in the kata-deploy-binaries script.
In the spirit of avoiding code duplication, making the cc-initrd function more generic.
Fixes: #5118
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Adds a new make target for an sev kernel which can be built and put into payload bundles for the operator.
Currently not including this sev kernel target in the cc payload bundle.
Unfortunately having to breakflow from using the generic cc_tee_kernel functions in either the kata-deploy-binaries or build-kernel.
Largely based on using an upstreamed kernel release, meaning the url is the defaul cdn, and e.g. we use version rather than tag.
The upside of this is that we can use the sha sum checking functionality from the generic get_kernel function.
CC label in title removed for commit message check.
Fixes: #5037
Signed-off-by: Alex Carter <Alex.Carter@ibm.com>
Currently leaving the cc-sev-ovmf-tarball target out of the cc payload.
I was not sure where discussion had landed on the number of payload bundles.
e.g. could be included in a cc bundle along with tdx support or create an SEV bundle.
Fixes: kata-containers#5025
Fixes: #5025
Signed-off-by: Alex Carter <Alex.Carter@ibm.com>
After adding an SEV QEMU config file (#4850), need to configure containerd to select this when appropriate based on a new runtimeclass.
Adds to the configuration of containerd so the correct config is selected.
Fixes: #4851
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Let's remove the whole content from:
* /opt/confidential-containers/libexec
* /opt/confidential-containers/share
And then manually remove the binaries under bin directory` as the
pre-install hook will drop binaries there.
Finally, let's call a `rmdir -p /opt/confidential-containers/bin` which
should take care of the cleanup in case no pre-install hook is used, and
let's make sure we pass `--ignore-fail-on-non-empty` so we don't fail
when using a pre-install hook.
Fixes: #5128
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
For Confidential Containers the file is present at
`/opt/confidential-containers` instead of `/opt/kata`.
Fixes: #5119
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Every now and then we've been hitting issues with parallel builds. in
order to not rely on lucky for the first release, let's do a serial
build of the payload image.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The `image` target is only used by and only present in the `CCv0`
branch, and it's name is misleading. :-)
Let's rename it (and the scripts used by it) to mention payload rather
than image, and to actually build the cc related tarballs instead of the
"vanilla" Kata Containers tarballs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's adjust the `kata-deploy-build-and-upload-image.sh` to build the
image following the `kata-containers-${commit}` tag pattern, and to push
it to the quay.io/confidential-containers/runtime-payload repo.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's try to remove the /opt/confidential-containers directory. If it's
not empty, let's not bother force removing it, as the pre-install script
also drops files to the very same directory.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're currently backing up and restoring all the possible shim files,
but the default one ("containerd-shim-kata-v2").
Let's ensure this is also backed up and restored.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of passing a `KATA_CONF_FILE` environament variable, let's rely
on the configured (in the container engine) config path, as both
containerd and CRI-O support it, and we're using this for both of them.
This is a "backport" of f7ccf92dc8, from
the original `kata-deploy.sh` to the one used for Confidential
Containers.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As containerd is the only supported container engine, let's simplify the
script and, at the same time, make it clear that other container engines
are not supported yet.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
