Removed all errors/warnings pointed out by hadolint version 2.7.0, except for the following
ignored rules:
- "DL3008 warning: Pin versions in apt get install"
- "DL3041 warning: Specify version with `dnf install -y <package>-<version>`"
- "DL3033 warning: Specify version with `yum install -y <package>-<version>`"
- "DL3048 style: Invalid label key"
- "DL3003 warning: Use WORKDIR to switch to a directory"
- "DL3018 warning: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>"
- "DL3037 warning: Specify version with zypper install -y <package>[=]<version>"
Fixes#3107
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
It seems the lack of protoc in the alpine containers is causing issues
with some of our CIs, such as the VFIO one.
Fixes: #3323
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Currently the versions.txt in rootfs-builder dir is already removed,
so avoid to copy it in list of helper files.
Fixes: #3267
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
Now if no options/arguments specified, the shell scripts will return an error:
ERROR: Invalid rootfs directory: ''
This commit will show usage if no options/arguments specified.
Fixes: #3256
Signed-off-by: bin <bin@hyper.sh>
Use the same runtime used for podman run also for the podman build cmd
Additionally remove "docker" from the docker_run_args variable
Fixes: #3239
Signed-off-by: Snir Sheriber <ssheribe@redhat.com>
- Upgrade Alpine guest rootfs to 3.15
- Specify a minor version rather than patch level as the Alpine
repositories use that.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
#2399 partially reverted #418, missing on returning to bootstrapping a
rootfs with `apk.static` instead of copying the entire root, which can
result in drastically larger (more than 10x) images. Revert this as well
(requires some updates to URL building).
Fixes: #3216
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The help information of '-f' option is missing, and same issue
with 'BLOCK_SIZE' env variables, fix it in usage() function.
Fixes: #3231
Signed-off-by: zhanghj <zhanghj.lc@inspur.com>
With the new rust image pull service skopeo we can parameterise whether to build
and install skopeo and turn it off by default if we don't need
signature verification support
Fixes: #3170
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Integrate EAA KBC into ubuntu rootfs image.
Fix build failure if build with AA_KBC=eaa_kbc option.
Fixes: #3167
Signed-off-by: zhouliang121 <liang.a.zhou@linux.alibaba.com>
Currently we do not have debian as part of the kata CI as we
do not have a mantainer, this PR removes debian as a supported
rootfs in order to have only the distros that we are supporting
and mantainining.
Fixes#3153
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
So that the debug console is more useful. In the meantime, remove
iptables as it is not used by kata-agent any more.
Fixes: #3138
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
kernel compiled in fedora 35 (latest) is not working, following error
is reported:
```
qemu-system-x86_64: Error loading uncompressed kernel without PVH ELF
Note
```
Build QAT kernel in fedora 34 container to fix it
fixes#3135
Signed-off-by: Julio Montes <julio.montes@intel.com>
- Document how to test the signature validation with
a number of different scenarios and test images
- Update ccv0.sh to add policy_path to kernel_params
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
- Add hardcoded gpg, signature and polict files
- Modify rootfs.sh to put these in the correct place in the kata image
if skopeo and umoci are being used
Fixes: #2682
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
When the environment variable $SKOPEO_UMOCI is set to "yes", Skopeo and
umoci are built inside the guest build container and installed to the
guest rootfs. The respective build- and runtime dependencies are added.
This respects the (existing) $LIBC variable (gnu/musl) and avoids issues
with glibc mismatches.
This is currently only supported for Ubuntu guests, as the system Golang
packages included in the versions of other distros that we use are too
old to build these packages, and re-enabling installing Golang from
golang.org is cumbersome, given especially that it is unclear how long
we will keep using Skopeo and umoci.
Additionally, when the environment variable $AA_KBC is set,
attestation-agent (with that KBC) is included.
This replaces some logic in ccv0.sh that is removed.
Fixes: #2907
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
- Revert fedora OS changes made in #2556 as we aren't using it anymore.
- They should be done in main under #2116Fixes#2849
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit adds the PullImge endpoint to the agent
and the agent-ctl command to test it.
Fixes: #2509
Signed-off-by: Georgina Kinge <georgina.kinge@ibm.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Currently the image-builder image is built from `fedora:latest` and
this is error-prone as any update of the base image can lead to
breakage. Instead let's create the image from Fedora 34, which is the
last known version to build fine.
Fixes#2960
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The osbuilder needs to set up libseccomp library to build the kata-agent
because the kata-agent supports seccomp currently.
The library is built from the sources to create a static library for musl libc.
In addition, environment variables for the libseccomp crate are set to
link the library statically.
