Today I learned, I must say.
When running a basic script, such as:
```bash
#/usr/bin/env bash
set -o errexit
set -o pipefail
set -o errtrace
cat junk && echo "hello"
echo "didn't fail"
cat junk
echo "hello"
echo "didn't fail"
```
One will get as a result:
```bash
cat: junk: No such file or directory
didn't fail
cat: junk: No such file or directory
```
Meaning that although there was an error on `cat junk && echo "hello"`,
and the `echo "hello"` part was not executed, an error was not reported
for that failure.
On the second part, though, it just breaks and returns an error as
expected.
Small scripts aside, this is exactly what was happening with the
attestation-agent, where a `make ... && make install ...` was being
called, make was failing but not actually breaking the script.
Let's change the logic and avoid such situations in the future, as it
caused our CI to be broken for quite some time without a simple way to
detect that line in the huge amount of logs left behind.
Here goes a reference to the documentation:
```
-e Exit immediately if a pipeline (which may consist
of a single simple command), a list, or a compound
command (see SHELL GRAMMAR above), exits with a
non-zero status. The shell does not exit if the
command that fails is part of the command list
immediately following a while or until keyword,
part of the test following the if or elif reserved
words, part of any command executed in a && or ||
list except the command following the final && or
||, any command in a pipeline but the last, or if
the command's return value is being inverted with
!. If a compound command other than a subshell
returns a non-zero status because a command failed
while -e was being ignored, the shell does not
exit. A trap on ERR, if set, is executed before
the shell exits. This option applies to the shell
environment and each subshell environment
separately (see COMMAND EXECUTION ENVIRONMENT
above), and may cause subshells to exit before
executing all the commands in the subshell.
If a compound command or shell function executes
in a context where -e is being ignored, none of
the commands executed within the compound command
or function body will be affected by the -e
setting, even if -e is set and a command returns a
failure status. If a compound command or shell
function sets -e while executing in a context
where -e is ignored, that setting will not have
any effect until the compound command or the
command containing the function call completes.
```
This comes from https://www.man7.org/linux/man-pages/man1/bash.1.htmlFixes: #7793
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
docker install now creates a group with gid 999 which happens to match what we
need to get docker-in-docker to work. Remove the group first as we don't need
it.
Fixes: #7726
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
(cherry picked from commit 3b881fbc0e)
The directory is a host path mount and cannot be removed from within the
container. What we actually want to remove is whatever is inside that
directory.
This may raise errors like:
```
rm: cannot remove '/opt/kata/': Device or resource busy
```
Fixes: #7746
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We can simply use `rm -f` all over the place and avoid the container
returning any error.
Fixes: #7733
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit 5cba38c175)
The default `kata` runtime class would get created with the `kata`
handler instead of `kata-$KATA_HYPERVISOR`. This made Kata use the wrong
hypervisor and broke CI.
Fixes: #7681
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Without this library the builds are failing with the following error:
```
...
error: failed to run custom build command for `devicemapper-sys v0.1.5`
Caused by: process didn't exit successfully:
`/kata-containers/src/agent/target/release/build/devicemapper-sys-d8eae524a127e049/build-script-build`
(exit status: 101) --- stderr thread 'main' panicked at 'Unable to
find libclang: "couldn't find any valid shared libraries matching:
['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'],
set the `LIBCLANG_PATH` environment variable to a path where one of
these files can be found (invalid: [])"',
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/bindgen-0.63.0/./lib.rs:2338:31
```
Fixes: #7580
Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Add k0s support to kata-deploy, in the very same way kata-containers
already supports k3s, and rke2.
k0s support requires v1.27.1, which is noted as part of the kata-deploy
documentation, as it's the way to use dynamic configuration on
containerd CRI runtimes.
This support will only be part of the `main` branch, as it's not a bug
fix that can be backported to the `stable-3.2` branch, and this is also
noted as part of the documentation.
Fixes: #7548
Signed-off-by: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
It's CCv0 specific for now, and it's needed as the Operator is now
delegating the runtimeclass creation to the kata-deploy daemonset.
Fixes: #7550
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
It's CCv0 specific for now, and it's needed as the Operator is now
delegating the runtimeclass creation to the kata-deploy daemonset.
