Umoci is no longer required if we have the attestation-agent, so don't
override the user input
Fixes: #5237
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
To use depmod in the rootfs builder, the docker environment will require kmod.
Fixes: kata-containers#5125
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Using depmod when adding kernel modules to get dependencies.
Needed for the efi secret module for sev.
Fixes: #5125
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Adds default config file.
Adds case in rootfs.sh to copy config.
Fixes kata-containers#5023
Fixes: #5023
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
Guest log is showing a hang on systemd getty start.
Adding symlink for /dev/ttyS0 resolves issue.
Fixes: #4932
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
Initialize the trusted storage when the device is defined
as "/dev/trusted_store" with shell script as first step.
Fixes: #4882
Signed-off-by: Wang, Arron <arron.wang@intel.com>
It would be nice to use `versions.yaml` for the maintainability.
Previously, we have specified the `libseccomp` and the `gperf` version
directly in this script without using the `versions.yaml` because the current
snap workflow is incomplete and fails.
This is because the snap CI environment does not have the kata-containers repository
under ${GOPATH}. To avoid the failure, the `rootfs.sh` extracts the libseccomp
version and url in advance and passes them to the `install_libseccomp.sh` as
environment variables.
Fixes: #4941
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
Add required kernel config for dm-crypt/dm-integrity/dm-verity
and related crypto config.
Add userspace command line tools for disk encryption support
and ext4 file system utilities.
Fixes: #4761
Signed-off-by: Arron Wang <arron.wang@intel.com>
For the CoCo stack, the pause image is managed by the host side,
so it may configure a malicious pause image; we need to package
a pause image inside the rootfs and not use the pause image from the host.
Fixes: #4768
Signed-off-by: Wang, Arron <arron.wang@intel.com>
Since we are introducing an agent API for interacting with guest
iptables, let's ensure that our example rootfs' have iptables-save/restore
installed.
Fixes: #4356
Signed-off-by: Eric Ernst <eric_ernst@apple.com>
This PR removes the clear containers reference as this is no longer
being used and is deprecated at the rootfs builder README.
Fixes: #4278
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
In at least kata versions 2.3.3 and 2.4.0 it was noticed that the guest
operating system's clock would drift out of sync slowly over time
whilst the pod was running.
This had previously been raised and fixed in the old repository via [1].
In essence kvm_ptp and chrony were paired together in order to
keep the system clock up to date with the host.
In the recent versions of kata mentioned above,
the chronyd.service fails upon boot with status `266/NAMESPACE`
which seems to be due to the fact that the `/var/lib/chrony`
directory no longer exists.
This change sets the `/var/lib/chrony` directory for the `ReadWritePaths`
to be ignored when the directory does not exist, as per [2].
[1] https://github.com/kata-containers/runtime/issues/1279
[2] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
Fixes: #4167
Signed-off-by: Champ-Goblem <cameron_mcdermott@yahoo.co.uk>
Use `multistrap` for building Ubuntu rootfs. Adds support for building
for foreign architectures using the `ARCH` environment variable
(including umoci).
In the process, the Ubuntu rootfs workflow is vastly simplified.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
- Add a doc comment
- Pass to build container, e.g. to build x86_64 with glibc (would
always use musl)
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Remove a lot of cruft of musl installations -- we needed those for the
Go agent, but Rustup just takes care of everything. aarch64 on
Debian-based & Alpine is an exception -- create a symlink
`aarch64-linux-musl-gcc` to `musl-tools`'s `musl-gcc` or `gcc` on
Alpine. This is unified -- arch-specific Dockerfiles are removed.
Furthermore, we should keep it in Ubuntu for supporting the offline SEV
KBC. We also keep it in Clear Linux, as that runs our internal checks,
but it is e.g. not shipped in CentOS Stream 9.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Hadolint DL3019. If you're wondering why this is in this PR, that's
because I touch the file later, and we're only triggering the lints for
changed files.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Use `multistrap` for building Ubuntu rootfs. Adds support for building
for foreign architectures using the `ARCH` environment variable.
In the process, the Ubuntu rootfs workflow is vastly simplified.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Remove a lot of cruft of musl installations -- we needed those for the
Go agent, but Rustup just takes care of everything. aarch64 on
Debian-based & Alpine is an exception -- create a symlink
`aarch64-linux-musl-gcc` to `musl-tools`'s `musl-gcc` or `gcc` on
Alpine. This is unified -- arch-specific Dockerfiles are removed.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
to cover a Red Hat (adjacent) rootfs with great cross-platform compatibility
and a workable release cadence. The previous CentOS & Fedora workflows are
simplified.
Also remove unnecessary `/usr/share` files as on Ubuntu and mark Alpine
as unsupported on ppc64le (due to musl, for a while already).
Fixes: #3340
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
We install Rust in the build containers, but we also install Rust in
`rootfs.sh` if it is missing. It makes sense to install Rust in the build
containers so it does not have to be installed every time, but for that check
to work on non-login shells, we should source `.cargo/env` before running it.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Relative links within this repository allow for easier navigation to
the corresponding file / directory in the current commit / for the
selected version.
Link text was slightly changed / fixed in
- docs/Unit-Test-Advice.md
- docs/how-to/how-to-run-docker-with-kata.md
Fixes: #3045
Signed-off-by: Daniel Höxtermann <daniel@hxtm.dev>
Remove the libseccomp package from Dockerfile of `alpine` and `clearlinux`
because the libseccomp library is installed by the `ci/install_libseccomp.sh`
script when building the kata-agent.
Fixes: #3508
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
As the gentoo rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain this rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2144
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the suse rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain this rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2145
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the fedora rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain the rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2143
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As the centos rootfs is not tested in our CI, we can't guarantee it
actually works as expected.
Whenever we have someone willing to maintain the rootfs we can have it
added back, and also add a CI job to test it altogether, avoiding then
any possible regression.
Fixes: #2140
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>