Fixes: #1476
Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
This is to bump the OOT QAT 1.7 driver version to the
latest version. I dida test on my QAT enabled system and
everything functioned as expected.
Fixes: #2877
Signed-off-by: Eric Adams <eric.adams@intel.com>
When building with dracut method the build_rootfs_distro() is not called, in turn
detect_rust_version() isn't either, so the install_rust.sh script is gave a null
rust version. This changed the script to call detect_rust_version() right before
install_rust.sh.
Related to commit: f34f67d610Fixes#2862
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
and update the script in `ci/` accordingly.
When only parts of the Kata Containers repositories are checked out
(e.g. when building with Snap) and no Rust version is provided in
calling `install_rust.sh`, the scripts will attempt to clone the
appropriate repos to read the version, which will fail because the
directories already exist. Since we have read the version already, we
can just specify it.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The agent build inside a Docker or Podman container has been re-enabled,
but we have since introduced the `$CI` environment variable. Pass it to
avoid checking out the tests repo to main when there is a dependency.
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
or Podman. This is a partial revert of
76c18aa345. The rationale behind that
commit was the fact that the agent could not be built on Alpine, and
then this capability was removed altogether. The issue in Alpine has
since been resolved (see
https://github.com/kata-containers/osbuilder/issues/386). At the same
time, this ensures being able to run a glibc agent on hosts with distros
more recent than the osbuilder distro used (i.e. as of now, when you
build the agent on the host, and its glibc is newer than the one used in
the guest, the agent may encounter unresolved symbols).
Fixes#2398
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
The centos ppc64le gpg key at mirror.centos.org doesn't exist (link rot?).
Replacing it with url from CentOS/sig-core-AltArch on github.
Fixes: #2676
Signed-off-by: Aaron Simmons <paleozogt@gmail.com>
zsh doesn't support "==" as equal comparison operator, so
replace "==" with "=" to make the script more portable
Fixes: #2584
Signed-off-by: Binbin Zhang <binbin36520@gmail.com>
This patch fixes inconsistent calculations of the rootfs size.
For `du` and `df`, `-B 1MB` is different from `-BM`. The
former is the power of 1000, and the latter is the power of
1024. So comparing them doesn't make sense. The bug may result
in a larger image than needed.
Fixes: #2560
Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>
There is no need to keep multiple copies of the license file in
different directory. We can just use the top level one for the project.
Fixes: #2553
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
The script runs apt sync at some point which scans all possible fds
in order to close them. The operation is incredibly slow on VMs
and may lead to build timeouts.
Fix it by limiting the container runtime fds to a sane limit.
Fixes: #2510
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Once the ${ROOTFS_DIR} is created, the tool can't run the second
time since the directory is populated and the debootstrap tool
will fail.
Fix by deleting the contents of ${ROOTFS_DIR} if the directory exists.
Note that running make clean will also allow the re-run, it
is only an optimization for some cases the build fails in the middle.
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Let the DISTRO variable to be set from outside,
allowing "sudo -E DISTRO=<ANY> make clean" to delete the correct files.
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Alpine used to work as guest under 1.x, but because there is no musl
target for Rust on s390x, Alpine will not work for 2.x. Document this.
Fixes: #2436
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
- no need to create `/usr/lib/systemd/systemd` link any more
- install `chrony` as extra package and install extra packages in chroot
rather than `debootstrap`, because `chrony` provides `time-daemon`,
which under 20.04 is provided by `systemd-timesyncd`, which is
required by `systemd`, and `debootstrap`'s conflict resolvement can't
handle this, but `apt`'s can.
Fixes: #2147
Depends-on: github.com/kata-containers/tests#3636
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
With Kata 1.x EOL, the Go agent is no more. So, remove support for it from
the osbuilder scripts. This removes the RUST_AGENT variable, treating it
as always true.
fixes#2396
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
When the guest is built using dracut and the agent uses glibc (esp.
ppc64le/s390x), libraries might be missing. In my case, it was
`libutil.so`, but more can be added easily. Add a script to configure
`install_items` for dracut w.r.t. `ldd` of the agent.
Fixes: #2384
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
With lines like
0a2e2c6038/tools/osbuilder/rootfs-builder/fedora/config.sh (L8)
we imply that one can set another OS_VERSION and it will get picked up.
This is not the case when building inside Docker/Podman because the
variable is not passed to the container, which can lead to confusion.
Forward this env.
Fixes: #2378
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
Removed all TOCs now that GitHub auto-generates them.
Also updated the documentation requirements doc removing the requirement
to add a TOC.
Fixes: #2022.
Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