Fixes: #7550
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
It's CCv0 specific for now, and it's needed as the Operator is now
delegating the runtimeclass creation to the kata-deploy daemonset.
Fixes: #7550
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
when interacting with systemd. We have occasionally faced issues with
compatibility between the systemctl version used inside the kata-deploy
container and the systemd version on the host. Instead of using a containerized
systemctl with bind mounted sockets, nsenter the host and run systemctl from
there. This provides less coupling between the kata-deploy container and the
host.
Fixes: #7511
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Depends on mutiarch feature of ubuntu, we can set up cross build
environment easily and achive as good build performance as native
build.
Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
It's too long a time to cross build agent based on docker buildx, thus
we cross build rootfs based on a container with cross compile toolchain
of gcc and rust with musl libc. Then we get fast build just like native
build.
rootfs initrd cross build is disabled as no cross compile tolchain for
rust with musl lib if found for alpine and based on docker buildx takes
too long a time.
Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Based on messense/rust-musl-cross which offer cross build musl lib
environment to cross compile virtiofsd.
Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
shim-v2 has go and rust code. For rust code, we use messense/rust-musl-cross
to build for speed up as it doesn't depends on qemu emulation. Build go
code based on docker buildx as it doesn't support cross build now.
Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
kata-deploy-binaries-in-docker.sh is the entry to build kata components.
set some environment to facilitate the following cross build work.
Fixes: #6557
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
We leverage three env, TARGET_ARCH means the buid target tuple;
ARCH nearly the same meaning with TARGET_ARCH but has been widely
used in kata; CROSS_BUILD means if you want to do cross compile.
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
diferent -> different
And also let's make sure we escape the backticks around the kata-deploy
environment variables, otherwise bash will try to interpret those.
Fixes: #7497
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We were doing "if - else if - else", while bash expects "if - elif -
else", and that should never have happened in the first place, but it
happend as part of b8b73939eaFixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will help folks to debug / understand what's been passed to the
kata-deploy.sh script.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's allow the daemonset to create the runtimeclasses, which will
decrease one manual step a user of kata-deploy should take, and also
help us in the Confidential Containers land as the Operator can just
delegate it to this script.
Fixes: #7409
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This can be easily done as there was no official release with the
previous values.
The reason we're doing so is because when using `yq` to replace the
value, even when forcing `--tag '!!str' "yes"`, the content is placed
without quotes, causing errors in our CI.
While here, we're also removing the fallback value for DEBUG, as it is
**always** set in the kata-deploy.yaml file.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will make things simpler to only create the handlers defined by the
kata-deploy user.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will become handy in the near future, as we want to have separate
enrties for each file, while still keeping this one.
Having the entries sorted will make our lives easier to test those are
always in sync.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
On main we will not have this problem as we can easily configure which
shims will be installed according to an environment variable passed to
the kata-deploy.yaml file.
However, on CCV0, at least for now, we better keep the list of shims
separated by architecture, as we've found out that s390x CoCo Operator
CI is breaking because we try to install a shim that's not even built
for that architecture (dragonball).
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is another piece that got dropped as part of
6f552b010c and is causing regressions on
the operator tests.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need the executable bit set because it is preserved into the
runtime-payload-ci image.
Fixes: #7460
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
This is to change a prefix from `confidential-containers` to `kata` for IBM SE image build.
Fixes: #7444
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Now that the shim-v2 for CCv0 has been rebuilt with the correct path,
let's re-enable the cache.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's re-enabled caching for the following components, as those were
rebuilt with the new prefix:
* cc-rootfs-image
* cc-rootfs-initrd
* cc-tdx-rootfs-image
* cc-tdx-td-shim
* cc-sev-rootfs-initrd
"cc-se-image" was part of the list, but we never had a target for it.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We should not return, in case cache is not used, before actually
downloading the root_hash_*.txt provided by the other components,
otherwise the job used to do the caching will always fail.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kata-deploy-binaries.sh uses the last commit in
tools/packaging/static-build/kernel for its version check, while the cache
generation uses tools/packaging/kernel. Use tools/packaging/static-build/kernel
as $kata_config_version is already part of the version string and covers any
changes to tools/packaging/kernel.
Fixes: #7403
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
