guest-components: Bump guest-components dependency
The build flags used to build attestation-agent have changed: cc_kbc is
now always enabled as part of the `coco-as` and `kbs` features, and a
new `ATTESTER` Makefile flag has been introduced to pick the attesters
that should be included in the attestation-agent build. By default all
attesters are built, which does not build out of the box, since
dependencies (e.g. SGX libraries) are missing.

For peerpods only a limited set of attesters actually make sense and
usually you'd want to define it at build time for a given TEE
architecture (e.g. azure vtpm or ibm se attester modules), so we default
to `ATTESTER=sample` in most cases.

The `AA_KBC` param is now only used for templating the `aa-kbc-params`
value in the podvm's static kata-agent config.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
mkulke committed Jun 14, 2024
1 parent 6a94652 commit 1edea24
Showing 15 changed files with 39 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/azure-podvm-image-build.yml
Expand Up @@ -108,7 +108,7 @@ jobs:

- name: Build binaries
run: make binaries \
AA_KBC="cc_kbc_az_snp_vtpm,cc_kbc_az_tdx_vtpm" \
ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester" \
LIBC=gnu

- uses: azure/login@v1
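Review bot: The attester names on the new `ATTESTER=` line use underscores (`az_snp_vtpm_attester,az_tdx_vtpm_attester`), while azure/build-image.md in this same commit exports the hyphenated form `az-snp-vtpm-attester,az-tdx-vtpm-attester`; both cannot be right, since the value ends up as a feature list for the attestation-agent build. As far as I know the upstream Cargo feature names are hyphenated, so this workflow line is the one most likely to fail with an unknown-feature error — confirm against the pinned guest-components Makefile and align the two spellings. Quoting the whole value as the old line did is fine, as the list contains no spaces.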
2 changes: 1 addition & 1 deletion .github/workflows/podvm_binaries.yaml
Expand Up @@ -71,7 +71,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
run: AA_KBC=cc_kbc make podvm-binaries
run: make podvm-binaries
env:
PUSH: true
REGISTRY: ${{ inputs.registry }}
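Review bot: Dropping the `AA_KBC=cc_kbc` prefix leaves the published podvm binaries built with whatever `ATTESTER` resolves to inside the container, which this diff sets to `none` in every Makefile while the commit description says peerpods default to `ATTESTER=sample`; one of the two should be corrected. Since these artefacts are what the e2e key-release tests consume, I would state the intended attester set explicitly in the step, e.g. `ATTESTER: sample` (or `none`) under `env:`, so the published image's attestation capability is visible in the workflow rather than inherited from a Makefile default.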
3 changes: 2 additions & 1 deletion src/cloud-api-adaptor/Makefile
Expand Up @@ -18,6 +18,7 @@ BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data
SOURCEDIRS := ./cmd ./pkg
PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS)))
SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print)
ATTESTER ?= none
# End-to-end tests overall run timeout.
TEST_E2E_TIMEOUT ?= 60m

Expand Down Expand Up @@ -193,7 +194,7 @@ podvm-binaries:
--build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \
--build-arg PODVM_DISTRO=$(PODVM_DISTRO) \
--build-arg ARCH=$(ARCH) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
$(DOCKER_OPTS) .
rm -rf .git
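Review bot: `ATTESTER ?= none` is added two lines above `TEST_E2E_TIMEOUT`, which carries a comment, but without one; a reader cannot tell that the value is a feature list or what `none` opts out of, so I would add `# Attester feature list passed to the attestation-agent build; "none" opts out of the upstream all-attesters default (see podvm/Makefile.inc)` above it. Separately, the `--build-arg AA_KBC=$(AA_KBC)` line is removed here and in docker/image/Makefile and podvm-mkosi/Makefile, and the three Dockerfile.podvm_binaries* files drop `ARG AA_KBC`, yet the description says `AA_KBC` still templates `aa-kbc-params` in the kata-agent config; if that templating runs inside the container build, a `make podvm-binaries AA_KBC=...` override no longer reaches it and only the Makefile.inc default applies. Either keep the build-arg or document that `AA_KBC` is now honoured only on the non-container build path. The `podvm-binaries` recipe starts outside the hunk.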
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/azure/build-image.md
Expand Up @@ -110,7 +110,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1"
export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy
export PKR_VAR_sku=22_04-lts-cvm

export AA_KBC="cc_kbc_az_snp_vtpm"
export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester"
export LIBC=gnu
export CLOUD_PROVIDER=azure
PODVM_DISTRO=ubuntu make image
4 changes: 2 additions & 2 deletions src/cloud-api-adaptor/docker/image/Makefile
@@ -1,8 +1,8 @@
AA_KBC ?= offline_fs_kbc
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = ubuntu-binaries-builder-$(ARCH)
PODVM_IMG ?= quay.io/confidential-containers/podvm-docker-image
AGENT_POLICY = no
ATTESTER ?= none

.DEFAULT_GOAL := all
.PHONY: all
Expand Down Expand Up @@ -35,7 +35,7 @@ binaries:
cp -rf ../../../../.git ../../../.git
docker buildx build \
--build-arg BUILDER_IMG=$(BUILDER) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-o type=local,dest="./resources/binaries-tree" \
-f ../../podvm/Dockerfile.podvm_binaries ../../../
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/libvirt/kcli_cluster.sh
Expand Up @@ -64,7 +64,7 @@ create () {
fi
echo "Download $CLUSTER_IMAGE ${TARGET_ARCH} image"
# kcli support download image with archs: 'x86_64', 'aarch64', 'ppc64le', 's390x'
kcli download image $CLUSTER_IMAGE -a ${ARCH}
kcli download image $CLUSTER_IMAGE -P ${ARCH}

kcli create kube generic $parameters "$CLUSTER_NAME"

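Review bot: The `kcli download image $CLUSTER_IMAGE -P ${ARCH}` line is unrelated to the guest-components bump the commit describes and deserves its own commit, or at least a sentence in the description. If `-P` is kcli's generic parameter option it expects a `key=value` pair rather than a bare architecture, so `-P ${ARCH}` would pass an invalid parameter without an obvious error — confirm against `kcli download image --help` for the kcli version in use and, if so, use the form it documents. The comment above the call still describes the old `-a` behaviour and should name the option now used; the `create` function starts outside the hunk.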
8 changes: 4 additions & 4 deletions src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -1,8 +1,8 @@
include ../Makefile.defaults

AA_KBC ?= cc_kbc
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = fedora-binaries-builder-$(ARCH)
ATTESTER ?= none
ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
BUILDER = fedora-binaries-builder-$(ARCH)

REGISTRY ?= quay.io/confidential-containers
PODVM_DISTRO ?= fedora
Expand Down Expand Up @@ -43,7 +43,7 @@ binaries:
cp -rf ../../../.git ../../.git
docker buildx build \
--build-arg BUILDER_IMG=$(BUILDER) \
--build-arg AA_KBC=$(AA_KBC) \
--build-arg ATTESTER=$(ATTESTER) \
$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-o type=local,dest="./resources/binaries-tree" \
-f ../podvm/Dockerfile.podvm_binaries.fedora ../../
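Review bot: `ARCH ?= $(subst x86_64,amd64,$(shell uname -m))` and `BUILDER = fedora-binaries-builder-$(ARCH)` appear on both sides of the first hunk with identical text, so this 4-addition/4-deletion section presumably carries a whitespace or line-ending change on top of the `AA_KBC` to `ATTESTER` substitution; trimming it to the one-line swap keeps the hunk aligned with the sibling docker/image/Makefile change. The `binaries` recipe starts outside the second hunk.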
6 changes: 4 additions & 2 deletions src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries
Expand Up @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
ARG PODVM_DISTRO=ubuntu
ARG GUEST_COMPONENTS_VERSION
ARG GUEST_COMPONENTS_REPO
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile ootb on ubuntu.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
Expand All @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

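Review bot: The comment above `ARG ATTESTER=none` says that by default AA is built with `all-attesters`, which, placed directly over a line whose default is `none`, reads as a contradiction; the same wording appears in Dockerfile.podvm_binaries.fedora and Dockerfile.podvm_binaries.rhel. I would reword it to `# Upstream attestation-agent defaults to the all-attesters feature, which does not compile out of the box on ubuntu; "none" opts out, so callers pass the attesters they need via --build-arg ATTESTER=...`. The `ENV ATTESTER ${ATTESTER}` line in the second hunk follows the file's existing legacy `ENV key value` form, so no change there.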
6 changes: 4 additions & 2 deletions src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora
Expand Up @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
ARG PODVM_DISTRO=rhel
ARG GUEST_COMPONENTS_VERSION
ARG GUEST_COMPONENTS_REPO
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile on fedora.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
Expand All @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

6 changes: 4 additions & 2 deletions src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel
Expand Up @@ -9,15 +9,17 @@ ARG BUILDER_IMG
FROM ${BUILDER_IMG} AS podvm_builder

ARG PODVM_DISTRO=rhel
ARG AA_KBC="cc_kbc"
# By default AA will be built with the `all-attesters` feature,
# which doesn't compile ootb on RHEL.
ARG ATTESTER=none
# If not provided, uses system architecture
ARG ARCH
#This is the name of the policy file under
#files/etc/kata-opa
ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego

ENV PODVM_DISTRO ${PODVM_DISTRO}
ENV AA_KBC ${AA_KBC}
ENV ATTESTER ${ATTESTER}
ENV ARCH ${ARCH}
ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}

5 changes: 3 additions & 2 deletions src/cloud-api-adaptor/podvm/Makefile.inc
Expand Up @@ -23,12 +23,13 @@ ARCH := $(or $(ARCH),$(HOST_ARCH))
# Normalise x86_64 / amd64 for input ARCH
ARCH := $(subst amd64,x86_64,$(ARCH))
DEB_ARCH := $(subst x86_64,amd64,$(ARCH))
AA_KBC ?= cc_kbc
AA_KBC ?= offline_fs_kbc
KBC_URI ?= null
LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl)
RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH))
RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC)

ATTESTER ?= none
CDH_RESOURCE_PROVIDER ?= kbs
SEALED_SECRET ?= yes

Expand Down Expand Up @@ -169,7 +170,7 @@ $(GUEST_COMPONENTS_SRC):
$(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION))

$(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC)
cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) KBC="$(AA_KBC)" ttrpc=true LIBC="$(LIBC)"
cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)"
mkdir -p "$(@D)"
install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@"

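Review bot: On the rewritten `$(MAKE)` line the new `ATTESTER=$(ATTESTER)` is the only argument left unquoted while `LIBC="$(LIBC)"` keeps its quotes (and the removed `KBC="$(AA_KBC)"` had them); a value containing whitespace, which a feature list may, would split into separate make arguments, so write `ATTESTER="$(ATTESTER)"`. Two `AA_KBC ?=` lines are shown (`cc_kbc` and `offline_fs_kbc`) and the rendered page does not say which is the new default; since the description says `AA_KBC` now only feeds `aa-kbc-params`, that should be stated next to the variable, e.g. `# Only used to template aa-kbc-params in the kata-agent config; no longer selects a build feature`. `ATTESTER ?= none` also lands after the blank line, apart from the other `?=` knobs it belongs with, and likewise lacks a comment saying what `none` yields.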
4 changes: 2 additions & 2 deletions src/cloud-api-adaptor/test/e2e/README.md
Expand Up @@ -64,10 +64,10 @@ popd
popd
```

We need build and use the PodVM image with `AA_KBC=cc_kbc` enabled, for example:
We need build and use the PodVM image:
```
pushd ${cloud-api-adaptor}
AA_KBC=cc_kbc make podvm-builder podvm-binaries podvm-image
make podvm-builder podvm-binaries podvm-image
popd
```
Then extract the PodVM image and use it following [extracting-the-qcow2-image](../../podvm/README.md#extracting-the-qcow2-image)
5 changes: 5 additions & 0 deletions src/cloud-api-adaptor/test/e2e/common.go
Expand Up @@ -23,6 +23,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const CURL_IMAGE = "quay.io/curl/curl:latest"
const BUSYBOX_IMAGE = "quay.io/prometheus/busybox:latest"
const WAIT_DEPLOYMENT_AVAILABLE_TIMEOUT = time.Second * 180
const DEFAULT_AUTH_SECRET = "auth-json-secret-default"
Expand Down Expand Up @@ -140,6 +141,10 @@ func NewBusyboxPod(namespace string) *corev1.Pod {
return NewBusyboxPodWithName(namespace, "busybox")
}

func NewCurlPodWithName(namespace, podName string) *corev1.Pod {
return NewPod(namespace, podName, "curl", CURL_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
}

func NewBusyboxPodWithName(namespace, podName string) *corev1.Pod {
return NewPod(namespace, podName, "busybox", BUSYBOX_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"}))
}
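Review bot: `NewCurlPodWithName` is an exported function without a doc comment, and `CURL_IMAGE` is `quay.io/curl/curl:latest`, a floating tag, so the e2e suite's behaviour can change under it without any change in this repository. Add `// NewCurlPodWithName returns a long-sleeping pod running CURL_IMAGE, for exec-style probes from inside the cluster.` above the function and pin the image by version or digest, e.g. `quay.io/curl/curl:<version>@sha256:<digest>` (placeholder), as should eventually be done for `BUSYBOX_IMAGE` too. The function otherwise mirrors `NewBusyboxPodWithName` line for line; the shared `sleep 3600` command could be one helper, but that is optional.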
7 changes: 4 additions & 3 deletions src/cloud-api-adaptor/test/e2e/common_suite.go
Expand Up @@ -595,13 +595,14 @@ func DoTestKbsKeyRelease(t *testing.T, e env.Environment, assert CloudAssert) {
func DoTestKbsKeyReleaseForFailure(t *testing.T, e env.Environment, assert CloudAssert) {

log.Info("Do test kbs key release failure case")
pod := NewBusyboxPodWithName(E2eNamespace, "busybox-wget-failure")
pod := NewCurlPodWithName(E2eNamespace, "curl-failure")
testCommands := []TestCommand{
{
Command: []string{"wget", "-q", "-O-", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
Command: []string{"curl", "-s", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},
ContainerName: pod.Spec.Containers[0].Name,
TestCommandStdoutFn: func(stdout bytes.Buffer) bool {
if strings.Contains(stdout.String(), "request unautorized") {
body := stdout.String()
if strings.Contains(strings.ToLower(body), "error") {
log.Infof("Pass failure case as: %s", stdout.String())
return true
} else {
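Review bot: The new assertion `strings.Contains(strings.ToLower(body), "error")` is much looser than the `request unautorized` check it replaces: any response body containing the word "error" now passes the failure case, including a CDH or KBS misconfiguration, a 5xx page, or an unrelated error on the resource path, so the test no longer proves the key was refused for the intended reason. Keep the substring the service actually returns for a denied request (the old message, spelled as the service emits it), or have curl report the status as well, e.g. `"curl", "-s", "-w", "%{http_code}", ...` and assert on the code. Note that `curl -s` also suppresses transport errors, so a wrong endpoint yields an empty body and the test fails with an unhelpful log; `-sS` keeps the diagnostic on stderr. `DoTestKbsKeyReleaseForFailure` continues past the hunk.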
2 changes: 1 addition & 1 deletion src/cloud-api-adaptor/versions.yaml
Expand Up @@ -28,7 +28,7 @@ tools:
git:
guest-components:
url: https://github.com/confidential-containers/guest-components
reference: 277617af60c32661819c1132ffbf3db8dc6e1b9f
reference: 9bcc7c1addcbad1e249a6d870d9df68f2824254b
kata-containers:
url: https://github.com/kata-containers/kata-containers
reference: 59ff40f05484da2a462fa44f18fe95e7c8484546